
Potomac Institute for Policy Studies Jamie Barnett, Rear Admiral, USN (Retired)

Military Cyber Security Symposium. Cyber Policy Development & Decision Making at the Highest Levels of Government. Potomac Institute for Policy Studies Jamie Barnett, Rear Admiral, USN (Retired) Senior Vice President. October 3, 2012. Potomac Institute for Policy Studies.


Presentation Transcript


  1. Military Cyber Security Symposium Cyber Policy Development & Decision Making at the Highest Levels of Government Potomac Institute for Policy Studies Jamie Barnett, Rear Admiral, USN (Retired) Senior Vice President October 3, 2012

  2. Potomac Institute for Policy Studies • The premier science and technology policy think tank in the Washington, D.C. area • Founded in 1994 after the Congressional Office of Technology Assessment was abolished • Fiercely independent, non-partisan, not-for-profit “The Potomac Institute identifies and aggressively shepherds discussion on key science and technology issues facing our society. From these discussions and forums, we develop meaningful science and technology policy options and ensure their implementation at the intersection of business and government...” Michael S. Swetnam CEO

  3. Critical Infrastructure Protection Attacks against computer networks between 2009 and 2011, including critical infrastructure, are up 1,700% Attacks against American banks

  4. FCC Approach to Cybersecurity • FCC Approach: • Facilitate development of voluntary best practices. • Secure routing • Secure DNS • Botnet remediation • Website remediation • Communications reliability • Establish performance metrics and benchmarks; collect data. • Perform technical and statistical analyses. • Work with industry participants to address problem areas. • Track progress toward benchmarks. Why voluntary? (1) Best first approach & (2) Some question FCC authority

  5. FCC Communications Security, Reliability & Interoperability Council The FCC recruited top leaders in cybersecurity to serve on CSRIC III and its working groups, for example: • Ed Amoroso, CISO – AT&T • Danny McPherson, CSO – Verisign • Dr. Steve Crocker, CEO Shinkuro & Chair of ICANN • Barry Greene, President – Internet Systems Consortium • Rod Rasmussen, CTO – Internet Identity • Rodney Joffe, CTO – Neustar • Mike O’Reirdan, Chairman, MAAWG • Alan Paller, Research Director, SANS Institute • Prof. Jen Rexford, Princeton University

  6. Federal Communications Commission Communications Security, Reliability & Interoperability Council (CSRIC III) • Glen Post, CEO of CenturyLink, Chair of CSRIC III • Cybersecurity Reports: Fighting Botnets, Securing the Domain Name System, & Securing Internet Routing • ISP Anti-Botnet Code of Conduct: Working Group 7 Report • Secure Internet Routing: Working Group 6 Report • DNSSEC: Securing the Domain Name System: Working Group 5 Report

  7. Cybersecurity Act of 2012/S. 3414 • Establish the National Cybersecurity Council: an interagency chaired by DHS to conduct risk assessments • Create a Public‐Private Partnership to Combat Cyber Threats: industry-led groups will develop voluntary outcome‐based cybersecurity practices • Incentivize the Adoption of Voluntary Cybersecurity Practices • Improve Information Sharing While Protecting Privacy and Civil Liberties • Improve the Security of the Federal Government’s Networks: • Federal government must develop a comprehensive acquisition risk management strategy • Move from culture of compliance to culture of security • Continuous monitoring of systems • Red team exercises and operational testing • Strengthen the Cybersecurity Workforce • Coordinate Cybersecurity Research and Development. 52 voted for, 46 against taking up S.3414

  8. Possible Cybersecurity Executive Order Actions • Use existing executive branch authorities to establish new cybersecurity standards • Create near real time monitoring of critical infrastructure • Connect private companies to government networks • Ease limits on information sharing between government and the private sector Source: Bloomberg Government, Sept. 28, 2012

  9. Supply Chain Threats • As significant as cybersecurity • All critical infrastructure, but esp. communications & energy • Cannot be transactional or foreign versus domestic approach • Recommended: Tiered system of supply chain risk management • Incentives and best practices for industry • Legal authorities for effective approach may not exist • www.potomacinstitute.org http://www.potomacinstitute.org/index.php?option=com_content&view=article&id=1282:special-event-addressing-the-supply-chain-threat-&catid=65:past-events&Itemid=94

  10. Cyber Policy Needs • National Critical Infrastructure Cyber Exercise Capability • National Cyber Doctrine. Doctrine: (n.) a body of principles that is advocated and taught

  11. The Need for a National Cyber Doctrine Coming in November, 2012 #CyberDoc No Borders-No Boundaries National Doctrine for the Cyber Era “Creating a doctrine is made more difficult because the government cannot simply dictate actions, but must delicately balance roles between government and industry and be flexible enough to adjust as situations rapidly evolve.” Potomac Institute Press

  12. Policy Questions: What is the big idea? • New mental model for cyberspace: like the law of the sea? • Government must recognize that private industry is the front line of cybersecurity and critical infrastructure protection • Security costs money • Light touch regulation, not detailed or prescriptive • Private industry must recognize that governments can create markets for security • Government can create incentives for security • Security is good for business • New authorities will be needed • Legislation for supply chain and cybersecurity? • FCC could reclassify and treat ISPs as carriers? • New structures of government will be needed • First tier Presidential Cyber Advisor? • New Department of Communications and Cybersecurity? • Fully realize the Privacy and Civil Liberties Oversight Board (PCOB)?

  13. Potomac Institute for Policy Studies • The premier science and technology policy think tank in the Washington, D.C. area • Founded in 1994 after the Congressional Office of Technology Assessment was abolished • Fiercely Independent, non-partisan, not-for-profit “The Potomac Institute identifies and aggressively shepherds discussion on key science and technology issues facing our society. From these discussions and forums, we develop meaningful science and technology policy options and ensure their implementation at the intersection of business and government...” Michael S. Swetnam CEO 901 N. Stuart Street, Suite 200 Arlington, Virginia, 22203 Office: 703.525.0770 Fax: 703.525.0299 www.potomacinstitute.org
