TRANSCRIPT
Information Security: It’s Everyone’s Business
September 16, 2003
Greg Garcia, Vice President, Information Security, ITAA
About ITAA
• National 450+ Member Company Association
• Leading Corporate Names in IT
• Established in 1961
• Leader in Public Policy Advocacy, Business Development, Networking Programs
• Capitol Hill and White House Liaisons
• 200-Member-Driven InfoSec Committee
• DC and West Coast Offices
A Brief History of Time – Cyber Attacks Increase
• Denial of Service Attacks in 2000…
• …Spurred implementation of PDD 63 and establishment of sector coordinators (ITAA)
• More attacks from Anna Kournikova, ILoveYou virus, Code Red, NIMDA
• Cyber security makes its way onto the nation’s radar (and computer) screens
A Brief History of Time – Government Focuses
• 2002-03, White House releases National Strategy to Secure Cyberspace with 5 priorities:
  • National Cyberspace Security Response System
  • Threat and Vulnerability Reduction Program
  • Awareness and Training Program
  • Securing Governments’ Cyberspace
  • National Security and International Cyberspace Security Cooperation
• Included creation of Cyber Security “Czar”, which ITAA began advocating in 1999
• Public/Private Partnership is Overriding Theme as 85% of the network is owned and operated by private enterprise
A Brief History of Time – Government Focuses
• …After Cyber Security leadership left the White House, the National Strategy was in suspended animation without someone in charge to implement it
• Physical security wasn’t enough; no physical security without cyber security
• At urgings of ITAA, and many inside government, Homeland Security Department created the National Cyber Security Division within IAIP
• New NCSD Director, Amit Yoran, will have large job surmounting bureaucratic obstacles, but ITAA committed to helping make it work
A Brief History of Time – NCSD Mission Defined
• Identify risks and vulnerabilities, and coordinate with the private sector
• Oversee a consolidated “war room” Cyber Security Tracking, Analysis, & Response Center (CSTARC) for advance warning and incident response coordination with federal, state, local, private sector and international partners;
• CSTARC absorbed into new “U.S. CERT” announced September 15, 2003
• Help build cyber security awareness and education programs and partnerships with consumers, businesses, governments, academia, and international communities.
Costs of Cyber Security Breaches are Real
• CERT reports more than 76,000 incidents in the first half of 2003, almost as many as the 82,000 reported in all of 2002
• CSI/FBI 2003 report found 75% of respondents with financial losses
  • $202 million in losses for those reporting
  • Proprietary information losses over $70 million
  • Denial of Service losses pegged at $65 million
• But still no good national metrics exist for evaluating our readiness and measuring improvement
What We Do About It
Information Sharing is Paramount…
• Within the company: training and awareness; e.g., ITAA I-ACERT Online Awareness Test
• Within the industry: ISACs
• Across industries: Partnership for Critical Infrastructure Security (PCIS)
• With government and law enforcement: FOIA exemption helps
• Internationally: OECD Guidelines
What We Do About It
Private Sector Response Must Adapt and Mobilize
• Without action, government mandates will result
  • CA – Identity Theft Law is a good example
• Government is watching private sector leadership and action
• Develop infosec metrics and constantly review our progress
What ITAA is Doing About It
www.itaa.org/infosec
• Established Information Security Committee in 1997
• PDD 63 Sector Coordinator
• “National Strategy to Secure Cyberspace”
• “The Long Campaign: Information Assurance in the Age of Cyber Terror”
• Information Assurance in the States and Other National and Regional Events
• IT Information Sharing and Analysis Center co-founder and partner, www.it-isac.org
• Founding Sponsor, National Cyber Security Alliance CyberCitizen – www.cybercitizenship.org
• Founder and Board Member, PCIS
• Created “I-ACERT”, an online information security awareness test – “for the rest of us”
• Building a National Information Security Metrics Survey to Determine a Baseline, Measure Progress, and Inform Public Policy and Investment
What Government Can Do About It
• Strengthen Infosec requirements and accountability
• Fund and Spend on Infosec in DHS and Elsewhere
• Implement National Plan
• Defend FOIA Exemption
• Implement Safety Act Regulations
Going Forward … The Challenges are Many
• Industry and Government are Stepping Up, but… More Can Be Done
• Collaboration is Key
• Need to solidify the “culture of security”
Thank You! To Follow Up…
Greg Garcia
Vice President, Information Security
[email protected]