ECONOMIC SECURITY COMPONENT OF CIP: Roles of Industry and Government
U.S.-Bulgaria Conference on Cybersecurity
Sofia
September 8-9, 2003
Daniel C. Hurley, Jr.
Director, Critical Infrastructure Protection
U.S. Department of Commerce

Homeland Security Components
• National Defense: Departments of Defense and Homeland Security
• Law Enforcement: Departments of Justice and Homeland Security
• Economic Security: Departments of Commerce, Treasury and Homeland Security

Within the U.S. Government, the Department of Commerce is the appropriate agency for addressing economic security issues:
• Core mission incorporates CIP
• Historic ties with and understanding of industry
• Trust between Department and industry
Without DOC’s involvement, U.S. industry won’t play effectively

Facets of Economic Security
Goal: To ensure that CIP policies, programs and activities support an economic security perspective
• Commerce Department Operating Agencies have complementary programs/roles for CIP
• Many pre-existing programs have adjusted to contribute CIP support

Solution Factors
Technology, Process, People
  - Standards
  - Guidelines/Policies
  - Best Practices
  - Education & Awareness

Costs of Computer Crime
• 2003: $201 million
• 2002: $455 million
• Types:
  - Proprietary info ($70 million)
  - Denial of service ($65 million)
  - Financial fraud ($10.2 million; down from $116 million in 2002)
• Forms of attack:
  - Virus incidents (82%)
  - Insider abuse (80%)
Source: CSI/FBI 2003 Computer Crime and Security Survey

Examples of Recent Attacks
• Klez virus:
  - Clean-up and lost productivity: $9 billion
• Code Red: 1 million computers affected
  - Clean-up and lost productivity: $2.6 billion
• Love Bug: 50 variants, 40 million computers affected
  - Clean-up and lost productivity: $8.8 billion
• NIMDA:
  - Clean-up and lost productivity: $1.2 billion
• Slammer:
  - Clean-up and lost productivity: $1 billion +

“Business Case” for Cybersecurity
• Research reported in CSO Magazine in 2002 demonstrates a 21% Return on Investment for cyber security systems implemented early in network development.
• “The costs of a severe computer attack are likely to be greater than the preemptive investment in a cyber security program would have been.” (Source: National Strategy to Secure Cyber Space, February 2003)

Commerce Agencies Involved
• National Telecommunications and Information Administration (NTIA)
• International Trade Administration (ITA)
• Bureau of Industry and Security (BIS)
• Technology Administration (TA)
• Economic Development Administration (EDA)

Departmental CIP Programs
• NTIA
  - Spectrum management
  - Domain Name System root server tasks
  - International Telecommunication organizations
  - IPv6 Task Force
• ITA
  - e-Commerce
  - Privacy

Departmental CIP Programs
• BIS
  - Export Administration
  - Defense Industrial Base issues
• TA/NIST
  - Security Standards
• EDA
  - Economic recovery protocols

Security Standards
National Institute of Standards and Technology
• Technical Security Standards
• Security Management Standards
• Testing, Evaluation, and Assessment Programs
• International Recognition Arrangements

References and Tools
• “Best Practices” Security Standards: www.nric.org
• Security Standards: http://csrc.nist.gov
• American Bar Association guides available upon request

CIP Lessons Learned
• GLOBAL ECONOMIC BENEFITS OF CIP
  - Economic Security is a motivating factor
  - Complements law enforcement and national security objectives
• CONTINUAL EDUCATION & AWARENESS NECESSARY
  - Solutions involve people, not just technology and process
• INDUSTRY INTERACTION ESSENTIAL
  - Facilitates issue identification
  - Broadens analytic support
  - Facilitates buy-in by industry
  - Accelerates economic benefits to be derived

ECONOMIC SECURITY COMPONENT OF CIP: ROLES OF GOVERNMENT AND PRIVATE SECTOR
U.S.-Bulgaria Conference on Cybersecurity
September 8-9, 2003
Daniel C. Hurley, Jr.
Director, Critical Infrastructure Protection
U.S. Department of Commerce
www.ntia.doc.gov
dhurley@ntia.doc.gov