WEIS 2011 Workshop on the Economics of Information Security Chris Greer Assistant Director for Information Technology R&D White House Office of Science & Technology Policy June 14, 2011

America's economic prosperity in the 21st century will depend on cybersecurity - President Obama, May 2009

Invest in the Building Blocks of American Innovation Educate Americans with 21 st century skills and create a world-class workforce Build a leading physical infrastructure Strengthen and broaden American leadership in fundamental research Develop an advanced information technology ecosystem Catalyze Breakthroughs for National Priorities Unleash a clean energy revolution Accelerate biotechnology, nanotechnology, and advanced manufacturing Develop breakthroughs in space applications Drive breakthroughs in health care technology Create a quantum leap in educational technologies Promote Market-Based Innovation Accelerate business innovation with the R&E tax credit Promote investments in ingenuity through effective intellectual property policy Encourage high-growth and innovation-based entrepreneurship Promote innovative, open, and competitive markets Source: President’s Strategy for American Innovation

Invest in the Building Blocks of American Innovation Strengthen and broaden American leadership in fundamental research Develop an advanced information technology ecosystem Catalyze Breakthroughs for National Priorities Unleash a clean energy revolution Accelerate biotechnology, nanotechnology, and advanced manufacturing Develop breakthroughs in space applications Drive breakthroughs in health care technology Create a quantum leap in educational technologies Promote Market-Based Innovation Accelerate business innovation with the R&E tax credit Promote investments in ingenuity through effective intellectual property policy Encourage high-growth and innovation-based entrepreneurship Promote innovative, open, and competitive markets Source: President’s Strategy for American Innovation

Invest in the Building Blocks of American Innovation Strengthen and broaden American leadership in fundamental research Develop an advanced information technology ecosystem Source: President’s Strategy for American Innovation Comprehensive Cybersecurity Framework Trustworthy Cyberspace: Strategic Plan for Federal R&D Trustworthy Cyberspace: Strategic Plan for Federal R&D International Strategy for Cyberspace International Strategy for Cyberspace Administration Proposal for Cybersecurity Legislation National Strategy for Trusted Identities in Cyberspace National Initiative for Cybersecurity Education

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

International Strategy for Cyberspace

“Cyberspace, and the technologies that enable it, allow people of every nationality, race, faith, and point of view to communicate, cooperate, and prosper like never before.” President Obama May

The United States will work internationally to promote an open, interoperable, secure, and reliable cyberspace that supports international trade and commerce, strengthens international security, and fosters free expression and innovation. Our Goal

The cyberspace environment that we seek:  rewards innovation and empowers entrepreneurs;  connects individuals and strengthens communities;  builds better governments and expands accountability;  safeguards fundamental freedoms and enhances personal privacy; and  builds understanding, clarifies norms of behavior, and enhances national and international security.

 Upholding Fundamental Freedoms  Respect for Property  Valuing Privacy  Protection from Crime  Right of Self-Defense  Global Interoperability  Network Stability  Reliable Access  Multi-stakeholder Governance  Cybersecurity Due Diligence Norms of Responsible Behavior

 Upholding Fundamental Freedoms  Respect for Property  Valuing Privacy  Protection from Crime  Right of Self-Defense  Global Interoperability  Network Stability  Reliable Access  Multi-stakeholder Governance  Cybersecurity Due Diligence Norms of Responsible Behavior

Administration Proposal for Cybersecurity Legislation

The Administration should partner appropriately with Congress to ensure adequate law, policies, and resources are available to support the U.S. cybersecurity-related missions. President’s Cyberspace Policy Review May 2009

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

 the American people;  our Nation’s critical infrastructure;  federal government networks and systems; and The proposal helps protect:  Privacy and civil liberties.

Protecting the American People  National Data Breach Reporting  Penalties for Cyber Criminals

Protecting our Nation’s Critical Infrastructure  Voluntary government assistance to industry, states, and local government  Voluntary information sharing with DHS  Critical infrastructure cybersecurity plans

Protecting Federal Computers & Networks  Management – FISMA update and roles  Personnel – Hiring authorities and exchange  Intrusion Prevention Systems – EINSTEIN  Data Centers – Promoting cloud innovation

Protecting Privacy and Civil Liberties  Privacy and civil liberties expert review and Attorney General (AG) approval  Limitation to cybersecurity threats and criminal law enforcement with AG review  Threat information shared without unrelated identifying information  Layered oversight programs and Congressional reporting

National Initiative for Cybersecurity Education NICE

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

NICE Website:

Building Capacity for a Digital Nation  Increase public awareness  Enhance formal cybersecurity education  Expand, define, and train a world-class cybersecurity workforce

Cybersecurity Pipeline

National Cybersecurity Awareness  Lead: Department of Homeland Security (DHS)  Public service campaigns and awareness activities year round Formal Cybersecurity Education  Leads: Department of Education (ED), National Science Foundation (NSF)  Co-Leads: Department of Labor (DOL), DHS  STEM and cybersecurity education programs in accredited settings NICE Components

Cybersecurity Workforce Structure  Overall Lead: Department of Homeland Security (DHS)  Federal Workforce – Office of Personnel Management  Government Workforce (non-Federal) – DHS  Private Sector Workforce – Dept. Labor, National Institute of Standards and Technology Cybersecurity Workforce Training and Professional Development  Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS) Tri-Leads:  General IT Use – Federal Chief Information Officer Council and DHSIT  Infrastructure, Operations, Maintenance & Information Assurance – DoD, DHS  Domestic Law Enforcement and Counterintelligence – Department of Defense Cyber Crime Center (DC3), National Counterintelligence Executive (NCIX), Department of Justice, and DHS  Specialized Cybersecurity Operations - NSA NICE Components

National Initiative for Trusted Identities in Cyberspace NSTIC

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

NSTIC Website:

 Passwords are inconvenient and insecure  Individuals are unable to prove their true identity online for significant transactions NSTIC Focus - Two Central Problems:

 Identity theft is costly, inconvenient and all-too common  Phishing continues to rise, with attacks becoming more sophisticated  Managing multiple passwords is expensive  Passwords are failing  Maintenance of multiple accounts is increasing as more services move online

Characteristics of the Identity Ecosystem  Led by the private sector  Allows consumers who want to participate to: o obtain a single digital credential for wide use o choose among a diverse market of credential providers o use their credential when needed and remain anonymous when desired  Enhances privacy through: o “need-to-know” restrictions o reduced identity theft o reduced instances of sensitive information sharing

Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program

President’s Cyberspace Policy Review May 2009 Themes:  Lead from the top  Build capacity for a digital nation  Share responsibility for cybersecurity  Create effective information sharing and incident response  Encourage Innovation

Encouraging Innovation Provide a framework for research and development strategies that focus on game-changing technologies that will help meet infrastructure objectives, building on the existing NITRD strategies …

 NITRD: Networking and Information Technology Research and Development Program o CSIA: Cyber Security and Information Assurance Working Group o SSG: Senior Steering Group for Cybersecurity  SCORE: Special Cyber Operations Research and Engineering Interagency Coordination

 Near Horizon o Moving Target Defense o Tailored Trustworthy Spaces o Cyber Economic Incentives o Designed-in Security  Over the Horizon o Science of Cybersecurity  Research for Results o Translation to practice Strategy Overview

 Near Horizon o Moving Target Defense o Tailored Trustworthy Spaces o Cyber Economic Incentives o Designed-in Security  Over the Horizon o Science of Cybersecurity  Research for Results o Translation to practice Strategy Overview

Cyber Economic Incentives - Examples  Economics of legislation and policy choices – Immunity, liability, safe harbor, incentives, material disclosure, audit and assessment  Cyber insurance – Actuarial analysis, quantitative risk assessment, moral hazard, catastrophic and interdependent risks, risk pooling  Market factors – Valuation, cost/benefit analyses, technology risk, standards and innovation, awareness, intellectual arbitrage, risk decision-making, criminal markets

Invest in the Building Blocks of American Innovation Strengthen and broaden American leadership in fundamental research Develop an advanced information technology ecosystem Source: President’s Strategy for American Innovation Comprehensive Cybersecurity Framework Trustworthy Cyberspace: Strategic Plan for Federal R&D Trustworthy Cyberspace: Strategic Plan for Federal R&D International Strategy for Cyberspace International Strategy for Cyberspace Administration Proposal for Cybersecurity Legislation National Strategy for Trusted Identities in Cyberspace National Initiative for Cybersecurity Education

Contact: Additional Information: