“Cutting Costs or Cutting Our Throats?” Mark D. Troutman, Ph.D. Associate Director Center for Infrastructure Protection/Homeland Security George Mason.

Presentation transcript:

“Cutting Costs or Cutting Our Throats?” Insider Threats Current Events: The Critical Infrastructure Security Perspective
Mark D. Troutman, Ph.D., Associate Director, Center for Infrastructure Protection/Homeland Security, George Mason University
Paul B. Losiewicz, Ph.D., Senior Scientific Advisor, Cyber Security and Information Systems Analysis Center
15 August 2013

Overview
- Recent Events
- Technology Increases Risk from Insider Threat
- Government Resource Constraints
- Costs Incurred by Lack of Due Diligence
- Implications and Policy Responses

Recent Events
- Recent incidents of Pvt Manning and Edward Snowden highlight the risk of “insider threat.”
- Snowden had classified access due to his status as a contractor, as well as advanced computer training. [1]
  - Employed by Booz-Allen Hamilton under contract to NSA.
  - Previous CIA experience and an incomplete military career (left before completing Special Forces training).
- There were some questions about facts relating to his background check, but Snowden was hired and granted clearance with access anyway. [2]
- Subsequent statements indicate Snowden sought employment in order to gain access, with the intent of making public practices with which he disagreed. [3]
- Summary: a government agency depended on a contract employee for specific skills and access, but screening failed to raise red flags regarding the individual's background and motivations.

Technology Increases Risk from Insider Threat
- Computing capacity continues to increase while embedded systems proliferate. Operating systems gain efficiency and capability with more sensors and distributed controls linked to other operating systems.
- Infrastructure is capital intensive and expensive to operate. Efficient and cost-minimizing approaches receive great emphasis; SCADA systems have evolved to meet this need.
- The combination of greater computing power and the reach afforded by linked information systems affords a greater span of influence; asymmetric threats increase.
- Greater span of control allows fewer personnel to monitor a greater range of control systems, with lower personnel cost. Personnel costs are the highest business costs.
- A similar dynamic holds in intellectual property and knowledge management systems. Less expensive cloud storage allows more information to be available to more collaborative processes in small to mid-size businesses.

Government Resource Constraints
- The Budget Control Act of 2011 (BCA 2011) attempted deficit reduction through constraints on discretionary spending. The defense budget and associated security functions sustained the largest share of reductions.
  - The DoD budget sustained $487B of cuts by the end of Secretary Gates’ tenure (2011). BCA 2011 identified an additional $500B over 10 years; the total could reach $1T. [4]
  - DoD costs for uniformed personnel have increased 57% in real terms (per person) over the previous decade. [5]
- Contract resources offer government an opportunity to reduce expenses and find specialty skill sets; personnel costs are the concern of the contract firm.
- The US Government has greatly increased its use of contracted personnel in the last decade to extend its capabilities, despite directions to the contrary.
- Contract organizations have a potentially different set of incentives from the government: minimize costs. This potentially reduces the resources associated with vetting and oversight. The Snowden case seems to illustrate this.

Costs Incurred by Lack of Due Diligence
- The Cost of Cutting Corners with Infrastructure
  - Sony fined $400K by the UK for failure to protect PII, on top of the $171M in outage losses from a hack of their interactive gaming network [6]
  - PII maintained on five-year-old servers, non-updated software, poor security
- Cost of Failure in Personnel Reliability
  - Manning's release of diplomatic cables to WikiLeaks had "a chilling effect that will go on for some time" on foreign officials' willingness to speak candidly to the U.S. [7]
  - 855 man-hours estimated by the Army to review the posted WikiLeaks documents, WITH computer-aided analysis [8]
  - Civilian arsonist costs the Navy $94M in direct costs and the loss of an attack sub [9]
  - Information Technology & Innovation Foundation: Snowden may cost the U.S. cloud industry $35B in losses to foreign competitors because of PRISM revelations [10]
- SEC and mandatory disclosure of Cyber Self Assessment [11]
  - Fines for compliance failure?

Implications and Policy Responses?
- Risk to intellectual property protection and innovation: R&D collaboration requires access to information, but greater access raises the risk of unwanted disclosure and economic damage to innovative firms, hampering economic competitiveness.
- Some policy responses?
  - Greater resources for personnel vetting and oversight; difficult in constrained environments, and raises individual privacy concerns as well
  - Higher access standards; but this imposes costs on collaboration and span of control
  - Limits on access by any one individual or group; this drives up personnel costs
- Conclusion:
  - In a technologically riskier environment there is greater need for new technological solutions and system responses
  - Other non-technical (e.g. cognitive) approaches to personnel reliability