-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
1/15
Larry ClintonPresident
Internet Security
[email protected]
202-236-0001
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
2/15
ISA Board of Directors
Ty Sagalow, Board Chair; President innovation Division
ZurichInsurance
Mike Hickey, Board Vise Chair, VP Government Affairs and
nationalSecurity Verizon Corp.
Tim McKnight, VP & CSO Northrop Grumman Jeff Brown, CISO
Information Security Raytheon Charlie Croom, VP Cyber Security
Solutions, Lockheed Martin Eric Gureno, CIO, Bank of new
York/Mellon Financial Pradeep Khosla, Dean, School of Computer
Sciences Carnegie Mellon U Lawrence Dobranski, Security Manager,
Nortel Mark Antony Signorino, Chief Technology Nat. Assoc
Manufacturers Joe Buonomo, Pres. Direct Computer Resources Inc.
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
3/15
Our Partners
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
4/15
ISA Mission
Integrate technology with
economically practical business
considerations and public policy tocreate a sustainable system
of cyber
security
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
5/15
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
6/15
National Risk Continuum
Consequence
Very low Very high
Nati
on-state/unlimitedresources
Nation-state/terrorist
limitedresources
Nation-state/
Stea
l
Crim
inal
gang
Verylo
w
HackersProje
ctpower/damageordestroy
Projectpower
Severe
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
7/15
2009 ISA Priority Projects
1. Create a Cyber Security Social Contract betweenbusiness and
government to provide marketincentives for improved security
2. Develop Best Practices for financial riskmanagement of cyber
incidents
3. Create a framework for managing conflictinglegal structures
and unified communications tech.
4. Develop standards to secure the VOIP platform5. Framework to
secure the IT supply Chain
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
8/15
ISA Supply Chain Project
18 months long (start fall 07) Focus on firmware Carnegie Mellon
University and Center for CyberConsequences Unit 3 conferences 100
Gov., Industry and Academic participants Results are strategy and
framework provided to
USG for NSC 60-day review of cyber policy
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
9/15
ISA/CMU Study Results
1. Globalization of IT Supply Chain will increase2. USG reliance
on IT will also increase3. Threat from IT supply chain significant
for USG4. USG-only solution impractical5. Attackers will be fluid
and creative so fixed
policies will be ineffective long term
6. Need a flexible framework of solutions7. Framework must
account for both security and
cost
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
10/15
Framework: Danger of
Malicious Firmware
Serious danger of infiltrating the supply chain Altered
circuitry to transfer control over info
systems
A logic bomb cold lay dormant then activated atthe worst
possible moment
A weapons system could be shut down whenneeded, or even turned
against the owner
Virtually impossible to detect Domestic sole sourcing is
economically impractical
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
11/15
Framework: Economic
Issues
Supply chain attacks are very difficult andexpensive
Almost always cheaper and more effective to usemore traditional
cyber attacks
NATION STATES CAN AFFORD AND MIGHT BEWILLING TO INVEST IN SUPPLY
CHAIN ATTACKS
Some criminal conspiracies might also be willing toconduct
supply chain attacks
Malicious firmware is a serious but limited issue
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
12/15
Types of Supply Chain
Attacks & Remedies
1. Interrupt Operation: Maintain alternative sources
andcontinual sharing of production across chain
2. Corrupt Operation (e.g. insert malaria): strict control
ofenvironment where key IP is being applied, logical andphysical
tamper proof seals/tracking containers
3. Discredit the operation (undermine trust or brand
value):logging operation and responsibility
4. Loss of information: Versioning as a tool for protecting
IP
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
13/15
Framework: Stages When
Attacks May Occur
1. Design Phase2. Fabrication Phase3. Assembly Phase
4.
Distribution Phase
5. Maintenance Phase
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
14/15
Framework: Legal Support
Needed
1. Rigorous contracts delineating security measures2. Locally
responsible corporations w/long term
interest in complying3. Local ways of overcoming agency problems
and
motivating workers and executives
4. Adequate provision for verifying implementationof
security
5. Local law enforcement of agreements at all levels
-
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at
the NDIAs DIB CIP Conference
15/15
Larry ClintonPresident
Internet Security Alliance
[email protected]
202-236-0001
