Title: Cyber Security Professionalism

1. Cyber Security Professionalism
- Cyber Security Becomes a Profession: Navigating U.S. Sectoral Security
- S.773 - the Current Impetus

2. Is CyberSecurity a Profession? What About Risk Analysis?
- Are these Trick/Gotcha Questions?
- Maybe
- Why? What is the Dilemma?
- Long tradition of fields, disciplines, callings actively seeking legitimacy of professional status
- Vs.
- Once you're a Professional, Public Expectations Hold your Feet to the Fire
- What is the Role of S.773 & S.778 in CyberSecurity Professionalism?

3. What is a Profession?
- Traditionally only 3 professions
  - Divinity, Medicine, Law
- Persons/firms who supply specialized knowledge (subject, field, science) to fee-paying clients
- Also the body of qualified professional persons
- Derived from Latin professio - to swear (an oath), avowal, public declaration
- Professional (adj.) - behaves properly, not amateurish
- The oath dictates ethical standards, which usually include confidentiality, truthfulness and expertise, all for the client's benefit, while also upholding the profession's good name
- EX: Architects, Accountants, Actuaries, Chiropractors, Clergy, Dentists, Engineers, Lawyers, Librarians, Nurses, Occupational/Physical Therapists, Pharmacists, Physicians, Professors/Teachers, Psychiatrists, Veterinarians
- (Cyber-)Security Professionals too?!?

4. Milestones towards Profession
- Full-Time Occupation
- Training & University Instruction
- Accreditation of Instruction & Qualifications
- Associations: local, national, int'l
- Codes of Conduct (gov't & self-)
  - ethics, professional responsibility, self-discipline
- Law/Regulation Compels Professional Status
  - Licensure, Certification

5. Characteristics of Most Professions
- Skill based on theoretical knowledge
- Professional associations
- Extensive period of education
- Testing of competence
- Institutional training (apprenticeship)
- Licensure/Certification
- Work autonomy
- Code of professional conduct or ethics
- Self-regulation
- Self-Discipline
- Public service and altruism (pro bono)
- Exclusion, monopoly & legal recognition
- Fee & advertising control
- High status & rewards
- Individual clients vs. In-House single client
- Legitimacy, legal authority over some activities
- Body of Knowledge Inaccessible to Laity
  - Professional interpretation required for body of knowledge
- Professional Mobility

6. Is CNSSI a Professional Program?
- Ostensibly, but is it persistent?!?
- CNSS standards for training & education were embraced by 169 U.S. institutions
- Provides baseline for cadre of IA professionals
- Educational Standards for IA professionals
  - NSTISSI 4011 - Information Systems Security (INFOSEC) Professionals
  - CNSSI 4012 - Senior Systems Managers
  - CNSSI 4013 - System Administrators
  - CNSSI 4014 - Information Systems Security Officers
  - NSTISSI 4015 - System Certifiers
  - CNSSI 4016 - Risk Analyst

7. IT Governance Drives Professionalism
- "specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT."
- "the leadership and organizational structures and processes that ensure that IT serves strategic objectives."
- Corporate governance constraints: impact of law, regulators, security & privacy standards, SOX
- Implemented through:
  - technology transfer agreements
  - private contracts
  - employment restrictions
  - IP constraints
  - eCommerce commercial practice

8. Standardization of Security Duties
- ISO 17799 (predecessor BS 7799)
  - Progeny now replaced by ISO/IEC 27000 series
  - ISO 27001 Info. Security Mgt.
  - ISO 27002 Best Practices
- ISO 15408 Common Criteria (Computer Security)
- PCI DSS payment card security
- COBIT (ISACA, Info. Sys. Audit & Control Assn.)
- ITIL, IT Infrastructure Library, IT Service Mgt.
- NIST's Fed. Info. Processing Stds. (FIPS)
- Fair Information Practice Principles (FIPP)
  - (1) Notice, (2) Choice, (3) Participation, (4) Security, (5) Redress

9. Why are Standards Important?
- Stds. are emerging from obscurity
- More widely understood to impact most economic activity
- Increasingly viewed less as technically objective matters, more as arbitrary choices from among near-infinite alternatives
- Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
- Increasingly have a behavioral component

10. Why Standards Impact CyberSecurity Duties
- Stds. Created CyberSpace
  - Consider html, ftp, http, xml, 802.11
- Facilitates comparison, interoperability, competition
- Attracts investment in compatible technologies, products & services
- Standardization promises superior process design & best practice integration
  - Domain experts develop rather than meddlers
- Standards Reduce Risks of Variety
  - Incompatibility, Incompetence
- Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback & Incentivizes Compliance Improvement

11. Risks of Security Standardization
- General Disadvantages of Standardization
  - Lock in old/obsolete technology
  - Resists favorable evolution or adaptation
  - Favors/disfavors particular groups
- Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design
- However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

12. Economic Analysis of Security
- The Law & Economics Approach
  - legal theory applies methods of economics to law: economic concepts explain the effects of law/regulation, assess which rules are efficient, and predict which legal rules will/should be promulgated
- Micro-Economics Fundamentals
  - Information Asymmetries
  - Market Failure & its Justification for alternative policies
  - Adverse Selection
  - Moral Hazard
  - Positive vs. Negative Externalities
  - Free Rider & Tragedy of the Commons
- Game Theoretic Framework & Network Economics Approach
  - Critical Mass
  - Network Externality
  - Vulnerability Markets & Disclosure Incentive

13. Some Public Policies Pressing Security Duties
- Privacy Law Requires CyberSecurity
  - G/L/B, SourBox (a/k/a SOX), FCPA
  - Internal Control
- The Primary Federal Privacy Regulator: FTC
  - Enforcement Caselaw, deceptive trade practices
- State Privacy & Info Security Laws
  - CA state Privacy Czar
  - Breach Notification, see Privacyrights.org
  - Mass., Nev. Comprehensive Regulations
- Tort Liability for Privacy Violations
- HIPAA, now HITECH, PHI std.
- IA laws Impact Security Duties
  - Outsourcing (SAS 70)
  - Trade Secrecy (IP) & National Security
  - USA PATRIOT Act
- FTC Privacy Enforcement & Common Law History
  - Red Flags (best/worst practices), Disposal Rule
  - Exposing then Stamping Out Deception

14. Example of Security Complexity: the Purported IPAS Drivers
- PSU Policies
  - FN07, Credit Card Sales
  - AD11, University Policy on Confidentiality of Student Records
  - AD19, Use of Penn State Identifier and Social Security Number
  - AD20, Computer and Network Security
  - AD22, Health Insurance Portability and Accountability Act (HIPAA)
  - AD23, Use of Institutional Data
  - Trusted Network Specifications
  - AD35, University Archives and Records Management
  - AD53, Privacy Statement
- Public Policies
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (G/L/B)
  - Family Educational Rights and Privacy Act (FERPA)
  - PA Breach of Personal Information Notification Act, 73 P.S. 2301
  - PA Mental Health Law
  - 21 USC Ch. 16 - Drug Abuse Prevention, Treatment, Rehab

15. What is Federal Pre-Emption?
- Only the most central institutional design feature in the whole American Experience
  - E.g., Reaction to English Crown, Articles of Confederation, Civil War, New Deal, Reagan's New Federalism
- Fed. Law May Displace State Law
  - EX: FDA labeling overrides state products liability
- Why would it be good to bar the states from regulating CyberSecurity?
- Why would it be good to include states in regulating CyberSecurity?

16. S.773 & S.778
- S.773, Cyber Security Act of 2009
- Sponsors
  - John Rockefeller (D, WV) & 3 Co-Sponsors
  - Evan Bayh (D, IN)
  - Bill Nelson (D, FL)
  - Olympia Snowe (R, ME)
- S.773 Bill Actions
  - 4.1.09 Introduced & Read twice
  - Referred to Commerce, Science & Transportation
- S.778
  - Companion to S.773
  - Creates White House Office of National Cybersecurity Advisor
  - Authority/Power from S.773 & later legislation/delegation

17. Some S.773 & S.778 Provisions
- Raise CyberSecurity profile within Fed. Govt.
- Streamline cyber-related govt. functions & authorities
- Establish Office of the National CyberSecurity Advisor
- Develop CyberSecurity national strategy
- Quadrennial Cybersecurity Review
  - modeled after the DoD Quadrennial Defense Review
  - to examine cyber strategy, budget, plans & policies
- Require a threat & vulnerability assessment
- Promote public awareness
- Protect civil liberties
- Require comprehensive legal review

18. More S.773 & S.778 Provisions
- ISAC
  - pub-pvt clearinghouse for cyber threat & vulnerability info-sharing
- CyberSecurity Advisory Panel
  - industry, academia, not-for-profit, advocacy organizations
  - review & advise President
- Establish enforceable cybersecurity standards
  - NIST to create measurable, auditable CyberSecurity stds.
- Licensing & certification of CyberSecurity professionals
- Establish & negotiate international norms
  - cybersecurity deterrence measures
- Foster innovation and creativity in cybersecurity
  - Scholarship-For-Cyber-Service program
  - NSF & Increase federal cybersecurity R&D
- Develop CyberSecurity risk evaluation framework

19. Probability of S.773 Passage
- Much proposed legislation is arguably political grandstanding, with scant probability of success
- Passage of any proposed legislation is uncertain
- Predictions based on heuristics of domain experts
- Few sectors reactive, most pro-active
- Limits of empirical approaches to prediction
- See Resume of Congressional Activity
  - http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm
  - 110th Cong. 1st Sess. (Jan. 4 - Dec. 31, 2007): 138 enacted / 9227 introduced, 1.5% yield
  - 110th Cong. 2nd Sess. (Jan. 3, 2008 - Jan. 2, 2009): 278 enacted / 4815 introduced, 5.8% yield

20. Security Risk Analysis is Sectoral
- Risk Analysis Differs by Domain
  - Just like U.S. Privacy Law, but not EU Privacy Law
- Major Differences: Physical vs. Intangible Security
  - Most domains blend tangible w/ information
- Many Key Domains Track Critical Infrastructures as defined in USA PATRIOT Act, CIPA 1016(e)
  - "systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
  - telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, rescue); govt. continuity; CyberSpace
- Calls for National Effort to Enhance Modeling & Analytical Capacities
  - appropriate mechanisms to ensure the stability of complex interdependent systems, incl. continuous viability & adequate protection of critical infrastructures
- What is Shared Among these Vastly Different Sectors?

21. Law Permits/Regulates Risk Analytics
- Quantitative
  - Statistical
  - Actuarial
  - Mortality & Morbidity
  - Admissibility of Forensic-Quality Expertise
  - Decision Analysis
  - Failure Analysis
- Qualitative
  - Heuristic
  - Visualization
  - Interdependence
  - Risk Assessment Education
  - Demographics
  - Risk Recognition
  - Emotion

22. Epilogue
- There is far more here than meets the eye!
- A website devoted to the developing public policy of cyber security professionalism:
  - http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/
- This IS interdisciplinary!
  - Good luck w/o interdisciplinarity

23. Financial Info Security Risks: SEC
- Financial Institutions w/in SEC Juris. Must:
  - Adopt written policies & procedures, reasonably designed to:
    - Insure security & confidentiality of customer records
    - Protect against anticipated threats or hazards
    - Protect against unauthorized access or use that could result in substantial harm or inconvenience
- Disposal Rule
  - must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

24. Controls over Internal Risks
- COSO's Definition of Internal Control
  - "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in these categories:
    - effectiveness and efficiency of operations
    - reliability of financial reporting, and
    - compliance with applicable laws and regulations."
- Components of Internal Control are:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring

25. GLB Safeguards Rule
- Financial institutions must design, implement and maintain safeguards
  - Purpose: to protect private info
- Must implement written information security program
  - appropriate to company's size & complexity, nature & scope of activities, sensitivity of customer data
- Security program must also:
  - assign one or more employees to oversee program
  - conduct risk assessment
  - put safeguards in place to control risks identified in assessment, then regularly test & monitor them
  - require service providers, by written contract, to protect customers' personal information
  - periodically update security program

26. Admitting then Analyzing Outsourcing Risks
- Not Outsourcing Risks Internal Failure
- Interdependency Reduces (Some) Risks of Conflict
- Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
- Slipshod Rush to Outsource for Savings
- Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
- SAS 70 Requires Outsourcing Risk Analysis/Mgt.
- SLC Negotiation: Opportunities to Reduce Risk

27. NIST Risk Mgt. Method
- Asset Valuation
  - Information, software, personnel, hardware, physical assets
  - Intrinsic value & the near-term impacts & long-term consequences of its compromise
- Consequence Assessment
  - Degree of harm or consequence that could occur
- Threat Identification
  - Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses

28. NIST Risk Mgt. Method
- Vulnerability Analysis
- Safeguard Analysis
  - Any action that reduces an entity's vulnerability to a threat
  - Includes the examination of existing security measures & the identification of new safeguards
- Risk Management Requires Risk Analysis
  - Analyzed in terms of missing safeguards
- Risk Management: "The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events" (NIST, 1995 @ 59)
Source: NIST Handbook
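The two NIST slides above list the steps (asset valuation, consequence assessment, threat identification, vulnerability analysis, safeguard analysis) but not how they combine. The following Python model is an added example, not code from the slides or from the NIST Handbook: it walks a constructed inventory through those steps and, as slide 28 puts it, expresses risk in terms of missing safeguards. The 1-5 ordinal scales, the value x likelihood x harm product, and the assumption that each required safeguard removes an equal share of an exposure's risk are illustrative choices of this example; the asset, threat and safeguard names are constructed.

```python
"""Risk analysis following the NIST Handbook steps named on the slides:
asset valuation, consequence assessment, threat identification, vulnerability
analysis and safeguard analysis, with residual risk stated in terms of
missing safeguards. Constructed example: the 1-5 scales, the product scoring
and the equal-share coverage rule are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # information, software, personnel, hardware or physical
    value: int       # 1 (low) .. 5 (critical): intrinsic value plus consequences of compromise


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected); assumed ordinal scale
    harm: int        # consequence assessment: degree of harm if realised, 1 .. 5


@dataclass(frozen=True)
class Vulnerability:
    asset: str                           # Asset.name it weakens
    threat: str                          # Threat.name that could exploit it
    description: str
    required_safeguards: FrozenSet[str]  # safeguards that together would close it


def analyze(assets: List[Asset], threats: List[Threat], vulns: List[Vulnerability],
            existing_safeguards: FrozenSet[str]) -> List[Dict]:
    """Score every asset/threat pair linked by a vulnerability and express the
    residual risk in terms of the safeguards that are still missing."""
    asset_by_name = {a.name: a for a in assets}
    threat_by_name = {t.name: t for t in threats}
    exposures = []
    for v in vulns:
        asset, threat = asset_by_name[v.asset], threat_by_name[v.threat]
        inherent = asset.value * threat.likelihood * threat.harm  # assumed scoring
        missing = v.required_safeguards - existing_safeguards
        if v.required_safeguards:
            # each required safeguard is assumed to remove an equal share of the risk
            per_safeguard = inherent / len(v.required_safeguards)
            residual = per_safeguard * len(missing)
        else:
            # a weakness with no known safeguard keeps its full inherent risk
            per_safeguard, residual = 0.0, float(inherent)
        exposures.append({
            "asset": asset.name,
            "threat": threat.name,
            "vulnerability": v.description,
            "inherent": inherent,
            "residual": residual,
            "per_safeguard": per_safeguard,
            "missing": sorted(missing),
        })
    # highest residual risk first, with a deterministic tie-break for reporting
    exposures.sort(key=lambda e: (-e["residual"], e["asset"], e["threat"]))
    return exposures


def recommend(exposures: List[Dict]) -> List[Tuple[str, float]]:
    """Safeguard analysis: rank the missing safeguards by the total residual
    risk each one would remove across every exposure it appears in."""
    gains: Dict[str, float] = {}
    for e in exposures:
        for safeguard in e["missing"]:
            gains[safeguard] = gains.get(safeguard, 0.0) + e["per_safeguard"]
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed inventory for a small office; all values are illustrative only.
ASSETS = [
    Asset("customer records", "information", 5),
    Asset("payroll server", "hardware", 4),
    Asset("backup tapes", "physical", 3),
]
THREATS = [
    Threat("disgruntled employee", likelihood=3, harm=4),
    Threat("fire", likelihood=2, harm=5),
    Threat("malware", likelihood=4, harm=3),
    Threat("operator error", likelihood=4, harm=2),
]
VULNS = [
    Vulnerability("customer records", "disgruntled employee",
                  "shared admin account with no access review",
                  frozenset({"least-privilege accounts", "access review"})),
    Vulnerability("customer records", "malware",
                  "file server has no endpoint protection",
                  frozenset({"endpoint protection", "patching"})),
    Vulnerability("payroll server", "fire",
                  "single site, no offsite copy",
                  frozenset({"offsite backup", "fire suppression"})),
    Vulnerability("backup tapes", "operator error",
                  "unlabelled tapes rotated by hand",
                  frozenset({"labelled media", "rotation checklist"})),
]
EXISTING_SAFEGUARDS = frozenset({"patching", "fire suppression", "access review"})


def run_example() -> Tuple[List[Dict], List[Tuple[str, float]]]:
    exposures = analyze(ASSETS, THREATS, VULNS, EXISTING_SAFEGUARDS)
    return exposures, recommend(exposures)


if __name__ == "__main__":
    exposures, recs = run_example()
    for e in exposures:
        print(f'{e["residual"]:5.1f} residual of {e["inherent"]:3d}  '
              f'{e["asset"]} / {e["threat"]}: missing {e["missing"]}')
    for safeguard, gain in recs:
        print(f"add {safeguard!r}: removes {gain:.1f}")
```

Running it lists the four exposures from highest residual risk down and then the safeguards worth adding first; with the constructed data, the two customer-record exposures tie at the top, and "endpoint protection" and "least-privilege accounts" each remove the most residual risk. The design point is the one on slide 28: once existing safeguards are credited, what remains of each risk is exactly the set of safeguards still missing, which is what the recommendation step ranks.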

29. Roles of Law/Reg/Policy in Risk Analysis & Risk Management
- Law Resolves Disputes, Shifts Risk of Loss
  - Risk Analysis Failure Shifts Liability Risks to Creator
  - Actual Injuries Trigger Disputes over Risk Duties
- Law Defines Risks & Duties of Care
  - Crimes, Torts, Contracts, Standards, Determination of Injury
- Law Dis-Incentivizes Risky Deeds (DDtDDC)
- Law Defines Risk Management Duties
- Law Compensates Injuries Derived from
- Law Defines/Constrains Damage Computation
- Law Encourages Risk Mgt.
- Law Defines Risk Mgt. Professionalism
- Law Enforces Risk Shifting Contracts
- Law Requires Risk Analysis & Impacts Methods
  - But Law may Disincentivize Introspection w/o Self-Eval Privilege
- Law Regulates Risk Management Industry
- Law Enforces Risk Mgt. Professions' Arrangements