Cyber Security Professionalism - PowerPoint PPT Presentation

Slides: 30
Provided by: CarleenM

Transcript and Presenter's Notes

1
Cyber Security Professionalism
  • Cyber Security Becomes a Profession
  • Navigating U.S. Sectoral Security
  • S.773 - the Current Impetus

2
Is CyberSecurity a Profession? What About Risk
Analysis?
  • Are these Trick/Gotcha Questions?
  • Maybe
  • Why? What is the Dilemma?
  • Long tradition of fields, disciplines, callings
    actively seeking the legitimacy of professional status
  • Vs.
  • Once you're a Professional, Public Expectations
    Hold your Feet to the Fire
  • What is the Role of S.773 & S.778 in
    CyberSecurity Professionalism?

3
What is a Profession?
  • Traditionally only 3 professions:
    Divinity, Medicine, Law
  • Persons/firms who supply specialized knowledge
    (subject, field, science) to fee-paying clients
  • Also the body of qualified professional persons
  • Derived from Latin professio - to swear (an
    oath), avowal, public declaration
  • Professional (adj.) - behaves properly, not
    amateurish
  • The oath dictates ethical standards, which usually
    include confidentiality, truthfulness and expertise,
    all for the client's benefit, while also upholding
    the profession's good name
  • EX: Architects, Accountants, Actuaries,
    Chiropractors, Clergy, Dentists, Engineers,
    Lawyers, Librarians, Nurses, Occupational/
    Physical Therapists, Pharmacists, Physicians,
    Professors/Teachers, Psychiatrists, Veterinarians
  • (Cyber-)Security Professionals too?!?

4
Milestones towards Profession
  • Full-Time Occupation
  • Training & University Instruction
  • Accreditation of Instruction & Qualifications
  • Associations: local, national, int'l
  • Codes of Conduct (govt & self-):
    ethics, professional responsibility,
    self-discipline
  • Law/Regulation Compels Professional Status:
    Licensure, Certification

5
Characteristics of Most Professions
  • Skill based on theoretical knowledge
  • Professional associations
  • Extensive period of education
  • Testing of competence
  • Institutional training (apprenticeship)
  • Licensure/Certification
  • Work autonomy
  • Code of professional conduct or ethics
  • Self-regulation
  • Self-Discipline
  • Public service and altruism (pro bono)
  • Exclusion, monopoly & legal recognition
  • Fee & advertising control
  • High status & rewards
  • Individual clients vs. In-House single client
  • Legitimacy, legal authority over some activities
  • Body of Knowledge Inaccessible to Laity
  • Professional interpretation required for body of
    knowledge
  • Professional Mobility

6
Is CNSSI a Professional Program?
  • Ostensibly, but is it persistent?!?
  • CNSS standards for training & education were
    embraced by 169 U.S. institutions
  • Provides baseline for a cadre of IA professionals
  • Educational Standards for IA professionals:
  • NSTISSI 4011 - Information Systems Security
    (INFOSEC) Professionals
  • CNSSI 4012 - Senior Systems Managers
  • CNSSI 4013 - System Administrators
  • CNSSI 4014 - Information Systems Security Officers
  • NSTISSI 4015 - System Certifiers
  • CNSSI 4016 - Risk Analyst

7
IT Governance Drives Professionalism
  • "specifying the decision rights and
    accountability framework to encourage desirable
    behavior in the use of IT."
  • "the leadership and organizational structures and
    processes that ensure that IT serves strategic
    objectives."
  • Corporate governance constraints: impact of law,
    regulators, security & privacy standards, SOX
  • Implemented through:
  • technology transfer agreements
  • private contracts
  • employment restrictions
  • IP constraints
  • eCommerce commercial practice

8
Standardization of Security Duties
  • ISO 17799 (predecessor BS 7799)
  • Progeny now replaced by the ISO/IEC 27000 series
  • ISO 27001 - Info. Security Mgt.
  • ISO 27002 - Best Practices
  • ISO 15408 - Common Criteria (Computer Security)
  • PCI DSS - payment card security
  • COBIT (ISACA - Info. Sys. Audit & Control Assn)
  • ITIL - IT Infrastructure Library (IT Service Mgt)
  • NIST's Fed. Info. Processing Stds
  • Fair Information Practice Principles (FIPP):
    (1) Notice, (2) Choice, (3) Participation, (4)
    Security, (5) Redress

9
Why are Standards Important?
  • Stds are emerging from obscurity
  • More widely understood to impact most economic
    activity
  • Increasingly viewed less as technically objective
    matters, more as arbitrary choices from among
    near-infinite alternatives
  • Increasingly perceived to favor particular
    nations, industries, identifiable groups or
    individual firms who participate most effectively
  • Increasingly have a behavioral component

10
Why Standards Impact CyberSecurity Duties
  • Stds Created CyberSpace
  • Consider html, ftp, http, xml, 802.11
  • Facilitates comparison, interoperability,
    competition
  • Attracts investment in compatible technologies,
    products & services
  • Standardization promises superior process design &
    best practice integration
  • Domain experts develop, rather than meddlers
  • Standards Reduce Risks of Variety:
    Incompatibility, Incompetence
  • Conformity Assessment Analyzes Non-Compliance
    Risk, Provides Feedback
  • Incentivizes Compliance & Improvement

11
Risks of Security Standardization
  • General Disadvantages of Standardization
  • Lock in old/obsolete technology
  • Resists favorable evolution or adaptation
  • Favors/disfavors particular groups
  • Voluntary Consensus is really a Sub-optimal
    Compromise that Dictates too much Design
  • However, Standardization Risks Stagnancy &
    Communicates Widespread Vulnerability (a flaw in the
    standard is shared by every conforming implementation)

12
Economic Analysis of Security
  • The Law & Economics Approach
  • legal theory applies the methods of economics to law:
    economic concepts explain the effects of
    law/regulation, assess efficient rules and
    predict which legal rules will/should be promulgated
  • Micro-Economics Fundamentals
  • Information Asymmetries
  • Market Failure & its Justification for
    alternative policies
  • Adverse Selection
  • Moral Hazard
  • Positive vs. Negative Externalities
  • Free Rider & Tragedy of the Commons
  • Game Theoretic Framework & Network Economics
    Approach
  • Critical Mass
  • Network Externality
  • Vulnerability Markets & Disclosure Incentive

13
Some Public Policies Pressing Security Duties
  • Privacy Law Requires CyberSecurity
  • G/L/B, SarBox (a/k/a SOX), FCPA
  • Internal Control
  • The Primary Federal Privacy Regulator: FTC
  • Enforcement Caselaw, deceptive trade practices
  • State Privacy & Info Security Laws
  • CA state Privacy Czar
  • Breach Notification, see Privacyrights.org
  • Mass., Nev. Comprehensive Regulations
  • Tort Liability for Privacy Violations
  • HIPAA, now HITECH PHI std
  • IA laws Impact Security Duties
  • Outsourcing (SAS 70)
  • Trade Secrecy (IP) & National Security
  • USA PATRIOT Act
  • FTC Privacy Enforcement & Common Law History
  • Red Flags (best/worst practices), Disposal Rule
  • Exposing then Stamping Out Deception

14
Example of Security Complexity: the Purported
IPAS Drivers
  • PSU Policies
  • FN07 - Credit Card Sales
  • AD11 - University Policy on Confidentiality of
    Student Records
  • AD19 - Use of Penn State Identifier and Social
    Security Number
  • AD20 - Computer and Network Security
  • AD22 - Health Insurance Portability and
    Accountability Act (HIPAA)
  • AD23 - Use of Institutional Data
  • Trusted Network Specifications
  • AD35 - University Archives and Records Management
  • AD53 - Privacy Statement
  • Public Policies
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Gramm-Leach-Bliley Act (G/L/B)
  • Family Educational Rights and Privacy Act (FERPA)
  • PA Breach of Personal Information Notification
    Act 73 P.S. 2301
  • PA Mental Health Law
  • 21 USC Ch. 16 - Drug Abuse Prevention, Treatment,
    Rehab

15
What is Federal Pre-Emption?
  • Only the most central institutional design
    feature in the whole American Experience
  • E.g., Reaction to English Crown, Articles of
    Confederation, Civil War, New Deal, Reagan's New
    Federalism
  • Fed. Law May Displace State Law
  • EX: FDA labeling overrides state products
    liability
  • Why would it be good to bar the states from
    regulating CyberSecurity?
  • Why would it be good to include states in
    regulating CyberSecurity?

16
S.773 & S.778
  • S.773 - Cyber Security Act of 2009
  • Sponsors
  • John Rockefeller (D, WV) & 3 Co-Sponsors:
  • Evan Bayh (D, IN)
  • Bill Nelson (D, FL)
  • Olympia Snowe (R, ME)
  • S.773 Bill Actions
  • 4.1.09 Introduced, Read twice
  • Referred to Commerce, Science & Transportation.
  • S.778
  • Companion to S.773
  • Creates White House Office of National
    Cybersecurity Advisor
  • Authority/Power from S.773 & later
    legislation/delegation

17
Some S.773 & S.778 Provisions
  • Raise CyberSecurity profile within Fed. Govt.
  • Streamline cyber-related govt functions &
    authorities
  • Establish Office of the National CyberSecurity
    Advisor
  • Develop CyberSecurity national strategy
  • Quadrennial Cybersecurity Review
  • modeled after the DoD Quadrennial Defense Review
  • to examine cyber strategy, budget, plans &
    policies
  • Require a threat & vulnerability assessment
  • Promote public awareness
  • Protect civil liberties
  • Require comprehensive legal review

18
More S.773 & S.778 Provisions
  • ISAC
  • pub-pvt clearinghouse for cyber threat &
    vulnerability info-sharing
  • CyberSecurity Advisory Panel
  • industry, academia, not-for-profit, advocacy
    organizations
  • review & advise President
  • Establish enforceable cybersecurity standards
  • NIST to create measurable, auditable
    CyberSecurity stds
  • Licensing & certification of CyberSecurity
    professionals
  • Establish & negotiate international norms
  • cybersecurity deterrence measures
  • Foster innovation and creativity in cybersecurity
  • Scholarship-For-Cyber-Service program
  • NSF & Increase federal cybersecurity R&D
  • Develop CyberSecurity risk evaluation framework

19
Probability of S.773 Passage
  • Much proposed legislation is arguably political
    grandstanding, with scant probability of success
  • Passage of any proposed legislation is uncertain
  • Predictions based on heuristics of domain experts
  • Few sectors reactive, most pro-active
  • Limits of empirical approaches to prediction
  • See Resume of Congressional Activity
  • http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm
  • 110th Cong. 1st Sess. (Jan. 4 - Dec. 31, 2007): 138
    enacted / 9227 introduced = 1.5% yield
  • 110th Cong. 2nd Sess. (Jan. 3, 2008 - Jan. 2,
    2009): 278 enacted / 4815 introduced = 5.8% yield

20
Security Risk Analysis is Sectoral
  • Risk Analysis Differs by Domain
  • Just like U.S. Privacy Law, but not EU Privacy
    Law
  • Major Differences: Physical vs. Intangible
    Security
  • Most domains blend tangible w/ information
  • Many Key Domains Track Critical Infrastructures
    as defined in USA PATRIOT's CIPA 1016(e):
  • "systems and assets, whether physical or
    virtual, so vital to the U.S. that the incapacity
    or destruction of such systems and assets would
    have a debilitating impact on security, national
    economic security, national public health or
    safety, or any combination of those matters."
  • telecommunications; electrical power systems; gas &
    oil storage & transportation; banking &
    finance; transportation; water supply systems;
    emergency services (e.g., medical, police, fire,
    rescue); govt. continuity; CyberSpace
  • Calls for National Effort to Enhance Modeling &
    Analytical Capacities
  • appropriate mechanisms to ensure the stability
    of complex interdependent systems, incl.
    continuous viability & adequate protection of
    critical infrastructures
  • What is Shared Among these Vastly Different
    Sectors?

21
Law Permits/Regulates Risk Analytics
  • Quantitative
  • Statistical
  • Actuarial
  • Mortality & Morbidity
  • Admissibility of Forensic Quality Expertise
  • Decision Analysis
  • Failure Analysis
  • Qualitative
  • Heuristic
  • Visualization
  • Interdependence
  • Risk Assessment Education
  • Demographics
  • Risk Recognition
  • Emotion

22
Epilogue
  • There is far more here than meets the eye!
  • A website devoted to the developing public policy
    of cyber security professionalism
  • http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/
  • This IS interdisciplinary!
  • Good luck w/o interdisciplinarity

23
Financial Info Security Risks: SEC
  • Financial Institutions w/in SEC Juris. Must:
  • Adopt written policies & procedures, reasonably
    designed to:
  • Insure security & confidentiality of customer
    records
  • Protect against anticipated threats or hazards
  • Protect against unauthorized access or use that
    could result in substantial harm or inconvenience
  • Disposal Rule
  • must properly dispose of PII using reasonable
    measures to protect against unauthorized access
    to or use of PII

24
Controls over Internal Risks
  • COSO's Definition of Internal Control:
  • "a process, effected by an entity's board of
    directors, management and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives in these
    categories:
  • effectiveness and efficiency of operations
  • reliability of financial reporting and
  • compliance with applicable laws and regulations."
  • Components of Internal Control are:
  • - Control Environment
  • - Risk Assessment
  • - Control Activities
  • - Information & Communication
  • - Monitoring

25
GLB Safeguards Rule
  • Financial institutions must design, implement and
    maintain safeguards
  • Purpose: to protect private info
  • Must implement a written information security
    program
  • appropriate to the company's size & complexity,
    nature & scope of activities, sensitivity of
    customer data
  • Security program must also:
  • assign one or more employees to oversee the program
  • conduct a risk assessment
  • put safeguards in place to control risks
    identified in the assessment, then regularly test &
    monitor them
  • require service providers, by written contract,
    to protect customers' personal information
  • periodically update the security program

26
Admitting then Analyzing Outsourcing Risks
  • Not Outsourcing Risks Internal Failure
  • Interdependency Reduces (Some) Risks of Conflict
  • Outsourcing Sacrifices Monitoring, Risking Injury
    from Diminished Control
  • Slipshod Rush to Outsource for Savings
  • Cross-Cultural Ignorance Obscures Outsourcing
    Vulnerabilities
  • SAS 70 Requires Outsourcing Risk Analysis/Mgt
  • SLC Negotiation: Opportunities to Reduce Risk

27
NIST Risk Mgt Method
  • Asset Valuation
  • Information, software, personnel, hardware,
    physical assets
  • Intrinsic value & the near-term impacts &
    long-term consequences of its compromise
  • Consequence Assessment
  • Degree of harm or consequence that could occur
  • Threat Identification
  • Typical threats are error, fraud, disgruntled
    employees, fires, water damage, hackers, viruses

28
NIST Risk Mgt Method
  • Vulnerability Analysis
  • Safeguard Analysis
  • Any action that reduces an entity's vulnerability
    to a threat
  • Includes the examination of existing security
    measures & the identification of new safeguards
  • Risk Management Requires Risk Analysis
  • Analyzed in terms of missing safeguards: "The
    Process of Identifying, Controlling and
    Minimizing the Impact of Uncertain Events"
    (NIST, 1995 at 59)

Source: NIST Handbook
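The five steps on slides 27 and 28 (asset valuation, consequence assessment, threat identification, vulnerability analysis, safeguard analysis) can be walked through on a small risk register so that the output is, as the slide puts it, the risk "analyzed in terms of missing safeguards". The Python below is an added example written for this page, not NIST's handbook code or the lecturer's material. The scoring rule (likelihood x severity x asset valuation), the annual-probability scale and every asset, threat and safeguard value are assumptions constructed for illustration.

```python
# Added example: a risk register walked through the NIST-handbook steps named
# on the slides. Scoring rule and all sample data are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # information, software, personnel, hardware, physical
    intrinsic_value: float   # what the asset is worth in itself (assumed units)
    near_term_impact: float  # near-term impact of its compromise
    long_term_impact: float  # long-term consequences of its compromise

    def valuation(self) -> float:
        """Asset valuation: intrinsic value plus the impacts of compromise."""
        return self.intrinsic_value + self.near_term_impact + self.long_term_impact


@dataclass(frozen=True)
class Vulnerability:
    tag: str
    asset: str               # name of the Asset it weakens
    severity: float          # consequence assessment: fraction of asset value lost (0..1)
    closed_by: frozenset     # safeguards, any one of which removes the vulnerability


@dataclass(frozen=True)
class Threat:
    name: str                # error, fraud, disgruntled employees, fire, hackers, ...
    likelihood: float        # assumed annual probability (0..1)
    exploits: frozenset      # vulnerability tags the threat can act through


def open_vulnerabilities(vulns, safeguards_in_place):
    """Safeguard analysis: a vulnerability stays open unless one of the
    safeguards that would close it already exists."""
    return [v for v in vulns if not (v.closed_by & safeguards_in_place)]


def risk_pairs(assets, vulns, threats, safeguards_in_place):
    """Vulnerability analysis: pair every threat with each open vulnerability
    it exploits and score the pair as likelihood x severity x valuation."""
    by_name = {a.name: a for a in assets}
    pairs = []
    for v in open_vulnerabilities(vulns, safeguards_in_place):
        for t in threats:
            if v.tag in t.exploits:
                score = t.likelihood * v.severity * by_name[v.asset].valuation()
                pairs.append((t.name, v.tag, score))
    return pairs


def missing_safeguards(assets, vulns, threats, safeguards_in_place):
    """Risk analyzed in terms of missing safeguards: for each safeguard not in
    place, the scored risk it would remove, highest first."""
    vuln_by_tag = {v.tag: v for v in vulns}
    reduction = defaultdict(float)
    for _, tag, score in risk_pairs(assets, vulns, threats, safeguards_in_place):
        for s in vuln_by_tag[tag].closed_by:
            reduction[s] += score
    return sorted(reduction.items(), key=lambda kv: kv[1], reverse=True)


def total_exposure(assets, vulns, threats, safeguards_in_place):
    """Sum of all open threat/vulnerability pair scores."""
    return sum(s for _, _, s in risk_pairs(assets, vulns, threats, safeguards_in_place))


# Constructed sample register; none of these figures come from the slides.
ASSETS = [
    Asset("customer_db", "information", 50_000, 100_000, 150_000),
    Asset("web_server", "hardware", 5_000, 20_000, 5_000),
]
VULNERABILITIES = [
    Vulnerability("unpatched-web-app", "web_server", 0.5, frozenset({"patch-management"})),
    Vulnerability("no-db-encryption", "customer_db", 0.8, frozenset({"encryption-at-rest"})),
    Vulnerability("weak-passwords", "customer_db", 0.6, frozenset({"password-policy", "mfa"})),
    Vulnerability("no-offsite-backup", "customer_db", 0.4, frozenset({"offsite-backup"})),
]
THREATS = [
    Threat("hackers", 0.3, frozenset({"unpatched-web-app", "weak-passwords"})),
    Threat("disgruntled employees", 0.1, frozenset({"weak-passwords", "no-db-encryption"})),
    Threat("fire", 0.02, frozenset({"no-offsite-backup"})),
    Threat("error", 0.2, frozenset({"no-offsite-backup"})),
]
SAFEGUARDS_IN_PLACE = frozenset({"mfa", "patch-management"})

if __name__ == "__main__":
    for threat, tag, score in risk_pairs(ASSETS, VULNERABILITIES, THREATS, SAFEGUARDS_IN_PLACE):
        print(f"open: {threat:22s} via {tag:18s} risk={score:,.0f}")
    for safeguard, reduction in missing_safeguards(ASSETS, VULNERABILITIES, THREATS, SAFEGUARDS_IN_PLACE):
        print(f"missing safeguard {safeguard:18s} would remove {reduction:,.0f}")
```

With the constructed register, the two vulnerabilities already covered by MFA and patch management drop out, and the ranking shows offsite backup ahead of encryption at rest because two threats (error and fire) act through the same missing safeguard. Adding a candidate safeguard to `SAFEGUARDS_IN_PLACE` and re-running is the "identification of new safeguards" step in the slide's own terms.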
29
Roles of Law/Reg/Policy in Risk Analysis & Risk
Management
  • Law Resolves Disputes, Shifts Risk of Loss
  • Risk Analysis Failure Shifts Liability Risks to
    Creator
  • Actual Injuries Trigger Disputes over Risk Duties
  • Law Defines Risks & Duties of Care
  • Crimes, Torts, Contracts, Standards,
    Determination of Injury
  • Law Dis-Incentivizes Risky Deeds (DDtDDC)
  • Law Defines Risk Management Duties
  • Law Compensates Injuries Derived from
  • Law Defines/Constrains Damage Computation
  • Law Encourages Risk Mgt
  • Law Defines Risk Mgt Professionalism
  • Law Enforces Risk Shifting Contracts
  • Law Requires Risk Analysis & Impacts Methods
  • But Law may Disincentivize Introspection w/o
    Self-Eval Privilege
  • Law Regulates Risk Management Industry
  • Law Enforces Risk Mgt Professions' Arrangements