DOCSLIB.ORG

Building a Defensible Cyberspace

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Building a Defensible Cyberspace Building a Defensible Cyberspace NEW YORK CYBER TASK FORCE Contents Forward 1 Members of the New York Cyber Task Force 3 Executive Summary 4 Introduction: The Upside and Downside Risks of Cyberspace 6 Factors that have Undermined Cyber Defense 8 Past Innovations to Make Cyberspace Defensible 10 Toward a More Defensible Cyberspace 12 Leverage: The Key to Success 13 From Essential to Albatross 14 The Lessons of Leverage 18 Curveballs 21 Future Innovations to Make Cyberspace Defensible 22 Future Research 28 Conclusion 29 End Notes 31 A more defensible cyberspace is possible, but only through leverage: innovations that give defenders the most advantage at the greatest scale at least cost. Building a Defensible Cyberspace: Report of the NY Cyber Task Force Foreword Providing satisfactory security controls in a computer system is in itself a system design problem. A combination of hardware, software, communications, physical, personnel, and administrative-procedural safeguards is required for comprehensive security. In particular, software safeguards are not sufficient. “ Security Controls for Computer Systems: Report of the Defense Science Board on Computer Systems” (aka, The Ware Report)1 For decades, cybersecurity professionals have been During the course of dozens of meetings over 2 years, treading water, putting in never-ending effort but we carefully examined ways to make cyberspace more rarely making progress. The quote above would not defensible, focusing on four core questions: seem obsolete if it appeared today on a slide in a ven- • Why hasn’t cyberspace been defensible? dor presentation or at a computer security confer- • What innovations in technology, operations, and ence, yet the report it was taken from was published in 1970. policy have made the biggest difference on the Nearly five decades have passed, yet the problems largest scale and at the least cost? remain the same. It is time for defenders to change their approach. • What common factors contributed to the success of these innovations? The New York Cyber Task Force was formed in the Fall of 2015 to try to break this stalemate. Our conclu- • Based on these past successes, what new innova- sion is that defense is possible, but only if we identify tions deserve attention and investment? and prioritize the right innovations. This report presents our consensus on ways to make In keeping with the recommendations of the Ware cyberspace more defensible without sacrificing what Report, the task force was compromised of ~30 experts makes it essential to our national economies and per- with varied backgrounds in cybersecurity, including sonal lives. We coalesced around a concept that can be many members from New York City, who contributed expressed in a single word: leverage. a distinct, practical, in the trenches perspective. As the The most successful innovations have been those that nation’s political capital, Washington, DC can sink into were leveraged, they operate on an internet-wide scale pessimism over cyber threats, the “new domain of war- and impose the highest costs (roughly measured in fare”; Silicon Valley, the global technological capital, both dollars and effort) on attackers with the least cost sometimes falls victim to its own unbounded optimism. to defenders. For New Yorkers, balancing threats with opportunities Leverage is not the same as increased cybersecurity is as natural as crossing the street. New York is one of return on investment, as understood by business exec- the global cities; participants want the best for Amer- utives; nor does it simply increase costs to attackers, ica but understand these interconnected and complex a strategy commonly employed by military and law problems require global solutions. Building a Defensible Cyberspace: Report of the NY Cyber Task Force | 1 enforcement. Rather, it facilitates broader thinking to as many other practitioners and academics who pro- maximize the impact of these and similar strategies, at vided valuable input. Our special thanks to Jason Internet scale, for the least cost to the defender. Healey, the author of this report, for playing a lead Some of our colleagues have given up on defense in role in conceptualizing and organizing this effort. favor of more counter-offensive attacks to disrupt the Not all members fully concurred with every finding in operations of our adversaries. Others place their faith this document, but a broad consensus emerged on the in some kind of cyber deterrence. Such tactics have goal of making cyberspace more defensible, the impor- a role when they provide leverage, but they are only tance of leveraging innovations to achieve that goal, part of the solution. At the core of our recommenda- and that “to do nothing” is not an option. tions are the many new innovations across technology, The views represented and attributed herein are those operations, and policy that will give defenders far more of the participants and do not represent the policies or advantages than we have today. opinions of the organizations to which they are cur- Many in the field have called for a “moonshot” or even rently, or were previously, affiliated. a “cyber Manhattan Project,” a massive surge of effort Many others helped us along this journey, including our to improve cybersecurity before it is too late. Perhaps colleagues at Harvard University’s Belfer Center for that is indeed needed, but it should not detract from Science and International Affairs, Stanford University’s the incredible progress that can be made with the Center for International Security and Cooperation, patient application of those innovations that provide McKinsey and Company, PricewaterhouseCoopers, the most leverage. Barclays, Baker McKenzie, participants of the Black Our task force includes leading cybersecurity executives, Hat and New York State Cyber Security Conferences, world-recognized technologists, former White House the Cyber Green Initiative, Spencer Francus of JP and government officials, and renowned academics. Morgan Chase for his assistance with graphic design, Some of our recommendations are directed at com- and several SIPA students, including Christian van de panies dependent on cyberspace. Others are aimed at Werken, Joyce Dong, Alex James, Claudia Shrivastava, policymakers, at technology executives developing the and Christine Taylor. next generation of standards and IT tools, or at aca- To these and others, we give our thanks and the demics and think-tank experts. We believe that together, reminder that defense is possible. We hope that our we can establish a more defensible cyberspace. conclusions in this report contribute to the ongoing We give our thanks as co-chairs to the members of essential dialogue regarding how we further enhance the task force, who gave their time and ideas, as well the security of cyberspace, the world depends on it. Merit E. Janow Gregory Rattray Phil Venables 2 | SIPA: School of International and Public Affairs Members of the New York Cyber Task Force Dmitri Alperovitch, CrowdStrike Marcus H Sachs, NERC Angela McKay, Microsoft Yurie Ito, Cyber Green Initiative Edward G Amoroso, TAG Cyber Karl Schimmeck, Morgan Stanley Jeff Moss, DEF CON and Black Hat Merit E Janow,† Columbia University Steven M Bellovin, Columbia University Adam Segal, Council on Foreign Relations Derek O’Halloran, World Economic Forum James Kaplan, McKinsey John W Carlson, FS-ISAC Timothy Strabbing, Viola Foundation Gary Owen, Time Warner Elena Kvochko, Barclays Gordon M Goldstein, Silver Lake Phil Venables,† Goldman Sachs Neal Pollard, PricewaterhouseCoopers Arthur M Langer, Columbia University Royal Hansen, American Express Matthew Waxman, Columbia University Gregory Rattray,† JPMorgan Chase David C Lashway, Baker McKenzie Jason Healey ,* Columbia University John Yetter, NASDAQ Katheryn E Rosen, Atlantic Council Aaron K Martin, JPMorgan Chase Melody Hildebrandt, 21st Century Fox Larry Zelvin, Citigroup * Task Force Executive Director † Task Force Co-Chairs Building a Defensible Cyberspace: Report of the NY Cyber Task Force | 3 Executive Summary In a little over 20 years, the percent of the global Our task force started by asking, “what technological, population with access to the Internet (and the larger operational, and policy innovations have had the great- cyberspace of connected devices and information, terms est impact in thwarting attackers?” We found that the this report will use interchangeably) has gone from less highest-impact innovations shared two key traits: than one to about 40, over 3.595 billion people.2 In • Defense advantage: Any innovation by defend- the United States alone, the Internet sector makes up ers must impose far greater costs on attackers. an estimated six percent of GDP; the “mobile internet A “dollar of defense” (or hour or other measure and app services” subsector alone has a “contribution of input) should yield not merely a “dollar of to the US GDP [of] approximately 3.11%, putting attack,” but should force attackers to spend con- it at approximately the same size as the Automotive siderably more to defeat it. industry.”3 Yet, as the reach and benefits of the Inter- net have increased, so too have the economic costs. • Hyperscale: The innovation must easily, even A 2015 study indicated that cybersecurity costs were automatically, work across enterprises or cyber- likely to rise above $1.2 trillion by 2030 costing a total space as a whole. of roughly $20 trillion over those 15 years.4 The task force members and the colleagues we inter- The costs are high because
Load more

Recommended publications
  • Group Project
    Awareness & Prevention of Black Hat Hackers Mohamed Islam & Yves Francois IASP 470 History on Hacking • Was born in MIT’s Tech Model Railway Club in 1960 • Were considered computer wizards who had a passion for exploring electronic systems • Would examine electronic systems to familiarize themselves with the weaknesses of the system • Had strict ethical codes • As computers became more accessible hackers were replaced with more youthful that did not share the same ethical high ground. Types of Hackers • Script Kiddie: Uses existing computer scripts or code to hack into computers usually lacking the expertise to write their own. Common script kiddie attack is DoSing or DDoSing. • White Hat: person who hacks into a computer network to test or evaluate its security system. They are also known as ethical hackers usually with a college degree in IT security. • Black Hat: Person who hacks into a computer network with malicious or criminal intent. • Grey Hat: This person falls between white and black hat hackers. This is a security expert who may sometimes violate laws or typical ethical standards but does not have the malicious intent associated with a black hat hacker. • Green Hat: Person who is new to the hacking world but is passionate about the craft and works vigorously to excel at it to become a full-blown hacker • Red Hat: Security experts that have a similar agenda to white hat hackers which is stopping black hat hackers. Instead of reporting a malicious attack like a white hat hacker would do they would and believe that they can and will take down the perpretrator.
    [Show full text]
  • Strategic Latency: Red, White, and Blue Managing the National and International Security Consequences of Disruptive Technologies Zachary S
    Strategic Latency: Red, White, and Blue Managing the National and International Security Consequences of Disruptive Technologies Zachary S. Davis and Michael Nacht, editors Center for Global Security Research Lawrence Livermore National Laboratory February 2018 Disclaimer: This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes. LLNL-BOOK-746803 Strategic Latency: Red, White, and Blue: Managing the National and International Security Consequences of Disruptive Technologies Zachary S. Davis and Michael Nacht, editors Center for Global Security Research Lawrence Livermore National Laboratory February
    [Show full text]
  • Defending an Open, Global, Secure, and Resilient Internet
    Spine Should Adjust depending on page count Defending an Open,Defending Global, Secure, and Resilient Internet The Council on Foreign Relations sponsors Independent Task Forces to assess issues of current and critical importance to U.S. foreign policy and provide policymakers with concrete judgments and recommendations. Diverse in backgrounds and perspectives, Task Force members aim to reach a meaningful consensus on policy through private and nonpartisan deliberations. Once launched, Task Forces are independent of CFR and solely responsible for the content of their reports. Task Force members are asked to join a consensus signifying that they endorse “the general policy thrust and judgments reached by the group, though not necessarily every finding and recommendation.” Each Task Force member also has the option of putting forward an additional or a dissenting view. Members’ affiliations are listed for identification purposes only and do not imply institutional endorsement. Task Force observers participate in discussions, but are not asked to join the consensus. Task Force Members Elana Berkowitz Craig James Mundie McKinsey & Company, Inc. Microsoft Corporation Bob Boorstin John D. Negroponte Google, Inc. McLarty Associates Jeff A. Brueggeman Joseph S. Nye Jr. AT&T Harvard University Peter Matthews Cleveland Samuel J. Palmisano Intel Corporation IBM Corporation Esther Dyson Neal A. Pollard EDventure Holdings, Inc. PricewaterhouseCoopers LLP Martha Finnemore Elliot J. Schrage George Washington University Facebook Patrick Gorman Adam Segal Bank of America Council on Foreign Relations Independent Task Force Report No. 70 Michael V. Hayden Anne-Marie Slaughter Chertoff Group Princeton University Eugene J. Huang James B. Steinberg John D. Negroponte and Samuel J.
    [Show full text]
  • Annual Report and Accounts 2019
    Annual Report and Accounts 2019 Richemont is one of the world’s leading luxury goods groups. The Group’s luxury goods interests encompass some of the most prestigious names in the industry, including Cartier, Van Cleef & Arpels, Piaget, Vacheron Constantin, Jaeger-LeCoultre, IWC and Montblanc. Each of Our Maisons™ represents a proud tradition of style, quality and craftsmanship which Richemont is committed to preserving. 1 Financial and operating highlights 37 Peace Parks Foundation 2 Chairman’s review 38 Laureus 4 Business review 39 Michelangelo Foundation 4 Jewellery Maisons 5 Cartier 40 Board of Directors 6 Van Cleef & Arpels 7 Specialist Watchmakers 45 Corporate governance 8 A. Lange & Söhne 9 Baume & Mercier 10 IWC Schaffhausen 54 Compensation report 11 Jaeger-LeCoultre 12 Officine Panerai 67 Consolidated financial statements 13 Piaget 14 Roger Dubuis 15 Vacheron Constantin 138 Company financial statements 16 Online Distributors 17 Watchfinder 147 Five year record 18 YOOX NET-A-PORTER 19 Other 149 Statutory information 20 Alaïa 21 Chloé 150 Notice of meeting 22 Dunhill 23 Montblanc 24 Peter Millar 25 Purdey 26 Regional & Central Functions 29 Financial review 35 Corporate social responsibility Cautionary statement regarding forward-looking statements This document contains forward-looking statements as that term is defined in the United States Private Securities Litigation Reform Act of 1995. Words such as ‘may’, ‘should’, ‘estimate’, ‘project’, ‘plan’, ‘believe’, ‘expect’, ‘anticipate’, ‘intend’, ‘potential’, ‘goal’, ‘strategy’, ‘target’, ‘will’, ‘seek’ and similar expressions may identify forward-looking statements. Such forward-looking statements are not guarantees of future performance. Actual results may differ materially from the forward-looking statements as a result of a number of risks and uncertainties, many of which are outside the Group’s control.
    [Show full text]
  • A Nonstate Strategy for Saving Cyberspace
    A Nonstate Strategy for Saving Cyberspace Jason Healey Foreword by Jeff Moss A Nonstate Strategy for Saving Cyberspace Atlantic Council Strategy Paper No. 8 © 2017 The Atlantic Council of the United States. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means without permission in writing from the Atlantic Council, except in the case of brief quotations in news articles, critical articles, or reviews. Please direct inquiries to: Atlantic Council 1030 15th Street, NW, 12th Floor Washington, DC 20005 ISBN: 978-1-61977-445-2 Cover art credit: Museum of Fine Arts of Rennes. Paysans surpris par un orage (Peasants Surprised by a Storm) by Francesco Giuseppe Casanova, ca. 1770. This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors are solely responsible for its analysis and recommendations. The Atlantic Council, its partners, and funders do not determine, nor do they necessarily endorse or advocate for, any of this report’s particular conclusions. January 2017 Atlantic Council Strategy Papers Editorial Board Executive Editors Mr. Frederick Kempe Dr. Alexander V. Mirtchev Editor-in-Chief Mr. Barry Pavel Managing Editor Dr. Daniel Chiu Table of Contents Foreword ............................................................................ i Executive Summary ..........................................................1 Everything Depends on the Internet…but the Internet is Threatened ....................................................................7
    [Show full text]
  • Media Kit Serves As Your Guide for Using the Black Hat Briefings to Reach a Highly Targeted and Influential Market
    Black Hat THE DAWNING OF AN INDUSTRY Black Hat Briefings Black Hat Training Since the Black Hat Briefings was first introduced in 1997, Black Hat Windows Security it has quickly become the premiere event and indispensable resource for the computer security industry. This media kit serves as your guide for using the Black Hat Briefings to reach a highly targeted and influential market. On the following pages, you will find information about the Black Hat Briefings: mission: How and why the Black Hat Briefings serves the computer security arena leaders: The knowledgeable and experienced people who have made the Black Hat Briefings possible coverage: Topics that have been covered in past Black Hat Briefings Conferences supporters: The industry leaders who support the Black Hat Briefings calendar: Schedule of Black Hat events contacts: The people who can help you make the most of your participation at the Black Hat Briefings 2606 Second Avenue, No 406 • Seattle WA 98121 • v +1 206 790 3628 • f +1 866 899 6225 www.blackhat.com Black Hat THE MISSION Black Hat Briefings Black Hat Training Black Hat Briefings was originally founded in 1997 by Jeff Moss to fill the need of Black Hat Windows Security computer security professionals to better understand the security risks to their computers and information infrastructures by potential threats. To do this, the Black Hat Briefings assembles a group of vendor neutral security professionals and let them speak candidly about the problems businesses face, and the solutions they see to those problems. No gimmicks, no sales pitches, just straight talk by people who make it their business to explore the ever changing security space.
    [Show full text]
  • ICT Risk Reduction Subcommittee Report
    HOMELAND SECURITY ADVISORY COUNCIL Final Report: Information Communications and Technology Risk Reduction Subcommittee NOVEMBER 2020 1 | Page This page is intentionally left blank. 2 | Page On behalf of the Homeland Security Advisory Council, Information and Communications Risk Reduction Subcommittee, Robert Rose, Chair, and Steve Adegbite, Vice Chair, present this final report and recommendations to the Acting Secretary of the Department of Homeland Security, Chad Wolf. <SIGNATURE OBTAINED FOR PDF COPY> Robert Rose (Chair) Steve Adegbite (Vice Chair) Founder and President Former CSO, Cotiviti Corporation Robert N. Rose Consulting LLC 3 | Page This page is intentionally left blank. 4 | Page Subcommittee on Information Communications and Technology Risk Reduction Robert Rose (Chair) Founder and President, Robert N. Rose Consulting LLC Steve Adegbite (Vice Chair) Former Chief Security Officer, Cotiviti Corporation Keith Alexander Founder and CEO, IronNet Cybersecurity Jeff Moss Founder of Black Hat and DEF CON Conferences Paul Stockton Managing Director, Sonecon LLC Homeland Security Advisory Council Staff Mike Miron Acting Executive Director, Homeland Security Advisory Council Evan Hughes Associate Director, Homeland Security Advisory Council Garret Conover Director, Homeland Security Advisory Council Colleen Silva Analyst, Homeland Security Advisory Council Additional Contributors Anjana Rajan Technology Policy Fellow, The Aspen Institute Katharine Petrich Research Fellow, Research on International Policy Implementation Lab, American
    [Show full text]