Cyber Security Professionalism

- Cyber Security Becomes a Profession
- Navigating U.S. Sectoral Security
- S.773 - the Current Impetus
- Is “CyberSecurity” a Profession?
- What About “Risk Analysis?”


Are these Trick/Gotcha Questions?

- Maybe
- Why…What is the Dilemma?
   Long tradition of fields, disciplines, callings actively seek legitimacy of professional status
   Vs.
   Once you’re a Professional, Public Expectations Hold your Feet to the Fire
- What is the Role of S.773 & S.778 in CyberSecurity Professionalism?

What is a Profession?

- Traditionally only 3 professions: Divinity, Medicine, Law
- Persons/firms who supply specialized knowledge (subject, field, science) to fee-paying clients
   Also the body of qualified professional persons
   Derived from Latin professiō - to swear (an oath), avowal, public declaration
   Professional (adj) - behaves properly, not amateurish
   The oath dictates ethical standards, usually including confidentiality, truthfulness, expertise, all for client’s benefit; also upholding profession’s good name
- EX: Architects, Accountants, Actuaries, Chiropractors, Clergy, Dentists, Engineers, Lawyers, Librarians, Nurses, Occupational/Physical Therapists, Pharmacists, Physicians, Professors/Teachers, Psychiatrists, Veterinarians
   (Cyber-)Security “Professionals” too?!?

Milestones towards Profession

- Full-Time Occupation
- Training & University Instruction
- Accreditation of Instruction & Qualifications
- Associations: local, national, int’l
- Codes of Conduct (govt & self-)
   ethics, professional responsibility, self-discipline
- Law/Regulation Compels Professional Status
   Licensure, Certification

Characteristics of Most Professions

- Skill based on theoretical knowledge
- Professional associations
- Extensive period of education
- Testing of competence
- Institutional training (apprenticeship)
- Licensure/Certification
- Work autonomy
- Code of professional conduct or ethics
- Self-regulation
- Self-Discipline
- Public service and altruism (pro bono)
- Exclusion, monopoly & legal recognition
- Fee & advertising control
- High status & rewards
- Individual clients vs. In-House single client
- Legitimacy, legal authority over some activities
- Body of Knowledge Inaccessible to Laity
- Professional interpretation required for body of knowledge
- Professional Mobility

Is CNSSI a Professional Program?

- Ostensibly, but is it persistent?!?
- CNSS standards for training & education were embraced by 169 U.S. institutions
   Provides baseline for cadre of IA professionals
- Educational Standards for IA professionals
   NSTISSI 4011 - Information Systems Security (INFOSEC) Professionals
   CNSSI 4012 - Senior Systems Managers
   CNSSI 4013 - System Administrators
   CNSSI 4014 - Information Systems Security Officers
   NSTISSI 4015 - System Certifiers
   CNSSI 4016 - Risk Analyst

IT Governance Drives Professionalism

- “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”
- “the leadership and organizational structures and processes that ensure that [IT serves strategic objectives].”
- Corporate governance constraints; impact of law, regulators, security & privacy standards; SOX
- Implemented through:
   technology transfer agreements
   private contracts
   employment restrictions
   IP constraints
   eCommerce commercial practice

Standardization of Security Duties

- ISO 17799 (predecessor: BS7799) & Progeny: now replaced by ISO/IEC 27000 series
   ISO 27001 Info. Security Mgt.
   ISO 27002 Best Practices
- ISO 15408 Common Criteria: Computer Security
- PCI DSS payment card security
- COBIT (ISACA: Info. Sys. Audit & Control Assn)
- ITIL IT Infrastructure Library: IT Service Mgt
- NIST’s Fed. Info. Processing Stds
- Fair Information Practice Principles (FIPP): (1) Notice, (2) Choice, (3) Participation, (4) Security, (5) Redress

Why are Standards Important?

- Stds are emerging from obscurity
- More widely understood to impact most economic activity
- Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives
- Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
- Increasingly have behavioral component

Why Standards Impact CyberSecurity Duties

- Stds Created CyberSpace:
   Facilitates comparison, interoperability, competition
   Attracts investment in compatible technologies, products & services
   Standardization promises superior process design & best practice integration
   Domain experts develop rather than meddlers
- Standards Reduce Risks of Variety
   Consider: html, ftp, http, xml, 802.11
   Incompatibility, Incompetence
- Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback
   Incentivizes Compliance & Improvement

Risks of Security Standardization

- General Disadvantages of Standardization
   Lock in old/obsolete technology
   Resists favorable evolution or adaptation
   Favors/disfavors particular groups
- Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design
- However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

Economic Analysis of Security

- The Law & Economics Approach: legal theory applies methods of economics to law; economic concepts explain effects of law/regulation; assesses efficient rules; predicts legal rules will/should be promulgated
- Micro-Economics Fundamentals
  1. Information Asymmetries
  2. Market Failure & its Justification for alternative policies
  3. Adverse Selection
  4. Moral Hazard
  5. Positive vs. Negative Externalities
  6. Free Rider & Tragedy of the Commons
- Game Theoretic Framework & Network Economics Approach
  1. Critical Mass
  2. Network Externality
  3. Vulnerability Markets & Disclosure Incentive

Some Public Policies Pressing Security Duties

- Privacy Law Requires CyberSecurity
   G/L/B, SourBox (a/k/a SOX), FCPA
- The Primary Federal Privacy Regulator: FTC
   CA state Privacy Czar
   Breach Notification, see: Privacyrights.org
   Mass, Nev. Comprehensive Regulations
   Tort Liability for Privacy Violations
   HIPAA now HITECH PHI std
- IA laws Impact Security Duties
   Outsourcing (SAS70)
   Trade Secrecy (IP) & National Security
   Enforcement Caselaw, deceptive trade practices
   State Privacy & Info Security Laws
   Internal Control
   USA PATRIOT Act
- FTC Privacy Enforcement Common Law History
   Red Flags (best/worst practices), Disposal Rule, Exposing then Stamping Out Deception

Example of Security Complexity: the Purported IPAS Drivers

- PSU “Policies”
   FN07, Credit Card Sales
   AD11 - University Policy on Confidentiality of Student Records
   AD19 - Use of Penn State Identifier and Social Security Number
   AD20, Computer and Network Security
   AD22 - Health Insurance Portability and Accountability Act (HIPAA)
   AD23, Use of Institutional Data
   Trusted Network Specifications
   AD35, University Archives and Records Management
   AD53 - Privacy Statement
- Public Policies
   Health Insurance Portability and Accountability Act (HIPAA)
   Gramm-Leach-Bliley Act (G/L/B)
   Family Educational Rights and Privacy Act (FERPA)
   PA Breach of Personal Information Notification Act 73 P.S. § 2301
   PA Mental Health Law
   21 USC Ch. 16 - Drug Abuse Prevention, Treatment, & Rehab

What is Federal Pre-Emption?

- Only the most central institutional design feature in the whole “American Experience”
   E.g., Reaction to English Crown, Articles of Confederation, Civil War, New Deal, Reagan’s New Federalism
- Fed. Law May Displace State Law
   EX: FDA labeling overrides state products liability
- Why would it be good to bar the states from regulating CyberSecurity?
- Why would it be good to include states in regulating CyberSecurity?

S.773 & S.778

- S.773 = Cyber Security Act of 2009
   Sponsors: John Rockefeller [D, WV] + 3 Co-Sponsors
    Evan Bayh [D, IN]
    Bill Nelson [D, FL]
    Olympia Snowe [R, ME]
- S.773 Bill Actions
   4.1.09: Introduced & Read twice
   Referred to Commerce, Science & Transportation.
- S.778
   Companion to S.773
   Creates White House Office of National Cybersecurity Advisor
   Authority/Power: from S.773 & later legislation/delegation

Some S.773 & S.778 Provisions

- Raise CyberSecurity profile within Fed. Govt.
- Streamline cyber-related govt functions & authorities
- Establish: Office of the National CyberSecurity Advisor
- Develop CyberSecurity national strategy
- Quadrennial Cybersecurity Review
   modeled after the DoD Quadrennial Defense Review
   to examine cyber strategy, budget, plans & policies
- Require a threat & vulnerability assessment
- Promote public awareness
- Protect civil liberties
- Require comprehensive legal review

More S.773 & S.778 Provisions

- ISAC:
   pub-pvt clearinghouse for cyber threat & vulnerability info-sharing
- CyberSecurity Advisory Panel
   industry, academia, not-for-profit, advocacy organizations
   review & advise President
- Establish enforceable cybersecurity standards
   NIST to create measurable, auditable CyberSecurity stds
- Licensing & certification of CyberSecurity professionals
- Establish & negotiate international norms
   cybersecurity deterrence measures
- Foster innovation and creativity in cybersecurity
- Scholarship-For-Cyber-Service program
- NSF: Increase federal cybersecurity R&D
- Develop CyberSecurity risk evaluation framework

Probability of S.773 Passage

- Much proposed legislation is arguably political grandstanding, with scant probability of success
- Passage of any proposed legislation is uncertain
- Predictions based on heuristics of domain experts
   Few sectors reactive, most pro-active
- Limits of empirical approaches to prediction
- See: “Resume of Congressional Activity:” http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm
   110th Cong. 1st Sess. (Jan. 4-Dec. 31, 2007): 138 enacted/9227 introduced = 1.5% yield
   110th Cong. 2nd Sess. (Jan. 3, 2008 – Jan. 2, 2009): 278 enacted/4815 introduced = 5.8% yield

Security Risk Analysis is Sectoral

- Risk Analysis Differs by Domain
   Just like U.S. Privacy Law, but not EU Privacy Law
   Major Differences: Physical vs. Intangible Security
   Most domains blend tangible w/ information
- Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e)
   “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
   telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace
- Calls for National Effort to Enhance Modeling & Analytical Capacities
   appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures
- What is Shared Among these Vastly Different Sectors?

Law Permits/Regulates Risk Analytics

- Quantitative
   Statistical
   Actuarial
   Mortality & Morbidity
   Admissibility of Forensic Quality Expertise
   Decision Analysis
   Failure Analysis
- Qualitative
   Heuristic
   Visualization
   Interdependence
   Risk Assessment
   Education
   Demographics
   Risk Recognition
   Emotion

Epilogue

- There is far more here than meets the eye!
- A website devoted to the developing public policy of cyber security professionalism: http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/
- This IS interdisciplinary!
   Good luck w/o interdisciplinarity…

Financial Info Security Risks: SEC

- Financial Institutions w/in SEC Juris. Must:
   Adopt written policies & procedures, reasonably designed to …
   Insure security & confidentiality of customer records
   Protect against anticipated threats or hazards
   Protect against unauthorized access or use that could result in substantial harm or inconvenience
- Disposal Rule:
   must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

Controls over Internal Risks

- COSO’s Definition of Internal Control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories:
   effectiveness and efficiency of operations;
   reliability of financial reporting; and
   compliance with applicable laws and regulations.
- Components of Internal Control are:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring

GLB Safeguards Rule

- Financial institutions must design, implement and maintain safeguards
   Purpose: to protect private info
   Must implement written information security program appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data
- Security program must also:
   assign one or more employees to oversee program;
   conduct risk assessment;
   put safeguards in place to control risks identified in assessment, then regularly test & monitor them;
   require service providers, by written contract, to protect customers' personal information; &
   periodically update security program

Admitting then Analyzing Outsourcing Risks

- Not Outsourcing Risks Internal Failure
- Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
   Interdependency Reduces (Some) Risks of Conflict
   Slipshod Rush to Outsource for $avings
   Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
- SAS 70 Requires Outsourcing Risk Analysis/Mgt
   SLC Negotiation Opportunities to Reduce Risk

NIST Risk Mgt Method

- Asset Valuation
   Information, software, personnel, hardware, & physical assets
   Intrinsic value & the near-term impacts & long-term consequences of its compromise
- Consequence Assessment
   Degree of harm or consequence that could occur
- Threat Identification
   Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses
- Vulnerability Analysis
   Analyzed in terms of missing safeguards
- Safeguard Analysis
   Any action that reduces an entity’s vulnerability to a threat
   Includes the examination of existing security measures & the identification of new safeguards
- Risk Management Requires Risk Analysis
   “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59)

Source: NIST Handbook

Roles of Law/Reg/Policy in Risk Analysis & Risk Management

- Law Resolves Disputes, Shifts Risk of Loss
- Law Defines Risks & Duties of Care
- Law Compensates Injuries Derived from:
   Crimes, Torts, Contracts, Standards, Determination of Injury
- Law Defines/Constrains Damage Computation
- Law Encourages Risk Mgt
   Law Dis-Incentivizes Risky Deeds (DD&tDDC)
- Law Defines Risk Management Duties
   Risk Analysis Failure Shifts Liability Risks to Creator
   Actual Injuries Trigger Disputes over Risk Duties
   Law Defines Risk Mgt Professionalism
   Law Enforces Risk Shifting Contracts
   Law Requires Risk Analysis & Impacts Methods
   But Law may Disincentivize Introspection w/o Self-Eval Privilege
   Law Regulates Risk Management Industry
   Law Enforces Risk Mgt Profession’s Arrangements