National Cyber Defense Financial Services Workshop (Draft) Report

“Helping Government Form a Sound Investment Strategy to Defend Against Strategic Attack on Financial Services”

October 28-29, 2009

Hosted by: BITS, FSTC and Financial Services Roundtable
1001 Pennsylvania Avenue NW, Suite 500 South, Washington DC

Sponsored by: National Science Foundation and Department of Homeland Security

Chartered by: National Cyber Defense Initiative

7 Oct 2009 (Annotated Outline)

Executive Summary

<This section will contain a one-page summary of the most important content>

Revision History

Date      Description                   Author
10/07/09  Outline Created               O. Sami Saydjari, ssaydjari@CyberDefenseAgency.com
10/07/09  Changed to outline heading    Jenny McNeill, jenny.mcneill@sri.com

Preface

Co-Chairs: Dan Schutzer, FSTC and Sal Stolfo, Columbia, and Brian Peretti, Treasury
Chartering: O. Sami Saydjari, NMCI
Executive Organizing Committee: John Mitchell, Stanford and John Carlson, FSTC
Sponsor Representatives: Doug Maughan, DHS, Karl Levitt, Lenore Zuck, Sylvia Spengler, DHS
Participants: <list Participants here, as a table [name::org]>

Table of Contents

1. Introduction
   1.1 Background
   1.2 Purpose and Goals
   1.3 Participation
   1.4 Intended Audience
2. Problem
   2.1 Research Challenges
      2.1.1. Prevention
      2.1.2. Detection and Response
      2.1.3. Recovery and Reconstitution
3. Strategies for Addressing Challenges
      3.1.1. Prevention
      3.1.2. Detection and Response
      3.1.3. Recovery and Reconstitution
4. Innovative Industry-Government Partnership Models
5. Recommendations
6. Conclusions and Findings

1. Introduction

This report documents a one-and-a-half-day public-private information technology industry workshop on national cyber defense sponsored by NSF and DHS. The workshop is one in a series organized by the National Cyber Defense Initiative Steering Committee with support from several government organizations and leaders.
The workshop took place October 28-29 (half day) at the BITS organization headquarters in Washington DC.

1.1 Background

Large portions of our country’s economic, industrial, social and governmental functions now depend upon a cyber infrastructure assembled from readily available commercial information system components. Much of this infrastructure is organized to tolerate random failures and outages but could fail catastrophically under malicious attack. Industry leadership is needed to substantially reduce this serious vulnerability.

There are many efforts underway to begin to address these issues at the national level. We had representatives from the leading commissions and working groups participating in the workshop. This workshop was intended as a forum for members of the financial industry to contribute input to multiple planning and strategic efforts underway and to define actionable plans to take back to their organizations and to input into government planning.

1.2 Purpose and Goals

The goal of the workshop is to develop a shared view of an attack-resistant and attack-tolerant cyber infrastructure and specific steps to be taken to reach that vision. Specifically, we seek to:

1. Understand the changing threat environment and the increasing possibility of extraordinary attacks mounted by nation-state adversaries for strategic gain and the growing sophistication of criminal organizations for financial gain.
2. Review Financial Services Sector Coordinating Council Research and Development priorities and National Cyber Leap Year priorities. Discuss research that supports these priorities and specific game-changing technologies and processes that apply to the banking and finance sector.
3. Discuss ways to incorporate new innovation partnership models. Create processes whereby the banking and finance sector and the broader research community and the U.S. Government can produce relevant solutions to current and long-term challenges and plan for a more efficient transfer of these research products into industry best practices.
4. Produce a public report and plan to help inform government of needed R&D to defend the financial services infrastructure.

(Background resource: http://ncdi.nps.edu/)

1.3 Participation

Participants were technical and business leaders of the banking and finance sector, government (including representatives from White House Office of Science and Technology, DHS, NSF and Treasury Department), and academic researchers. Participants had a deep understanding of the technologies and operations and of significant failures that have happened to date. To assure focus and productivity, the meeting was limited to approximately 35 participants.

The workshop was chaired by Sal Stolfo (Columbia University and representing the National Cyber Defense Initiative steering committee), John Mitchell (Stanford University), Dan Schutzer (President of the Financial Service Technology Consortium and representing the FSSCC R&D Committee) and Brian Peretti (Financial Services Critical Infrastructure Program Manager and representing the Department of the Treasury and the Financial and Banking Infrastructure Information Committee or FBIIC).

1.4 Intended Audience

There are two main audiences for this report: (1) government research and development planners and (2) financial service industry strategic leaders. Our goal is to provide input into the government planning process to offer up key strategic problem areas that need to be worked for the nation’s benefit. For the financial service industry folks, we hope to give some insights on the problem and some approaches to planning defenses against large-scale attacks that are within their purview.

2. Problem

Recent events demonstrate the vulnerability of banking from cascaded effects, such as the sub-prime lending disaster.
Banks have done reasonably well in protecting themselves from sophisticated criminals; losses have been growing, but are tolerable. We expect that banking will continue to be effective against “ordinary” cyber attacks as part of the cost of doing business. We are concerned with extraordinary attacks mounted by nation-state adversaries for strategic gain. On a very small experimental scale, the attack by Russia on Estonia’s banking system is an example of the potential situation our nation may face, especially if cyber attacks are launched in conjunction with kinetic attacks.

2.1 Research Challenges

<Given the top-level statement above, what are the challenges we face? The material here will come partly from the first plenary talk by Jane, but mostly from the breakout working groups. We should draw heavily from the brief out materials and the scribe notes from the works sessions, particularly the first working session. The problems should be in some sort of rank order as prepared by the breakouts. –oss>

2.1.1. Prevention

2.1.2. Detection and Response

2.1.3. Recovery and Reconstitution

3. Strategies for Addressing Challenges

<This section should include strategies for addressing the key problems identified in the section above—with focus on the top ranked issues/opportunities. The material for this section should come directly from the working sessions. –oss>

3.1.1. Prevention

3.1.2. Detection and Response

3.1.3. Recovery and Reconstitution

4. Innovative Industry-Government Partnership Models

<This section is intended to document innovative ways that industry and government can work together to address challenges and implement the strategies. The primary content is intended to come from the plenary session on Wednesday. –oss>

5. Recommendations

<What does the group recommend to government and financial services leadership be done about the strategic risk to the financial services sector? These are intended to be clear actionable recommendations, particularly focused on investment toward addressing the hard problems. Prioritization is important and should be gleaned from the group. I expect some of this material to come from the working sessions, particularly the last one, but much of it will come from the plenary session (whole group) led by Sal at the end of day one, and John M. at the beginning of day 2. –oss>

6. Conclusions and Findings

<What conclusions do we draw about this area regarding the problem and the proper courses to solutions? I expect this section to be an abstraction of specific recommendations. I also expect to include any findings regarding the situation or the nature of solution approaches that transcend any specific idea. I expect these will be recorded along the way from comments made both in plenary and breakout sessions. –oss>

Appendix: National Cyber Defense Financial Services Workshop Agenda

“Helping Government Form a Sound Investment Strategy to Defend Against Strategic Attack on Financial Services”

Wednesday, October 28

8:00–8:30  Breakfast
8:30–8:45  Welcome Opening Remarks
8:45–9:00  Workshop Context
9:00–9:45  Changing Threat environment and Needs of the Financial Services Industry – scenarios of likely outcomes if FI infrastructure is disabled, timing of downtime and requirements for reconstitution; learn what we need to know. Brainstorming research challenges for nation state and organized crime threat to FI infrastructure; prevention strategies, reconstitution strategies.
Breakout into 3 parallel Working Groups
  Working Group 1: Detection and Response - how one would know that a strategic financial service sector attack was unfolding and perhaps what top-level actions might mitigate damages; what kind of attacks do we need to worry about (service denial, attack on integrity of services, on financial health)
  Working Group 2: Prevention - how do we increase the adversaries' work factor to make such attacks much harder
  Working Group 3: Recover and Reconstitution - how do we maintain the largest possible core of a system, where a strategic attack succeeds, and recover the rest as quickly as possible
Break
Interim Report out of Working Groups to Plenary session
Discussion of R&D and game-changing technologies that support the needs of the Banking and Finance Sector. Review relevant recommendations from Cyber Leap Year
Working Lunch
Continuation of discussion of R&D and game-changing technologies that support the needs of the Banking and Finance Sector.
Charge to working groups
Working Groups 1, 2 and 3 continue to meet to finish and to prioritize their lists of needed technologies
Break
Continuation of discussion of R&D and game-changing technologies; rank key ideas, develop strategies to address
Reports by Three Working Groups on top ideas
Recap of the day discussion
Group Dinner @ Bistro D’Oc, 518 10th St, NW (1 blk north)

Times for the sessions from the breakout onward, in the order listed:
9:45–9:55, 9:55–10:55, 9:55–10:55, 9:55–10:55, 10:55–11:10, 11:10–11:45, 11:45–12:45, 12:45–1:30, 1:30–1:35, 1:35–2:30, 2:30–2:45, 2:45–4:15, 4:15–4:45, 4:45–5:30, 6:00

Session leads for Wednesday, in the order listed:
Brian Peretti (Treasury), Dan Schutzer (FSTC) and Sal Stolfo (Columbia University)
Douglas Maughan (DHS) and Lenore Zuck (NSF)
Discussion facilitated by Jane Carlin (Morgan Stanley and chair of the FSSCC Cybersecurity Committee)
Dan Schutzer (FSTC)
Working Group Chairs
John Mitchell (Stanford University)
Mark Clancy to discuss recent Cyber Exercise for Financial Services
Sami Saydjari (Cyber Defense Agency)
Working Group Chairs to Workshop
Led by Sal Stolfo and Dan Schutzer

Thursday, October 29

8:00–8:30    Breakfast
8:30–9:30    Review and discussion of yesterday’s findings and recommendations
9:30–9:45    Break
9:45–11:15   Discussion of the Innovation Partnership model and efficient technology transfer mechanisms
11:15–12:30  Review Outline of Report, Assign Authors to Draft Portions, and Establish Target Completion Date
12:30        Box Lunches and Adjourn

Session leads for Thursday, in the order listed:
John Mitchell
Introduced by Aneesh Chopra, Obama Administration’s Chief Technology Officer (led by Sal Stolfo and Dan Schutzer if Aneesh isn’t able to stay)
Sami Saydjari, Jeremy Epstein (SRI)