
“Cutting Costs or Cutting Our Throats?”

Insider Threats Current Events: The Critical Infrastructure Security Perspective. Mark D. Troutman, Ph.D., Associate Director, Center for Infrastructure Protection/Homeland Security, George Mason University; Paul B. Losiewicz, Ph.D., Senior Scientific Advisor





Presentation Transcript


  1. Insider Threats Current Events: The Critical Infrastructure Security Perspective
  “Cutting Costs or Cutting Our Throats?”
  Mark D. Troutman, Ph.D., Associate Director, Center for Infrastructure Protection/Homeland Security, George Mason University
  Paul B. Losiewicz, Ph.D., Senior Scientific Advisor, Cyber Security and Information Systems Analysis Center
  15 August 2013

  2. Overview
  • Recent Events
  • Technology Increases Risk from Insider Threat
  • Government Resource Constraints
  • Costs Incurred by Lack of Due Diligence
  • Implications and Policy Responses

  3. Recent Events
  • The recent incidents involving Pvt. Manning and Edward Snowden highlight the risk of the “insider threat.”
  • Snowden had classified access due to his status as a contractor, as well as advanced computer training.[1]
  • Employed by Booz Allen Hamilton under contract to NSA. Previous CIA experience and an incomplete military career (left before completing Special Forces training).
  • There were some questions about facts relating to his background check, but Snowden was hired and granted clearance with access anyway.[2]
  • Subsequent statements indicate Snowden sought employment in order to gain access, with the intent of making public practices with which he disagreed.[3]
  • Summary: the government agency depended on a contract employee for specific skills and access, but screening failed to raise red flags regarding the individual's background and motivations.

  4. Technology Increases Risk from Insider Threat
  • Computing capacity continues to increase while embedded systems proliferate.
  • Operating systems gain efficiency and capability with more sensors and distributed controls linked to other operating systems.
  • Infrastructure is capital intensive and expensive to operate, so efficient, cost-minimizing approaches receive great emphasis. SCADA systems have evolved to meet this need.
  • The combination of greater computing power and the reach afforded by linked information systems gives a greater span of influence; asymmetric threats increase.
  • A greater span of control allows fewer personnel to monitor a greater range of control systems, at lower personnel cost. Personnel costs are the highest business costs.
  • A similar dynamic holds in intellectual property and knowledge management systems: less expensive cloud storage allows more information to be available to more collaborative processes in small to mid-size businesses.

  5. Government Resource Constraints
  • The Budget Control Act of 2011 (BCA 2011) attempted deficit reduction through constraints on discretionary spending. The defense budget and associated security functions sustained the largest share of reductions.
  • The DoD budget sustained $487B of cuts by the end of Secretary Gates’ tenure (2011). BCA 2011 identified an additional $500B over 10 years; the total could reach $1T.[4]
  • DoD costs for uniformed personnel have increased 57% in real terms (per person) over the previous decade.[5]
  • Contract resources offer the government an opportunity to reduce expenses and find specialty skill sets; personnel costs are the concern of the contract firm.
  • The US Government has greatly increased its use of contracted personnel in the last decade to extend its capabilities, despite directions to the contrary.
  • Contract organizations have a potentially different set of incentives from the government: minimize costs. This potentially reduces the resources devoted to vetting and oversight. The Snowden case seems to illustrate this.

  6. Costs Incurred by Lack of Due Diligence
  • The cost of cutting corners with infrastructure
    • Sony was fined $400K by the UK for failure to protect PII, on top of $171M in outage losses from a hack of its interactive gaming network.[6]
    • PII was maintained on five-year-old servers with out-of-date software and poor security.
  • The cost of failure in personnel reliability
    • Manning's release of diplomatic cables to WikiLeaks had "a chilling effect that will go on for some time" on foreign officials' willingness to speak candidly to the U.S.[7]
    • The Army estimated 855 man-hours to review the posted WikiLeaks documents, even WITH computer-aided analysis.[8]
    • A civilian arsonist cost the Navy $94M in direct costs and the loss of an attack submarine.[9]
    • Information Technology & Innovation Foundation: Snowden may cost the U.S. cloud industry $35B in losses to foreign competitors because of the PRISM revelations.[10]
  • SEC and mandatory disclosure of cyber self-assessment.[11]
    • Fines for compliance failure?

  7. Implications and Policy Responses?
  • Risk to intellectual property protection and innovation: R&D collaboration requires access to information, but greater access raises the risk of unwanted disclosure and economic damage to innovative firms, hampering economic competitiveness.
  • Some policy responses?
    • Greater resources for personnel vetting and oversight – difficult in constrained environments, and raising individual privacy concerns as well.
    • Higher access standards – but this imposes costs on collaboration and span of control.
    • Limits on access by any one individual or group – this drives up personnel costs.
  • Conclusion:
    • In a technologically riskier environment there is a greater need for new technological solutions and system responses.
    • Other, non-technical (e.g. cognitive) approaches to personnel reliability are also needed.
