Fire 2013 CTO challenge IP Protection vFinal


Getting to Zero: Achieving Zero Loss of Crown Jewel IP
CTO Design Challenge Team
A National Crisis
• Ongoing, state-sponsored theft of Government and Commercial IP
• “This may be the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”
– Sen. Sheldon Whitehouse of Rhode Island
• $300 Billion cost to US each year
– Source: Commission on the Theft of American Intellectual Property
A Policy and Technology Response
• “Everyone has been penetrated and will continue to be penetrated” – US Gov’t
• “If we do not hang together, we shall surely hang separately” – Thomas Paine
Crown Jewels
• Fake Jewels with Payload (think of a “parting gift”)
• Code looks real, compiles, boots, gathers data and phones home
• Traceable “Honeypots”, “Honeytokens”, signatures
• Prevent Single Points of Failure by requiring multiple trusted employees, as with “two keys for a missile launch”
• Frequent, inconsistent movement of IP (“shell game”)
• Protect by physical isolation
• Obfuscate the Jewels
• Distribute components, withhold the “keystone” offsite
Trade Policy – Trans Pacific Partners
• Import tariffs on stolen IP-based products
– Alt: Delay imports, deny entry, seize ships/goods
• Prevent companies trading technology for access
– Enforce Wassenaar Arrangement
• Export controls on arms and dual-use tech
• Penalize companies selling stolen IP
– Arrest, charge execs of offending companies
– Deny/revoke visas to other company representatives
– Deny access to stock exchanges
– Deny ownership in US companies
Industry Policy
• Create industry-specific consortia
– Establish consortia-specific private networks
– Think “SABREnet” (US airlines)
• Create/Leverage Industry CSO organization
– Discuss/share threat information, observations
– Establish threat levels, vectors
• Physical isolation, secure networks, & restrictive access policies
Governmental Policy
• CSO: SEC compliance statement
– Separate from financial audit
– Security compliance, reporting
– Data classification and marking
• Equivalent of MSDS sheet
• How valuable to other people
• (Nat’l, Industrial, Corp) Security or Trade Secret
– Watermarking, digital leakage prevention
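The traceable “Honeytokens” on the Crown Jewels slide and the watermarking/leakage-prevention bullet above rest on the same mechanism: every distributed copy of a sensitive document carries a marker that only the document owner can map back to a recipient, so a copy that later surfaces outside the organization is attributable. The Python below is an added example, not part of the original deck; the key, document id, recipient list and document body are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed values for this example: in practice the key is held by the
# security team and never placed in the distributed document.
TRACE_KEY = b"example-trace-key-not-for-production"
TOKEN_RE = re.compile(r"Ref:\s*(\S+)#([0-9a-f]{16})")


def recipient_token(key: bytes, doc_id: str, recipient: str) -> str:
    """Keyed tracer for one (document, recipient) pair.

    HMAC-SHA256 under the owner's secret key, truncated to 64 bits. A recipient
    holding only their own copy cannot forge another recipient's tracer or
    learn which recipient a given tracer names."""
    msg = doc_id.encode() + b"\x00" + recipient.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def watermark_copy(key: bytes, doc_id: str, recipient: str, body: str) -> str:
    """Build the copy of `body` handed to `recipient`, carrying its tracer as
    an innocuous-looking reference line."""
    return f"{body}\nRef: {doc_id}#{recipient_token(key, doc_id, recipient)}\n"


def trace_leak(key: bytes, leaked_text: str, recipients):
    """Attribute a leaked copy to the recipient whose tracer it carries.

    Returns (doc_id, recipient), or None when no tracer is present or it
    matches nobody on the distribution list (altered marker, or a copy from
    a list we do not hold)."""
    m = TOKEN_RE.search(leaked_text)
    if m is None:
        return None
    doc_id, token = m.group(1), m.group(2)
    for r in recipients:
        # constant-time compare: do not reveal how far the match got
        if hmac.compare_digest(recipient_token(key, doc_id, r), token):
            return (doc_id, r)
    return None


if __name__ == "__main__":
    people = ["alice", "bob", "carol"]
    copies = {p: watermark_copy(TRACE_KEY, "CJ-0042", p, "design notes (constructed)")
              for p in people}
    # A copy surfaces outside the company: map it back to the recipient.
    print(trace_leak(TRACE_KEY, copies["bob"], people))  # ('CJ-0042', 'bob')
```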
Academic Policies
• Universities must include IP protection in the required coursework of their major studies in order to apply for/receive US agency funding
– Renewed/audited yearly for the first 5 years
– Benefits US students, and instills an IP mindset in foreign students
– Publishing hold-backs: key processes held back from generally published papers
• Universities need to understand their own profitability
• Detail requires a specific disclosure process
• Particular audits for non-Trans-Pacific Partnership disclosures
Organization Policies
• Implement dual networks (red/green)
• Machines run dual VMs (red/green)
• Red VM and network interface
– Internal applications, Email (restricted)
– Intranet access only
– Changing IP and MAC addresses randomly
– Aggressive network monitoring
• Green VM and network interface
– Internet access
– No access to internal network
• Document classification mapped to potential dollar loss. Required training.
Organization IT
• Machines/devices locked down
– TPM ecosystem, NIST 7904 (Geofencing/Geolocation)
– No BYOD; devices encrypted, secured
• Ports are locked out, UEFI lockout
– Only boot from encrypted HD
• Drives encrypted – require TPM
• Only the application that has access to the information has the encryption access
– Must go through the agent
• Encryption and key management is a reasonable expense: $20K for a company, $2K for a server
• Ability for emergency push of changes
A National Priority?
• “So let me now be blunt for you and for the American people – Sequestration forces the intelligence community to reduce all intelligence activities and functions without regard to impact on our mission. In my considered judgment as the nation's senior intelligence officer, sequestration jeopardizes our nation's safety and security, and this jeopardy will increase over time.”
– James R. Clapper, Director of National Intelligence
Thank you…
Organization: Executive Level
• Board of Directors accountability & awareness
• Chief Security Officer – SEC compliance
– Responsible for rank-ordering the Crown Jewels periodically; refresh the entire list
• Full review/update of the organizational security put in place 20 years ago; take aggressive steps
– Drive internal security culture change
– Required continual training of employees
• Planted employees
Organization Policies
• Tiered defense
• IP classification on all documents/devices/materials
– Red/Orange/Yellow books
– No removal from room/bldg/campus
• Compartmentalize information, limited disclosure
• Traceability: both individuals and devices
• Clean, secured desks/cabinets
– Strong enforcement: one warning and/or dismissal
Organizations: Facilities
• Secured, limited entrances; no piggybacking
– Positive, two-factor identity in critical areas
• Visible, changing badges
• Cameras, monitoring
• Changes in unexpected ways
– Avoid predictability
Employee
• Badge changes, limited access
• Periodic access and security reviews,
renewals
• Building, server, group policies
• Enforce Least Privilege
Private Sector IP Protection Tactics – Multidisciplinary Approach
• Org Processes and Methodologies
– IP clarification: know your crown jewels
– Tiered defense
– Protect by physical isolation
– Frequent movement
– Compartmentalization
– Traceability: both individuals and devices
– Multiple stakeholders: “two sets of eyes”
– Move IP and IT to a more secure cloud-based solution
• Organization and Governance
– Org culture change related to security awareness
– Training of internal stakeholders
– Board of Directors role
• Technology Solutions
– Encryption done the right way: do it all
– Key protection
– Privileged credential protection
– Information sharing management
– Device tracking outside the network
– Use strong compliance frameworks: FedRAMP, ISO 27000, PCI
• Private sector coalition
– Framework to defend and retaliate
Public Sector Role in IP Protection – Balance between strong offensive and defensive strategies
• Increase the role of government
– Enforcing law, diplomatic pressure, share DoD-level security protection methods
• Raise the economic cost of IP theft
– Ban products based on IP theft from the US market
– Restrict the US financial system for companies whose products are based on IP theft
• Build offensive capabilities
Broad Scope of Impact and Involvement
Stakeholder Ecosystem
• Corporate Executives
• Employees
• Partners (e.g., supply chain, distribution, etc.)
• Policy makers
Vehicles for IP Theft Ecosystem
• All devices (PCs, laptops, mobile devices, sensors, etc.)
• Networks
• Other??
A Multilayered Solution
• Governmental Policies
• Industry & Academic Processes
• Corporate Policies
• Employee Policies