Ken Watson 9 Sep 2003 kwatson@cisco.com Critical Infrastructure Assurance: Business Case for Public-Private Partnership Ken Watson 9 Sep 2003 kwatson@cisco.com

The World is a Network of Networks… Any Geographical Area, Any Network, Any Functional Area Is a Place of Vulnerability Water Oil and Gas Banking and Finance Transportation Internet Core Telecommunications Government Services Emergency Electric 2

Critical Infrastructures – Dependent on networks…and on each other Transportation Government Services Electric Power PDD-63 Critical Infrastructures Telecommunications Emergency Services Water Banking and Finance Oil and Gas

Critical Infrastructures Agriculture Food Key National Assets* Added Critical Infrastructures Defense Industrial Base Postal and Shipping Chemical Industry and Hazardous Materials Public Health

National Security Interest Infrastructures… Are critical to safety, security, our way of life Depend on commercial networks Are interdependent Are largely owned and operated by private companies Cannot entirely depend on the Federal government for defense against cyber attacks Government Needs Industry in a True Public-Private Partnership

The Business Case Businesses dependent for their survival on the Internet Vulnerabilities threaten economic survivability and competitiveness Interdependency Supply chain Partners Customers Infrastructure industries Companies are on the front lines of defense Industry Needs Government in a True Public-Private Partnership

Cross-sector Collaboration Partnership for Critical Infrastructure Security (PCIS) http://www.pcis.org Participation by leaders from government, industry & academia Coordinates cross-sector initiatives and compliments public-private efforts Board of Directors majority always critical infrastructure “sector coordinators” We’ve talked about some of our internal initiatives around Critical Infrastructure Assurance – I also want to briefly mention how we are engaged at the national level as an industry representative. The PCIS is the leading public-private forum for these discussions, and we are proud to have Ken Watson elected as President of the Partnership. Ken started the CIAG and has been leading Cisco’s CIP efforts for since the original call to action several years ago. The PCIS Mission is to – “coordinate cross-sector initiatives and complement public-private efforts to promote the assurance of reliable provisions of critical infrastructure services in the face of emerging risks to economic and national security.” Some of their current tasks are: o        Risk Assessment o        Information Exchange o        Awareness and Public Policy o        Digital Control Systems o        National Strategy o        Effective Practices The partnership currently enjoys participation from 80 member companies comprised of: Members Sector coordinators Infrastructure owners and operators Vendors Suppliers Security companies Other interested businesses Government & Academic participants originate from Sector liaisons Key federal, state, and local government representatives Representatives of academia

US Public-Private Relationships for CIP DHS President of the United States Federal Departments and Agencies Advisory Committees PCIS Sector Coordinators Electric Power Food Safety Financial Services Telecommunications Chemicals Water Oil and Natural Gas Surface Transportation Air Transportation Information Technology Law Enforcement Firefighters Emergency Medical Manufacturing State and Local Governments

National Strategy to Secure Cyberspace Five National Priorities National Cyberspace Response System National Cyberspace Threat and Vulnerability Reduction Program National Cyberspace Awareness & Education Securing Government Cyber Systems National Security and International Cooperation Public-private partnership Primarily market-based approach Multi-level risk assessments

Stay Safe Online Campaign www.staysafeonline.info Security education for homes, small businesses “Top Ten” tips, Tech Talks, security guides, links 105 companies; 15 Federal agencies National Cyber Security Alliance (NCSA)—educational foundation of PCIS Poster contest winners meet Tom Ridge in West Wing Apr 18, 2002

Information Sharing and Analysis Centers (ISACs) Vital part of Critical Infrastructure Protection (CIP) Gather, analyze, and disseminate information on security threats, vulnerabilities, incidents, countermeasures, and best practices Early and trusted advance notification of member threats and attacks Organized by industry: cross-sector awareness, outreach, response and recovery ISAC Council: Leadership of ten ISACs ISAC stands for "Information Sharing and Analysis Center", and the objective of an ISAC is to gather, analyze and share security information about threats, vulnerabilities, incidents, countermeasures, and best practices. The creation of industry ISACs was recommended in Presidential Decision Directive (PDD) 63. This recommendation follows a finding from a presidential commission to study how the US could protect its critical infrastructures. The idea is that each industry gets together and establishes an ISAC. So far, several industries have operational ISACs already: the Telecommunications, the Information Technology, the Financial Services, the Oil and Gas, the Electric, and several other industries all have ISACs, and the number is growing. ISACs promise to deliver several important benefits to member companies. Some of these benefits include: early notification, relevant information, industry-wide vigilance, subject matter expertise, anonymous information sharing, and trending, metrics, and benchmark data.

One Company’s Response: Cisco’s Critical Infrastructure Assurance Group Mission Provide for secure and reliable critical infrastructure networks through Cisco’s leadership. Program Areas Research Education Training Incident Response Communication In 1998, Cisco created the Critical Infrastructure Assurance Group, or CIAG, to do our part to help both government and the industry sectors in assuring the delivery of critical services. Over the last four years, we have developed five program areas we believe are key to success in this area. In the short term, we’re raising awareness of critical infrastructure assurance and helping to coordinate responses to incidents, to spread the word and assist where we can with countermeasures, best practices, and solutions. In the long term, we are helping close the network security “skills gap” working with colleges and universities, Cisco’s Networking Academies, and our commercial learning partners, and conducting internal and collaborative research in key infrastructure security technology areas. We take the results of these programs and bring them back to Cisco product teams where applicable. www.cisco.com/go/ciag

Critical Infrastructure Protection Challenges New sectors Implementing strategy Information sharing Interdependency research Contingency plans War on terrorism Balancing budgets/priorities Global issues Cyber alerts and warning Harmonization of national laws

Summary National security and economic security forever intertwined Infrastructures are interdependent Companies, governments, and academia must work together Research, training and education, information sharing, and incident response are key areas for collaboration

Going Forward Critical infrastructure assurance is a public-private issue Internet is borderless—security planning must be international Build on strengths—core competencies DHS is providing focus—ongoing public-private cooperation will be key to success

Contact Information Ken Watson 12515 Research Blvd Austin, Texas 78759 USA +1 512 378 1112 +1 512 750 7574 (mobile) kwatson@cisco.com www.pcis.org www.cisco.com/go/ciag