1. ECONOMIC SECURITY COMPONENT OF CIP: Roles of Industry and Government U
ECONOMIC SECURITY COMPONENT OF CIP: Roles of Industry and Government U.S.-Bulgaria Conference on Cybersecurity Sofia September 8-9, Daniel C. Hurley, Jr. Director, Critical Infrastructure Protection U.S. Department of Commerce

2. Homeland Security Components
National Defense
Departments of Defense and Homeland Security
Law Enforcement
Departments of Justice and Homeland Security
Economic Security
Departments of Commerce, Treasury and Homeland Security

3. Within the U.S. Government, the Department of Commerce is appropriate agency for addressing economic security issues:
Core mission incorporates CIP
Historic ties with and understanding of industry
Trust between Department and industry
Without DOC’s involvement, U. S. industry won’t play effectively

4. Facets of Economic Security
Goal: To ensure that CIP policies, programs and activities support an economic security perspective
Commerce Department Operating Agencies have complementary programs/roles for CIP
Many pre-existing programs have adjusted to contribute CIP support

5. Solution Factors Technology Process People - Standards
- Guidelines/Policies - Best Practices
- Education & Awareness

6. Costs of Computer Crime
2003: $201 million
2002: $455 million
Types:
Proprietary info ($70 million)
denial of service ($65 million)
financial fraud ($10.2 million; down from $116 million in 2002)
Forms of attack:
virus incidents (82%)
insider abuse (80%)
CSI/FBI 2003 Computer Crime and Security Survey

7. Examples of Recent Attacks
Klez virus:
-- Clean up and lost productivity: $9 billion
Code Red:
1 million computers affected
Clean-up and lost productivity: $2.6 billion
Love Bug:
50 variants, 40 million computers affected
Clean-up and lost productivity: $8.8 billion
NIMDA:
Clean-up and lost productivity: $1.2 billion
Slammer:
Clean up and lost productivity: $1 billion +

8. “Business Case” for Cybersecurity
Research reported in CSO Magazine in 2002 demonstrates a 21% Return on Investment for cyber security systems implemented early in network development.
“The costs of a sever computer attack are likely to be greater than the preemptive investment in a cyber security program would have been.”
(Source: National Strategy to Secure Cyber Space, February 2003)

9. Commerce Agencies Involved
National Telecommunications and Information Administration (NTIA)
International Trade Administration (ITA)
Bureau of Industry and Security (BIS)
Technology Administration (TA)
Economic Development Administration (EDA)

10. Departmental CIP Programs
NTIA
Spectrum management
Domain Name System root server tasks
International Telecommunication organizations
IPv6 Task Force
ITA
e-Commerce
Privacy

11. Departmental CIP Programs
BIS
Export Administration
Defense Industrial Base issues
TA/NIST
Security Standards
EDA
Economic recovery protocols

12. Security Standards National Institute of Standards and Technology
Technical Security Standards
Security Management Standards
Testing, Evaluation, and Assessment Programs
International Recognition Arrangements

13. References and Tools “Best Practices” Security Standards
Security Standards
American Bar Association guides
available upon request

14. CIP Lessons Learned • GLOBAL ECONOMIC BENEFITS OF CIP
• Economic Security is a motivating factor
• Complements law enforcement and national security objectives
• cONTINUAL EDUCATION & AWARENESS NECESSARY
• Solutions involve people, not just technology and process
• INDUSTRY INTERACTION ESSENTIAL
• Facilitates issue identification
• Broadens analytic support
• Facilitates buy-in by industry
• Accelerates economic benefits to be derived

15. ECONOMIC SECURITY COMPONENT OF CIP: ROLES OF GOVERNMENT AND PRIVATE SECTOR U.S.-Bulgaria Conference on Cybersecurity September 8-9, Daniel C. Hurley, Jr. Director, Critical Infrastructure Protection U.S. Department of Commerce