
Vol. 10 No. 6, July 2007
Shifting Paradigms: Protection and Resilience; Suppliers and Consumers; Incentives and Costs
Critical Questions
Global Software Competitiveness Studies
Sponsored by the Center for National Software Studies (CNSS), http://www.CNsoftware.org
Conducted by Don O'Neill, ONeillDon@aol.com, (301) 990-0377
Copyright Don O'Neill, 2007, used by the NSC with permission
Threat: The Case for Action
Testimony before the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on April 25, 2007 touches upon both the infrastructure and its dependent usage [House 07]. The following extracts from the testimony are instructive:
The Infrastructure
1. The majority of government communications utilize private-sector networks, including critical infrastructures -- such as information technology, communications, financial services, electricity, and oil and gas systems.
2. For example, if the electrical grids fail, that failure impacts the communications systems, which in turn can hamper financial networks.
3. The Internet connects all other networks, including our Nation's critical infrastructure. It has become the central nervous system for our government, our citizens and our industries. When it is attacked, the effects can ripple far and wide.
4. Cell phones, PDAs, and wireless networks are vulnerable, as are the supervisory control and data acquisition (SCADA) systems underlying our critical infrastructure.
Dependent Usage
1. A 2004 Congressional Research Service (CRS) report stated that cyber attacks on publicly traded firms resulted in losses of 1 percent to 5 percent on the firms' stock price in the days following an attack.
2. For the average New York Stock Exchange company, this means shareholder losses in the range of $50 million to $200 million.
3. Americans make extensive use of the Internet. March 2007 global statistics indicate there are more than 210 million Americans - 70 percent of our total population - using the Internet.
4. A 2006 survey from the Cyber Security Industry Alliance (CSIA) found that Internet users who do shop online indicate that they spend an average of $116 per month per person - an estimated $8 billion per month in total - but that half of all users avoid making purchases because of fear of identity theft or compromise of financial information.
Protection and Resilience
The broader community concerned about Cyber Security is undergoing a paradigm shift away from Critical Infrastructure Protection (CIP) and towards Critical Infrastructure Resilience (CIR). Evidence substantiating this claim includes the following:
1. The GMU Law Center papers provide excellent background reading material on this [GMU 07].
2. The CEO Resilience Summit provides concrete evidence of this [COC 07].
3. In addition the focus on resilience by Robert Cresanti in the Department of Commerce provides further confirmation [DOC 07].
Protection as a security strategy is insufficient; however, protection as a tactic may provide a cost-effective means to reduce cleanup, lost opportunity, and reconstitution costs.
Suppliers and Consumers
Suppliers deliver protection; consumers need resilience. Protection is viewed as a cost; resilience is viewed as an investment. Suppliers, such as security tool vendors, focus on protection and have succeeded in commoditizing this space with cost-effective offerings. Consumers, such as CEOs, CIOs, and CXOs, must own full responsibility for enterprise Cyber Security solutions, which extend defense in depth to business continuity, system survivability, and system of systems resilience.
Let's examine the organizational change tactics needed to transition from protection to resilience:
1. Who is the target? While the target is often the supplier and the technical domain, the target should also be the consumer and the business domain.
2. What is the message? The message needs to include the threat, the prescription, and the incentives.
3. The threat can best be communicated using the arguments posited by experts in their case for action [House 07].
4. The prescription I advocate is the Maturity Framework for Assuring Resiliency Under Stress [O'Neill 07]. Proceeding from an overarching objective to drive the business case and enterprise commitment towards the assurance of software security, business continuity, system survivability, and system of systems resiliency, the framework provides a roadmap for achieving the objective through a set of progressive goals and leading indicators of achievement spanning the dimensions of management, process, and engineering. The Build Security In web site contains two articles I recently authored as an SEI Visiting Scientist that touch on and elaborate many of the leading indicators of achievement within the maturity framework [BSI 07].
5. The incentives can include the macro business benefits of interest to CEOs, CIOs, and CXOs, including reduced insurance expense, the Research and Engineering Tax Credit, and improved positions in lending markets and bond ratings.
6. What is the method of engagement? Tool vendors, as suppliers of protection offerings, are accustomed to employing the push tactics typical of commoditized marketing. For interfacing with consumers, consider instead pull tactics built on business case models, such as Security Return on Investment and Competitiveness versus Security Assessments. Should adoption of the Maturity Framework for Assuring Resiliency Under Stress take hold, the pull tactic would become the natural means of transitioning consumers to improved levels of maturity.
7. What is the role of government? Government should do as little as possible and as much as necessary. When it does act, government should lead and do so selectively and by degrees. Reflections on 21st Century Government Management provides a comprehensive discussion of government challenges and solutions [IBM 07]. The role of government is to lead by setting goals. Where a critical need exists and government possesses superior knowledge, the role of government is market development. Where a critical need exists and a competitive market is not developing, the role of government may be to regulate or confiscate.
Incentives and Costs
The benefits from resiliency maturity assurance come in the form of reduced cost exposure and macro business incentives.
Reduced Costs
1. Reduced cleanup costs
2. Reduced opportunity loss
3. Reduced recovery costs
4. Reduced reconstitution costs
Macro Business Incentives
1. Reduced insurance cost
2. Research and Engineering Tax Credit
3. Improved position in lending market
4. Improved bond rating
References
[FSTC 07] Dan Schutzer, Financial Services Technology Consortium (FSTC), dan.schutzer@fstc.org. FSTC is working to define a framework for Operational Resilience. http://www.fstc.org
[GMU 07] Dr. Christine Pommerening, George Mason University Law Center, cpommere@gmu.edu. Series of papers published as "Critical Thinking: Moving from Infrastructure Protection to Infrastructure Resilience", February 2007.
[DOC 07] Robert Cresanti, Under Secretary for Technology, United States Department of Commerce, is the DOC contact point on resilience. In connection with the Council on Competitiveness, Cresanti spoke on "Enterprise Resiliency Drives Competitiveness" on 22 January 2007 and "The Resilience Imperative" on 13 October 2006.
[COC 07] Debbie Van Opstal, Council on Competitiveness, DvanOpstal@compete.org. CEO Resilience Summit, 25 June 2007. http://www.compete.org
[House 07] The case for action: Testimony before the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, April 25, 2007. http://homeland.house.gov/hearings/index.asp?ID=41
[IBM 07] Reflections on 21st Century Government Management, Interactive Forum on the Future of Government Management. http://www.businessofgovernment.org/transition2008
[BSI 07] Don O'Neill, Build Security In, Business Considerations and Foundations for Assuring Software Security: Business Case Models for Rational Action and Calculating Security Return on Investment. https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
[O'Neill 07] Don O'Neill, Maturity Framework for Assuring Resiliency Under Stress, The Competitor Vol. 10 No. 4, March 2007. http://members.aol.com/ONeillDon2/competitor10-4.html