Larry Clinton President Internet Security Alliance - - PowerPoint PPT Presentation

SLIDE 1

Larry Clinton, President, Internet Security Alliance
lclinton@isalliance.org
703-907-7028, 202-236-0001

SLIDE 2

ISA Project Background

  • Started in 2007 with CMU & USCCU
  • 60 Entities (NSA, NIST, DOD, DOE, FBI)
  • Published base paper in 2008
  • Published Framework in 2009 (CSPR)
  • Current Phase III to implement framework
  • 4 workshops in DC and SF, three technical and one legal

  • Expect Publication of Guidelines Fall 2011
SLIDE 3

Focus of Effort

  • Hardware
  • Risk management, appreciating the differences between government and private sector
  • Economics as important as technology
  • Practical: keep it comprehensible to non-tech people from different parts of industry
  • Include international analysis of legal issues

SLIDE 4

Domain of Losses

  • Interruption of the supply chain
  • Corruption of the supply chain
  • Discrediting of the process or products
  • Theft of Intellectual Property
SLIDE 5

Guidelines Will Cover

  • The design process
  • Production photomasks used in making microelectronic components
  • Manufacture of the microelectronic components
  • Manufacture of the printed circuit boards
  • Pre-assembly of components onto the boards

SLIDE 6

Guidelines Will Cover

  • Assembly of the actual products
  • Distribution to end users
  • Maintenance of usage life, ending with disposal
  • Legal issues to be considered in assuring your supply chain

SLIDE 7

Legal Requirements

  • Rigorous contracts delineating what is required
  • Locally responsible corporations with a long-term interest in complying
  • We need to be sure local execs and workers are adequately motivated to comply
  • We need adequate provisions for verifying security implementation
  • There needs to be local law enforcement of agreements by both civil and criminal judicial systems

SLIDE 8

Who Has To Be Legally Accountable

  • Individual employees
  • The family, clan or tribe: often ignored by Western law even though it is the main vehicle for social accountability in much of the developing world, where costs are low

  • The corporation
  • Police and civil courts
  • Individuals you need
SLIDE 9

Individuals

  • A list of who is working, in advance
  • Documented identities
  • The equivalent of background checks
  • Under surveillance, preferably video, at the production facility

SLIDE 10

Family and Tribe

  • The ability of a local contractor to meet their legal obligations will often depend on local tribal relationships
  • Contracting with one tribe in an area where a different one dominates can leave the corporation without local support
  • Tribes or clans with true commitment will encourage workers to behave
  • Where relationships with the tribe are bad, it will be understood that it's permissible to violate written agreements

SLIDE 11

Corporations

  • Contracts must be written in ways suppliers understand, agree to and can actually be enforced
  • Penalties need to be assessed in ways that will not undermine the relationship
  • Procedures for unannounced visits must be clear so they can be carried out
  • Contracts need to spell out strategies to get suppliers to remain responsible for the long term

SLIDE 12

Police and Civil Courts

  • Some areas have reputations for being good with international business and others do not
  • You need to decide what are the minimum legal conditions that must be in place for your contracts to be enforced
  • Local law enforcement will be essential to stop and discourage crimes such as theft and sabotage. What are the criteria for the local law enforcement you need to have?

SLIDE 13

Final Thoughts

  • Is the supply “chain” still relevant? Is it the WEB?
  • Key role of economics driving insecurity
  • What is the role of “compliance”?
  • Do we need to be Anti-American?