
Larry Clinton
President, Internet Security Alliance
lclinton@isalliance.org
703-907-7028
202-236-0001

ISA Project Background


Started in 2007 with CMU & USCCU
60 entities (NSA, NIST, DOD, DOE, FBI)
Published base paper in 2008
Published Framework in 2009 (CSPR)
Current Phase III: implement the framework
4 workshops in DC and SF: three technical and one legal
Expect publication of guidelines Fall 2011

Focus of Effort
Hardware risk management, appreciating the differences between government and the private sector
Economics as important as technology
Practical: keep it comprehensible to non-technical people from different parts of industry
Include international analysis of legal issues

Domain of Losses
Interruption of the supply chain
Corruption of the supply chain
Discrediting of the process or products
Theft of intellectual property

Guidelines Will Cover


The design process
Production of photomasks used in making microelectronic components
Manufacture of the microelectronic components
Manufacture of the printed circuit boards
Pre-assembly of components onto the boards

Guidelines Will Cover


Assembly of the actual products
Distribution to end users
Maintenance over the usage life, ending with disposal
Legal issues to be considered in assuring your supply chain

Legal Requirements
Rigorous contracts delineating what is required
Locally responsible corporations with a long-term interest in complying
We need to be sure local execs and workers are adequately motivated to comply
We need adequate provisions for verifying security implementation
There needs to be local law enforcement of agreements by both civil and criminal judicial systems

Who Has To Be Legally Accountable


Individual employees
The family, clan or tribe: often ignored by Western law even though it is the main vehicle for social accountability in much of the developing world, where costs are low
The corporation
Police and civil courts
Individuals you need

Individuals
A list of who is working, in advance
Documented identities
The equivalent of background checks
Under surveillance, preferably video, at the production facility

Family and Tribe


The ability of a local contractor to meet their legal obligations will often depend on local tribal relationships
Contracting with one tribe in an area where a different one dominates can leave the corporation without local support
Tribes or clans with true commitment will encourage workers to behave
With bad relationships with the tribe, it will be understood that it's permissible to violate written agreements

Corporations
Contracts must be written in ways suppliers understand, agree to, and that can actually be enforced
Penalties need to be assessed in ways that will not undermine the relationship
Procedures for unannounced visits must be clear so they can be carried out
Contracts need to spell out strategies to get suppliers to remain responsible for the long term

Police and Civil Courts

Some areas have reputations for being good with international business and others do not
You need to decide what are the minimum legal conditions that must be in place for your contracts to be enforced
Local law enforcement will be essential to stop and discourage crimes such as theft and sabotage: what are the criteria for the local law enforcement you need to have?

Final Thoughts
Is the supply chain still relevant----is it the WEB?
Key role of economics driving insecurity
What is the role of compliance?
Do we need to be Anti-American?
