Sessions Overview
GENERAL— CSIS Commission to Advise the 44th President on Cyber Security
Monday, October 6, 2:15 - 3:15pm
Speaker:
Jim Lewis, Senior Fellow and Director of the Technology and Public Policy Program at CSIS
Objective:
Discuss the role of global security moving forward.
Description:
When the next president of the United States takes office in January 2009, he will be greeted with some advice on cyber security policy. The Center for Strategic and International Studies has put together a Commission on Cyber Security for the 44th Presidency and expects to have a set of recommendations ready by the end of the year. Mr. Lewis will discuss issues such as infrastructure protection, software assurance, cyber security, and cooperative initiatives between the public and private sectors.
GENERAL— Panel: Lessons Learned from National Emergency & Crisis Response Exercises - Industry & Government Working Together
Monday, October 6, 3:15 - 4:15pm
Panelists:
Bob Dix, VP, Government Affairs, Juniper Networks, and Chairman, IT Sector Coordinating Council
Bill Nelson, FS-ISAC CEO
Chris Anderson, DHS Director of Contingency Planning & Incident Management Division, Office of Infrastructure Protection
Description:
Representatives from the private sector Critical Infrastructure and Key Resource (CI/KR) community have been working with DHS to determine the appropriate roles and responsibilities for the private sector during incident management activities associated with a national emergency/crisis. Recent and planned table-top exercises have set forth objectives to: identify current capabilities and process gaps in CI/KR private sector incident management; consider improvements to CI/KR private sector integration and collaboration in incident management processes and procedures; and develop possible solutions to identified procedural gaps.
In this session, the panelists will discuss the actionable recommendations from the latest exercises, including protective measures, cross-sector communications, DHS commitment to provide private sector CI/KR access to the National Infrastructure Coordinating Center (NICC) and the Incident Management Cell (IMC), and the increased role of the private sector in developing, planning and participating in future exercises.
CRISIS MANAGEMENT— Crisis Communications: How to Manage the Message
Tuesday, October 7, 10:15 - 11:30am
Speaker: Jeroen Meijer, Vice President & National Director, Control Risks
Objective:
Discuss the need for crisis management and crisis communication to be intertwined in order to succeed. Participants will learn the keys to a successful crisis communication strategy.
Description:
A crisis can take many forms for an organization, and not every crisis grabs the media headlines. But to manage your way to a resolution, you have to know how to deploy communications effectively. A shooting in the workplace, a product contamination, a civil lawsuit alleging human rights abuses—these are all crises that corporations have faced recently, and these are the kind of events that require a crisis communications capacity. Crisis management and crisis communications have to be intertwined to succeed, and must include: prior planning; an experienced communications leader; a clear idea of your audience; and a willingness to admit the truth, even when it is painful. The media are global, continuous and omnipresent. You cannot hope to control everything that is written about your company, but you can control your own message.
INFORMATION SECURITY— Outsourced Application Development: Caveats and Best Practices for Security
Tuesday, October 7, 10:15 - 11:30am
Speaker:
Matt Moynahan, Veracode
Objective:
Identify the caveats and five critical steps to ensuring security when outsourcing application development.
Description:
With India, China and Eastern Europe developing more than $50 billion in custom software, many businesses have taken advantage of cost savings and flexibility to gain a competitive advantage. Unfortunately, due to training and developer turnover, secure coding and application security testing are often overlooked, resulting in an unacceptable level of unbounded risk. Organizations face an uphill battle in controlling security risks across their extended software supply chain. Identifying, controlling and reducing the unbounded risk and capital requirements are critical. In this presentation, Matt Moynahan, CEO of Veracode, will outline five key steps enterprises can take to implement security best practices when opting to outsource application development.
GOVERNMENT & INDUSTRY— Panel: Technology and Policy Enabling Emergency Internet Traffic
Tuesday, October 7, 10:15 - 11:30am
Panelists:
Bob Dix, VP, Government Affairs, Juniper Networks, and Chairman, IT Sector Coordinating Council
Dr. Phyllis Schneck, VP, Research Integration, Secure Computing Corporation and Founding Chairman and Chairman Emeritus, InfraGard National Members Alliance
Phil Lacombe
Description:
One of the most potent vulnerabilities in cyberspace today is that anyone, anywhere, can send anything they wish and it will likely arrive at the desired destination – potentially even claiming a false origination or identity – using bandwidth and enabling transnational organized crime.
Consider a time of crisis, whether a pandemic, weather, cyber or other event. Network bandwidth may be needed to sustain response, and people may not be traveling to work, which affects all infrastructures and expands and/or shifts bandwidth requirements. The loss of communications infrastructure could occur in several instances, including mass Internet use increases from political, weather or health events, or low bandwidth availability due to malicious DDoS attacks or other cyber warfare. Who makes decisions about which traffic should get priority routing, and how? Can technology enforce this, even in an open, globally interconnected medium with no predictability of traffic volume? These are the questions that must be answered for the nation to have confidence in the resilience and utility of our cyber infrastructure in times of crisis.
This panel will address the technology and policy issues, from a private sector and government perspective, to enable emergency Internet traffic, from traffic prioritization to dropping malicious/criminal traffic at different points within the network infrastructure. Dedicated infrastructure and “out-of-band” solutions can help in some situations, but do not always solve dynamic routing issues or enable the use of the massive interconnectivity offered by the public Internet. We will discuss some of the existing policy issues such as net neutrality vs. crisis management, as well as technology challenges such as potential speed/performance effects of additional logic in networking.
PHYSICAL SECURITY— Hackers, Psychos, and Criminals – How to Reduce the Human Factor Risk
Tuesday, October 7, 10:15 - 11:30am
Speaker:
W. Michael Susong, iSIGHT Partners
Objective:
Examine the human and geopolitical threat to government and corporate infrastructure from other governments, stateless actors and organized crime.
Description:
The threat landscape faced by global corporations has shifted dramatically in the last five years. The same technology advances that created new market opportunities in China, Russia, and worldwide also enabled a new generation of criminals. An evolving criminal business model now conspires to steal capital and undermine brand integrity. During this presentation, the motivations, methods, and future technology risks from the world’s most profitable criminal enterprises and rogue players will be discussed. These enterprises function as electronic crime ecosystems, and there are strong social, historic, and economic forces to be confronted in order to create effective risk mitigation strategies.
GENERAL— Panel: Guarding Our Future - Protecting the Nation’s Infrastructure
Tuesday, October 7, 1:30 - 2:30pm
Moderated by:
Aaron Schulman, Partner, Toffler Associates
Panelists:
David Mongan, President, American Society of Civil Engineers
Randy Beardsworth, Principal, Olive, Edwards & Cooper LLC
Brendan Owens, Vice President, U.S. Green Building Council
Objective:
Discuss the environment in which we build and operate the nation’s critical infrastructure and how this environment will change over the next 20 years. As these changes evolve, the nation’s approaches to infrastructure protection must proactively and rapidly adapt to new threats, risks and opportunities.
Description:
Over the next 20 years, those charged with protecting our infrastructure will face unprecedented challenges brought on by accelerating change. Technological, social, economic, environmental and political changes will occur more quickly, and in many cases faster than legacy organizations can adjust their planning and risk management practices. Exacerbating the effects of accelerating change is the increasing interconnectedness of infrastructure systems, where an attack or event at one point affects multiple systems. These dense connections make it more difficult to determine the cause of an attack, to implement protective measures, or to respond to an event.
CRISIS MANAGEMENT— Lessons Learned Information Sharing (LLIS.gov)
Tuesday, October 7, 2:45 - 3:45pm
Speaker:
William Moore, Vice President & National Director, Lessons Learned Information Sharing
Objective:
Demonstrate the benefits of LLIS.gov to emergency response personnel and the homeland security community.
Description:
Lessons Learned Information Sharing (LLIS.gov) is the national, online network of lessons learned and best practices for the emergency response and homeland security communities. LLIS.gov helps to improve homeland security and emergency preparedness nationwide by providing federal, state and local responders with a wealth of information and front-line expertise on effective planning, training, and operational practices across homeland security functional areas. Sponsored by the Department of Homeland Security's Federal Emergency Management Agency, LLIS.gov helps emergency response providers and homeland security officials prevent, protect against, respond to, and recover from terrorist attacks, major disasters, and other emergencies.
GOVERNMENT & INDUSTRY— Government and Industry Collaboration to Secure the IT Sector
Tuesday, October 7, 2:45 - 3:45pm
Speakers:
Patrick Beggs and Scott Algeier, Department of Homeland Security and IT-ISAC
Objective:
Provide participants with a better understanding of the IT sector’s approach to assessing risk, and how these activities might impact businesses in other sectors.
Description:
This session will explain the IT sector's collaborative process to assess risks to the IT infrastructure and explore potential impacts of the risk assessment on businesses that depend on information technology, especially the critical infrastructures. It will detail the purpose of the risk assessment, discuss its focus on functions (as opposed to assets), and highlight lessons learned. The session will enable participants to gain a better understanding of how the IT sector conducts its risk assessment, and what this means for their businesses and for the other critical infrastructure sectors.
INFORMATION SECURITY— Panel: The Latest in Vulnerability and Compliance Techniques
Tuesday, October 7, 2:45 - 3:45pm
Moderator:
Elliott Glazer, DTCC
Panelists:
Kent Landfeld, McAfee
Ron Gula, Tenable Network Security
Dow Williamson, SCIPP International
Objective:
Provide insights into new and emerging capabilities and standards that aim to ease the pain of dealing with the plethora of vulnerability and compliance information.
Description:
We are all inundated with vulnerability information today. Each of us has rolled out many controls that bring us vulnerability data—for our network, our server platforms and our applications. Many of us have reached data overload. However, new and emerging standards, driven by NIST, bring hope of solving the issue of how we can aggregate, correlate, and manage this data into useful information for risk evaluation and compliance management. The standard is SCAP. The discussion will highlight benefits and issues of the SCAP capabilities. Learn how to ensure that your organization meets best business practices by leveraging these new techniques.
PHYSICAL SECURITY — Alert Communication in Times of Crisis and Response: A View from a University
Tuesday, October 7, 2:45 - 3:45pm
Speaker:
Theresa Rowe, Oakland University and current chair of the EDUCAUSE CIO Constituent Group
Description:
Campus-based institutions are increasingly employing communications technologies to provide instantaneous, wide-scale alerting in the event of an emergency situation. For example, universities are rapidly adopting technologies to alert students, faculty, staff, and parents in the event of a campus emergency. Various technologies are needed in order to effectively reach constituents in their native communications modalities. Reliability of the channels must be assured in the face of massive contemporaneous messaging. Alerting must be established in the social context. Requirements and deployment experiences will be discussed, along with the experience gained by having "gone through an event." Traffic behavior during a crisis may differ from that of normal communications, and standard procedures often must be adapted.
CRISIS MANAGEMENT— Business Impact Analysis Workshop
Tuesday, October 7, 4:00 - 5:00pm
Speaker:
Arun Sharma, Vice President & National Director, Control Risks
Objective:
Provide an advanced scenario that deals with a business disruption case study.
Description:
The Business Impact Analysis workshop will be developed around a business disruption case study that attendees will have to face and think through. The exercise will aim at developing business impact assessment skills, identifying the key players, responding to personnel, maintaining the critical business processes and assessing plausible outcomes. This hands-on exercise will provide attendees with the tools and knowledge they need to successfully face a pre-designed business interruption. The workshop will touch upon several aspects of an all-hazard business resilience program, whose elements will be recapped before the workshop is conducted.
GOVERNMENT & INDUSTRY— Panel: DHS and Industry Collaboration in Exercises and Real Event Crisis Management
Tuesday, October 7, 4:00 - 5:00pm
Speakers:
TBD, DHS-Office of Infrastructure Protection
Susan Tramposch, Water ISAC
Denise Anderson, FS-ISAC
Description:
This panel will educate attendees on the basic structure, terms, operations, communications and information flow between the Office of Infrastructure Protection and the critical infrastructure private sector during an incident of national significance. Panelists will also inform attendees of the role that DHS-Office of Infrastructure Protection plays in exercises, provide an overview of exercise structure, and discuss the role the private sector can play.
INFORMATION SECURITY— Security and Compliance in Cloud Computing
Tuesday, October 7, 4:00 - 5:00pm
Speaker:
Mark Rasch, FTI Consulting, Inc.
Objective:
Mr. Rasch will discuss the impact of so-called "cloud" computing on information security, electronic discovery, and legal and regulatory compliance. He will present practical advice on how to comply with regulations while using third-party applications.
Description:
In the landmark case Smith v. Maryland, the United States Supreme Court held that telephone toll records in the hands of a third party—i.e. the telephone company—were not entitled to legal or privacy protection, and that the consumer had no recognizable "expectation of privacy" in records held by a third party. With the advent and expansion of so-called "cloud computing," corporate, financial and government documents may no longer be contained within a single enterprise. Third-party servers or services enable access to records by "authorized" users the world over. The records themselves may be held on servers owned by third parties, data aggregators, storage farms or similar business models. Mr. Rasch will address the legal obligations of the parties to such "cloud computing," including requirements for data access, availability, encryption, privacy, and notice. He will also address jurisdictional issues, such as whose privacy and procedural law applies to such data: the law of the "owner" or that of the location where the data is stored. Finally, Mr. Rasch will address issues related to electronic discovery and inspection (by both private litigants and governments) of data that is stored in the cloud.
PHYSICAL SECURITY— Advanced Physical Security and Environmental Awareness
Tuesday, October 7, 4:00 - 5:00pm
Speaker:
Arun Hampapur, Ph.D., IBM
Objective:
Provide information on how advanced physical security applications are being used in homeland security, retail and banking sectors, as well as the business applications that can leverage the security infrastructure.
Description:
With increasingly open societies, global economies, intercontinental flights and Web data, the notion of physical security needs to transform. The migration of physical security systems to IT infrastructure is an enabler for the transformation of physical security. Technologies like biometrics, intelligent video surveillance, and trusted identification are key components in advanced physical security systems. While advanced physical security technologies enhance security significantly, they also provide a unique insight into "real world activities" and environmental awareness. This talk will focus on business applications that leverage the security infrastructure.
GENERAL— Panel: Shared Cross-Sector Solutions for Converging Threats
Wednesday, October 8, 10:00 - 11:00am
Moderated by:
Paula Scalingi, Pacific Northwest Center for Regional Disaster Resilience
Panelists:
Steve Katz, Security Risk Solutions (Information Security)
Brian Stephens, Bank of America (Physical Security)
Andrew McCruden, Citi (Crisis Management)
Greg Gammon, Fire Chief, Las Vegas Fire & Rescue Department (Crisis Management)
Objective:
Discuss the following: the importance of sharing information across different sectors and the impact each sector has on the resilience of the other sectors; how information security, physical security and crisis management are converging as a result of blended threats; and share insights into how to improve enterprise preparedness against risks, threats and incidents involving multiple disciplines.
Description:
Panel members will represent different sectors, including finance and banking, information technology, and emergency management services. Each panel member will also represent a different discipline: crisis management, physical security, and information security. The discussion will focus on emerging new threats common to each of the critical infrastructures and how ISACs can work together to develop solutions to address these threats.
CRISIS MANAGEMENT— The Resilience Imperative
Wednesday, October 8, 11:15am - 12:15pm
Speaker:
Jeff Gaynor, Director, National Resilience Programs, Business Executives for National Security
Objective:
Provide the rationale for and actions required to implement an objectively measurable and sustainable 21st century national preparedness imperative.
Description:
Critical infrastructure is both the enabler and potentially the disabler of any modern nation. The consequences wrought by nature, age, neglect, anomalous activities in cyberspace, and inherent capacities for attacks against America’s interdependent, overstressed, highly exploitable and consequence-amplifying critical infrastructure demonstrate that current infrastructure protection programs – while necessary – are inadequate to meet the challenges of the post-9/11 “All-Hazards Environment.”
Accordingly, a new risk-based and “ground-truth-based” approach to American preparedness is required. Mr. Gaynor will discuss Critical Infrastructure and National Resilience, an imperative that will provide a universally accepted and objectively measurable success metric, and an achievable and sustainable preparedness condition that will ensure a safer, stronger and better America throughout the 21st century and beyond.
GOVERNMENT & INDUSTRY— Planning for the Unpredictable: 21st Century Critical Infrastructure Protection
Wednesday, October 8, 11:15am - 12:15pm
Speaker:
Brandon Wales, Deputy Director HITRAC, DHS
Objective:
Highlight approaches and opportunities designed to help government and industry partners alike think about future risks, and proactively shape the future risk landscape in the 21st century.
Description:
Constrained by budgets set years in advance, the critical infrastructure protection community faces considerable challenges correctly identifying and responding to the dynamic risk environment it faces, necessitating new approaches designed to break the cycle of strategies designed for yesterday’s greatest threats. Not only must the critical infrastructure protection community catch up with the changing risk landscape, it must also learn how to strategically shape that landscape and dictate the terms of how the next generation of critical infrastructure protection battles will be fought. To move ahead of our adversaries, however, the critical infrastructure protection community must first strengthen the historic public-private partnerships currently in development, and change how we think about, and approach, the infrastructure protection mission as a community.
INFORMATION SECURITY— Dealing with NextGen Threats Using Active Threat Intelligence
Wednesday, October 8, 11:15am - 12:15pm
Speaker:
Eddie Schwartz, Netwitness, CSO
Objective:
Understand the next generation of security risks associated with social networking, virtual world and online collaboration sites. Learn how to improve threat intelligence by network monitoring and responding quickly to potential security issues.
Description:
Social networking and virtual world sites such as Facebook, MySpace, Ning, and Second Life represent a new generation of threats to your organization, and create fertile ground for attackers. End-users access these sites from both work and home, and interact with the sites and their online communities under an assumption of trust. Mr. Schwartz will describe the various types of next-generation threats associated with these sites and offer methodologies for monitoring usage, detecting malicious activity, and investigating incidents occurring on your network. The session will describe how to tune your internal threat intelligence model to provide maximum visibility into these attacks, and how to leverage this active threat intelligence to perform real-time network investigations and incident response to track down and kill threat agents. The session will also demonstrate the automated fusion of organizational network session analysis with third-party automated telemetry sources such as reputation, botnet, and geoIP services.
PHYSICAL SECURITY— Panel: Cyber Control of Physical Infrastructure
Wednesday, October 8, 11:15am - 12:15pm
Moderator:
Dr. Phyllis Schneck, VP, Research Integration, Secure Computing Corporation and Founding Chairman and Chairman Emeritus, InfraGard National Members Alliance
Panelists:
Seth Kulakow, ISO, Denver International Airport
Richard Garcia, Director, Corporate Security, Royal Dutch Shell
Tim Roxey, Technical Assistant to Vice Chairman CEG/Security; Deputy Chair, Nuclear Sector Coordinating Council; Vice Chairman, Nuclear Sector Coordinating Council/Cyber Security Sub Council; NSCC representative to Partnership for Critical Infrastructure Security (PCIS)
Description:
Panelists will explore cyber controls within the physical infrastructures of the nuclear, transportation and energy sectors and provide anecdotal presentations of real-world scenarios, including Denver International Airport’s experience with the Democratic National Convention.
CRISIS MANAGEMENT— Establishing Secure Communications in a Crisis
Wednesday, October 8, 12:30 - 2:00pm
Speaker:
Brian Symonds, DataPath
Objective:
Help attendees understand how to enable high-bandwidth, secure connectivity anywhere, even in the most challenging situations and remote locations.
Description:
This presentation—designed for executives in security, disaster recovery and emergency preparedness—includes example profiles of mission-critical broadband wireless networks, as well as recommendations for ensuring network reliability and availability. Key objectives will include how to obtain broadband communications capabilities for on-demand or emergency requirements, and protecting critical communications and networks. In addition, the results of a case study to deploy an end-to-end voice encryption solution for mobile phones will be summarized.
CRISIS MANAGEMENT— Supply Chain Issues: Threat and Impact Identification, Assessment, and Mitigation
Wednesday, October 8, 12:30 - 2:00pm
Speaker:
J.R. Helmig, Senior Analyst, SPADAC Inc.
Description:
Fear of the unknown and too many "what-ifs" often lead to misdirected resources, meaning that your true vulnerabilities are either unseen or still exposed, and that sizeable opportunities are lost. Intelligence and analytical techniques that provide consistent and robust risk identification and quantification will be discussed. Participants will also learn how to assess the impact of risk reduction and mitigation techniques at both strategic and tactical levels.
With today's business landscape more competitive than ever, many of these same techniques can be used to exploit competitive advantages for existing and emerging markets, thereby turning your "risk reduction" into "higher ROI". While the supply chain is used as a detailed example, the same concepts will be related to financial systems, information networks, and other critical infrastructure.
GOVERNMENT & INDUSTRY— Panel: HR1 Voluntary Standards; Regulatory Standpoint and Industry View
Wednesday, October 8, 12:30 - 2:00pm
Moderated by:
Doug Johnson, ABA
Panelists:
Jim Caverly, DHS
Dow Williamson, The Business Continuity Institute
Objective:
Provide an update on the latest developments regarding the voluntary private sector Preparedness Accreditation and Certification Program.
Description:
The Voluntary Private Sector Preparedness Accreditation and Certification Program is mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to establish a common set of criteria for private sector preparedness, disaster management, emergency management, and business continuity programs. The goal of the Voluntary Private Sector Preparedness Program is to improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience in an all hazards environment. Participation in the Program will be voluntary and is intended to be driven by the marketplace. Mr. Caverly and Mr. Williamson will provide perspectives from the government and industry, respectively, regarding the Voluntary Private Sector Preparedness Accreditation and Certification Program.
PHYSICAL SECURITY— The Role of Intelligence in Securing Camp Ramadi, Iraq
Wednesday, October 8, 12:30 - 2:00pm
Speaker:
Captain Luke Ott, Delta Air Lines and US Navy Reserves
Description:
US military forces are using intelligence across all sectors and disciplines to defeat Al Qaeda in Iraq and to assist the Iraqi people in taking control of their country. A cross-sector methodology provided the ability to coordinate and support overall security, counter insurgent activity, defend and improve infrastructure, encourage and guide local and provincial governments toward peaceful and effective resolution of issues, improve school systems, and support economic activity. Crisis response strategies used at Task Force Ramadi will be discussed, including entry control point procedures, perimeter protection, counter-insurgency operations, oversight of essential services (water, electric, food, housing), and management of a foreign national work force. Captain Ott will provide a discussion of lessons learned from his very recent tour in Iraq.
GENERAL — The Financial Impact of Cyber Security: 50 Questions Your CFO Should Ask
Wednesday, October 8, 12:30 - 2:00pm
Speaker:
Ty R. Sagalow, President, AIG, Product Development, General Insurance
Description:
While companies have for some time understood the great advantages of the Internet to their businesses, chief financial officers have often failed to truly comprehend and, therefore, financially manage the accompanying potential financial risks. The key to understanding the financial risks of cyber security is to understand and fully embrace its multi-disciplinary nature. Successfully analyzing and managing financial risk requires a dialogue: a series of to-the-point questions directed at the major stakeholders in these domains, namely the Chief Financial Officer, General Counsel, Chief Technology Officer/Chief Information Security Officer, Chief Risk Officer, heads of Corporate Communications, Investor Relations, Customer Service, and others.
This session will show you how to bring the multiple stakeholders in cyber security together and give them, in the form of strategic questions to be asked by the company's chief financial officer or chief executive officer, a roadmap for developing a multi-disciplinary risk management approach to analyze, manage, and mitigate the financial risks of cyber security. At the end, this session will map out for a company's chief information security officer or other stakeholder a method to make a compelling business case for sufficient funding to manage security in a truly multi-disciplined nature.
CRISIS MANAGEMENT— Public/Private Partnerships and Information Sharing
Wednesday, October 8, 2:15 - 3:15pm
Speaker:
Richard Andrews, NC4
Description:
Mr. Andrews will provide a review of recent efforts to develop information sharing networks between the public and private sectors, describe the progress made on these efforts and will discuss the future challenges and opportunities facing the critical infrastructure sectors.
GOVERNMENT & INDUSTRY— Panel: Legislative Initiatives for the Next Congress
Wednesday, October 8, 2:15 - 3:15pm
Moderator:
Doug Johnson, ABA
Panelists:
Tom Yedinak, Senior Legislative Representative, APTA
Jack Lichtenstein, ASIS
Thomas L. Farmer, Deputy General Manager - Mass Transit at the TSA
Objective:
Provide an update on future Congressional actions that may impact various critical infrastructure sectors and their participants.
Description:
Following this year's presidential election, the new Congress will have a number of key priorities to address relating to critical infrastructure protection. Recognizing that terrorism, nation state and cyber criminal attacks affect America and its constituents, Congress will explore a number of legislative and regulatory actions in its next term. Experts with legislative expertise in three key fields—physical security, transportation and banking—will discuss their respective views on what to expect from Congress and executive branch agencies with respect to implementation of more effective and focused efforts in the following areas: public/private sector coordination; critical infrastructure protection and resilience; and enhanced physical security measures to protect the country and its citizens.
INFORMATION SECURITY — Mobile 2.0: Trends and Threats
Wednesday, October 8, 2:15 - 3:15pm
Speaker:
Ram Boreda, VeriSign, Inc
Objective:
Discuss the latest trends and threats surrounding explosive growth of mobile devices and applications in sectors such as advertising, banking, payments, entertainment, marketing, ticketing and identification.
Description:
Enterprises in several industries such as advertising, banking, payments, entertainment, marketing, ticketing and technology are aggressively trying to push personalized content and solutions to the ubiquitous “cell phone.” Nokia estimates five billion Internet-enabled mobile phones by 2015. Mobile search and advertising markets are growing rapidly. The mobile financial services market alone, with a projected market size of $582 billion by 2010, is rapidly turning into another gold rush after the eCommerce wave. In the race to maximize market share, service providers and technology vendors are not paying serious attention to potential security and fraud issues. Mobile devices will be Internet-enabled mini-computers managing our personally identifiable information (PII). Today's mobile services do not encompass the same level of security protection available for PCs and online transactions. Security capabilities such as encryption, two-factor authentication, and anti-virus software need to be developed to mitigate serious security threats.
PHYSICAL SECURITY — Insights from the Nuclear Sector
Wednesday, October 8, 2:15 - 3:15pm
Speaker:
Vijay Nilekani, Senior Project Manager, Security and Operations Support, Nuclear Energy Institute, PCIS Member and Secretary of Nuclear Sector Coordinating Council
Description:
Private nuclear power plants in the US are among the most hardened, robust, 24x7 armed security operations in the country. They are the only private-sector operations whose security is federally regulated to a stringent standard and who are required to demonstrate adequate security capability by conducting periodic force-on-force (FOF) exercises. This panel will discuss the many principles, lessons learned and technologies employed, including the security elements such as hardware, software, multiple levels of barriers, vehicle barriers, armed officers with high training and qualifications, background checks and access control, insider threat mitigation, etc. The industry's latest initiatives with DHS and other federal agencies to further enhance security will also be discussed.
GENERAL— Plenary Event Senior Executives Panel: Security Decision Making in the Risk 2.0 World
Wednesday, October 8, 3:30 - 4:30pm
Moderated by:
Greg Raimann, Ernst & Young
Panelists:
Larry Gordon, University of Maryland
Peter Poulos, Morgan Stanley
Bob Reinhold, Ernst & Young
Description:
How can information and physical security threats/challenges be measured and communicated to executive management in terms they understand? This panel will wrap up the 2008 CIP Congress by drawing on the lessons learned from previous sessions and focus on practical approaches (e.g., risk/cost/benefit optimization) for information security, business continuity and IT service management (delivery) to enable executive management decision making in addressing the threats and challenges facing their organizations.