XXXX-11-02观势-论则-取实--网络信息安全的趋势、

观势、论则、取实——网络信息安全的趋势、原则和实践2010年11月2日2内容简介3得到高层重视的两件事奥巴马政府的报告IBM提出智慧地球4奥巴马报告要点观察•明确Cyberspace网际空间陆、海、空、太空、网际等五大空间并列•突出讲问题、威胁•强调政治、军事、经济、外交等手段共同协调•划定关键基础设施电信、金融、电力、联邦政务•总统直辖的负责人和办公室•近期和中期行动计划5近期行动计划1.AppointacybersecuritypolicyofficialresponsibleforcoordinatingtheNation’scybersecuritypoliciesandactivities;establishastrongNSCdirectorate,underthedirectionofthecybersecuritypolicyofficialdual-hattedtotheNSCandtheNEC,tocoordinateinteragencydevelopmentofcybersecurity-relatedstrategyandpolicy.2.PrepareforthePresident’sapprovalanupdatednationalstrategytosecuretheinformationandcommunicationsinfrastructure.ThisstrategyshouldincludecontinuedevaluationofCNCIactivitiesand,whereappropriate,buildonitssuccesses.3.DesignatecybersecurityasoneofthePresident’skeymanagementprioritiesandestablishperformancemetrics.4.DesignateaprivacyandcivillibertiesofficialtotheNSCcybersecuritydirectorate.5.Conveneappropriateinteragencymechanismstoconductinteragency-clearedlegalanalysesofprioritycybersecurity-relatedissuesidentifiedduringthepolicy-developmentprocessandformulatecoherentunifiedpolicyguidancethatclarifiesroles,responsibilities,andtheapplicationofagencyauthoritiesforcybersecurity-relatedactivitiesacrosstheFederalgovernment.6近期行动计划6.Initiateanationalpublicawarenessandeducationcampaigntopromotecybersecurity.7.DevelopU.S.Governmentpositionsforaninternationalcybersecuritypolicyframeworkandstrengthenourinternationalpartnershipstocreateinitiativesthataddressthefullrangeofactivities,policies,andopportunitiesassociatedwithcybersecurity.8.Prepareacybersecurityincidentresponseplan;initiateadialogtoenhancepublic-privatepartnershipswithaneyetowardstreamlining,aligning,andprovidingresourcestooptimizetheircontributionandengagement9.IncollaborationwithotherEOPentities,developaframeworkforresearchanddevelopmentstrategiesthatfocusongame-changingtechnologiesthathavethepotentialtoenhancethesecurity,reliability,resilience,andtrustworthinessofdigitalinfrastructure;providetheresearchcommunityaccesstoeventdatatofacilitatedevelopingtools,testingtheories,andidentifyingworkablesolutions.10.Buildacybersecurity-basedidentitymanagementvisionandstrategythataddressesprivacyandcivillibertiesinterests,leveragingprivacy-enhancingtechnologiesfortheNation.7近期行动计划1.任命网际安全政策高级协调官2.为总统准备更新的国家战略3.明确网际安全是总统的关键管理优先级，建立指标度量4.任命隐私和公民自由官员5.建立合适的跨部门机制6.启动一个国家公众宣传和教育计划7.发展并加强对于国际伙伴的保障8.准备一个网际安全事件响应计划；启动与私营机构的合作9.关注改变游戏规则的技术发展10.建立基于网际安全的ID管理战略8中期行动计划1.Improvetheprocessforresolutionofinteragencydisagreementsregardinginterpretationsoflawandapplicationofpolicyandauthoritiesforcyberoperations.2.UsetheOMBprogramassessmentframeworktoensuredepartmentsandagenciesuseperformance-basedbudgetinginpursuingcybersecuritygoals.3.ExpandsupportforkeyeducationprogramsandresearchanddevelopmenttoensuretheNation’scontinuedabilitytocompeteintheinformationageeconomy.4.Developastrategytoexpandandtraintheworkforce,includingattractingandretainingcybersecurityexpertiseintheFederalgovernment.5.Determinethemostefficientandeffectivemechanismtoobtainstrategicwarning,maintainsituationalawareness,andinformincidentresponsecapabilities.6.Developasetofthreatscenariosandmetricsthatcanbeusedforriskmanagementdecisions,recoveryplanning,andprioritizationofR&D.7.Developaprocessbetweenthegovernmentandtheprivatesectortoassistinpreventing,detecting,andrespondingtocyberincidents.8.Developmechanismsforcybersecurity-relatedinformationsharingthataddressconcernsaboutprivacyandproprietaryinformationandmakeinformationsharingmutuallybeneficial.9中期行动计划9.Developsolutionsforemergencycommunicationscapabilitiesduringatimeofnaturaldisaster,crisis,orconflictwhileensuringnetworkneutrality.10.Expandsharingofinformationaboutnetworkincidentsandvulnerabilitieswithkeyalliesandseekbilateralandmultilateralarrangementsthatwillimproveeconomicandsecurityinterestswhileprotectingcivillibertiesandprivacyrights11.Encouragecollaborationbetweenacademicandindustriallaboratoriestodevelopmigrationpathsandincentivesfortherapidadoptionofresearchandtechnologydevelopmentinnovations.12.Usetheinfrastructureobjectivesandtheresearchanddevelopmentframeworktodefinegoalsfornationalandinternationalstandardsbodies.13.Implement,forhigh-valueactivities(e.g.,theSmartGrid),anopt-inarrayofinteroperableidentitymanagementsystemstobuildtrustforonlinetransactionsandtoenhanceprivacy.14.Refinegovernmentprocurementstrategiesandimprovethemarketincentivesforsecureandresilienthardwareandsoftwareproducts,newsecurityinnovation,andsecuremanagedservices.10中期行动计划1.法律2.预算计划3.教育和研究4.引入专家进入联邦政府5.战略预警机制和事件响应能力6.开发一套威胁场景和度量7.建立政府和私营机构的良好机制，以应对事件8.建立信息分享机制9.保障应急通讯能力10.保护隐私和公民自由11.鼓励与研究机构和产业界的合作12.研究开发框架和标准13.建立可以互操作的ID管理14.改进政府采购策略11IBM提出的智慧地球12IBM提出的智慧地球的3个I13从风险三要素开始抓住最根本的、保持不变的14梳理手上的强认证入侵检测组织体系多功能网关UTM工作流管理平台等级保护规划/计划项目管理应急响应三观论宏观/中观/微观合作/外包分布式拒绝服务攻击办公安全骨干网服务器安全设备故障网络渗透电磁泄漏终端安全文档安全垃圾信息漏洞/脆弱性黑客15梳理手上的分布式拒绝服务攻击办公安全骨干网服务器安全设备故障网络渗透电磁泄漏终端安全文档安全垃圾信息漏洞/脆弱性黑客16梳理手上的分布式拒绝服务攻击办公安全骨干网服务器安全设备故障网络渗透电磁泄漏终端安全文档安全垃圾信息漏洞/脆弱性黑客业务大集中数据中心线路中断17梳理手中的业务大集中数据中心线路中断强认证入侵检测组织体系多功能网关UTM工作流管理平台等级保护规划/计划项目管理应急响应三观论宏观/中