Government Research Needs: Who Funds What?

Transcription

1 Dept. of Homeland Security Science & Technology Directorate Government Research Needs: Who Funds What? ACSAC 2009 Honolulu, HI December 10, 2009 Douglas Maughan, Ph.D. Branch Chief / Program Mgr. douglas.maughan@dhs.gov /

2 Science and Technology (S&T) Mission Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users. 10 December

3 R&D Execution Model Post R&D Customers * CS&C * NCSC * OCIO * USSS * National Documents Customers Other Sectors e.g., Banking & Finance Prioritized Requirements Pre R&D Critical Critical Infrastructure Infrastructure Providers Providers Outreach Venture Community & Industry Experiments and Exercises R&D Coordination Government & Industry Workshops CIP Sector Roadmaps DNSSEC R&D SPRI Solicitation Preparation Cyber Security Assessment Cyber Forensics Emerging Threats HOST Supporting Programs BAAs SBIRs DETER PREDICT 10 December

4 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

5 National Strategy to Secure Cyberspace The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives. 10 December

6 Information Infrastructure Security DNSSEC Domain Name System Security Working with OMB, GSA, NIST to ensure USG is leading the global deployment efforts Working with vendor community to ensure solutions SPRI Secure Protocols for Routing Infrastructure Working with global registries to deploy Public Key Infrastructure (PKI) between ICANN/IANA and registry and between registry and ISPs/customers Working with industry to develop solutions for our current routing security problems and future technologies 10 December

7 History of Routing Outages Commercial Internet -- specific network outages Apr 1997 AS 7007 announced routes to all the Internet Apr 1998 AS 8584 mis-announced 100K routes Dec 1999 AT&T s server network announced by another ISP misdirecting their traffic (made the Wall Street Journal) May 2000 Sprint addresses announced by another ISP Apr 2001 AS mis-announced 5K routes Dec 24, 2004 thousands of networks misdirected to Turkey Feb 10, 2005: Estonian ISP announced a part of Merit address space Sep 9, 2005 AT&T, XO and Bell South (12/8, 64/8, 65/8) misdirected to Bolivia [the next day, Germany prompting AT&T to deaggregate] Jan 22, 2006 Many networks, including PANIX and Walrus Internet, misdirected to NY ISP (Con Edison (AS27506)) Feb 26, Sprint and Verio briefly passed along TTNET (AS9121 again?) announcements that it was the origin AS for 4/8, 8/8, and 12/8 Feb 24, 2008 Pakistan Telecom announces /24 from YouTube March 2008 Kenyan ISP s /24 announced by AboveNet Frequent full table leaks, e.g., Sep08 (Moscow), Nov08 (Brazil), Jan09(Russia) 10 December

8 SPRI Roadmap COMMENTS ARE ENCOURAGED!!! Roadmap Outline Threats Two major areas Deployment Mechanisms (e.g., BCPs) Protocol Issues Research Near term research Long term research Other research problems 10 December

9 SPRI Deployment Activities Working with registries to deploy PKI between ICANN/IANA and registry and between registry and ISPs/customers Pilot project with the Asia-Pacific Network Information Center (APNIC) to add public key infrastructure to registration operations BGPSEC Protocol Design Team Router Vendors, ISPs, Standards, Academics End Goal: Agreed upon secure routing protocol that can be expedited through the Internet standards process, implemented by router vendors, and deployed by ISPs Tools to help current routing research and operations Check out new RouteViews Real-time data feeds Tool for Prefix Hijack Alert System (PHAS / Cyclops) Tool for Prefix Checker (PCH) 10 December

10 DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises) Provide a dedicated exercise capability for several critical infrastructures in the U.S. Beginning with Banking and Finance Foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops Think through sector impacts and responses to operational disruptions of market-based transactions across networks of the National Planning Scenarios Enhance coordination during a large-scale disruption to key infrastructures The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN- AMRO, Eurex, Archipelago, Bank of New York, and CitiBank. The Financial Services Sector Coordinating Council R&D Committee has organized a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years. 10 December

11 LOGIIC Linking Oil & Gas Industry to Improve Cybersecurity A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems. Consortium under the Automation Federation Industry determines the R&D projects and then government, industry, and national labs help them execute the projects and then promote the results to the rest of the sector Raising awareness for the whole community 10 December

12 TCIPG Trustworthy Computing Infrastructure for the Power Grid Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission & distribution of electric power Protecting the cyber infrastructure Making use of information to detect and respond to attacks Supporting greatly increased throughput and timeliness requirements Support the provisioning of a new resilient smart power grid that Enables advanced energy applications High-speed monitoring and asset control, advanced metering, diagnostics & maintenance 10 December

13 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

14 National Research Infrastructure DETER - Researcher and vendor-neutral experimental infrastructure that is open to a wide community of users to support the development and demonstration of next-generation cyber defense technologies Over 170 users from 14 countries (and growing) PREDICT Repository of network data for use by the U.S.- based cyber security research community Privacy Impact Assessment (PIA) completed Over 330 datasets; Over 100 active users (and growing) End Goal: Improve the quality of defensive cyber security technologies 10 December

15 DETER Map of Global Users Over 170 users from 14 countries (and growing) 10 December

16 DETER Projects DoS Worms and malware Overlays, routing, replic. Hw, sw and netw. test Traceback and attribution Models, policies Classes Diagnosis and recovery Multicast, group comm. Collaborative security Scanning Authentication DNS Spam Spoofing Botnets Wireless 10 December

17 Data Collection Activities Classes of data that are interesting, people want collected, and seem reasonable to collect Netflow Packet traces headers and full packet (context dependent) Critical infrastructure BGP and DNS data Topology data IDS / firewall logs Performance data Network management data (i.e., SNMP) VoIP (2200 IP-phone network) Blackhole Monitor traffic 10 December

18 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

19 Next Generation Technologies R&D funding model that delivers both near-term and medium-term solutions: To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation s critical information infrastructure. To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems; To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency. 10 December

20 BAA Program / Proposal Structure NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in (DHS) customer environments Type I (New Technologies) New technologies with an applied research phase, a development phase, and a deployment phase (optional) Funding not to exceed 36 months (including deployment phase) Type II (Prototype Technologies) More mature prototype technologies with a development phase and a deployment phase (optional) Funding not to exceed 24 months (including deployment phase) Type III (Mature Technologies) Mature technology with a deployment phase only. Funding not to exceed 12 months 10 December

21 BAA Technical Topic Areas Botnets and Other Malware: Detection and Mitigation 2 papers at ACSAC from Georgia Tech Composable and Scalable Secure Systems Cyber Security Metrics Network Data Visualization for Information Assurance Internet Tomography / Topography Routing Security Management Tools 1 paper at ACSAC from Colorado State Process Control System Security Secure and Reliable Wireless Communication for Control Systems Real-Time Security Event Assessment and Mitigation Data Anonymization Tools and Techniques Insider Threat Detection and Mitigation 10 December

22 Next Generation Technologies (2) Two Solicitations 2004 and topics, 17 awards totaling $13.9M 9 Academic (CA,GA,DE,NJ,VA,MI,NH) 8 Private Sector (NY,MD,MN,NJ,MA,TX) 8 commercial products, 2 open source products topics, 17 awards totaling $13.7M 6 Academic (CA,GA,WA,CO,MD) 10 Private Sector (NY,CO,CA,FL,WI,VA) 1 National Lab (NM) 2 commercial products, 4 open source products (so far) Expect another BAA in FY10 10 December

23 Sample Product List Grammatech Binary Analysis tools Coverity Open Source Hardening (SCAN) Telcordia Automated Vulnerability Analysis GMU Network Topology Analysis (Cauldron) Stanford Anti-Phishing Technologies Ironkey Secure USB USURF Cyber Exercise Planning tool HBGary Memory and Malware Analysis Secure Decisions Data Visualization Secure64 DNSSEC Automation 10 December

24 Cyber Forensics Initial requirements working group held 11/20/08 Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD Initial list of projects Mobile device forensic tools GPS forensics tools LE First responder field analysis kit Combined High-speed data capture and deep packet inspection Live stream capture for gaming systems Memory analysis and malware tools Information Clearing House S&T initiated 6 projects in FY09 totaling $2M 10 December

25 Homeland Open Security Technology (HOST) Promote the development and implementation of open source solutions within US Federal, state and municipal government agencies Initial list of projects Federal Government Open Source Census GovernmentForge Open Source Software Repository Work with Open Information Security Foundation New open source IDS Work with community on open source software quality analysis US Government security evaluation processes OpenSSL FIPS validation S&T initiated projects in FY09 totaling $1.5M 10 December

26 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

27 Small Business Innovative Research (SBIR/STTR) FY04 Cross-Domain Attack Correlation Technologies (2) Real-Time Malicious Code Identification (2) Advanced Secure Supervisory Control and Data Acquisition (SCADA) and Related Distributed Control Systems (5) FY05 Hardware-assisted System Security Monitoring (4) FY06 Network-based Boundary Controllers (3) Botnet Detection and Mitigation (4) FY07 Secure and Reliable Wireless Communication for Control Systems (2) FY09 Software Testing and Vulnerability Analysis 10 December

28 Small Business Innovative Research (SBIR) Important program for creating new innovation and accelerating transition into the marketplace Since 2004, DHS S&T Cyber Security has had: 47 Phase I efforts 22 Phase II efforts 12 efforts currently in progress 8 commercial products available Three acquisitions Komoku, Inc. (MD) acquired by Microsoft in March 2008 Endeavor Systems (VA) acquired by McAfee in January 2009 Solidcore (CA) acquired by McAfee in June December

29 Experimental Deployments NCSD / US-CERT Botnet Detection and Mitigation technology from Univ of Michigan Data Visualization technology from Secure Decisions DHS S&T CIO Secure USB technology from IronKey (CA) user deployment within S&T Secure Wireless Access Prototype from BAE Systems (VA) 50 user deployment within S&T Botnet Detection and Mitigation technology from Georgia Tech (GA) and Milcord (MA) Deployment on S&T Labnet and DREN (DOD Research and Engineering Network) SCADA system event detection technology from Digital Bond (FL) Deployment on S&T Plum Island system Regional Technology Integration Initiative (S&T IGD partner) City of Seattle and surrounding cities Botnet Detection and Mitigation technology from Univ of Michigan 10 December

30 Outreach System Integrator Forum held twice in WDC Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies Information Technology Security Entrepreneurs Forum (ITSEF) held three times at Stanford in Palo Alto, CA Partner with the venture capital community to assist entrepreneurs and small business better understand both the government marketplace and the venture community Next one in March 2010; Another one in WDC in October 2010 Information Security Technology Transition Council (ITTC) Held tri-annually in Menlo Park, CA Attendees include venture capitalists, industry, law enforcement, academia, and government WDC Conferences CATCH March 3-4, 2009; Global Cyber Security Conference August 4-6, December

31 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

32 DHS S&T SBIR Solicitation FY09.2 Topic H-SB Software testing and Vulnerability Analysis Objective: Develop services and capabilities to rigorously and routinely build, test, and analyze source and binary forms of software in realistic conditions representative of operational environments in Federal Government and other critical infrastructures. Most proposals (38) received among all topics 7 Phase I awards made for up to $100K each 10 December

33 SBIR Phase I Awards See for abstracts Software Assurance Analysis and Visual Analytics Applied Visions, Inc. (NY) Eliminating barriers to code quality and security with increased timeliness and accuracy of analysis Coverity, Inc. (CA) Run Time Tools Output Integration Framework Data Access Technologies, Inc. (VA) Concolic Testing with Metronome Grammatech, Inc. (NY) CodeSonar with Metronome Grammatech, Inc. (NY) Concurrency vulnerabilities: Combining dynamic and static analyses for detection and remediation SureLogic, Inc. (PA) Virtualization and Static Analysis to Detect Memory Overwriting Vulnerabilities Zephyr Software, LLC (VA) 10 December

34 Statement of Problem Problem: The U.S. is not producing enough computer scientists and CS degrees CS/CE enrollments are down 50% from 5 years ago 1 CS jobs are growing faster than the national average 2 Taulbee Survey, CRA BLS Computer Science/STEM have been the basis for American growth for 60 years The gap in production of CS threatens continued growth and also national security Defense, DHS, CNCI and industry all need more CS and CE competencies now 1 Taulbee Survey , Computer Research Association, May 2008 Computing Research News, Vol. 20/No. 3 2 Nicholas Terrell, Bureau of Labor Statistics, STEM Occupations, Occupational Outlook Quarterly, Spring December

35 Future Cyber Crime Fighter = Middle School or High School Student (12-18 years old) Or 55 Year-old Retiree? WHICH IS IT? BOTH (and everywhere in between) 10 December

36 Think about.. What does a 10-year or 20-year cyber crime veteran look like? How many do we actually have (as a nation)? Are there well-defined career paths and HR mechanisms in place to ensure progression and promotion of a cyber crime fighter? What incentives are in place to enable a mid-life career change? Where is the initiative that s going to create all of these future cyber crime fighters and who s going to pay the bill to train and deploy them? 10 December

37 CCDC Mission The mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess a student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems. CCDC Events are designed to: Build a meaningful mechanism by which institutions of higher education may evaluate their current educational programs Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams Create interest and awareness among participating institutions and students 10 December

38 CCDC Program 10 December

39 2009 CCDC Northwest Regional North Central Regional Midwest Regional Northeast Regional West Coast Regional MidAtlantic Regional Southwest Regional Southeast Regional 10 December

40 2009 CCDC 8 Regional competitions in New regionals for 2009 Northwest: University of Washington North Central: Dakota State University NCCDC April 17-19, 2009 in San Antonio Baker College * Texas A&M * University of North Carolina at Charlotte * Cal Poly Pomona University of Washington Dakota State University University of Pittsburgh Northeastern University * previous winners 2009 Winner: Baker College of Flint, Michigan 10 December

41 U.S. Cyber Challenge DC3 Digital Forensics Challenge An Air Force Association national high school cyber defense competition CyberPatriot Defense Competition A Department of Defense Cyber Crime Center competition focusing on cyber investigation and forensics Netwars Capture-the-Flag Competition A SANS Institute challenge testing mastery of vulnerabilities 10 December

42 Agenda Information Infrastructure Security Critical Infrastructure and Key Resources (CI/KR) National Research Infrastructure Next Generation Technologies Broad Agency Announcements (BAAs) Two new program areas (2009) Cyber Forensics and Homeland Open Security Technology (HOST) SBIRs, Experimental Deployments, Outreach New Emphasis Areas Software Assurance Education, Competitions, Challenges Research Landscape 10 December

43 Timeline of Past Research Reports President s Commission on CIP (PCCIP) NRC CSTB Trust in Cyberspace I3P R&D Agenda National Strategy to Secure Cyberspace Computing Research Association 4 Challenges NIAC Hardening the Internet PITAC - Cyber Security: A Crisis of Prioritization IRC Hard Problems List NSTC Federal Plan for CSIA R&D NRC CSTB Toward a Safer and More Secure Cyberspace All documents available at 10 December

44 Areas of Potential Research Global Scale Identity Management Scalable Trustworthy Systems Survivability of Time-Critical Systems Situational Understanding and Attack Attribution Combating Insider Threats Data Provenance Privacy-Aware Security Enterprise Level Metrics Coping with Malware and Botnets Usability and Security System Evaluation Lifecycle Network recovery and reconstitution Cyber Security economic modeling Modeling of Internet Attacks - critical infrastructure Process Control System (PCS) security Software Quality Assurance Finance Sector R&D Agenda 10 December

45 DHS S&T Roadmap Original 8 topics from the IRC Hard Problems List Usability and Security Coping with Malware and Botnets System Lifecycle Evaluation Publication in December 2009 Will be available at and also in hardcopy Source for future solicitations 10 December

46 Summary DHS has a difficult mission many supporters, many critics, continues to make improvements Activities around Washington, DC having an impact on operational and research agendas DHS S&T is moving forward with an aggressive cyber security research agenda Working with the community to solve the cyber security problems of our current (and future) infrastructure Working with academe and industry to improve national research infrastructure Looking at future R&D agendas with the most impact for the nation 10 December

47 Conclusion Together we must make a difference to improve the cyber security landscape of our country and world 10 December

48 Douglas Maughan, Ph.D. Branch Chief / Program Mgr. douglas.maughan@dhs.gov / For more information, visit 10 December