1 Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes
2 Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes Dr. Jeannette Wing Assistant Director for Computer & Information Science and Engineering (CISE), National Science Foundation (NSF) Dr. Carl Landwehr Program Director, Trustworthy Computing Program, National Science Foundation (NSF) Dr. Patricia Muoio Science and Technology Lead for Cyber, Office of the Director of National Intelligence (ODNI) Dr. Douglas Maughan Program Manager, Cyber Security R&D, Science & Technology Directorate, Department of Homeland Security (DHS S&T) Presented by Federal NITRD Program May 19, 2010 Claremont Hotel 41 Tunnel Road Berkeley, California
3 Federal Cybersecurity R&D: National Dialogue NSA IA NSF Cyber Trust DSB NCW SS SCW POTUS / DNI NCDI CNCI DoE Grassroots LA WS NCDI CI WS SSG NCLY RFI DoE RA DARPA IA Programs DTO/ IARPA IA House DoD Roadmapping CSIS/Comm. on CS for 44th DoD RA POTUS IRC HPL 1 IRC HPL 2 Senate DHS Roadmapping I3P DHS RA
4 Cybersecurity: A Crisis Of Prioritization DHS Roadmap For Cybersecurity Research National Strategy To Secure Cyberspace Cyberspace Policy Review Fed Plan For Cyber Security & Info. Assurance R&D CRA: Grand Challenges In Trustworthy Computing IRC: Hard Problem List NRC: Toward a Safer & Secure Cyberspace CSIS: Securing Cyberspace For The 44 th Presidency National Cyber Leap Year
5 Say No! to Business as Usual
6 Coordinated Effort on Game-Changers It s about trustworthiness of digital infrastructure Security, reliability, resiliency, privacy, usability How can we: Enable risk-aware safe operations in compromised Locution environments for radical thinking Minimize critical system risk while increasing adversaries costs and exposure Support informed trust decisions, necessitating flexible [P. Muoio] security strategies, and allowing for effective risk/benefit analyses and implementations Strong commitment to focus on game-changing technologies for coordinated cybersecurity R&D agenda Comprehensive National Cybersecurity Initiative, Cyberspace Policy Review: Aneesh Chopra, US Chief Technology Officer Howard Schmidt, President s Cybersecurity Coordinator NITRD Senior Steering Group, Interagency WGs CSIA,
7 Three Themes Tailored trustworthy spaces Supporting context specific trust decisions Moving target Providing resilience through agility Cyber economics Providing incentives to good security Remember: These are just starting points.
8 Tailored Trustworthy Spaces Game Changing Theme Carl E. Landwehr National Science Foundation Program Director Trustworthy Computing Program
9 What is a Tailored Trustworthy Space? In the physical world, we operate in many spaces with many characteristics Home, school, workplace, shopping mall, doctor s office, bank, theatre Different behaviors and controls are appropriate in different spaces Today s cyberspace recreates those environments, but blurs the boundaries -- sometimes merges them The vision is of a flexible, distributed trust environment that can support functional, policy, and trustworthiness requirements arising from a wide spectrum of activities in the face of an evolving range of threats
10 New Paradigm Users can select different environments for different activities (e.g., online banking, commerce, healthcare, personal communications) providing operating capabilities across many dimensions, including confidentiality, anonymity, data and system integrity, provenance, availability, performance Users can negotiate with others to create new environments with mutually agreed characteristics and lifetimes
11 EXAMPLE: Healthcare subspaces in Cyberspace Patient employer coverage Insurance Coverage Outbreak information Checking insurance coverage Checking patient records Insurance Coverage Schedule Appointment Services Keys Authentication Integrity Privacy Research virus information High Medium Low
12 Enabling Informed Trust Decisions Provide users with: Context-specific trust services Coherent policy implementation: an integrated set of security choices (or defaults) appropriate to the tasks at hand User/provider/system visible rules and attributes Means to negotiate boundaries and rules of the space
13 Challenge: Identifying dimensions of a tailored trustworthy space Degree of identification / authentication Information flow rules Strength of separation mechanisms Degree of monitoring / violation detection
14 Challenge: Policy Specification and Management Convenient specification of a tailored space Convenient mechanisms to know it Convenient mechanisms to change it
15 Challenge: Validation of platform integrity Challenge: Violation detection Challenge: Verifiable separation of spaces... and many more
16 What s New? Nothing. Few of these individual problems or component technologies are novel Everything. A structure that puts the pieces together to provide integrated, usable support for diverse trust environments would change the game.
17 Which technology areas matter? Identity management Component assurance Composition methods and logics Trust negotiation and management...
18 Moving Target Game Changing Theme Patricia A. Muoio ODNI Science and Technology Lead for Cyber
19 What is Moving Target Controlled change across multiple system dimensions to: Increase uncertainty and apparent complexity for attackers, reduce their windows of opportunity, and increase their costs in time and effort Increase resiliency and fault tolerance within a system
20 New Paradigm All systems are compromised; perfect security is unattainable Objective is to continue safe operation in a compromised environment, to have systems that are defensible, rather than perfectly secure Cybersecurity is an adversarial science
21 Seizing the Advantage By establishing controlled movement across multiple system dimensions, we can shift the advantage to the defender by increasing: The costs to an attacker in time and resources for reconnaissance, planning, and development the degrees of uncertainty for the attacker the apparent complexity of an individual target the apparent diversity across any set of targets The range of defense strategies available to the defender The resiliency and fault tolerance of the target through redundant paths, resources, and configurations
22 Challenge: Managing Moving Target Systems Moving target systems should confound the adversary, not the user Need system management and configuration capabilities that can support correct use of highly complex systems Need cognitive interfaces to moving target systems Deployment of moving target mechanisms requires complex cost/benefit analysis Need metrics and analytic methods to enable such analysis Each moving target mechanism addresses only a subset of the attack vectors Need decision support mechanism for deployment of moving target systems
23 Challenge: Smart Movement Moving targets need to be agile We need to consider autonomic behavior and concepts learned from analysis of immune systems, species evolution, and other natural responses to threat Moving target mechanisms need to adapt quickly We need to get within the adversaries re-design loop Moving target mechanisms have performance costs We need system control mechanisms that enable real-time threat-appropriate selection of moving target protections
24 Challenge: Developing a Cyber Ecosystem to Support Agility Keyed random moving target systems present key management challenges Need systems that accommodate ad hoc key distribution, rapid rekeying Moving target mechanisms require complex decisions Need enhanced capabilities to provide situational awareness of system state and current threats Need metrics to support both human and machine decision making Moving target at scale may result in highly complex systems Need new methods to model, test and evaluate such systems
25 Cyber Economic Incentives Game Changing Theme W. Douglas Maughan DHS Science and Technology (S&T) Program Manager
26 What is Cyber Economic Incentives? An examination to determine what impacts cyber economics and what incentives can be provided to enable ubiquitous security: New theories and models of investments, markets, and the social dimensions of cyber economics Data, data, and more data with measurement and analysis based on that data Improved SW development models and support for personal data ownership
27 What needs to change? Promotion of science-based understanding of markets, decision-making and investment motivation Develop new theories and models Promote the role of economics as part of that understanding Creation of environments where deployment of security technology is balanced Incentives to engage in socially responsible behavior Deterrence for those who participate in criminal and malicious behavior
28 Challenge: Cyberspace Data Legal and ethical collection, protection and distribution Ensure *all* data types/categories are available to the R&D community, including international sharing Provide protections to data providers, e.g., anonymization Lack of appropriate data to support effective economic analysis Why isn t there cyber insurance actuarial information? Current incident trending information inadequate for decision-makers (e.g., no ground truth for malware, incidents, etc.)
29 Challenge: Personal Info/Behavior Educating users about the benefits of secure practices and acceptable cyber behavior Currently, the user is the weakest link Will improved usability impact the security deployment picture? Personal Data Lack of understanding and agreement of what it is Who s ultimately responsible for *my* personal data? Can I hold them accountable? Do I actually *own* it? What economic issues are associated with personal data?
30 Challenge: Empowerment of critical infrastructure providers Assess economic benefits and costs of protecting critical infrastructure against disruption Educate vendors about their role w.r.t. secure software Provide legal frameworks allowing service providers to be more active in defense of their systems/services What is allowable scope of action in active response, within the context of global legal capacities and partnerships? How do we empower providers to reduce abusive or criminal behavior and provide appropriate law enforcement support?
31 What is the end result? Data for everyone, anytime, anywhere Security deployment decisions based on knowledge, metrics, and proper motivations Properly incentivized vendors Individual users taking ownership of their personal data Critical infrastructure providers able to better defend their networks and systems
32 Why Should You Care? How Can You Get Involved?
33 We Want Your Input and Comments Federal R&D agencies will use your input to refine the R&D themes, to structure research activities, and to provide the basis for requests for additional Federal research funding Contribute ideas Share results Public Comment Period (5/19-6/18, 2010) Visit: to share your comments and participate in the Forum to: Mail to: NCO/NITRD, Suite II-405, 4201 Wilson Boulevard, Arlington, Virginia 22230
34 It s a Collective Effort: Examples Shared datasets Red Teaming System stress tests Shared common problem to tackle Academia ecosystem Industry Government New models of engagement Sustained investment models Lightweight submission and reporting
35 Think Big, Think Novel It s about making our nation more cybersecure, not about the quest for the next 12-month, 12-page chunk of work.* *J.M.Wing, CACM Blog Entry Breaking the Cycle, August
Testimony of Farnam Jahanian, Ph.D. Assistant Director Computer and Information Science and Engineering Directorate Before the Committee on Science, Space, and Technology Subcommittee on Technology and
Vol. 19 No. 4 2012 Building a national program for cybersecurity science Globe at a Glance According to the Experts Pointers Spinouts GUEST Editor s column Frederick R. Chang, PhD Considered by most to
THE PRESIDENT S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE NSTAC Report to the President on the Internet of Things November 19, 2014 TABLE OF CONTENTS EXECUTIVE SUMMARY... ES-1 1.0 INTRODUCTION...
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
Designed-In Cyber Security for Cyber-Physical Systems Workshop Report by the Cyber Security Research Alliance 4-5 April 2013 in Gaithersburg, Maryland Co-sponsored with the National Institute of Standards
Cyber Security: Designing and Maintaining Resilience White paper presented by: Georgia Tech Research Institute Cyber Technology and Information Security Laboratory Dr. George A. Wright Chief Engineer Terrye
WHITE PAPER Cybersecurity in Modern Critical Infrastructure Environments SECURE-ICS Be in Control Securing Industrial Automation & Control Systems This document is part of CGI s SECURE-ICS family of cyber
National Cyber Security Research and Development Challenges Related to Economics, Physical Infrastructure and Human Behavior An Industry, Academic and Government Perspective 2009 A report to the Chairman
Connecting Health and Care for the Nation A Shared Nationwide Interoperability Roadmap DRAFT Version 1.0 Table of Contents Letter from the National Coordinator... 4 Questions on the Roadmap... 6 Executive
Summit on Education in Secure Software Final Report Dr. Diana L. Burley The George Washington University Dr. Matt Bishop University of California, Davis GW: UCD: Report GW-CSPRI-2011-7 Technical Report
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Transforming the Way Government Builds Solutions > ACT-IAC Institute for Innovation 2013 American)Council)for)Technology Industry)Advisory)Council:)) The American Council for Technology (ACT) is a non-profit
110101001101101101010011000 11011010100110110101001100 11011010011011010100110000 10100110110101001100010010 Protecting Information The Role of Community Colleges in Cybersecurity Education A Report from
Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 March 7, 2012 Table of Contents I. Introduction: Current State of Federal Information
Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.
ericsson White paper Uen 307 23-3230 February 2014 Guiding principles for security in a networked society The technological evolution that makes the Networked Society possible brings positive change in
Cyber Security Capability Maturity Model (CMM) - Pilot Global Cyber Security Capacity Centre University of Oxford 12/15/2014 1 Table of Contents Introduction... 3 Cyber Security Capability Maturity Model...
National Spatial Data Infrastructure Strategic Plan 2014 2016 Federal Geographic Data Committee December 2013 Federal Geographic Data Committee Federal Geographic Data Committee, Reston, Virginia: 2013
Cyber Security Strategy of the United Kingdom safety, security and resilience in cyber space O C S UK Office of Cyber Security C S O C UK Cyber Security Operations Centre June 2009 Cyber Security Strategy
Green Paper on Citizen Science Citizen Science for Europe Towards a better society of empowered citizens and enhanced research Green Paper on Citizen Science Citizen Science for Europe Towards a better
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to