Participants: Introduction:

Transcription

1 National Conversation A Trusted Cyber Future Discussion Led by Dan Massey, CSD Program Manager Moderator: Joe Gersch (Secure 64) Department of Homeland Security Science and Technology Directorate (DHS S&T) Hosted by the University of Colorado-Boulder August 6 th, :30am-12:30pm Participants: - Government o Dan Massey, DHS S&T o Doug Maughan, DHS S&T o Ann Cox, DHS S&T o Tammi Fisher, DHS S&T o Kyshina Dickerson, DHS S&T - Other attendees o A combination of 16 participants representing industry and academia Introduction: The National Conversation A Trusted Cyber Future includes a series of in-person community engagements at meetings and conferences, as well as an online collaboration community where ideas can be posted, ranked, and discussed. A National Conversation meeting was held at the University of Colorado-Boulder on August 6, Dan Massey, Program Manager for the Cybersecurity Division (CSD) within the Department of Homeland Security Science and Technology Directorate (DHS S&T), provided an introduction for Joe Gersch (Secure 64) who ultimately served as moderator for the meeting. Approximately 21 researchers and key stakeholders from industry, academia, and government participated in the 3½-hour session. The objectives of this meeting were to gain input and responses to questions that will help shape DHS S&T and federal cybersecurity research and development (R&D) for the next five years. Opening Presentation: CSD Division Director, Dr. Douglas Maughan opened the Conversation by presenting a brief overview detailing the purpose of the National Conversation, information sharing, and referring to the 2013/2014 CSD Cybersecurity R&D Strategic Plan, which identified 39 priority areas with 320+ focus areas, organized into the following themes below 1. Software Assurance Network Security 1

2 Mobile, Web, and Cloud Security Identity Management and Privacy Usability and Metrics Cyber Security Education and Training Comprehensive National Cybersecurity Initiative (CNCI) Securing Critical Infrastructure Law Enforcement Needs Dr. Maughan further explained that NITRD and a number of member agencies, including DHS, NSF, NIST, DOE, and others coordinated on the US Federal cybersecurity R&D. The group produced the 2011 Federal Cybersecurity R&D Plan, which identities a number of areas and themes: Research Themes o Tailored Trustworthy Spaces o Moving Target o Cyber Economic Incentives o Designed-In Security Science of Cyber Security Support for National Priorities Transition to Practice The DHS S&T Cybersecurity Division (CSD) 2 receives research requirements from multiple sources, including: the White House and various Federal strategies, plans, and programs, DHS components, other government agencies, critical infrastructure sectors (privacy industry), state and local government, and international partners. The CSD mission is to: develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks; conduct and support technology transition efforts; and provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community. The private sector has more information than the government especially when you think about the internet and critical infrastructure. Information sharing questions asked by attendees: What are the incentives for sharing? Provide data back to the research community to build better tools for the next generation Questions that come up in the community are: 1. Who owns the information? 2. Who can I share the information with? 3. Who should not receive the information? 4. What are the mechanisms for information sharing? 2

3 What is the difference between ISAC and ISAO s? ISAC s are private sector focused ISAO s are State and Local driven How does CSD fund research? Based on the maturity of the technology months basis Funding depends on the budget we receive from Congress Main Discussion: Is a shift needed in a way that the government approaches cyber research? Possibly consider an insurance model. There have been suggestions in the past where people have said you will never stop hackers. Car insurance and home insurance for example, where you have people contribute to protect themselves from tragedy. We then ultimately cover ourselves: o Have everyone contribute o Accept some liability o Accept some level of fraud o Accept some level of risk Realistically it s the consumer that will bear most of the liability. It should be the liability of the company at fault, not the consumer. It s just a myriad of threats. Software assurance. Combine network security with mobile and cloud for extra protection. How can we make a decision without data? Over time you would access the claims and build up a database Physical security Cyber security Software assurance most of the problems come from crappy code o Software assurance is the correctness of software o Combine network security and mobile cloud Cyber security and loss of life is it going to take loss of life to change the balance? It s just a matter of time before it happens It may not be something malicious

4 What will be the most pertinent cyber-security concerns of the next 5 years? Internet of Things (IoT) comes to mind. Market research states that this is going to be a fast growing space. We need to be concerned about how to protect those assets and make those devices that are mission critical secure. Level of trust issue regarding personal information: Getting to a level of trust with smart phones and laptops, we know who we trust with people but not quite there with computability, because the complexity of technology is also an issue. You can change the culture but if you re going to be secure you re going to have to do what s necessary to make things secure. How do you change some of the software that does not make things secure without getting to the point where you build security in later? We would really have to undertake an effort to make things secure. What is the view on the current academic code of teaching for security? Students not typically judged on how secure something is, but more so the performance. If workforce development is important we need to get kids informed early. By the time they go through 6 years of penetration testing and go to college, they re getting hired right out of school. If the knowledge of security is built in at an early age it makes more sense. Some of those individuals who are younger and learning how to hack tend to seek resources that lead them down a dark path. If we can lead them into a more positive way we can avoid some of this hacking. We need to ask for help from our current national education systems. When do we teach cyber security and ethics that go along with it? We are at a point where the security conversation will change. In the past security was considered to be someone else s problem. Now, we are at a point where it will truly start to affect people s lives. We need to start thinking about different security models. Identity Management o How to get away from using passwords for authentication o Guarantee privacy o How to authenticate the user is who they say they are o Build levels of trust in computing Usability because of complexity Cultural shift in order to build things Make secure coding How do we change the culture of building secure technology? Developing software and hardware that s secure Make secure coding a part of the infrastructure that s being used

5 How do you think secure coding is included in curriculum today? Think about defenses Judged on functionality not on security Design curriculum to build security into as a design process At what age should we start teaching cyber security? Possibly in elementary school, have kids familiarize themselves at a younger age. Grow with technology. If a competition is available, get children involved. Schools are now offering cyber security, computer science, and/or robotics classes. Develop age specific curriculum What technology areas would you fund to prevent critical infrastructure? Hacking is an attitude: Smart sensors Different security models Biological defense mechanisms Static code analysis Wireless networking The enemy is the human: training for every day people What needs to be done to accelerate the transition of cyber security solutions into the marketplace? How is it going and how can we improve it? Micro loans Broker model Developers and end users o An accelerated way to find technologies that are needed Accelerator model corporate partners provides requirements o What s needed? o What s out there? o Mentoring o Pair with the appropriate entity o Create a path to customer o Seeing products that are duplicating each other o Curate the market better o Incubator period 4 months ($50,000) Cyber threats are like bird flu the solution is putting pressure on people commercially to change things o See where the culprits are o Is there a better way to call them out? Improve relationships in government and with government and industry.

6 Open Source Solutions? Is there a place where the end-users can transition their technology? Need to know what technologies people are looking for? Even if issues are fixed, it doesn t mean the resolution will be consistent. Get involved with FISMA and Fedramp. Get to a place where some of the small communities can play in the Fed space Can the government make their operational requirements known to the small investment community? What will be the biggest key to improving cyber security over the next five years? Dark net what s going to happen next Good and bad uses of anonymity Privacy: o Preserving privacy o Not a clear understanding o European vs American view of privacy People aren t willing to offer information about themselves: o Assumption that there won t be unauthorized access o What s authorized is different from what the user thinks Changing the landscape of cyber security as a whole. Think space race: how the 60 s changed when people landed on the moon. Encouraging women and other minorities to get involved in the area of cyber security and computer science. Closing/Conclusion: Dr. Maughan informed participants that there is The National Conversation A Trusted Cyber Future which includes a series of in-person community engagements at meetings and conferences, as well as an online collaboration community at where ideas can be posted, ranked, and discussed. He encouraged participants to engage in online discussions via the IdeaScale portal 3. Background information and notes from the various National Conversation meetings are also available on these site