The New England Cybersecurity Consortium

Transcription

1 The New England Cybersecurity Consortium A Paradigm Shift in Education and Workforce Development in Security Fields ACSC: Launched and supported by:

2

3 Executive Summary 3 This New England Cyber Security Consortium plan proposes the integration of New England s significant constellation of existing Cyber Security assets around a central physical intellectual hub or Center of Excellence which will bring together Cyber security academics, R&D investigators, and industry partners; students and faculty, as well as visitors, government officials, and policy makers around major Cyber security topics. The Cyber Security Challenge Our increasingly open digital global world presents both extraordinary opportunities and equally extraordinary levels of risk. The scale of vulnerability, the means and unanticipated timing of threats on our cyber and physical infrastructure are bringing into question the nature of national security and the way in which individual citizens, businesses, cities, and regions protect themselves from potentially debilitating cyber-attacks. New England s Cyber Security Assets The energy and special glue provided by the New England constellation of Cyber security assets and the more than 300,000 talented students studying in the area, place the envisioned consortium in a strong position to become an example for other regional efforts, and to emerge as one of the main architects of the nation s cyber security strategy. The existing Advanced Cyber Security Center (ACSC) is a nonprofit corporation with membership of the universities in the Massachusetts Green High Performance Computing Consortium (MGHPCC), a group of more than twenty corporate members, as well as the Massachusettsbased Federally Funded Research and Development Centers (MITRE, MIT Lincoln Labs and Draper Labs), and the Commonwealth of Massachusetts. The ACSC is developing unique approaches to sharing cyber threat information, to engaging in next-generation cyber security research and development, and to creating education programs to address the shortfall in cyber talent. The ACSC is currently 100% funded by our members. The Vision Qualitatively enhancing the resilience of our cyber infrastructure will necessitate large systemic changes in many areas and on many levels. The Center will provide the hub for coordination and integration of efforts among multi-disciplinary academic, industrial, and governmental partners in driving initiatives to support attainment of this goal and the following sub-goals. Transform education to familiarize and sensitize all levels of society to notions of cyber risk in their personal lives, and to the importance of cyber-safe habits. Dramatically increase the workforce capable of inventing, implementing, and managing the next generation live and intelligent cyber environment. Transition to a new infrastructure, based on novel trusted technologies that incorporate reliability and adaptability as principal features of their design. Explore new entrepreneurial models at the regional, national and global levels. The path forward requires a dramatic leap ahead with multiple substantial cross disciplinary research efforts supporting a new vision for a more secure cyber space. The Path Forward The ACSC represents a major resource for the region and the country; and has the human capital, academic reputation, the broad industry and business leadership and the government support to assume a major role in shaping our nation s cyber security strategy. The existing ACSC will serve as the coordinating body for the development and implementation of the expanded Cyber Security Center described in this proposal. University Technology Research and Development: 7 MIT s Computer Science and Artificial Intelligence Laboratory (CSAIL) 14 Hariri Institute for Computing and Computational Science & Engineering 11 George J. Kostas Institute for Homeland Security. 15 The University of Massachusetts Cyber Security Cluster 13 The MIT Geospatial Data Center (GDC) 6 The Massachusetts Green High Performance Computing Center (MGHPCC) Social sciences including economics, psychology, sociology, law, public policy: 9 The Berkman Center for Internet and Society at Harvard University 8 The Belfer Center at Harvard University Kennedy School 10 The Data Privacy Lab, Institute for Quantitative Social Science (IQSS) at Harvard University 12 The Institute for Infrastructure Protection (I3P) at Dartmouth College 17 The New England Public Policy Center of the Federal Reserve Bank of Boston Not-for Profit National Security Research and Development Laboratories: 2 The MITRE Corporation 5 MIT Lincoln Laboratory 4 Draper Laboratory Leading security technology corporations: 1 RSA Laboratories, research center of RSA, The Security Division of EMC 3 Akamai Technologies 16 Veracode Other leading enterprises with large security operations and development programs: Financial Services (including Federal Reserve Bank of Boston), Life Sciences/Bio-tech, Healthcare, Defense, Utilities Sectors Entrepreneurship: New England venture capital University technology management offices

4 The Cyber Security Challenge Protecting our society and its economic and political foundations from unpredictable and rapidly-evolving types of attacks on our cyber and physical infrastructure requires a paradigm shift in our approach to all levels of education in computer sciences and technical fields, and in other areas relevant to security. The workforce pipeline of the quality and sophistication required to establish and manage a resilient and adaptable next generation cyber and physical infrastructure cannot be sustained without a fundamental and continued long-term integration of education, basic and applied research, technological innovation and translation into practice. This integration requires a sense of urgency and purpose, and a level of commitment to collaboration and information sharing across academia, industry, the financial sector, and government that are unprecedented in the history of technology. The Boston area and, more generally, the New England region, is uniquely placed to deliver on these challenges and lead the paradigm shift alluded to above. The implementation of this integrated vision will have a transformational impact on the recruitment and retention of talent, on the scope and reputation of our already world-class research and R&D efforts in security fields, and on economic development in the region, and will establish I-95 through the region as the security innovation corridor of the nation. Motivation: Our increasingly open digital global world presents both extraordinary opportunities and equally extraordinary levels of risk. The scale of vulnerability, the means and unanticipated timing of threats on our cyber and physical infrastructure are bringing into question the nature of national security and the way in which individual citizens, businesses, cities, and regions protect themselves from potentially debilitating cyber attacks. Qualitatively enhancing the resilience of our cyber and physical infrastructure while preserve critical functionality while under active attack, and increasing personal and community security, redefining rules of law and diplomacy, and defining and enforcing appropriate behavior in digital world will necessitate large systemic changes in many areas and on many levels: We must transform general education and primarily social science, computational sciences, engineering, as well as professional education by familiarizing and sensitizing all levels of society -- starting with the youngest K-12 population to notions of risk and security in their personal lives, and to the importance of developing cyber-safe habits. We must develop and transition to a new infrastructure, based on novel trusted technologies, both digital and physical, that incorporate reliability and adaptability as principal features of their design. We must dramatically increase the workforce capable of mitigating the current level of threats and of inventing, implementing, and managing the next live and intelligent cyber environment. At every level of experience college graduates, Masters, and PhD this workforce must be highly sophisticated: (a) it must have expertise at the forefront of disciplines across computational sciences and engineering as well as the social sciences, law, business, and policy -- important for the security fields; (b) it must understand the technical and operational complexities of trusted architectures but also build solid knowledge and intuition about real-time practical challenges facing specific sectors of society; and (c) it must be sufficiently skilled and flexible to adapt and respond in real time to substantial changes in the nature and extent of threats. Moreover, establishing a stable long-term resilient framework for healthy competition but peaceful cyber coexistence a living cyber immune system is intrinsically connected to the exploration of new entrepreneurial collaborative models, innovative businesses and longterm sustainable economic development at the local, regional, national, and global levels. 4

5 The New England Cybersecurity Consortium This white paper outlines a vision for developing Boston, the Commonwealth of Massachusetts, and the New England area into the premier incubator for the next generation of academic, industry, and government leaders and entrepreneurs who, together, will address the growing cyber challenge. The Advanced Cyber Security Center (ACSC) is a 501c3 corporation, by Mass Insight Global Partnerships and with membership of the universities in the Massachusetts Green High Performance Computing Consortium (MGHPCC) (Boston University, Harvard, MIT, Northeastern, and the University of Massachusetts). In addition to the five MGHPCC institutions, the ACSC includes a group of more than twenty corporate members (see appendix), as well as the Massachusetts-based Federally Funded Research and Development Centers (MITRE, MIT Lincoln Labs and Draper Labs), and the Commonwealth of Massachusetts. The ACSC will serve as the coordinating body for the development and the implementation of this vision. Taken in its totality, the ACSC represents a major resource for the region and the country; and has the human capital, the knowledge base and international academic reputation, the broad industry and business leadership, and the government support, both at the local and federal levels, to assume a major role in shaping our nation s cybersecurity strategy. The Vision Achieving the substantive changes implied in these aspirational goals requires levels of coordination, collaboration and integration of talent, expertise, and resources across all areas of society that are unprecedented and transformational. Here we focus on a number of illustrative examples that represent in our view critical elements on the path to addressing the cyber security challenges. I. Cybersecurity and Big Data : Two Sides of the Same Coin Absolutely key to understanding and developing solutions to short- and long-term cyber security problems is sharing experiences as well as quantitative data across related institutions and sectors of industry, among different sectors, and with academic and R&D researchers. The primary goal is to collect, organize, curate, and analyze large data sets on attacks of various scales across a broad range of institutions with the hope of learning to read the tea leaves, premonisce and possibly isolate the impact of attacks and viruses as they unravel. More generally, with the proliferation of data across all areas of human activities the competitiveness of many entities is beginning to depend on data driven processes and metrics, even when data was not traditionally relevant to the entity s mission or business, or profit model. Fundamental to the relevance and usefulness of the data is the integrity and security of the data itself, as well as the resilience of the infrastructure used to collect, curate, store, manipulate, and interpret this data. For example, the vulnerability of wireless devices and the fragility of processes involved in managing and carrying out computations on data outsourced to the cloud (cloud computing) are major challenges across virtually all for-profit or not-for-profit human activities. As most entities do not have the resources and expertise to (a) collect, curate and store their own data; (b) share data sets, with appropriate security, privacy, and anonymity controls, when willing to do so; and (c) extract useful information from this data. As a result, dealing with the cyber security issues raised by big data while at the same time maximizing the use of the information stored in big data to drive positive change in the world in which we live, suggest that free societies will have to: (a) adopt a more open, transparent, yet secure framework for sharing data; and (b) develop a secure distributed shared infrastructure for organizing, curating, and mining this data 5

6 II. A Paradigm Shift in Education and Workforce Development Addressing the breadth of issues outlined above will require a major transformation of the way we educate and mentor students interested in a career in security and, more generally, students in all related fields. This transformation is based on three qualitatively different but equally important areas of integration: (i) integration of disciplines, from computer and computational sciences, to the social sciences, economics, law, and policy, to psychology and ethics; (ii) the integration of basic, applied, and translational research with manufacturing and commercialization of cybersecurity and privacy tools and services; and (iii) the partnership between academia, government, industry, and venture capitalists in exploring, developing, and implementing new frameworks, practices, and policies, that support innovation in security fields under weaker constraints than those connected with traditional academic environments. These three areas of integration shape some of the design elements we are adopting in developing our strategy to mentoring and workforce development in security fields: Cyber security cannot be taught as an independent, self-contained subject, (except in advanced specialized courses). The long term goal is to change the curricula so that security is emphasized in all courses on programming, software engineering, networking, operating systems, control systems, databases, electronics and computer engineering, and in some of the courses in other areas relevant to security, such as psychology, economics, management, and policy. Security is an applied, solution-oriented field and integrating the knowledge gained in courses into real-world effective solutions requires serious hands-on practical training, at every level of professional experience. In addition to laboratory courses, all students with interest in areas of security should be involved in rotations, internships, and coops to be hosted and resourced by industry and/or national laboratories. These practical training programs (a) give students the opportunity to learn about the management of risks and threats in different sectors, or develop in-depth knowledge of the critical problems faced by a particular industry; and (b) provide industry with extended opportunities to train, evaluate and recruit potential permanent employees. Another potential connection with industry is to establish student/post-doc run consulting groups, overseen by senior researchers, that assist industry clients in addressing industryspecific short-term problems. Another feature of our educational vision is that courses and programs will be organized jointly among five or more institutions in the Boston area and New England. As a result of the larger number of faculty and areas of expertise represented in the program the curriculum is both broader and deeper than what could be offered by any single institution. Increasing the scale of the program accelerates learning through enhanced interactions among students and their exposure to a larger number of ideas, relationships among different ideas, and different points of view. Moreover, with a large pool of teachers and mentors, faculty have more time available for research, advising advanced graduate students, and teaching more advanced courses. 6

7 III. Leading-Edge Research and Development Basic research has always represented the principal driver for innovative technologies, yet as the technology matured basic discoveries led to substantive changes only sporadically. The case of cybersecurity is, however, unique: as the nature, frequency and seriousness of cyber attacks evolve, once powerful deterrents become ineffective and novel strategies must be urgently deployed to re-establish resilient functionality of the system. Ensuring access to state-ofthe-art ideas and tools on an ongoing basis requires that basic academic research is a critical ingredient in the development of real-time strategies and solutions across all sectors of society. It is important to realize that, due to the open-ended and visionary character of basic research, the relevance of some important transformational ideas may not be recognized for decades, while the results of other research directions could be applied immediately. This broad mix of readiness for primetime that characterizes the output of the research enterprise is essential to creating an ecosystem of people, ideas, hard results, and technology, which serves as the incubator for solutions to security threats that ultimately preserve the long-term viability of system. In turn, excellence in research attracts high quality faculty and students, drives excellence in education and training, and creates the workforce that fuels the innovation economy and economic development of the region and the nation. This cycle generates the competitive advantage of the region, and provides the strategies for its own resilience and long-term sustainability. IV. An Engine for Economic Development There are many opportunities for economic development based on cybersecurity-related innovation and technologies: First, there are typical cyber security startups and established companies that provide the security technology and services needed by a broad range of companies and agencies and branches of the government. In the right climate existing companies and universities will spin off new companies, as needs and new security-focused technologies develop. The evolution towards a drastic redesign of our infrastructure systems across most aspects of our public and private institutions will drive many opportunities for economic growth based on advances in trusted software and hardware engineering, and by the implementation of designs for various components and networks of components of physical infrastructure systems. The development of new secure platforms and new trusted modalities for interacting in cyber space will lead to the emergence of new types of services, transactions and businesses. For example, in the mid-1990s, e-commerce companies began to grow at an incredible pace once basic, but necessary, security mechanisms were put in place to secure communications on the Internet. Also, as new legal and regulatory frameworks are defined and accepted, a cyber mediation and litigation industry will develop to enforce codes of behavior and to protect the security of those involved in interactions and transactions in cyber space. Economic development is a critical aspect (a) of our model for cybersecurity education, and the integration of training with hands-on industrial experience, (b) of our basic, applied and translational research; and (c) of the industry-government-academia collaborations across the broad range of security technologies and services. 7

8 V. Cybersecurity: a Global National Issue Although the focus of this white paper is a New England-centric, regional one, establishing a sustainable framework for securing our cyber and physical infrastructure requires strong coordination and collaboration at the national level, among cities, states, regions across public and private sectors. In order to integrate our initiatives with national programs, we have framed our research and educational programs in a way that is consistent with national priorities. In going forward with our regional effort, we are planning to collaborate closely with federal agencies (for example, on such programs as the National Initiative for Cyber security Education and the National Strategy for Trusted Identities in Cyberspace). We are also working with selected state and industry organizations, as well as with the cyber security efforts at other academic institutions and major national laboratories. Addressing the scope and urgency of the cyber security challenge requires the coordination of talent, expertise, effort, and resources at a national level across all sectors of society and all areas of knowledge, including information technology, electronic and computer engineering, management, economics, law, psychology, public policy, public health, and others. Finally, our national cybersecurity strategies should be shared with and ultimately inform the approach to a cyber-secure, highly-connected global world. VI. Why New England? The New England region is in a unique position to play a leadership role in realizing the goals outlined above through a collaborative initiative bringing together academia, industry, and government. Key ingredients for this initiative are already in place: i. The MGHPCC university consortium represents a powerhouse with unmatched intellectual power and breadth of expertise in computer science, mathematics, cyber security, cryptography, quantum computing, systems engineering, law, economics, social network science, psychology, and public policy, as well as other disciplines critical to the development of novel security strategies. The world-class quality and volume of security relevant research translates into an annual research budget of more than $2 Billion for the MGHPCC university consortium. In addition, the university consortium trains more than 2500 undergraduates, and 1700 graduate students, and mentors of the order of 170 postdocs in computer science and security-related disciplines, annually. ii. The Boston/New England area has already built a significant constellation of facilities that can help to attract and support research and education in fields related to security. These include (a) facilities connected with academic institutions such as the MGHPCC in Holyoke, the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT, the George J. Kostas Research Institute for Homeland Security at Northeastern, the Hariri Institute for Computing and Computational Science & Engineering at Boston University, the Data Privacy Lab and the Berkman Center for Internet & Society at Harvard, and the National Center for Digital Government at the University of Massachusetts; and (b) mature R&D laboratories, such as Microsoft Research, IBM, Google, RSA, Lincoln Labs, Draper Labs, EMC, and MITRE, along with leaders of industry. 8

9 iii. The envisioned plan calls for a consolidation of this impressive constellation of existing assets around a central physical intellectual hub which will bring together academics, R&D investigators, and industry partners; students, post-docs and faculty, as well as visitors, government officials, and policy makers around major cybersecurity topics. This central facility will also serve as the convener for joint seminars, colloquia, and classes, as well as the host outreach activities and longer-term visiting scholars. iv. The Commonwealth has a long history of partnerships between academia and industry to develop and commercialize new technologies, especially through incubating and launching of new businesses. The technology licensing offices at our universities negotiate hundreds of deals each year and have a strong track record in helping to launch new efforts. Moreover, industry and government sponsored research on our campuses in relevant technology areas exceeds hundreds of $M each year. v. The security challenge has been driving a substantially increased level of commitment by state, local, and federal governments towards supporting an integrated innovation pipeline from academic research, to new product development, to business incubation with the expectation that this integrated pipeline will translate into sustainable workforce and economic development. vi. The critical ingredient, the special glue that make New England unique is the talent, creativity, and energy embodied in the more than 300,000 young people who study in this area. We believe that the integrative approach to education, workforce development, and innovation outlined above, together with a renewed emphasis on creative thinking and risk-taking as critical tenets of our innovation ecosystem will (a) increase the retention rate of young talent, and (b) help us realize the remarkable economic development potential of our region. Summary New England has tremendous capabilities across its academic, industrial, business, financial, legal, healthcare, government, social and public service sectors, unmatched anywhere in the country. On one hand, in view of the constantly increasing security threats on every aspect of our cyber and physical infrastructure, this makes this region particularly vulnerable to debilitating attacks. On the other the hand, i. the critical importance of the coordination and integration of efforts among academic, industrial, and governmental partners in shaping and sustaining a threat-resilient cyber environment, ii. the remarkable recent increase in substantive interactions and collaborations among New England institutions, and especially iii. the unlimited energy and special glue provided by the more than 300,000 extraordinarily talented young women and men studying in the area, place the envisioned consortium in a uniquely strong position to become an example for other regional efforts, and to emerge as one of the main architects of the nation s cybersecurity strategy. Detailed Plan & Resource- Needs Projections Appendices I, II, and III outline plans for the different components of the initiative, respectively: i. The organization of the constellation of facilities and the resources needed to coordinate the research and educational assets through the launching of physically dedicated intellectual hub; ii. iii. The organization and coordination of the collaborative research activities of the consortium partners focused on addressing some of the major security challenges facing society and the resources required to support these activities; and The plan for joint educational programs and practical training opportunities offered by industry and R&D partners. 9

10 10

11 Appendices I-III Appendix I: Constellation of Strategic New England Assets for Addressing the Cyber Security Challenges Appendix II: The Cyber Security Research Agenda Appendix III: Education and Workforce Development Strategy ACSC: Launched and supported by: 11

12 Appendix I: Constellation of Strategic New England Assets for Addressing the Cyber Security Challenges The growth of the Internet and the integration of computing and networking into all aspects of our critical infrastructure will lead the field of cyber security to evolve significantly during the next decade. Making significant progress on these emerging cyber security issues requires expertise from many disciplines including national and homeland security, economics, law, psychology, sociology, and public policy in addition to mathematics, engineering, and computer science. It also requires significant collaboration with Industry to move research and education innovations into significant commercial operations. The ACSC draws on key elements of leading universities, research laboratories and Industry leaders to enable the region to make significant contributions to addressing the Nations cyber security challenges. We will leverage the capabilities of these assets in building our vision and strategy. University Technology Research and Education The combination of leading technology research centers, collaborating through the unifying force of the ACSC is central to our plan to address the emerging cyber threat. Our capacity to work with classified information and other types of sensitive data sets, equipment, and protocols as well as accessing the resources of the ACSC-affiliated centers. The Mass Green High Performance Computing Center (MGHPCC) represents critical infrastructure that will allow us to attract the best scientists, secure federal and private funding to support scientific research. Innovative collaboration programs integrate people in government and business through courses, study groups, seminars, workshops, electronic resources, and executive programs. University Social sciences including economics, psychology, sociology, law, public policy Broad strength in Social Sciences means technical solutions will be aligned with legal & political regimes to meet societal norms. Plans for integrated fellowship programs and coordinated cross discipline academic programs to foster collaboration. Provide intellectual leadership to society in shaping the evolving relationship between technology and the legal right to or respective public expectation of data privacy. Investigate boundaries in cyberspace between open & closed systems of code, of commerce, of governance and of education, and the relationship of law to each. Not-for Profit National Security Research and Development Laboratories National research labs provide recognized leadership in Threat Sharing and Threat Fusion activities. Industry threat sharing program provides a laboratory for fast tracking new fusion techniques and tools. Laboratory s work with industry to transition new concepts and technology for system development and deployment. Leading security technology corporations RSA Labs provides access to cutting edge cryptography, data security and authentication methodologies Akamai provides access to industry leadership edge based support techniques with volumes exceeding 18M HTTP hits per second and capacity to successfully defend their network against 300+ attacks per day. Veracode s on-demand service forms the backbone of application risk management for Fortune 500 to mid-market enterprises worldwide with a rich threat repository built from customer experiences. Leading corporations with large security operations and development programs A multi-industry collection of leadership enterprises invite broad collaboration with representatives from Financial Services, Legal Profession, State Government, Healthcare and Bio/Pharmaceutical industries. Active threat sharing community provides opportunity to see and address new threats real time. Access to large data sets to facilitate academic research into big data challenges in correlating events/indicators. Entrepreneurship ACSC provides a focal point for University Technology Transfer Offices to ensure new cyber security solutions make the transition from research labs to companies with potential for conversion into commercially viable products. Envisioned incubation space for new early stage cyber security startups. Previous technological innovations have spawned 100s of spin-offs, such as Akamai, RSA, StreamBase, and Vertica. 12

13 Further information about each major New England asset is listed below: University Technology Research and Education MIT s Computer Science and Artificial Intelligence Laboratory (CSAIL) CSAIL is MIT s largest laboratory and is located in their Cambridge MA campus. The CSAIL legacy spans many areas of computer science including public-key encryption, workstations, networks, computer architecture, computer vision, robotics, and speech. Over the past four decades, CSAIL has also played a major role in standards setting, including TCP/IP, GNU, X-windows, and the Worldwide Web. In particular, four CSAIL faculty members have received the Turing Award for their work in cyber security-related research. Hariri Institute for Computing and Computational Science & Engineering Part of the Boston University campus in downtown. The mission of the Hariri Institute is to initiate, catalyze, and propel collaborative, interdisciplinary research and training initiatives. The Institute focuses on promoting discovery and innovations with computational and data-driven approaches, as well as advances in the science of computing inspired by challenges in arts and sciences, engineering, and management disciplines George J. Kostas Institute for Homeland Security Part of Northeastern University s Burlington MA campus, the Kostas Institute is located near Route 128. This 70,000 square facility is dedicated to addressing use-inspired and user-informed homeland security challenges, notably including cyber security. Its research will provide modeling and technology solutions to detect, mitigate, and respond to the cyber threats improving the resilience of critical local and regional systems and infrastructure. The Institute has the capacity to work with classified information and other types of sensitive data sets, equipment, and protocols. The University of Massachusetts Cyber Security Cluster is an interdisciplinary cybersecurity unit sponsored by the five departments of Finance and Operations Management, Political Science, Communication, Electrical and Computer Engineering, and Computer Science. The interdisciplinary focus of the cluster enables collaboration across traditional disciplines that are needed to face cyber-security challenges. The MIT Geospatial Data Center (GDC) is dedicated to excellence in high performance computing geospatial education and research. It is equally committed to bridging the gap between the state of the art and state of the practice. The MIT GDC consists of the MIT Auto-ID Lab, MIT Geonumerics Group, MIT Center for Grid Computing, and the MIT Intelligent Engineering Systems Laboratory. Cyber security is an increasingly significant issue in all of these labs. The Massachusetts Green High Performance Computing Center (MGHPCC) is a ground breaking collaboration of five of the state s most research-intensive universities, state government and private industry the most significant collaboration among government, industry and public and private universities in the history of the Commonwealth, and the first facility in the nation of its kind. The MGHPCC facility will provide a state-of-the-art computational infrastructure, indispensable in the increasingly data-rich environment of the post-genomic revolution. Social sciences including economics, psychology, sociology, law, public policy The Berkman Center for Internet and Society at Harvard University was founded to explore cyberspace, share in its study and help pioneer its development and represents a network of faculty, students, fellows, entrepreneurs, lawyers, and virtual architects working to identify and engage with the challenges and opportunities of cyberspace. They do this through active rather than passive research, believing that the best way to understand cyberspace is to actually build out into it. The Center for Research on Computation and Society (CRCS) has joined forces with Harvard s Berkman Center. The CRCS brings computer scientists together with a broad range of researchers, neuroscientists and other academic colleagues. The Belfer Center is the hub of the Harvard Kennedy School s research, teaching, and training in international security affairs, environmental and resource issues and science and technology policy. The Center has a dual mission: (1) to provide leadership in advancing policy-relevant knowledge about the most important challenges of international security and other critical issues where science, technology, environmental policy, and international affairs intersect; and (2) to prepare future generations of leaders for these arenas. The Data Privacy Lab at Harvard University is a program in the Institute for Quantitative Social Science (IQSS) at Harvard University and offers thought leadership, research, and discussion on privacy and technology, working directly with researchers at IQSS and leveraging colleagues across Harvard School of Engineering and Applied Sciences, Harvard Medical School, Harvard Law School, and MIT. The Lab has had dramatic impact on privacy technology developments and policy. The Institute for Infrastructure Protection at Dartmouth College (I3P) has been a cornerstone in the coordination of cyber security research and development. The I3P brings together researchers, government officials, and industry representatives to address cyber security challenges affecting the nation s critical infrastructures. The New England Public Policy Center of the Federal Reserve Bank of Boston promotes better public policy in New England by conducting and disseminating objective, high-quality research and analysis of strategically identified regional economic and policy issues. When appropriate, the NEPPC works with regional and Bank partners to advance identified policy options. 13

14 Not-for Profit National Security Research and Development Laboratories The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. MITRE manages federally funded research and development centers (FFRDCs): one for the Department of Defense (known as the National Security Engineering Center), and one for the Department of Homeland Security (the Homeland Security Systems Engineering and Development Institute), as well as other FFRDC s MIT Lincoln Laboratory is a federally funded research and development center that applies advanced technology to problems of national security. Research and development activities focus on long-term technology development as well as rapid system prototyping and demonstration. Draper Laboratory is a not-for-profit research and development laboratory focused on the design, development, and deployment of advanced technological solutions for our nation s most challenging and important problems in security, space exploration, healthcare, and energy. Their expertise includes guidance, navigation, and control systems; fault-tolerant computing; advanced algorithms and software solutions; modeling/simulation; and MEMS/multichip module technology. Leading security technology corporations RSA Laboratories is the research center of RSA, The Security Division of EMC, and the security research group within the EMC Innovation Network. The group was established in 1991 at RSA Data Security, the company founded by the inventors of the RSA public-key cryptosystem. Through its applied research program and academic connections, RSA Laboratories provides state-of-the-art expertise in cryptography and data security for the benefit of RSA, EMC, and their customers. Veracode offers the people, process and technology needed to deliver a scalable and cost effective software security program. They built the first cloud-based application security testing platform which provides automated static and dynamic application security testing software and remediation services. Akamai helps businesses connect the hyperconnected, empowering them to transform and reinvent their business online. They remove the complexities of technology, enabling customers to embrace trends like mobile and cloud, while overcoming the challenges presented by security threats and the need to reach users globally. Leading corporations with large security operations and development programs Member corporations span a variety of industries and share a commitment to collaboration as a key weapon in fighting the cyber threat. In particular, the financial services industry has significant cyber security operations and many development programs. ACSC members include: Financial Services: Fidelity, John Hancock, Liberty Mutual, State Street Corporation, Federal Reserve Bank of Boston Biotech/Pharmaceuticals: Boston Scientific Corporation, Biogen Idec, Pfizer Inc. Health Care: Blue Cross Blue Shield MA, Harvard Pilgrim, Partners HealthCare Government/Legal : Commonwealth of Massachusetts, Foley Hoag Entrepreneurship New England venture capital continues to be very strong and currently (e.g., 1Q 2012) is the second leading US region in both funding and deals. In particular, software and IT services are significant areas related to cyber security and are significant aspects of New England venture activity. University technology management offices are very active in New England. In particular, there are more than 30 active technology transfer offices in Massachusetts universities and nonprofit research institutes supporting the commercialization of research. 14

15 Appendix II: The Cyber Security Research Agenda The research agenda of the Advanced Cyber Security Center brings together four main components: 1. The current research strengths of the partner universities as well as corporate research and Federally-funded Research and Development Centers 2. Federal research priorities for cyber security 3. A unique partnership with industry to inform academic research with both practical challenges and real-world data 4. A central staff dedicated to accelerating deployment of technology and other research results to industry and government Current research strengths It is increasingly evident that cyber security challenges cannot be addressed unless we are able to take cyber-security beyond point solutions, by recognizing the necessity for models and solutions to interact, compose, and federate along a number of dimensions, spanning not only technological but also social, economic, and legal considerations. Drivers for basic research are concrete yet broad applications for which point solutions do not work, and in which various NE academic constituents can sink their teeth in a multi/cross/inter-disciplinary manner. Catalysts for applied R&D are projects that address immediate and pressing practical needs, and which leverage unique NE assets. Broadly speaking, the majority of cyber security research in New England currently falls into one or more of the following research thrusts: Trusted Interactions in Cyberspace: challenges at the nexus of security and society. These challenges leverage New England s unique strengths in social sciences, law, business, and government studies, including nationally unique research centers (e.g., Harvard s Berkman and CRCS centers, and UMass Center for Forensics). Also, these challenges involve applications to important sectors of the local economy, including healthcare and e-commerce. They demand solutions combining technology with policy, law, and psychology. Certifiable Software and Systems: challenges at the nexus of security and high-assurance systems. These challenges leverage significant strength in academic research on formal methods, software verification, trusted platforms and clean-slate architectures, medical devices, and embedded and CPS/SCADA systems. Also, they are aligned with the significant presence in NE of major R&D players (e.g., Lincoln Labs, MITRE, Raytheon, and BBN). Secure Outsourcing of Data and Computation: challenges at the nexus of security and cloud computing. These challenges leverage significant strength in basic research in a number of areas, ranging from purely theoretical ones (e.g., homomorphic encryption and obfuscation) to highly applied ones (e.g., operating systems and distributed systems). Also, this area connects well with the MGHPCC effort and with the interests of local/mghpcc industries (e.g., VMware, Microsoft, and Cisco). Cyber Situational Awareness: challenges at the nexus of security and information systems operations. These challenges leverage significant strength in academic research in NE on network measurement, characterization, and anomaly detection. Also, it is aligned with the current ACSC focus, reflecting the critical need of local companies, especially in the financial sector. 15

16 Federal priorities for cyber security research The research thrusts above are also closely tied to the Federal priorities for cyber security research. Pursuing basic and applied research in support of integrative solutions to cybersecurity (i.e., those that go beyond point solutions) is evident in all recently spelled-out priorities of federal agencies and recently announced funding initiatives. Indeed, the cybersecurity thrusts recently announced by the White House National Science and Technology Council (NSTC) clear demonstrate the of focusing on capabilities and technologies at the nexus of multiple security research areas or at the intersection of a subset of these areas with practice. Specifically, The Designed-In Security thrust focuses on integrating security and software engineering practices (or at least the software development process), including the need for metrics, models, and analytics to effectively manage risk, cost, schedule, quality, and complexity. The Tailored Trustworthy Spaces thrust focuses on synthesizing security for specific scenarios/contexts, which requires the alignment of the levers we design in our systems (or the assumptions we make in our models) with the functional and policy requirements arising from a wide spectrum of activities. The Moving Target Defense thrust projects security in a dynamic/control-theoretic framework, requiring us to develop the basic building blocks that can be composed into an evolving system with security mechanisms and strategies that continually shift and change over time to increase complexity and cost for attackers. The Cyber Economic Incentives thrust is concerned with the intersection between security and economics at multiple levels, requiring the development of not only sound metrics that allow for cost risk analysis, but also it requires understanding (and modeling) the motivations and vulnerabilities of markets and humans and how [they] interact with technical systems. One should note that the above four NSTC thrusts in addition to being highly interdisciplinary share some common characteristics, most notably, the need for security models and metrics that could provide the glue for composition, interaction, and integration of various point solutions. Industrial partnership The ACSC has also developed a unique partnership with industry to inform academic research with both practical challenges and real-world data. The traditional approach to industry-research relations involves technology providers who commercialize university research results in a variety of ways. The ACSC has demonstrated the value of bringing the customers for security solutions to the research table as well, notably (so far) including both financial services and health care companies. Connecting end users with researchers has several key benefits: Researchers benefit from a better understanding of the current reality and challenges for securing systems, including real-world constraints that should be captured in research models 1. Researchers also benefit from access to real-world data on network behavior and attacks that cannot be obtained in any other way. In this area, the ACSC can build on its current work in threat-sharing among the members. 2. End users can benefit from immediate applications of the experience from researchers, or even make operational changes based on new research results 3. End users have an early preview of the technology in the development pipeline, enabling them to help shape the development of those ideas into truly useful products and services. 4. Of course, there will continue to be strong involvement of traditional means of commercializing technology from the research, involving both established companies and startups in New England s vigorous technology economy. Central Staff Solving real-world cyber security challenges requires more than research. Experience shows that security solutions are often a combination of many different ideas and technologies, and not all research results are immediately ready for commercialization or deployment. The ACSC proposes to create a core staff at the hub of the research constellation that can accelerate the transition of research results to commercialization or open source deployment, with particular emphasis on combining the results from different projects into effective larger-scale solutions. Co-locating the transition team with the research hub maximizes the opportunities to move quickly from the lab to the end users. 16

17 Appendix III: Education and Workforce Development Strategy The Advanced Cyber Security Consortium (ACSC) was established to bring together industry, academia, government, the federally-funded research and development corporations (FFRDCs), and not-for-profits to build a strong sector of the regional economy around cyber and cyber-physical security (C&CPS). Advanced technology based economic sectors are not built through single programs alone. In order to achieve its goals, the ACSC and its members must execute a three-pronged effort in economic development, technology development and workforce development. C&CPS economic development programs reduce barriers to, and aid, the launch, growth and success of companies, foster pre-competitive cooperation especially on threats, and support the engagement of the intellectual talent present in universities with corporations. C&CPS technology development programs support the translation of basic and applied research through cross-university teams, foster earlier investment of corporate resources in new technologies, and fund the earliest work on potentially revolutionary, but high risk ideas within the universities. Workforce development programs provide the numbers and quality of technical workers at all necessary skill levels for operational, product development and research needs in cyber and cyber-physical security. Thus, a successful education, training, and workforce development initiative is critical to the ACSC achieving its mission and therefore must be a key component of ACSC strategy. This document outlines basic principles, potential initiatives, a proposed approach, and a prioritization of activities in workforce development for the ACSC. A successful education, training, and workforce development program will be characterized as follows. Leverages regional assets to achieve vertical integration and topical coverage See A Model of Vertically-Integrated Education in Cyber Security below. Facilitates access through partnering and articulation agreements Becomes a regional, national and international attractor of talent Provides workforce needs to corporate, government and non-profit sectors Addresses a national need CSIS Commission on Cybersecurity for the 44th President, A Human Capital Crisis in Cybersecurity, Center for Strategic and International Studies, Washington DC, November 2010 A wide cross-section of institutions in the region will be required to build a comprehensive education, training, and workforce development initiative, including K-12 schools, community colleges, universities FFRDCs, and corporations. Success will depend on the region s ability to create a pipeline of students interested in the disciplines underlying C&CPS and on its abilities to attract and retain students at the undergraduate and graduate education levels. The education, training, and workforce development initiative must also provide the intellectual and career advancement incentives to attract working professionals to the region. K-12 Initiatives At the elementary school level, student use of, and familiarity with, computers should be expanded across the region. Importantly, this should include an introduction to programming through the use of new education products and projects that provide easy entrée for young students. All students must be introduced to the basic concepts of computer safety and security for personal use and protection; these efforts should build a foundation for a secure, lifetime engagement with computers. A proposed set of C&CPS topics for K-12 curricula are included below in A Model of Vertically-Integrated Education in Cyber Security. Programs that attract, educate, and provide learning resources to teachers will accelerate the success of this effort. In order to attract teachers, their awareness must be increased of the pervasive presence of computers and information networks in their and their student s world, and the importance of cybersecurity. Programs for teachers could include certification with online testing and will be most powerful when linked to state-level teacher career development and K-12 education program requirements. At the secondary school level, new STEM programs must be developed through which students are exposed to the foundational concepts in computer science and the use of computers with physical systems. Enrollment and student success in advanced placement courses in mathematics, computer science and physics should be driven across the region. Such efforts at the K-12 level are often most successful when executed as partnerships between schools, colleges and universities, and non-profit organizations. Examples of successful programs that motivate students and rely on partnerships are capture the flag and other contests. The ACSC should provide leadership/sponsorship for Cyber contests such as Cyber Patriot to encourage student interest in the Cybersecurity field. 17

18 Community College Undergraduate Education Initiatives Curricula in computer science and engineering containing C&CPS components should be designed by a team of faculty from community colleges, university faculty and corporate engineers. The program should be targeted at the production of graduates with competencies necessary to move into corporate teams responsible for: Protection of an organization s critical information and information systems through the implementation of cybersecurity policies, processes, and technology Analysis of cyber threats and deployment of countermeasures and defensive exercises Participation in forensic analysis of cyber incidents and assistance in recovery of operations. Universities and Community Colleges should develop articulation agreements that provide a path for students to move from two-year to four-year degree programs in mathematics, the sciences or engineering. These agreements should specifically enable student graduates of the Community College computer science and engineering program to move into any of the above four-year programs. Undergraduate Education Initiatives Undergraduate level education in C&CPS must reach across multiple disciplines. The ACSC provides a description of an example undergraduate interdisciplinary cybersecurity program below within A Model of Vertically-Integrated Education in Cyber Security. Secure Interaction with Computers should be required as a baseline education module for all students as they enter colleges or universities. This program might be offered through mandatory online training (as is done with laboratory safety, sexual harassment, binge drinking, etc.), perhaps run through the departments with responsibility over the institutional information technology systems. The university members of the ACSC should be encouraged to launch this initiative as a best in the nation practice. For all students majoring in science and technology fields, the technical basics of cyber and cyber-physical security should be taught within courses required for graduation. The development of C&CPS modules by ACSC institutions will facilitate this integration. These modules should educate students to the attainment of an expected set of competencies. The development of these modules could be the subject of education proposals with the created modules becoming a product available for dissemination to other institutions or placed online for access to a broad population. Education programs can be enhanced through participation in cyber security competitions at the university level, including: National Collegiate Cyber Defense Competition Regional Collegiate Cyber Defense Competition Capture the Flag National Collegiate League on Cyber Defense (in planning phase). C&CPS minors should be designed and made available to students majoring in computer science, engineering, the sciences, social sciences including criminal justice, business or mathematics. Curricula and syllabi for minors comprised of four or five courses could be developed as an educational product of the ACSC institutions through grant or internal support. The university members of the ACSC should consider entering into course-sharing arrangements to facilitate the accelerated launch of these educational options. The ACSC should engage in an aggressive effort to expand offerings of internships and cooperative education experiences for undergraduate students at corporations. This effort will be most fruitful if it is designed by a team including university undergraduate advisors and company representatives from both the human resource and technical departments. The ACSC should consider developing matchmaking capability to connect students with opportunities in industry. 18

19 Masters Level Education Initiative C&CPS Education at the Masters Level The ACSC can promote the development of cybersecurity specialists through Masters level programs, organized within a similar interdisciplinary context as undergraduate programs and including additional and more advanced material, and intense realworld experiences. Such an approach is described in more detail below within A Model of Vertically-Integrated Education in Cyber Security. C&CPS Education in Business Schools and Schools of Management Cyber security is recognized as an increasingly important component of comprehensive risk management programs within organizations. Losses due to cyber security shortcomings represent significant operational risk exposure. The ACSC has a unique combination of cross-industry technical and management perspectives. The ACSC can provide direction and educational materials to business schools and schools of management to prepare their graduates for current and future threats. These materials can be integrated into existing risk management curricula and also be used to develop a concentration in cyber security. PhD Graduate Education Initiative World-recognized C&CPS research and PhD education programs at member universities are necessary foundational components enabling the ACSC to achieve its mission to create the nation s leading consortium in C&CPS. The attractiveness of the region s PhD graduate education will depend, in important part, on the quality of the student s educational experience including the reputation of the faculty by whom students will be educated in their courses. Course-sharing and joint degree programs provide tremendous opportunities for ACSC members to deliver world-class education to students, attract the best student and faculty talent, and accelerate regional growth in reputation, impact, and scale of research programs. The high geographic density of great research universities presents a differential advantage to the ACSC to succeed in this domain. Students desire a wider selection of graduate courses taught by world-leading subject matter authorities. At the same time, technological advances have enabled faculty to provide a seamless, high-quality classroom experience to students in multiple locations simultaneously. Finally, cost considerations are driving universities to explore means by which faculty productivity can be increased without adding additional excessive burdens on the faculty. Course sharing at the graduate level by ACSC member universities will allow leading faculty across the universities to offer more C&CPS graduate courses in their areas of expertise to a gratifyingly larger number of students. This is especially true of advanced graduate courses, for which administrators can justify the expense based on the larger number of students while experiencing the reward of offering a higher quality experience to their students. ACSC member universities should enter into agreements through which courses are shared; these agreements should be based on the principle of shared benefit, requiring that student tuition and fees would only be spent or applied at home institutions. Joint degree programs between universities provide benefits to students in terms of educational offerings tailored to their interests, and to institutions as they typically provide differentially higher visibility and gains in reputation. ACSC member universities should explore the creation of joint graduate degree programs in C&CPS. Executive/Continuing Education Initiatives There is a significant Cybersecurity Training business driven by third parties such as SANs and to a limited extent by Universities which partially serves this current need. Development of a rich curriculum of Cybersecurity courses for degree programs will create opportunities to apply these offerings to adult learners in corporate or public executive education settings. A superior solution can be provided through non-credit executive education offerings in a University setting which provide the opportunity for students to receive high quality Cybersecurity instruction and the ability to seamlessly extend their studies into certificate and degree programs. Other Initiatives The ACSC should foster exchange or sabbatical programs through which industry professionals from member companies can spend extended time periods working in university research groups and professors from member university faculties can join corporate groups working on industry problems. 19

20 Approach The above programs comprise an ambitious agenda for the ACSC in education, training and workforce development. Some of these programs can (should) be achieved within the ACSC absent engagement with external organizations or agencies. Near term opportunities that can be achieved within the ACSC should be executed with dispatch in order to build regional momentum in C&CPS workforce development. Other programs will require support from external agencies in order to be achieved. For these programs, the following approaches should guide the ACSC activities. Develop innovative approaches to critical issues in order to produce credible and competitive proposals Partner across universities, companies, agencies and organizations as a means to distinguish ACSC efforts and to realize superior discoveries, products and innovations Emphasize multi-disciplinary, multi-institutional proposals that can realize substantial support, for example multi-million dollar funding All efforts of the ACSC should be examples that demonstrate leadership in C&CPS to federal agencies in the National Initiative for Cybersecurity Education. Setting Priorities Near-term opportunities The following initiatives provide opportunity for near-term program growth, while enabling ACSC to further its reputation as a forward-acting consortium in C&CPS. Internship and Cooperative Education The ACSC has convened a sub-committee of the Education Working Group, which includes corporate and university professionals responsible for student internships and cooperative education experiences, charged to expand the number of students from ACSC member universities working at ACSC member companies. University Undergraduate Curricula in Cybersecurity The ACSC through its Education Working Group should begin a dialogue among corporate and university members on university undergraduate education in cybersecurity. The discussion should include goals, design, content and expected competencies gained. Design Projects (Capstones) for Senior Undergraduate Students The ACSC should convene a subcommittee of the Education Working Group including corporate engineers and managers and university professors with the charge to expand the number of company-conceptualized capstone design projects for undergraduate students from ACSC member universities. This task will be a second initiative of the Internship and Cooperative Education Sub-Committee. University Cooperation on PhD-level Graduate Courses The ACSC Education Working Group should task a committee with the creation of a course-sharing system for advanced graduate courses related to cybersecurity among member universities. This system will enable an increased number of students to have access to an increased number of advanced courses taught by leading faculty researchers. Community College Partnership Proposal The ACSC Education Working Group should reach out to regional community colleges to ascertain the possibility of pursuing federal funding for cooperative education program development and execution in cybersecurity. High School Cybersecurity Efforts The ACSC should bring together high schools, companies, academic institutions to foster student engagement with Cyber Patriot. Initial emphasis should be placed on high schools that participate in the regional program in Advanced Placement education funded through the National Math and Science Initiative. The ACSC should increase its marketing and publicity of its university/industry partnership initiatives. The following initiatives are viewed as longer term priorities for the ACSC Creation of a Clearinghouse for Educational Programs and Internship Matchmaking on ACSC Website Expansion of Secondary School Advanced Placement Programs Foster Articulation Agreements Between Community Colleges and Universities Creation and Marketing Certificate Programs for Professional Education Development of ACSC Cybersecurity Certifications. 20