National Conversation A Trusted Cyber Future
Minneapolis

Led by Dr. Douglas Maughan, Division Director and Dr. Daniel Massey, Program Manager
Department of Homeland Security Science and Technology Directorate (DHS S&T)
Hosted by University of Minnesota
September 16, 2015

Introduction

The National Conversation A Trusted Cyber Future includes a series of in-person community engagements at meetings and conferences, as well as an online collaboration community where ideas can be posted, ranked, and discussed. A National Conversation meeting was held at the University of Minnesota in Minneapolis, MN on September 16, Dr. Douglas Maughan, Director of the Cyber Security Division (CSD) within the Department of Homeland Security Science and Technology Directorate (DHS S&T), and Dan Massey, a Program Manager with CSD, led the meeting. Approximately 34 researchers and key stakeholders from industry, academia, and government participated in a three and a half hour meeting. The objectives of this meeting were to gain input and responses to questions that will help shape DHS S&T and federal cybersecurity research and development (R&D) for the next five years.

Opening Presentation

Dr. Maughan opened the meeting by presenting a brief overview and context. The purpose of the meeting is to seek input on the following activities:

• What areas of research of the 2011 Federal R&D Strategic Plan do not need to be prioritized anymore?
• What objectives not included in the 2011 Federal R&D Strategic Plan should be a priority for federally funded R&D in cybersecurity in the 2015 Federal R&D Strategic Plan?

Furthermore, as DHS S&T moves forward to produce its own 5-year Strategic Plan for Cyber Security R&D:

• What areas identified above should DHS S&T focus on?
• Given the 2013/2014 requirements list, which of these areas do you consider most important for S&T to consider?
• What other issues need to be taken into account, e.g. transition?
NITRD and a number of member agencies, including DHS, NSF, NIST, DOE, and others, coordinate US Federal cybersecurity R&D. The group produced the 2011 Federal Cybersecurity R&D Plan [1], which identifies a number of areas and themes:

• Research Themes
  o Tailored Trustworthy Spaces
  o Moving Target
  o Cyber Economic Incentives
  o Designed-In Security
• Science of Cyber Security
• Support for National Priorities
• Transition to Practice

[1] http://www.whitehouse.gov/blog/2011/12/06/federal-cybersecurity-rd-strategic-plan-released

The Cybersecurity Enhancement Act of was signed into law by Congress in December 2014 and directs federal agencies to develop an updated Federal Cybersecurity Research and Development Strategic Plan, by December The law requires: a broad scope of cybersecurity R&D, coordination with academia, industry, and national labs; fostering transition to practice; establishing a national research infrastructure; and quadrennial updates to the strategic plan. The strategic plan will influence, shape, and prioritize future federal cybersecurity R&D spending and activities.

In January 2013, President Obama issued Executive Order (EO) on Improving Critical Infrastructure Cybersecurity [3] and Policy Presidential Directive (PPD) 21 on Critical Infrastructure Security and Resilience [4]. A National Critical Infrastructure Security and Resilience R&D Plan has been developed and will be published soon.

The DHS S&T Cybersecurity Division (CSD) [5] gets its research requirements from multiple sources, including: the White House and various Federal strategies, plans, and programs, DHS components, other government agencies, critical infrastructure sectors (privacy industry), state and local government, and international partners. The CSD mission is to: develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks; conduct and support technology transition efforts; and provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community.
A 2013/2014 CSD Cybersecurity R&D Strategic Plan [6] identifies 39 priority areas with 320+ focus areas, organized into the following themes:

• Cybersecurity Research Infrastructure
• Software Assurance
• Network Security
• Mobile, Web, and Cloud Security
• Identity Management and Privacy
• Usability and Metrics
• Cyber Security Education and Training
• Comprehensive National Cybersecurity Initiative (CNCI)
• Securing Critical Infrastructure
• Law Enforcement Needs

[6] Strategy-CSD_Final_ pdf

In addition to conducting National Conversation meetings around the Federal Cybersecurity R&D Strategic Plan and the CSD Cybersecurity R&D Strategic Plan, DHS S&T is holding a broader discussion around the following questions:

• Is a shift needed in the way the government approaches cybersecurity research?
• How can the government and the research community maximize the impact of cybersecurity research?
• What areas should cybersecurity research focus on over the next five years?
• What needs to be done to accelerate the transition of cybersecurity solutions into the marketplace?
• What will be the biggest key to improving cybersecurity over the next five years?

The community is encouraged to discuss these questions via the IdeaScale portal [7]. The site also contains reference material and notes from the various National Conversation meetings [8].

Asked what would be a great outcome from the meeting, Dr. Maughan said it would be great if the group comes up with some real "aha's" in terms of technologies that are not addressed in the current Federal Plan. For example, one area that has come up in other discussions is deterrence and deception. Another question to consider is how much of the limited R&D budget should be spent on supporting law enforcement as opposed to other areas like privacy and software assurance.

Breakout Groups

The participants split into two breakout groups to discuss the topics and questions raised and then reconvened to report out on their discussions. David Balenson from SRI International led one of the groups and Paul Barford from the University of Wisconsin-Madison led the other group. The two groups spent their time discussing a broad range of topics around the Federal Cybersecurity R&D Strategic Plan and the CSD Cybersecurity R&D Strategic Plan.
Breakout Group 1

Breakout Group 1 was comprised of 12 people: 10 representing academia and 2 from industry. The group started by reflecting upon the 2011 Federal Cybersecurity R&D Plan, then it discussed missing research directions that need to be added to the 2015 plan. Finally, the group voted on the themes in the DHS S&T Cybersecurity R&D Strategic Plan.

Tailored Trustworthy Security Spaces (TTS)

• Financial industry institutions, e.g., banks, have few secure networks such as their transactional networks; however, they are facing serious challenges in the secure communications domains. For instance, there is no bulletproof communication system. Thus, one of the first steps is to strengthen the current communication systems mainly from the authentication and confidentiality perspectives.
• The level of trust needs to be defined based on the context since a 100% trustworthy environment is very hard to achieve. For instance, for a specific space, we need to define context, mission, and how much risk can be tolerated.
• We need systems to be trustworthy enough, as well as scalable.
• Solutions need to be developed to address the lack of trust in end user devices and compensate for it, e.g., how much can be moved from devices to a more protected domain?
• Tailored trustworthy spaces need to be mission-based.
• Need infrastructure/service providers to provide a trustworthy infrastructure.
• Different contexts need different levels of trust.

Science of Cyber Security

• Continues to be important. The question is whether we can come up with basic laws, theories, and axioms about how things operate and interact, like with quantum physics.
• Expand to include Cyber Sciences. The Cyber Education Project (CEP) [9] is a new nationwide project that started one year ago to develop undergraduate programs in the Cyber Sciences that include computer science as well as aspects of law, policy, human factors, ethics, risk management, etc. This project aims to add elements of cybersecurity components to all computer science classes instead of having one elective security class. The project is led by the US Naval Academy and US Military Academy.
• Need automated verification and mathematical guarantees.
• Must be able to partition the system and scale.
• Include human factors.
• Need to be able to add insecure devices and still be able to secure the overall system.
• Verification should be automated so systems can quickly evolve as the requirements change.

Transition to Practice (TTP)

• TTP needs to be included. It is a crosscutting area that should be considered and integrated with all the other research themes.
• DHS can provide incentives to companies to adopt solutions that result from academic research to facilitate moving these ideas to practice.
• Need to engage end users and industry, early and often, to accelerate transition, and have more elastic ways to make transition, instead of restarting everything from the beginning.
• It is difficult to secure certain areas of systems that were built using technology that existed 20 years ago. Knowledge is available; however, companies are not willing to spend extra cost to bring their systems to compliance, because their competitors do not provide it either.

Moving Target (MT)

• Lots of progress in moving target techniques. Are they sufficiently available? Some techniques have been successful and are included in operating systems and compilers.
• What has been covered? What has not been covered? How do we combine existing techniques to improve moving target defense?
• The simpler the environment, the easier to defend. There's a concern that making changes to a complicated infrastructure can bring the whole system down.
• Apply moving target techniques to hardware and infrastructure too, not only software, to be more resilient.
• Broaden the notion of moving target to a set of goals instead of specific techniques.

Designed-in Security

• Endpoint security for end user devices and IoT devices, and especially for devices used in trustworthy tailored spaces.
• Design security into education curriculum, and change the way we think about problems to make security a first-class citizen.
• Make sure software and hardware have a proper security engineering process, i.e., a secure system development life cycle (SDLC).
• Need secure networking architectures.
• Broaden cybersecurity to include the human element from both technology and human perspectives: technology must be able to work well with people and people must be able to work with the technology.

Internet of Things (IoT)

• Are we ahead of or behind the IoT curve?
  o Provide bolt-on solutions to deal with legacy devices. For example, provide off-the-shelf components that can be plugged into existing devices to provide authentication and encryption.
  o Make security an integral part of new devices.
• It is very hard to secure every device in IoT, but only secured devices should be allowed in the system.
• The FCC can impose security requirements in order to get access to wireless space.
• Consider security of the overall system, i.e., secure composition.

Cyber Economics Incentives

• Incentivize good security hygiene, especially for critical infrastructure and cloud services. What is good security hygiene?
• Use carrots and sticks. Provide incentives for companies to secure their products, and penalize companies that do not apply security measures to their products.
• We need to hold software developers accountable. Regularly evaluate and accredit software against standard measures and levels.
• Protection is needed against the failure of big cloud providers since they make it harder to detect malicious users. For instance, in the old days we could block a bad service; however, today this bad service can be hosted in a reputable cloud provider. Therefore cloud providers must be encouraged to detect and remove these bad services.

New Objectives

• Human Element
  o Consider human factors and human-technology interaction.
  o Educate people about standard security practices and social engineering attacks.
  o Multidisciplinary research where mathematicians, computer scientists, psychologists, and others work together.
  o Develop off-the-shelf components that humans can use in their systems instead of implementing their own solutions, e.g., authentication modules, encryption modules, secure channels, etc.
  o Modeling human behavior when people interact with technology, based on predictions, to be able to stop something before it happens.
• Resiliency
  o Explore more solutions in the detection and response areas instead of focusing on the defensive solutions. For example, anomaly detection solutions that detect outliers in the normal behavior, and isolate them from the rest of the system.
  o Automated mission assurance.
  o A standard framework for detection and response measures, like the NIST Framework.
• Attribution
  o Attribute the attack to specific persons or groups of people.
  o Differentiate between non-nation-state launched attacks and nation-state launched attacks.
  o Supports prosecution of cybercriminals, adjusting defenses and responses, and proper economic incentives.
  o Differentiate between inside attacks that can be isolated immediately, and outside attacks that need to be shared with others securely for fast response and minimal damages to the global networked systems.

The group voted on the top priorities from among the 10 themes in the CSD Cybersecurity R&D Strategic Plan. Each member of the group was given three votes. The most votes went to:

• Cyber Security Education and Training
• Securing Critical Infrastructure
• Network Security
• Mobile, Web, and Cloud Security

Breakout Group 2

Breakout Group 2 was comprised of a number of people from industry and a few from academia. The group started by voting on the top priorities from among the 10 themes in the CSD Cybersecurity R&D Strategic Plan. The top vote getters were:

• Mobile, Web, and Cloud Security
• Securing Critical Infrastructure
• Identity Management and Privacy
• Cyber Security Education and Training

The group then addressed a number of the questions driving the National Conversation meetings.

Is a shift needed in the way the government approaches cybersecurity research?

• A decade ago, cybersecurity was never considered an important aspect or factor in the technological ecosystem. People either didn't know or overlooked it. However, in the recent decade, there has been a huge shift in the focus on cybersecurity. This is mainly attributed to the serious problems caused by cybersecurity breaches, etc., its implications, and the existence of additional room to make a positive change to prevent such instances. Overall there has been a generational view over cybersecurity.

• People argued that the majority of security breaches are caused by software problems, flaws, and bugs, most of which are known problems with known solutions. However, due to human factors, poor software and hardware gets out into the marketplace. Many security breaches and problems can be fixed with increased awareness, education and training.
• Should government funds be directed towards areas like improving software development practices and software assurance techniques, which indirectly help resolve security issues? An argument over this point is that software bugs are produced even by the smartest people from the biggest technological companies, so the question becomes: is there even a perfect solution for completely eradicating software bugs, etc.? If so, how?
• There could be multiple reasons causing such effects. Modern day software applications and hardware devices have become more and more complex; it goes beyond normal human comprehension to design complex systems in a foolproof manner. Another roadblock is that young engineers are aware of the best up-to-date software development practices; however, due to pressure from the mid-level managers who handle time deadlines and budget constraints, they don't consider security as a major threat to the immediate milestone. How do we tackle such issues?
• Moreover, risk perception varies across organizations and levels. Risk perception and cybersecurity prioritization vary, depending on a person's role in the organization. How do we change human behavior and perception to be better secured?
• Are we able to proliferate what we know widely and quickly across industry and infrastructure? Translating research findings sitting inside documents into software and hardware vulnerabilities known to marketplace developers is crucial and is a challenge. Government agencies can think about how to address such issues.
• There is an awareness challenge around what people should do and how they should do it. The tension between encouraging innovation and security-based compliance regulation may be a trade-off; how can this tension be reduced?
• People agree that the main motivator for conducting a cyber attack is money. Are there other motivators?
• Should the government think about funding research on developing offensive techniques to tackle cybersecurity challenges? Is a good offense part of a good defense? DHS S&T is researching defensive techniques for law enforcement, but they don't have authority to work on offensive capabilities. A good defense understands the offense. Is red teaming a solution? Red teams will help people think outside the box about their technology and will drive the research and ultimately strengthen it. If you are good at defense, you should be also applying those experiences to offense.
• The Internet of Things (IoT), also known as the Internet of Everything, has been a hyped area with cybersecurity challenges. What is IoT? Does the definition or perception about IoT change over individuals or organizations? If so, why? How can we find common ground? Are IoT software, applications, and hardware already out there? There is a mixed opinion over this. While some cite examples like IP cameras, smart sprinkler systems, and smart garage doors to justify the existence of IoT in the marketplace, others argue that all such systems use standard boxes, no different than our everyday laptops, etc. Hence what is the difference in handling such small-factor devices and normal computers, as both of them are using the same standard operating systems or network stacks? If there are proprietary solutions or standard technologies built into devices, then how do we go about securing them? It may not be wise for a security researcher to try to tackle this issue with an Internet of Everything that subsumes IoT, data, processes and people?
• Other important areas in which government agencies can fund research include how to make cybersecurity solutions cost effective. Securing critical infrastructure such as power grids is also important.

How can the government and the research community maximize the impact of cybersecurity research?

• Consider better ways to communicate research results. Academia publishes research papers and so does the government, but many people publish in narrow communities. Some great research results may never be published. Is there a way the government can facilitate the communication of research results to the broader community? This should also include commercial entities, as this provides the most immediate way of impacting cybersecurity research. DHS should be able to develop those guidelines and policies so that academic and industry results reach the broader community.
• Facilitate a way for academia to understand the correct research area, i.e., know the "in the trench" problems, so the research can be used in the real world.
• Academic research needs to be focused on the longer term, but also based on reality. Corporate companies should be more open to collaborating with academia and government to help solve a problem.
• Enhance the skills of students in advanced cybersecurity research. Providing better tools and infrastructure for their research can do this. In addition, academia should focus less on producing results for publications and papers and consider making their research applicable in the real world as a product.
• Provide important resources such as rich datasets. Due to lack of data there are certain important cybersecurity problems that have not received attention so far. Quality of data can also impact the research results, and therefore data should be collected properly and made available to the public. DHS S&T should encourage efforts such as the PREDICT [10] data repository and DETER [11] advanced cybersecurity testbed facility. Such efforts need to be increased to make a wider research impact.
  [10] Protected Repository for the Defense of Infrastructure Against Cyber Threats
• There was discussion on whether academia should focus on research problems that are core to industry in order to have a more direct impact. One of the perks of being in academia is to pursue your own problem of interest and to not be limited in any way. Researchers should at least have the opportunity to explore the core problems of industry and should not be bounded in any way.
• DHS S&T should work to influence government procurement practices and support industry standards. Industry should employ standards instead of using proprietary techniques for wide applicability and adaptability. DHS needs to be a leader and influencer of adopting research technology. When DHS influences standards and requires industry to adopt technologies (e.g., STIX and TAXII), the adoption process could go faster and smoother if the government does it in parallel. The term "eat your own dog food" needs to be thought about in this instance.

What areas should cybersecurity research focus on over the next five years?

• Privacy
  o Location based services: you can know where a person lives, shops, and vacations, based on the locations a person visits. And with that information someone can create a detailed profile of that person. You don't need to know a phone number, etc.
  o Each of us controls how our information is spread and what information we want people to know about it. But how do we control what device houses information on us? Sometimes you have to enable a lack of privacy to use a tool. Daily, people are giving up their privacy, possibly without knowing it, to use a tool.
  o Consumer protection: Is this area of interest in DHS S&T's lane? Yes, we want to make sure we are getting the right trade-off to protect infrastructure.
  o Identity infrastructure: find a common approach across the same critical infrastructure. Example: user names and passwords across a variety of hospitals.
• Identity Management
  o How do we get away from user names/passwords? A person needs to manage too many identities and passwords. Is there an inexpensive authentication approach? Data for cross validation of identity needs to be secure.
• Commercial Markets
  o Federal research dollars need to be directed to where there will be a lack of a market or a market failure so research can improve or create that market. It's suggested to put money into a market that has no commercial incentive.
• Internet of Things (IoT)
  o There are a lot of small players in IoT that play fast and have nothing to lose. If it doesn't work, the company can fold and start something new.
  o We need to educate manufacturers and consumers about security risks, create IoT security standards, and incentivize manufacturers to develop secure products.
• Mobile, Web, and Cloud Computing
  o This area has a lot of market pressure to have secure environments. Cloud services are being used to put technology to market and can also impact critical infrastructure.
  o The liability for cloud services is minimal. If we depend on the cloud, how can we minimize risk and make it more secure?
• Research Infrastructure
  o Cybersecurity research infrastructure is required to perform research in the other areas, such as mobile, web, and cloud. It's a foundational piece that is needed to allow the research community to conduct tests and experiments.
  o Cybersecurity research infrastructure can be expensive and could be solved through shared resources.
  o However, with a diverse set of device types, does the infrastructure need to be tailored to each type and does this make sense?
  o PREDICT, DETER, and SWAMP [12] are current DHS S&T research infrastructure projects.
  [11] Cyber Defense Technology Experimental Research
  [12] Software Assurance Marketplace
• Software Assurance
  o Good, quality software is needed.
  o Poor code is proven to be a major threat to commercial products.
  o Vulnerabilities and flaws often happen in the design as well as in the code. How do we get out ahead of this challenge?
  o Many source code checkers are available and some of them are free, e.g., the SWAMP from the University of Wisconsin.
  o Some companies and developers are reluctant to submit their proprietary source code.
• Critical Infrastructure
  o Vulnerabilities in critical infrastructure could lead to global catastrophes and thus need special attention.

  o Current mechanisms for securing critical infrastructures are not effective; there need to be better protection solutions.

What needs to be done to accelerate the transition of cybersecurity solutions into the marketplace?

• How do we close the gap and transition good technologies to the marketplace?
  o A lot of companies compete against each other and the market determines the winner, which can be wasteful.
  o Today's younger generation has ideas, but doesn't have experience and doesn't know how to engage decision makers.
  o DHS S&T has been helping the research community to close the communication gap between researchers and companies: speed dating events, where DHS S&T researchers can present their products to companies, and elevator pitch workshops for DHS S&T researchers.
• If a new, innovative technology is created by DHS, it should be used by DHS.
• The government should help startup companies with great cybersecurity solutions succeed in the market. Successful startups like Microsoft and Facebook had a lot of enthusiasm, energy, and ideas and were fortunate enough to attract huge customers and build a large market for themselves. Not every startup company with good ideas is so lucky. Without customers, a company cannot grow. The government can create programs at the federal or state level that foster entrepreneurship. For example, states could be more proactive and create consortiums of larger companies that commit to pay for and use good cybersecurity products from small startup companies. The federal or state government can help incentivize and fund these programs. Such programs would help the small startup companies get customers, which in turn helps them grow their businesses and succeed.

Closing

Dr. Maughan mentioned that cybersecurity is not a problem the federal government alone can solve. We need to think about how to fix it locally and regionally as well.
DHS has funded programs in other regions and would be willing to work with people in the Minneapolis area to bring technologies to the table and fund pilots. Dr. Maughan thanked people for taking time off from their day jobs and spending time thinking about the future.

Dr. Maughan asked the participants for suggestions on what could be done to improve the meeting. Ideas included more industry participants, making the homework (reading) assignments clearer, and providing more information about the current R&D topics to help orient the participants.

Dr. Maughan noted DHS would put out notes summarizing the discussions, including the breakouts and the closing discussion. Notes from other National Conversation meetings are also available (via the IdeaScale portal noted above). Two more National Conversation meetings will be held shortly, one in San Antonio, TX and the other in Boston, MA. DHS S&T and the White House will spend October to December updating the Federal Cybersecurity R&D Plan, and the DHS S&T CSD Cybersecurity R&D Plan will be updated shortly thereafter.

Dr. Maughan again thanked all for participating in the meeting and he thanked the University of Minnesota for hosting. He looks forward to continuing the dialogue going forward.


More information

DHS S&T Cyber Security Division (CSD) Overview

DHS S&T Cyber Security Division (CSD) Overview Dept. of Homeland Security Science & Technology Directorate DHS S&T Cyber Security Division (CSD) Overview TCIPG Industry Workshop UIUC November 8, 2011 Greg Wigton Program Manager Cyber Security Division

More information

NIST Cloud Computing Program Activities

NIST Cloud Computing Program Activities NIST Cloud Computing Program Overview The NIST Cloud Computing Program includes Strategic and Tactical efforts which were initiated in parallel, and are integrated as shown below: NIST Cloud Computing

More information

Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes

Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes Dr. Jeannette Wing Assistant Director for Computer

More information

Business Continuity for Cyber Threat

Business Continuity for Cyber Threat Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between

More information

National Initiative for Cyber Security Education

National Initiative for Cyber Security Education 2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Cybersecurity at the Nexus of a Hyper- Connected World

Cybersecurity at the Nexus of a Hyper- Connected World Cybersecurity at the Nexus of a Hyper- Connected World Azer Bestavros, Wayne Burleson, Frans Kaashoek, Greg Morrisett, and Engin Kirda Draft of April 4, 2012 This document identifies a number of major

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Mary Ellen Seale National Protection and Programs Directorate May 16, 2012

Mary Ellen Seale National Protection and Programs Directorate May 16, 2012 Finding & Integrating CyberTech in the U.S. Government Mary Ellen Seale National Protection and Programs Directorate May 16, 2012 Obtaining Federal Funding Understanding the Landscape Contracting Small

More information

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman

More information

Introduction to NICE Cybersecurity Workforce Framework

Introduction to NICE Cybersecurity Workforce Framework Introduction to NICE Cybersecurity Workforce Framework Jane Homeyer, Ph.D., Deputy ADNI/HC for Skills and Human Capital Data, ODNI Margaret Maxson, Director, National Cybersecurity Education Strategy,

More information

Australian Government Cyber Security Review

Australian Government Cyber Security Review Australian Government Cyber Security Review The Cisco Response Today, governments are almost universally pursuing a development and modernisation agenda to nurture their society into the digital age, and

More information

SECURE AND TRUSTWORTHY CYBERSPACE (SaTC) $124,250,000 +$1,500,000 / 1.2%

SECURE AND TRUSTWORTHY CYBERSPACE (SaTC) $124,250,000 +$1,500,000 / 1.2% SECURE AND TRUSTWORTHY CYBERSPACE (SaTC) $124,250,000 +$1,500,000 / 1.2% Overview The Secure and Trustworthy Cyberspace (SaTC) investment is aimed at building a cybersecure society and providing a strong

More information

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000 Issue Chair: Issue Sherpa: Dick Brown CEO EDS Corporation Bill Poulos EDS Corporation Tel: (202) 637-6708

More information

S 2 ERC Project: A Review of Return on Investment for Cybersecurity. Author: Joe Stuntz, MBA EP 14, McDonough School of Business.

S 2 ERC Project: A Review of Return on Investment for Cybersecurity. Author: Joe Stuntz, MBA EP 14, McDonough School of Business. S 2 ERC Project: A Review of Return on Investment for Cybersecurity Author: Joe Stuntz, MBA EP 14, McDonough School of Business Date: 06 May 2014 Abstract Many organizations are looking at investing in

More information

Benefits of Collaborative Science and Innovation - Improve Cyber Security

Benefits of Collaborative Science and Innovation - Improve Cyber Security Public-Private Cooperation in Cybersecurity Research Strategy Development across the Globe A View from the U.S. Department of Homeland Security (DHS) Background Envision a future... in which universities

More information

Capabilities for Cybersecurity Resilience

Capabilities for Cybersecurity Resilience Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances

More information

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business S 2 ERC Project: Cyber Threat Intelligence Exchange Ecosystem: Economic Analysis Report: An Analysis of US Government Proposed Cyber Incentives Author: Joe Stuntz, MBA EP 14, McDonough School of Business

More information

Cyber Security Division Overview

Cyber Security Division Overview Homeland Security Advanced Research Projects Agency Cyber Security Division Overview Douglas Maughan, Ph.D. Director October 9, 2012 http://www.cyber.st.dhs.gov Environment: Greater Use of Technology,

More information

Future cybersecurity threats and research needs.

Future cybersecurity threats and research needs. www.thalesgroup.com Future cybersecurity threats and research needs. 3 rd Franco-American Workshop on Cybersecurity Lyon Kreshnik Musaraj kreshnik.musaraj@thalesgroup.com December 9. 2014 2 / Challenges

More information

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Importance of Cyber Threat Intelligence to a Strong Security Posture The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

BSA GLOBAL CYBERSECURITY FRAMEWORK

BSA GLOBAL CYBERSECURITY FRAMEWORK 2010 BSA GLOBAL CYBERSECURITY FRAMEWORK BSA GLOBAL CYBERSECURITY FRAMEWORK Over the last 20 years, consumers, businesses and governments 1 around the world have moved online to conduct business, and access

More information

Solving for the Future: Addressing Major Societal Challenges Through Innovative Technology and Cloud Computing

Solving for the Future: Addressing Major Societal Challenges Through Innovative Technology and Cloud Computing Solving for the Future: Addressing Major Societal Challenges Through Innovative Technology and Cloud Computing As economic challenges persist in communities, nations, and regions around the world, the

More information

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses

More information

Rising to the Challenge

Rising to the Challenge CYBERSECURITY: Rising to the Challenge Dialogues with Subject Matter Experts Advanced persistent threats. Zero-day attacks. Insider threats. Cybersecurity experts say that if IT leaders are not concerned

More information

Some Thoughts on the Future of Cyber-security

Some Thoughts on the Future of Cyber-security Some Thoughts on the Future of Cyber-security Mike Thomas Information Assurance Directorate National Security Agency NSI IMPACT April 2015 1 Introduction, or Why are we here? National security missions

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Government-University-Industry Research Roundtable

Government-University-Industry Research Roundtable Government-University-Industry Research Roundtable February 2011 Chris Greer Assistant Director for Information Technology R&D White House Office of Science & Technology Policy America's economic prosperity

More information

23.9.2015. Kangas Cybersecurity strategy

23.9.2015. Kangas Cybersecurity strategy Kangas Cybersecurity strategy Vision of Kangas Smart Kangas Life and living at Kangas is convenient, easy and safe. Kangas is resource-wise and it is attractive place of work. Security and safety measures

More information

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro) Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro) NICE Conference 2014 CYBERSECURITY RESILIENCE A THREE TIERED SOLUTION NIST Framework for Improving Critical Infrastructure Cybersecurity

More information

The Cybersecurity Threat Protecting Big Data

The Cybersecurity Threat Protecting Big Data The Cybersecurity Threat Protecting Big Data Nikcholas Davis Chief Information Security Officer UW-System Wisconsin Real Estate and Economic Outlook Conference September 2015 Recent cyber threats to big

More information

CYBERSECURITY RISK RESEARCH CENTRE. http://www.riskgroupllc.com. http://www.riskgroupllc.com info@riskgroupllc.com + (832) 971 8322

CYBERSECURITY RISK RESEARCH CENTRE. http://www.riskgroupllc.com. http://www.riskgroupllc.com info@riskgroupllc.com + (832) 971 8322 CYBERSECURITY RISK RESEARCH CENTRE http://www.riskgroupllc.com http://www.riskgroupllc.com info@riskgroupllc.com + (832) 971 8322 Cyber-Security Risk Research Centre In this era of interconnected and interdependent

More information

TUSKEGEE CYBER SECURITY PATH FORWARD

TUSKEGEE CYBER SECURITY PATH FORWARD TUSKEGEE CYBER SECURITY PATH FORWARD Preface Tuskegee University is very aware of the ever-escalating cybersecurity threat, which consumes continually more of our societies resources to counter these threats,

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Solving the Security Puzzle

Solving the Security Puzzle Solving the Security Puzzle How Government Agencies Can Mitigate Today s Threats Abstract The federal government is in the midst of a massive IT revolution. The rapid adoption of mobile, cloud and Big

More information

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security. Written Testimony of Dr. Andy Ozment Assistant Secretary for Cybersecurity and Communications U.S. Department of Homeland Security Before the U.S. House of Representatives Committee on Oversight and Government

More information

NSF Workshop on Big Data Security and Privacy

NSF Workshop on Big Data Security and Privacy NSF Workshop on Big Data Security and Privacy Report Summary Bhavani Thuraisingham The University of Texas at Dallas (UTD) February 19, 2015 Acknowledgement NSF SaTC Program for support Chris Clifton and

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

National Cyber Security Framework and Protocol. for securing digital information in networked critical infrastructures and communications

National Cyber Security Framework and Protocol. for securing digital information in networked critical infrastructures and communications OPERATIONAL REQUIREMENTS DOCUMENT National Cyber Security Framework and Protocol Contents for securing digital information in networked critical infrastructures and communications 1. General Description

More information

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It

More information

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Bruce Heiman K&L Gates September 10, 2015 Bruce.Heiman@klgates.com (202) 661-3935 Why share information? Prevention

More information

Integration Maturity Model Capability #5: Infrastructure and Operations

Integration Maturity Model Capability #5: Infrastructure and Operations Integration Maturity Model Capability #5: Infrastructure and Operations How improving integration supplies greater agility, cost savings, and revenue opportunity TAKE THE INTEGRATION MATURITY SELFASSESSMENT

More information

Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC 20230 ) ) ) ) )

Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC 20230 ) ) ) ) ) Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC 20230 In the Matter of Stakeholder Engagement on Cybersecurity in the Digital Ecosystem Docket

More information

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation

More information

[STAFF WORKING DRAFT]

[STAFF WORKING DRAFT] S:\LEGCNSL\LEXA\DOR\OI\PARTIAL\CyberWD..xml [STAFF WORKING DRAFT] JULY, 0 SECTION. TABLE OF CONTENTS. The table of contents of this Act is as follows: Sec.. Table of contents. Sec.. Definitions. TITLE

More information

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/ An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at

More information

Cybersecurity: Mission integration to protect your assets

Cybersecurity: Mission integration to protect your assets Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides Daniel Thanos (daniel.thanos@telus.com) Director Advanced Cybersecurity & Strategic Programs September,

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security Boeing Defense, Space & Security Ventures Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security Tristan Glenwright - Boeing BOEING is a trademark of Boeing Management Company. The

More information

WRITTEN TESTIMONY OF NICKLOUS COMBS CHIEF TECHNOLOGY OFFICER, EMC FEDERAL ON CLOUD COMPUTING: BENEFITS AND RISKS MOVING FEDERAL IT INTO THE CLOUD

WRITTEN TESTIMONY OF NICKLOUS COMBS CHIEF TECHNOLOGY OFFICER, EMC FEDERAL ON CLOUD COMPUTING: BENEFITS AND RISKS MOVING FEDERAL IT INTO THE CLOUD WRITTEN TESTIMONY OF NICKLOUS COMBS CHIEF TECHNOLOGY OFFICER, EMC FEDERAL ON CLOUD COMPUTING: BENEFITS AND RISKS MOVING FEDERAL IT INTO THE CLOUD BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

Research Report: Addressing Security Concerns for Connected Devices in the Internet of Things Era

Research Report: Addressing Security Concerns for Connected Devices in the Internet of Things Era Sponsored by Oracle Research Report: Addressing Security Concerns for Connected Devices in the Internet of Things Era Introduction About Survey Respondents The Internet of Things (IoT) and the rise of

More information

Data Security Best Practices & Reasonable Methods

Data Security Best Practices & Reasonable Methods Data Security Best Practices & Reasonable Methods September 2013 Mike Tassey Technical Security Advisor Privacy Technical Assistance Center (PTAC) http://ptac.ed.gov/ E-mail: PrivacyTA@ed.gov Phone: 855-249-3072

More information

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

More information

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next Your Data Under Siege: Guard the Gaps with Patch Management 1.0

More information

Testimony of. Cita M. Furlani Director

Testimony of. Cita M. Furlani Director Testimony of Cita M. Furlani Director Information Technology Laboratory National Institute of Standards and Technology United States Department of Commerce Joint Hearing Before the United States House

More information

STAND THE. Data Center Optimization. Q&A with an Industry Leader

STAND THE. Data Center Optimization. Q&A with an Industry Leader Q&A with an Industry Leader Government is faced with exploding demand to provide services to end users, be they ordinary citizens or war fighters. The data center is a primary resource that overworked

More information

Cyber Security & Data Privacy. January 22, 2014

Cyber Security & Data Privacy. January 22, 2014 Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

More information

CONSULTING IMAGE PLACEHOLDER

CONSULTING IMAGE PLACEHOLDER CONSULTING IMAGE PLACEHOLDER KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization

More information

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management Prevent cyber attacks. SEE what you are missing. See Your Network MAP. Prevent Cyber Attacks. Driven by the need to support evolving business objectives, enterprise IT infrastructures have grown increasingly

More information

Preventing and Defending Against Cyber Attacks June 2011

Preventing and Defending Against Cyber Attacks June 2011 Preventing and Defending Against Cyber Attacks June 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their unclassified

More information

NITRD: National Big Data Strategic Plan. Summary of Request for Information Responses

NITRD: National Big Data Strategic Plan. Summary of Request for Information Responses NITRD: National Big Data Strategic Plan Summary of Request for Information Responses Introduction: Demographics Summary of Responses Next generation Capabilities Data to Knowledge to Action Access to Big

More information

Automotive Suppliers and Cybersecurity

Automotive Suppliers and Cybersecurity Automotive Suppliers and Cybersecurity OEMs sometimes specify their security requirements in an incomplete or vague way, but that certainly doesn t mean that Tier 1 automotive suppliers (Tier 1s) should

More information

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015 EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015 Aristotelis Tzafalias Trust and Security Unit H.4 DG Connect European Commission Trust and Security: One Mission

More information

Science or Security. George O. Strawn NSF & NITRD (retired)

Science or Security. George O. Strawn NSF & NITRD (retired) Science or Security George O. Strawn NSF & NITRD (retired) Caveat auditor The opinions expressed in this talk are those of the speaker, not the U.S. government Outline Anecdotes about IT security Observations

More information

DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION

DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION GROWTH CATALYSTS & LEGISLATION The current policy funding and policy landscape surrounding cybersecurity initiatives and funding is convoluted with

More information

Delving Into FCC's 'Damn Important' Cybersecurity Report

Delving Into FCC's 'Damn Important' Cybersecurity Report Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Delving Into FCC's 'Damn Important' Cybersecurity

More information

Too Critical To Fail Cyber-Attacks on ERP, CRM, SCM and HR Systems

Too Critical To Fail Cyber-Attacks on ERP, CRM, SCM and HR Systems Too Critical To Fail Cyber-Attacks on ERP, CRM, SCM and HR Systems SESSION ID: HTA-R01 Mariano Nunez CEO Onapsis Inc. @marianonunezdc Why Should We Care? Over 95% of the ERP systems analyzed were exposed

More information

AT&T Cybersecurity Policy Overview

AT&T Cybersecurity Policy Overview AT&T Cybersecurity Policy Overview Chris Boyer AVP Public Policy July 24, 2012 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks

More information

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas

More information

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly

William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly William Hery (whery@poly.edu) Research Professor, Computer Science and Engineering NYU-Poly Ramesh Karri (rkarri@poly.edu) Associate Professor, Electrical and Computer Engineering NYU-Poly Why is cyber

More information

TITLE HERE Subtitle here. Cloud Standards Customer Council Cloud Industry Symposium June 18, 2014 Boston, MA

TITLE HERE Subtitle here. Cloud Standards Customer Council Cloud Industry Symposium June 18, 2014 Boston, MA TITLE HERE Subtitle here Cloud Standards Customer Council Cloud Industry Symposium June 18, 2014 Boston, MA The New England goal and opportunity The Goal: The New England region is committed to be a global

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

The Challenges of Securing the Internet of Things (IoT) at Scale

The Challenges of Securing the Internet of Things (IoT) at Scale The Challenges of Securing the Internet of Things (IoT) at Scale Ulf Lindqvist, Ph.D. Program Director, SRI International Chair, IEEE Computer Society s Technical Committee on Security and Privacy Vice

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence December 6, 2012 Michael Greenberger Professor of Law Founder and Director, CHHS Legislative Proposals Maryland

More information

Security Risk Management For Health IT Systems and Networks

Security Risk Management For Health IT Systems and Networks Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Setting the stage. NATIONAL INSTITUTE OF STANDARDS AND

More information

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco public information. (1110R) 1 In the past

More information