Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes.

Slides:



Advertisements
Similar presentations
AFCEA DC Cyber Security Symposium Military Joint Cyber Command Panel Harry Raduege Lieutenant General, USAF (Ret) Chairman, Center for Network Innovation.
Advertisements

Course: e-Governance Project Lifecycle Day 1
 Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia.
IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair
Bill Newhouse Two Government Cybersecurity Initiatives NIST.
Cyber Security R&D Challenges: A Homeland Security Perspective Simon Szykman, Ph.D. Director, Cyber Security R&D
DHS, National Cyber Security Division Overview
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
WEIS 2011 Workshop on the Economics of Information Security Chris Greer Assistant Director for Information Technology R&D White House Office of Science.
Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.
Global Cyber Security Capacity Maturity Model - CMM WSIS Forum 2015 – Geneva Dr Maria Bada 25/05/2015.
Remarks: Roadmapping and Hard Problems Sally E. Howe, Ph.D. Associate Director National Coordination Office for Networking and Information Technology Research.
(Geneva, Switzerland, September 2014)
BIG DATA AND THE HEALTHCARE REVOLUTION FORD+SSPG 2014.
A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Strategic Information Systems Planning
Patricia A. Muoio Chief National Information Assurance Research Lab.
Secure and Trustworthy Cyberspace (SaTC) Program Presentation to NSF/DIMACS Workshop for Aspiring PIs in SaTC SaTC Program Directors National Science Foundation.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Network Security Resources from the Department of Homeland Security National Cyber Security Division.
CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC) Presentation to: Insider Threat SOAR Workshop.
BOTSWANA NATIONAL CYBER SECURITY STRATEGY PROJECT
Department of Health and Human Services Where do we go from here? RADM Dushanka V. Kleinman Assistant Surgeon General Chief Dental Officer, United States.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
ESA/ESTEC, TEC-QQS August 8, 2005 SAS_05_ESA SW PA R&D_Winzer,Prades Slide 1 Software Product Assurance (PA) R&D Road mapping Activities ESA/ESTEC TEC-QQS.
Cyber Authentication Renewal Project Executive Overview June – minute Brief.
Critical Infrastructure Protection: Program Overview
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
IT Requirements Management Balancing Needs and Expectations.
The Architecture Lecture September 2006 Cem Kaner CSE 1001.
Research Recommendations for the Broadband Taskforce Agenda November 23, 2009.
CHALLENGING BOUNDARIES Rhodia way, The way we do business.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
National Science Foundation Directorate for Computer & Information Science & Engineering (CISE) Trustworthy Computing and Transition to Practice Secure.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Responding to the Unexpected Yigal Arens Paul Rosenbloom Information Sciences Institute University of Southern California.
Community-Driven Development: An Overview of Practice Community Development Strategies – how to prioritize, sequence and implement programs CommDev Workshop.
Federal Cybersecurity Research Agenda June 2010 Dawn Meyerriecks
International Telecommunication Union Geneva, 9(pm)-10 February 2009 BEST PRACTICES FOR ORGANIZING NATIONAL CYBERSECURITY EFFORTS James Ennis US Department.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
The State Climatologist Program and a National Climate Services Initiative Mark A. Shafer Oklahoma Climatological Survey University of Oklahoma.
From Information Assurance to Trusted Systems – A Strategic Shift Patricia A. Muoio Chief, NSA Trusted Systems Research (formerly known as National Information.
Livia Bizikova and Laszlo Pinter
Emergency Services Workshop, 21th-24 th of October, Vienna, Austria Page 1 IP-Based Emergency Applications and Services for Next Generation Networks PEACE.
1 1 Cybersecurity : Optimal Approach for PSAPs FCC Task Force on Optimal PSAP Architecture Working Group 1 Final Report December 10 th, 2015.
Foundations of Information Systems in Business. System ® System  A system is an interrelated set of business procedures used within one business unit.
Jacques Bus Head of Unit, DG INFSO-F5 “Security” European Commission FP7 launch in the New Member States Regional on-line conference 22 January 2007 Objective.
UNCLASSIFIED 1 National Security in Cyberspace: It Takes a Nation Sandra Stanar-Johnson NSA/CSS Representative to the Department of Homeland Security February.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
Strategies for making evaluations more influential in supporting program management and informing decision-making Australasian Evaluation Society 2011.
Latest Strategies for IT Security Margaret Myers Principal Director, Deputy CIO United States Department of Defense North American Day 2006.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
CNCI-SCRM STANDARDIZATION Discussion Globalization Task Force OASD-NII / DoD CIO Unclassified / FOUO.
Expedition Workshop Strategic Leadership For Networking and Information Technology Education September 16, 2008 Chris Greer Director, NCO.
Supporting measurement & improvement of primary health care (PHC) at the facility and community levels Dr. Jennifer Adams, Deputy Assistant Administrator,
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Cyber Security for the real world Tim Brown Dell Fellow and CTO Dell Security Solutions.
Existing Programs to support development of micro-enterprise for informal economy workers and other poverty reduction programs 16 March 2012 Banyan tree.
GEO Strategic Plan : Implementing GEOSS Douglas Cripe GEO Work Programme Symposium 2-4 May 2016, Geneva.
Update from the Faster Payments Task Force
From “Groundhog Day” to “Independence Day”
Cybersecurity EXERCISE (CE) ATD Scenario intro
Wenjing Lou Complex Networks and Security Research (CNSR) Lab
8 Building Blocks of National Cyber Strategies
Making Information Security Manageable with GRC
HLN Consulting, LLC® November 8, 2006
Presentation transcript:

Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes

Dr. Jeannette Wing Assistant Director for Computer & Information Science and Engineering (CISE), National Science Foundation (NSF) Dr. Carl Landwehr Program Director, Trustworthy Computing Program, National Science Foundation (NSF) Dr. Patricia Muoio Science and Technology Lead for Cyber, Office of the Director of National Intelligence (ODNI) Dr. Douglas Maughan Program Manager, Cyber Security R&D, Science & Technology Directorate, Department of Homeland Security (DHS S&T) Toward a Federal Cybersecurity Research Agenda: Three Game-changing Themes Presented by Federal NITRD Program May 19, 2010 Claremont Hotel 41 Tunnel Road Berkeley, California

Federal Cybersecurity R&D: National Dialogue NCDI CNCI DoE “Grassroots” DHS Roadmapping IRC HPL 1 DSB NCW SS IRC HPL SCW LA WS NSF Cyber Trust DARPA IA Programs CSIS/Comm. on CS for 44th SSG NCLY RFI NCDI CI WS DHS RA DoE RA DTO/ IARPA IA NSA IA I3P DoD Roadmapping DoD RA POTUS House Senate POTUS / DNI

Cyberspace Policy ReviewDHS Roadmap For Cybersecurity Research CSIS: Securing Cyberspace For The 44 th Presidency National Cyber Leap Year NRC: Toward a Safer & Secure Cyberspace Fed Plan For Cyber Security & Info. Assurance R&D IRC: Hard Problem List CRA: Grand Challenges In Trustworthy Computing Cybersecurity: A Crisis Of Prioritization National Strategy To Secure Cyberspace

Say “No!” to Business as Usual

Coordinated Effort on Game-Changers It’s about trustworthiness of digital infrastructure –Security, reliability, resiliency, privacy, usability –How can we: Enable risk-aware safe operations in compromised environments Minimize critical system risk while increasing adversaries’ costs and exposure Support informed trust decisions, necessitating flexible security strategies, and allowing for effective risk/benefit analyses and implementations Strong commitment to focus on game-changing technologies for coordinated cybersecurity R&D agenda –Comprehensive National Cybersecurity Initiative, Cyberspace Policy Review: –Aneesh Chopra, US Chief Technology Officer –Howard Schmidt, President’s Cybersecurity Coordinator –NITRD Senior Steering Group, Interagency WGs CSIA, … “Locution for radical thinking” [P. Muoio]

Three Themes Tailored trustworthy spaces – Supporting context specific trust decisions Moving target –Providing resilience through agility Cyber economics – Providing incentives to good security Remember: These are just starting points.

Tailored Trustworthy Spaces Game Changing Theme Carl E. Landwehr National Science Foundation Program Director Trustworthy Computing Program

What is a Tailored Trustworthy Space? In the physical world, we operate in many spaces with many characteristics Home, school, workplace, shopping mall, doctor’s office, bank, theatre Different behaviors and controls are appropriate in different spaces Today’s cyberspace recreates those environments, but blurs the boundaries -- sometimes merges them The vision is of a flexible, distributed trust environment that can support functional, policy, and trustworthiness requirements arising from a wide spectrum of activities in the face of an evolving range of threats

New Paradigm Users can select different environments for different activities (e.g., online banking, commerce, healthcare, personal communications) providing operating capabilities across many dimensions, including confidentiality, anonymity, data and system integrity, provenance, availability, performance Users can negotiate with others to create new environments with mutually agreed characteristics and lifetimes

EXAMPLE: Healthcare sub- spaces in Cyberspace Authentication Integrity Privacy Services Keys LowHighMedium Outbreak information Checking patient records Checking insurance coverage Insurance Coverage Patient employer coverage Schedule Appointment Research virus information

Enabling Informed Trust Decisions Provide users with: – Context-specific trust services – Coherent policy implementation: an integrated set of security choices (or defaults) appropriate to the tasks at hand – User/provider/system visible rules and attributes – Means to negotiate boundaries and rules of the space

Challenge: Identifying dimensions of a tailored trustworthy space Degree of identification / authentication Information flow rules Strength of separation mechanisms Degree of monitoring / violation detection

Challenge: Policy Specification and Management Convenient specification of a tailored space Convenient mechanisms to know it Convenient mechanisms to change it

Challenge: Validation of platform integrity Challenge: Violation detection Challenge: Verifiable separation of spaces... and many more

What’s New? Nothing. Few of these individual problems or component technologies are novel Everything. A structure that puts the pieces together to provide integrated, usable support for diverse trust environments would change the game.

Which technology areas matter? Identity management Component assurance Composition methods and logics Trust negotiation and management...

Moving Target Game Changing Theme Patricia A. Muoio ODNI Science and Technology Lead for Cyber

What is Moving Target Controlled change across multiple system dimensions to: –Increase uncertainty and apparent complexity for attackers, reduce their windows of opportunity, and increase their costs in time and effort –Increase resiliency and fault tolerance within a system

New Paradigm All systems are compromised; perfect security is unattainable Objective is to continue safe operation in a compromised environment, to have systems that are defensible, rather than perfectly secure Cybersecurity is an adversarial science

Seizing the Advantage By establishing controlled movement across multiple system dimensions, we can shift the advantage to the defender by increasing: –The costs to an attacker in time and resources for reconnaissance, planning, and development the degrees of uncertainty for the attacker the apparent complexity of an individual target the apparent diversity across any set of targets –The range of defense strategies available to the defender –The resiliency and fault tolerance of the target through redundant paths, resources, and configurations

Challenge: Managing Moving Target Systems Moving target systems should confound the adversary, not the user –Need system management and configuration capabilities that can support correct use of highly complex systems –Need cognitive interfaces to moving target systems Deployment of moving target mechanisms requires complex cost/benefit analysis –Need metrics and analytic methods to enable such analysis Each moving target mechanism addresses only a subset of the attack vectors –Need decision support mechanism for deployment of moving target systems

Challenge: Smart Movement Moving targets need to be agile –We need to consider autonomic behavior and concepts learned from analysis of immune systems, species evolution, and other natural responses to threat Moving target mechanisms need to adapt quickly –We need to get within the adversaries re-design loop Moving target mechanisms have performance costs –We need system control mechanisms that enable real-time threat-appropriate selection of moving target protections

Challenge: Developing a Cyber Ecosystem to Support Agility Keyed random moving target systems present key management challenges –Need systems that accommodate ad hoc key distribution, rapid re- keying Moving target mechanisms require complex decisions –Need enhanced capabilities to provide situational awareness of system state and current threats –Need metrics to support both human and machine decision making Moving target at scale may result in highly complex systems –Need new methods to model, test and evaluate such systems

Cyber Economic Incentives Game Changing Theme W. Douglas Maughan DHS Science and Technology (S&T) Program Manager

What is Cyber Economic Incentives? An examination to determine what impacts cyber economics and what incentives can be provided to enable ubiquitous security: –New theories and models of investments, markets, and the social dimensions of cyber economics –Data, data, and more data with measurement and analysis based on that data –Improved SW development models and support for “personal data ownership”

What needs to change? Promotion of science-based understanding of markets, decision-making and investment motivation –Develop new theories and models –Promote the role of economics as part of that understanding Creation of environments where deployment of security technology is balanced –Incentives to engage in socially responsible behavior –Deterrence for those who participate in criminal and malicious behavior

Challenge: Cyberspace Data Legal and ethical collection, protection and distribution –Ensure *all* data types/categories are available to the R&D community, including international sharing –Provide protections to data providers, e.g., anonymization Lack of appropriate data to support effective economic analysis –Why isn’t there cyber “insurance actuarial information”? –Current incident trending information inadequate for decision-makers (e.g., no “ground truth” for malware, incidents, etc.)

Challenge: Personal Info/Behavior Educating users about the benefits of secure practices and acceptable cyber behavior –Currently, the “user” is the weakest link –Will improved usability impact the security deployment picture? “Personal Data” –Lack of understanding and agreement of what it is –Who’s ultimately responsible for *my* personal data? Can I hold them accountable? Do I actually *own* it? What economic issues are associated with “personal data”?

Challenge: Empowerment of critical infrastructure providers Assess economic benefits and costs of protecting critical infrastructure against disruption –Educate vendors about their role w.r.t. “secure” software Provide legal frameworks allowing service providers to be more active in defense of their systems/services –What is allowable scope of action in “active response”, within the context of global legal capacities and partnerships? –How do we empower providers to reduce abusive or criminal behavior and provide appropriate law enforcement support?

What is the end result? Data for everyone, anytime, anywhere Security deployment decisions based on knowledge, metrics, and proper motivations Properly incentivized vendors Individual users taking ownership of their personal data Critical infrastructure providers able to better defend their networks and systems

Why Should You Care? How Can You Get Involved?

We Want Your Input and Comments Public Comment Period (5/19-6/18, 2010) –Visit: to share your comments and participate in the Forumhttp://cybersecurity.nitrd.gov – to: –Mail to: NCO/NITRD, Suite II-405, 4201 Wilson Boulevard, Arlington, Virginia Contribute ideas Share results Federal R&D agencies will use your input to refine the R&D themes, to structure research activities, and to provide the basis for requests for additional Federal research funding

It’s a Collective Effort: Examples Shared datasets Red Teaming System stress tests Shared common problem to tackle … New models of engagement Sustained investment models Lightweight submission and reporting … Academia IndustryGovernment ecosystem

Think Big, Think Novel It’s about making our nation more cybersecure, not about the quest for the next 12-month, 12-page chunk of work.* *J.M.Wing, CACM Blog Entry “Breaking the Cycle”, August