CACR Director's Update 2015

CACR Director’s Update. Von Welch, Director, CACR. CACR Seminar Series, January 22nd, 2015

Transcript of CACR Director's Update 2015

Page 1: CACR Director's Update 2015

CACR Director’s Update

Von Welch, Director, CACR

CACR Seminar Series, January 22nd, 2015

Page 2: CACR Director's Update 2015

Welcome: 2015 Spring Seminar Series

• 02/05/2015 Cornell University's Rafael Pass
• 02/19/2015 Penn State's Christopher French
• 03/05/2015 Northeastern University's Engin Kirda
• 04/02/2015 Duke's Aswin Machanavajjhala, PhD
• 04/16/2015 Indiana University's Scott Shackelford

Latest: http://www.cacr.iu.edu/events/674

January 22, 2015 CACR Director's Report

Page 3: CACR Director's Update 2015

Thank yous
• Marjorie Young
• Marion Conaty
• Dara Eckart
• Sarah Portwood
• And everyone else who makes these talks possible


Page 4: CACR Director's Update 2015

Thank you to Fred H. Cate

Founding CACR Director 2003-2014
Now a CACR Senior Policy Fellow


Page 5: CACR Director's Update 2015

CACR Administration and Staff
• David Delaney, Deputy Director
• Dara Eckart, Administrative Director

Associate Directors:
• Bill Barnett
• Mark Bruhn
• Scott Orr

• Leslee Cooper
• Randy Heiland
• Craig Jackson
• Ryan Kiser
• Mark Krenz
• Sarah Portwood
• Susan Sons
• Marjorie Young

Plus many fellows and students…


Page 6: CACR Director's Update 2015

THE CYBERSECURITY LANDSCAPE


Page 7: CACR Director's Update 2015

Software Foundation
• Heartbleed, ShellShock, NTP…
• Foundational software of the Internet isn’t as solid as we would like.


Page 8: CACR Director's Update 2015

Breaches, breaches, breaches…
• Target, Home Depot, etc.
• Cybercrime is getting more organized, aiming higher and getting better.
• Our different networks are integrated.


Page 9: CACR Director's Update 2015

We’re not changing behavior
• Password “123456” reigns supreme in 2014 … Again!
• Caveat – this is from “leaked passwords”
• Why not?
• Are people not directly affected?
• Consequences too distant?


Page 10: CACR Director's Update 2015

Adoption of Two-Factor Auth and Password Managers


Page 11: CACR Director's Update 2015

Cybersecurity as Risk Management

Growing need for cybersecurity professionals to understand cybersecurity’s role in supporting the mission of the organization by managing risk.


Page 12: CACR Director's Update 2015

Transition to Practice
• Widening gap between sophistication of cybersecurity research and what is applied.
• Programs in NSF, DHS, etc. focusing on getting research into practice.


Page 13: CACR Director's Update 2015

We’re still waiting for the big one…


Page 14: CACR Director's Update 2015

MY WISH LIST


Page 15: CACR Director's Update 2015

Learn from our mistakes
• Breach reporting is nice, but knowing what actually went wrong is much better.
• Think National Transportation Safety Board reports – not fast, but detailed.
• Mandiant APT1 is a good example.
• More sharing of intelligence, mistakes in the community – too closed right now.


Page 16: CACR Director's Update 2015

Better Software/Configuration Checking Tools
• Economics are against cybersecurity
• Race to develop, deploy, reconfigure, sell trumps cybersecurity in most cases.
• Need immediate feedback - tools to check software and configuration of systems.
• Easy, integrated, real time and clear.


Page 17: CACR Director's Update 2015

More funding spanning research and operations
• We need to bring together those wrestling with real-world problems and those with innovative research ideas.
• Span from brainstorming workshops, through experimentation, prototypes, and deployment.
• Culture change needed to create this sort of collaboration.


Page 18: CACR Director's Update 2015

TURNING TO CACR


Page 19: CACR Director's Update 2015

About CACR
• Part of Pervasive Technology Institute
• pti.iu.edu
• Supported by VPIT, NSF, DHS, DOE.
• Partnership with University Information Technology Services, School of Informatics and Computing, Maurer School of Law, Kelley School of Business.


Page 20: CACR Director's Update 2015

CACR VISION
• Interweave technical and policy expertise.
• Draw on Indiana University’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, public policy, and other disciplines.
• Bridge with Indiana University’s extensive practical experience in cybersecurity of its operational units.


Page 21: CACR Director's Update 2015

CACR And IU
• CACR exists to serve the Nation, State and IU.
• Per our vision, we aim to improve cybersecurity at IU and IU through cybersecurity.
• Talk to us about coordination of cybersecurity activities, or collaboration on cybersecurity policy, operational, or applied research.


Page 22: CACR Director's Update 2015

Cybersecurity @ Indiana University

Impressive!
• CACR
• REN-ISAC
• SOIC -- Master’s Degree in Cybersecurity
• University Information Security Office
• University Information Policy Office
• Many researchers and practitioners in other schools and offices.


Page 23: CACR Director's Update 2015

CACR ACTIVITIES


Page 24: CACR Director's Update 2015

Trustworthy Science

Maintaining the trust of scientists and the public in the CI, data and science is critical.

Challenge is understanding increasing threats to computational science, culture and requirements of individual domains, large distributed science communities, unique assets such as instruments, data, etc.


Page 25: CACR Director's Update 2015

Science pushes IT hard!
• HPC
• HTC
• Science Gateways
• Big Data
• Distributed Everything
• Bleeding-edge Networks

Page 26: CACR Director's Update 2015

TrustedCI.org: Center for Trustworthy Scientific Cyberinfrastructure

Providing leadership and addressing cybersecurity challenges for the NSF community.


Page 27: CACR Director's Update 2015

CTSC Accomplishments
• Engaged with over a dozen NSF projects - 5 large facilities.
• Organized NSF Cybersecurity Summits for Large Facilities and CI
• Training, best practices
• Developed Cybersecurity Program Guide for NSF CI
• Authoring cybersecurity chapter for NSF Large Facilities Manual


Page 28: CACR Director's Update 2015

We rely increasingly on our software stacks – both the ones we write and others.

Open nature leads to large attack surfaces.

Software integrity is critical.

A joint effort:
• Morgridge Institute for Research (lead)
• University of Illinois Urbana Champaign
• University of Wisconsin – Madison
• Indiana University

Funded by DHS

• Miron Livny, MIR
• Jim Basney, UIUC
• Bart Miller, UW
• Von Welch, IU

https://continuousassurance.org/

Page 29: CACR Director's Update 2015

A Framework for Software Assurance

[Diagram. Labels: Package, Tool, Platform, Perform Assessment, Parse Results, Parsed Results, Result Viewer, View Results, Results. Counts shown on the slide: "Current: 396 & bring your own", "Current: 8", "Current: 2", "Current: 700+ Cores", "Current: 9".]

Page 30: CACR Director's Update 2015

IU’s Role in SWAMP
• CACR: Cybersecurity
• RT/ High Throughput Computing (w/Global Research NOC): User Support and Monitoring


Page 31: CACR Director's Update 2015

XSIM: Extreme Scale Identity Management for Science

Traditional computing with users all managed by data center.

Modern science has large multi-site collaborations.

Image credit: Ian Bird/CERN
Image credit: Lawrence Livermore National Laboratory (via Wikipedia)

Page 32: CACR Director's Update 2015

Science collaboratory identity management
• Based on interviews with 18 sites and projects.
• Simple model for describing collaboratory IdM.
• Identified factors that inhibit and encourage delegation from computing center to collaboration.

Page 33: CACR Director's Update 2015

IU NSA Certification
• Indiana University designated as a National Center of Academic Excellence in Information Assurance/Cybersecurity through academic year 2021.
• Many thanks to Scott Orr, Drew Simshaw, and all the faculty and staff who gather needed information.


Page 34: CACR Director's Update 2015

Indiana National Guard
• Participate in community-building cyber discussions with the Indiana National Guard
• Facilitate tour of ING cyber training facilities at Muscatatuck by senior homeland security officials
• Contribute to IU letter of support for ING’s efforts to expand its cyber force.


Page 35: CACR Director's Update 2015

Consultation to NSA on Cyber
• In the wake of Edward Snowden’s disclosures, organized a day-long discussion between faculty and senior NSA officials at NSA headquarters in Fort Meade, Maryland.
• Guidance on privacy, whistleblowing, transparency, secrecy, and related topics.
• Maurer School of Law Prof. and CACR Senior Fellow David Fidler’s appointment as Scholar in Residence of the President’s Privacy and Civil Liberties Oversight Board (Jan-Aug 2015).


Page 36: CACR Director's Update 2015

DOD Minerva Proposal

Coordinated the development of a multidisciplinary cyber research proposal through the defense department’s MINERVA social science research initiative.

Seven faculty from six IU disciplines (law, journalism, psychology, policy, linguistics, international affairs) joined the effort to propose a study of societal trust and stability.


Page 37: CACR Director's Update 2015

CACR Strategic Plan
• Strategic Planning activities Oct’14-March’15
• Expect to…
  Refresh the fellows program
  Establish strong connections with more schools and other IU campuses
  Define opportunities to provide expertise to the community; etc.
  Refine and focus Security Matters
• Thoughts? Input? We’re happy to chat.


Page 38: CACR Director's Update 2015

2014 CACR Cybersecurity Summit
• June 2014 Summit in Indianapolis
• Featured two senior Homeland Security officials responsible for cyber operations and R&D.

News about 2015 CACR Cybersecurity Summit coming soon!


Page 39: CACR Director's Update 2015

Cyber Faculty Discussion
• Feb. 25
• Extending from the MINERVA collaboration.
• Professors Shannon Martin and Tony Fargo are featured speakers in a faculty discussion of their cyber research interests and establishing collaborative research teams at IU.


Page 40: CACR Director's Update 2015

Thank you

cacr.iu.edu
