Government Research Needs: Who Funds What?

ACSAC 2009Honolulu, HIDecember 10, 2009

Dept. of Homeland Security Science & Technology Directorate

Douglas Maughan, Ph.D.Branch Chief / Program Mgr.douglas.maughan@dhs.gov202-254-6145 / 202-360-3170

10 December 2009 2

Science and Technology (S&T) Mission

Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.

10 December 2009 3

R&D

SBIRsBAAs

DNSSEC

Cyber SecurityAssessment

SPRI

Emerging Threats

Cyber Forensics HOST

R&D Execution Model

Solicitation Preparation

Pre R&D

CIP Sector Roadmaps

Workshops

Customers

Critical Infrastructure

Providers

Critical Infrastructure

Providers

Customers* CS&C* NCSC* OCIO* USSS* National

Documents

Other Sectorse.g., Banking &

Finance

PrioritizedRequirements

R&DCoordination –

Government & Industry

Experimentsand Exercises

Post R&D

Outreach – Venture Community &

Industry

Supporting Programs

PREDICTDETER

10 December 2009 4

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 5

National Strategy to Secure Cyberspace

The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness

NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNSThe security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.

10 December 2009 6

Information Infrastructure SecurityDNSSEC – Domain Name System Security

Working with OMB, GSA, NIST to ensure USG is leading the global deployment efforts

http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdfWorking with vendor community to ensure solutions

http://www.govsecinfo.com/the-keys-to-deploying-dnssec.html

SPRI – Secure Protocols for Routing InfrastructureWorking with global registries to deploy Public Key Infrastructure (PKI) between ICANN/IANA and registry and between registry and ISPs/customersWorking with industry to develop solutions for our current routing security problems and future technologies

10 December 2009 7

History of Routing OutagesCommercial Internet -- specific network outages

Apr 1997 – AS 7007 announced routes to all the InternetApr 1998 – AS 8584 mis-announced 100K routesDec 1999 – AT&T’s server network announced by another ISP – misdirecting their traffic (made the Wall Street Journal)May 2000 – Sprint addresses announced by another ISPApr 2001 – AS 15412 mis-announced 5K routesDec 24, 2004 – thousands of networks misdirected to TurkeyFeb 10, 2005: Estonian ISP announced a part of Merit address spaceSep 9, 2005 – AT&T, XO and Bell South (12/8, 64/8, 65/8) misdirected to Bolivia [the next day, Germany – prompting AT&T to deaggregate]Jan 22, 2006 – Many networks, including PANIX and Walrus Internet, misdirected to NY ISP (Con Edison (AS27506))Feb 26, 2006 - Sprint and Verio briefly passed along TTNET (AS9121 again?) announcements that it was the origin AS for 4/8, 8/8, and 12/8Feb 24, 2008 –Pakistan Telecom announces /24 from YouTubeMarch 2008 – Kenyan ISP’s /24 announced by AboveNetFrequent full table leaks, e.g., Sep08 (Moscow), Nov08 (Brazil), Jan09(Russia)

10 December 2009 8

SPRI Roadmap

http://www.cyber.st.dhs.gov/docs/spriRoadmap.pdfCOMMENTS ARE ENCOURAGED!!!

Roadmap OutlineThreatsTwo major areas

Deployment– Mechanisms (e.g., BCPs)– Protocol Issues

Research– Near term research– Long term research– Other research problems

10 December 2009 9

SPRI Deployment ActivitiesWorking with registries to deploy PKI between ICANN/IANA and registry and between registry and ISPs/customers

Pilot project with the Asia-Pacific Network Information Center (APNIC) to add public key infrastructure to registration operations

BGPSEC Protocol Design TeamRouter Vendors, ISPs, Standards, AcademicsEnd Goal: “Agreed upon” secure routing protocol that can be expedited through the Internet standards process, implemented by router vendors, and deployed by ISPs

Tools to help current routing research and operationsCheck out “new” RouteViews – Real-time data feedsTool for Prefix Hijack Alert System (PHAS / Cyclops)Tool for Prefix Checker (PCH)

10 December 2009 10

DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)

Provide a dedicated exercise capability for several critical infrastructures in the U.S.

Beginning with Banking and FinanceFoster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats

Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops

Think through sector impacts and responses to operational disruptions of market-based transactions across networks of the National Planning Scenarios

Enhance coordination during a large-scale disruption to key infrastructures

The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN-AMRO, Eurex, Archipelago, Bank of New York, and CitiBank. The Financial Services Sector Coordinating Council R&D Committee has organized a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.

10 December 2009 11

LOGIIC – Linking Oil & Gas Industry to Improve Cybersecurity

A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems.

Consortium under the Automation Federation

Industry determines the R&D projects and then government, industry, and national labs help them execute the projects and then promote the results to the rest of the sector Raising awareness for the whole community

10 December 2009 12

TCIPG – Trustworthy Computing Infrastructure for the Power Grid

Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission & distribution of electric power

Protecting the cyber infrastructureMaking use of information to detect and respond to attacksSupporting greatly increased throughput and timeliness requirements

Support the provisioning of a new resilient “smart”power grid that

Enables advanced energy applicationsHigh-speed monitoring and asset control, advanced metering, diagnostics & maintenance

12

10 December 2009 13

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 14

National Research InfrastructureDETER - http://www.isi.edu/deter/

Researcher and vendor-neutral experimental infrastructurethat is open to a wide community of users to support the development and demonstration of next-generation cyber defense technologiesOver 170 users from 14 countries (and growing)

PREDICT – https://www.predict.orgRepository of network data for use by the U.S.- based cyber security research communityPrivacy Impact Assessment (PIA) completedOver 330 datasets; Over 100 active users (and growing)

End Goal: Improve the quality of defensive cyber security technologies

End Goal: Improve the quality of defensive cyber security technologies

10 December 2009 15

DETER – Map of Global Users

Over 170 users from 14 countries (and growing)

10 December 2009 16

DETER Projects

DoSWorms and malwareOverlays, routing, replic.Hw, sw and netw. testTraceback and attributionModels, policiesClassesDiagnosis and recoveryMulticast, group comm.Collaborative securityScanningAuthenticationDNSSpamSpoofingBotnetsWireless

10 December 2009 17

Data Collection Activities

Classes of data that are interesting, people want collected, and seem reasonable to collect

NetflowPacket traces – headers and full packet (context dependent)Critical infrastructure – BGP and DNS dataTopology dataIDS / firewall logsPerformance dataNetwork management data (i.e., SNMP)VoIP (2200 IP-phone network)Blackhole Monitor traffic

10 December 2009 18

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 19

Next Generation Technologieshttp://baa.st.dhs.govR&D funding model that delivers both near-term and medium-term solutions:

To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure. To perform research and development (R&D) aimed at improving the security of existing deployed technologiesand to ensure the security of new emerging systems;To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

10 December 2009 20

BAA Program / Proposal StructureNOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in (DHS) “customer” environmentsType I (New Technologies)

New technologies with an applied research phase, a development phase, and a deployment phase (optional)

Funding not to exceed 36 months (including deployment phase)

Type II (Prototype Technologies)More mature prototype technologies with a development phase and a deployment phase (optional)

Funding not to exceed 24 months (including deployment phase)

Type III (Mature Technologies)Mature technology with a deployment phase only.

Funding not to exceed 12 months

10 December 2009 21

BAA 07-09 Technical Topic AreasBotnets and Other Malware: Detection and Mitigation

2 papers at ACSAC from Georgia TechComposable and Scalable Secure SystemsCyber Security MetricsNetwork Data Visualization for Information AssuranceInternet Tomography / TopographyRouting Security Management Tools

1 paper at ACSAC from Colorado StateProcess Control System Security

Secure and Reliable Wireless Communication for Control SystemsReal-Time Security Event Assessment and Mitigation

Data Anonymization Tools and TechniquesInsider Threat Detection and Mitigation

10 December 2009 22

Next Generation Technologies (2)Two Solicitations – 2004 and 20072004 – 7 topics, 17 awards totaling $13.9M

9 Academic (CA,GA,DE,NJ,VA,MI,NH)8 Private Sector (NY,MD,MN,NJ,MA,TX)8 commercial products, 2 open source products

2007 – 9 topics, 17 awards totaling $13.7M6 Academic (CA,GA,WA,CO,MD)10 Private Sector (NY,CO,CA,FL,WI,VA)1 National Lab (NM)2 commercial products, 4 open source products (so far)

Expect another BAA in FY10

10 December 2009 23

Sample Product List

Grammatech – Binary Analysis toolsCoverity – Open Source Hardening (SCAN)Telcordia – Automated Vulnerability AnalysisGMU – Network Topology Analysis (Cauldron)Stanford – Anti-Phishing TechnologiesIronkey – Secure USBUSURF – Cyber Exercise Planning toolHBGary – Memory and Malware AnalysisSecure Decisions – Data VisualizationSecure64 – DNSSEC Automation

10 December 2009 24

Initial requirements working group held 11/20/08Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD

Initial list of projectsMobile device forensic toolsGPS forensics toolsLE First responder “field analysis kit”High-speed data capture and deep packet inspectionLive stream capture for gaming systemsMemory analysis and malware toolsInformation Clearing House

S&T initiated 6 projects in FY09 totaling $2M

Cyber Forensics

Combined

10 December 2009 25

Homeland Open Security Technology (HOST)

Promote the development and implementation of open source solutions within US Federal, state and municipal government agenciesInitial list of projects

Federal Government Open Source Census GovernmentForge Open Source Software RepositoryWork with Open Information Security Foundation

“New” open source IDSWork with community on open source software quality analysisUS Government security evaluation processes

OpenSSL FIPS validation

S&T initiated projects in FY09 totaling $1.5M

10 December 2009 26

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 27

Small Business Innovative Research (SBIR/STTR)

FY04Cross-Domain Attack Correlation Technologies (2)Real-Time Malicious Code Identification (2)Advanced Secure Supervisory Control and Data Acquisition (SCADA)and Related Distributed Control Systems (5)

FY05Hardware-assisted System Security Monitoring (4)

FY06Network-based Boundary Controllers (3)Botnet Detection and Mitigation (4)

FY07Secure and Reliable Wireless Communication for Control Systems (2)

FY09Software Testing and Vulnerability Analysis

10 December 2009 28

Small Business Innovative Research (SBIR)Important program for creating new innovation and accelerating transition into the marketplaceSince 2004, DHS S&T Cyber Security has had:

47 Phase I efforts22 Phase II efforts12 efforts currently in progress

8 commercial products availableThree acquisitions

Komoku, Inc. (MD) acquired by Microsoft in March 2008Endeavor Systems (VA) acquired by McAfee in January 2009Solidcore (CA) acquired by McAfee in June 2009

10 December 2009 29

Experimental DeploymentsNCSD / US-CERT

Botnet Detection and Mitigation technology from Univ of MichiganData Visualization technology from Secure Decisions

DHS S&T CIOSecure USB technology from IronKey (CA)

1000+ user deployment within S&TSecure Wireless Access Prototype from BAE Systems (VA)

50 user deployment within S&TBotnet Detection and Mitigation technology from Georgia Tech (GA) and Milcord (MA)

Deployment on S&T Labnet and DREN (DOD Research and Engineering Network)

SCADA system event detection technology from Digital Bond (FL)Deployment on S&T Plum Island system

Regional Technology Integration Initiative (S&T IGD partner)City of Seattle and surrounding citiesBotnet Detection and Mitigation technology from Univ of Michigan

10 December 2009 30

OutreachSystem Integrator Forum – held twice in WDC

Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies

Information Technology Security Entrepreneurs Forum (ITSEF) – held three times at Stanford in Palo Alto, CA

Partner with the venture capital community to assist entrepreneurs and small business better understand both the government marketplace and the venture community

Next one in March 2010; Another one in WDC in October 2010

Information Security Technology Transition Council (ITTC)Held tri-annually in Menlo Park, CAAttendees include venture capitalists, industry, law enforcement, academia, and government

WDC Conferences CATCH – March 3-4, 2009; http://www.cyber.st.dhs.gov/catch.htmlGlobal Cyber Security Conference – August 4-6, 2009

10 December 2009 31

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 32

DHS S&T SBIR Solicitation FY09.2

Topic H-SB09.2-004 – “Software testing and Vulnerability Analysis”

Objective: “Develop services and capabilities to rigorously and routinely build, test, and analyze source and binary forms of software in realistic conditions representative of operational environments in Federal Government and other critical infrastructures.”

Most proposals (38) received among all topics7 Phase I awards made for up to $100K each

10 December 2009 33

SBIR Phase I AwardsSee https://www.sbir.dhs.gov/Awards.asp for abstracts“Software Assurance Analysis and Visual Analytics” – Applied Visions, Inc. (NY)“Eliminating barriers to code quality and security with increased timeliness and accuracy of analysis” – Coverity, Inc. (CA)“Run Time Tools Output Integration Framework” – Data Access Technologies, Inc. (VA)“Concolic Testing with Metronome” – Grammatech, Inc. (NY)“CodeSonar with Metronome” – Grammatech, Inc. (NY)“Concurrency vulnerabilities: Combining dynamic and static analyses for detection and remediation” – SureLogic, Inc. (PA)“Virtualization and Static Analysis to Detect Memory Overwriting Vulnerabilities” – Zephyr Software, LLC (VA)

10 December 2009 34

Statement of Problem

Problem: The U.S. is not producing enough computer scientists and CS degrees

• CS/CE enrollments are down 50% from 5 years ago1

• CS jobs are growing faster than the national average2

1Taulbee Survey 2006-2007, Computer Research Association, May 2008 Computing Research News, Vol. 20/No. 32Nicholas Terrell, Bureau of Labor Statistics, STEM Occupations, Occupational Outlook Quarterly, Spring 2007

Taulbee Survey, CRA BLS

Computer Science/STEM have been the basis for American growth for 60 years

The gap in production of CS threatens continued growth and also national security

Defense, DHS, CNCI and industry all need more CS and CE competencies now

10 December 2009 35

Future Cyber Crime Fighter =

Middle School or High School Student(12-18 years old)

Or55 Year-old Retiree?

WHICH IS IT?

BOTH (and everywhere in between)

10 December 2009 36

Think about …..

What does a 10-year or 20-year cyber crime veteran look like? How many do we actually have (as a nation)?Are there well-defined career paths and HR mechanisms in place to ensure progression and promotion of a “cyber crime fighter”?What incentives are in place to enable a mid-life career change?Where is the initiative that’s going to create all of these future cyber crime fighters and who’s going to pay the bill to train and deploy them?

10 December 2009 37

CCDC MissionThe mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess a student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.

CCDC Events are designed to:Build a meaningful mechanism by which institutions of higher education may evaluate their current educational programs Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams Create interest and awareness among participating institutions and students

10 December 2009 38

CCDC Program

10 December 2009 39

2009 CCDC

NorthwestRegional

SouthwestRegional

SoutheastRegional

West Coast

Regional

NortheastRegional

North Central

Regional MidwestRegional

MidAtlanticRegional

http://www.nationalccdc.org

10 December 2009 40

2009 CCDC8 Regional competitions in 2009

2 New regionals for 2009Northwest: University of WashingtonNorth Central: Dakota State University

NCCDC April 17-19, 2009 in San AntonioBaker College *Texas A&M *University of North Carolina at Charlotte *Cal Poly PomonaUniversity of WashingtonDakota State UniversityUniversity of PittsburghNortheastern University * previous winners

2009 Winner: Baker College of Flint, Michigan

10 December 2009 41

U.S. Cyber Challenge

DC3 Digital Forensics ChallengeAn Air Force Association national high school cyber defense competition

CyberPatriot Defense CompetitionA Department of Defense Cyber Crime Center competition focusing on cyber investigation and forensics

Netwars Capture-the-Flag CompetitionA SANS Institute challenge testing mastery of vulnerabilities

10 December 2009 42

Agenda

Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)National Research InfrastructureNext Generation Technologies

Broad Agency Announcements (BAAs)Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)

SBIRs, Experimental Deployments, OutreachNew Emphasis Areas

Software AssuranceEducation, Competitions, Challenges

Research Landscape

10 December 2009 43

Timeline of Past Research Reports

1997 1998 2000 2001 2003 2004 2005 20061999 2002 2007

President’s Commission on CIP (PCCIP)NRC CSTB Trust in Cyberspace

I3P R&D AgendaNational Strategy to Secure Cyberspace

Computing Research Association – 4 ChallengesNIAC Hardening the Internet

PITAC - Cyber Security: A Crisis of PrioritizationIRC Hard Problems List

NSTC Federal Plan for CSIA R&DNRC CSTB Toward a Safer and More Secure Cyberspace

All documents available at http://www.cyber.st.dhs.gov

10 December 2009 44

Areas of Potential ResearchGlobal Scale Identity ManagementScalable Trustworthy SystemsSurvivability of Time-Critical SystemsSituational Understanding and Attack AttributionCombating Insider ThreatsData ProvenancePrivacy-Aware SecurityEnterprise Level MetricsCoping with Malware and Botnets

Usability and SecuritySystem Evaluation LifecycleNetwork recovery and reconstitutionCyber Security economic modelingModeling of Internet Attacks -critical infrastructureProcess Control System (PCS) securitySoftware Quality AssuranceFinance Sector R&D Agenda

10 December 2009 45

DHS S&T Roadmap

Original 8 topics from the IRC Hard Problems ListUsability and SecurityCoping with Malware and BotnetsSystem Lifecycle Evaluation

Publication in December 2009Will be available at http://www.cyber.st.dhs.gov and also in hardcopy

Source for future solicitations

10 December 2009 46

Summary

DHS has a difficult mission – many supporters, many critics, continues to make improvementsActivities around Washington, DC having an impact on operational and research agendasDHS S&T is moving forward with an aggressive cyber security research agenda

Working with the community to solve the cyber security problems of our current (and future) infrastructureWorking with academe and industry to improve national research infrastructureLooking at future R&D agendas with the most impact for the nation

10 December 2009 47

Conclusion

Together we mustmake a difference to improve the cyber security landscape of our country and world

10 December 2009 48

Douglas Maughan, Ph.D.Branch Chief / Program Mgr.douglas.maughan@dhs.gov202-254-6145 / 202-360-3170

For more information, visithttp://www.cyber.st.dhs.gov