Government Research Needs: Who Funds What?
ACSAC 2009, Honolulu, HI, December 10, 2009
Dept. of Homeland Security Science & Technology Directorate
Douglas Maughan, Ph.D., Branch Chief / Program [email protected] / 202-360-3170
10 December 2009 2
Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
R&D Execution Model (diagram)
Pre R&D: CIP Sector Roadmaps, Workshops, Prioritized Requirements, R&D Coordination – Government & Industry
R&D: SBIRs, BAAs, DNSSEC, SPRI, Cyber Security Assessment, Emerging Threats, Cyber Forensics, HOST
Post R&D: Experiments and Exercises, Outreach – Venture Community & Industry
Customers: Critical Infrastructure Providers; CS&C, NCSC, OCIO, USSS, National Documents; Other Sectors, e.g., Banking & Finance
Supporting Programs: PREDICT, DETER
Agenda
Information Infrastructure Security – Critical Infrastructure and Key Resources (CI/KR)
National Research Infrastructure
Next Generation Technologies
Broad Agency Announcements (BAAs)
Two new program areas (2009) – Cyber Forensics and Homeland Open Security Technology (HOST)
SBIRs, Experimental Deployments, Outreach
New Emphasis Areas
Software Assurance
Education, Competitions, Challenges
Research Landscape
National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS:
“The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.”
Information Infrastructure Security
DNSSEC – Domain Name System Security
Working with OMB, GSA, NIST to ensure USG is leading the global deployment efforts
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
Working with vendor community to ensure solutions
http://www.govsecinfo.com/the-keys-to-deploying-dnssec.html
SPRI – Secure Protocols for Routing Infrastructure
Working with global registries to deploy Public Key Infrastructure (PKI) between ICANN/IANA and registry and between registry and ISPs/customers
Working with industry to develop solutions for our current routing security problems and future technologies
History of Routing Outages
Commercial Internet – specific network outages
Apr 1997 – AS 7007 announced routes to all the Internet
Apr 1998 – AS 8584 mis-announced 100K routes
Dec 1999 – AT&T’s server network announced by another ISP – misdirecting their traffic (made the Wall Street Journal)
May 2000 – Sprint addresses announced by another ISP
Apr 2001 – AS 15412 mis-announced 5K routes
Dec 24, 2004 – thousands of networks misdirected to Turkey
Feb 10, 2005 – Estonian ISP announced a part of Merit address space
Sep 9, 2005 – AT&T, XO and Bell South (12/8, 64/8, 65/8) misdirected to Bolivia [the next day, Germany – prompting AT&T to deaggregate]
Jan 22, 2006 – Many networks, including PANIX and Walrus Internet, misdirected to NY ISP (Con Edison (AS27506))
Feb 26, 2006 – Sprint and Verio briefly passed along TTNET (AS9121 again?) announcements that it was the origin AS for 4/8, 8/8, and 12/8
Feb 24, 2008 – Pakistan Telecom announces /24 from YouTube
March 2008 – Kenyan ISP’s /24 announced by AboveNet
Frequent full table leaks, e.g., Sep08 (Moscow), Nov08 (Brazil), Jan09 (Russia)
SPRI Roadmap
http://www.cyber.st.dhs.gov/docs/spriRoadmap.pdf
COMMENTS ARE ENCOURAGED!!!
Roadmap Outline
Threats
Two major areas
Deployment – Mechanisms (e.g., BCPs) – Protocol Issues
Research – Near term research – Long term research – Other research problems
SPRI Deployment Activities
Working with registries to deploy PKI between ICANN/IANA and registry and between registry and ISPs/customers
Pilot project with the Asia-Pacific Network Information Center (APNIC) to add public key infrastructure to registration operations
BGPSEC Protocol Design Team
Router Vendors, ISPs, Standards, Academics
End Goal: “Agreed upon” secure routing protocol that can be expedited through the Internet standards process, implemented by router vendors, and deployed by ISPs
Tools to help current routing research and operations
Check out “new” RouteViews – Real-time data feeds
Tool for Prefix Hijack Alert System (PHAS / Cyclops)
Tool for Prefix Checker (PCH)
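A minimal prefix-origin checker in the spirit of the prefix hijack alert and prefix checker tools listed above, added here as an illustration; it is not code from those tools or from DHS S&T. It compares observed BGP origin announcements against a registry of who may originate which prefix (the role a registry-anchored PKI plays in SPRI) and flags the two patterns from the outage history: a wrong origin for a known prefix and a more-specific announced from inside someone else's block. The registry, the observations, the prefixes (RFC 5737/3849 documentation space) and the ASNs (RFC 5398 range) are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed registry: which origin ASNs may announce each prefix.
# Documentation-only prefixes and ASNs; nothing here is a real allocation.
REGISTRY = {
    ipaddress.ip_network("192.0.2.0/24"): {64496},
    ipaddress.ip_network("198.51.100.0/24"): {64497},
    ipaddress.ip_network("2001:db8::/32"): {64498},
}

# Constructed origin observations, as a route collector would report them.
OBSERVED = [
    ("192.0.2.0/24", 64496),     # registered holder, exact prefix: fine
    ("192.0.2.128/25", 64499),   # more-specific from a stranger (the YouTube /24 pattern)
    ("198.51.100.0/24", 64500),  # exact prefix, wrong origin (the AS 7007 pattern)
    ("192.0.2.0/24", 64500),     # same stranger claiming a second block (leak-like)
    ("2001:db8:1::/48", 64498),  # holder deaggregating its own block: fine
    ("203.0.113.0/24", 64501),   # unregistered prefix: nothing to compare against
]


@dataclass(frozen=True)
class Alert:
    prefix: str
    origin_as: int
    kind: str        # "origin-mismatch" or "more-specific"
    covered_by: str  # registered prefix the announcement collides with


def classify(prefix, origin_as, registry=REGISTRY):
    """Return an Alert if the announcement conflicts with the registry, else None."""
    net = ipaddress.ip_network(prefix)
    exact = registry.get(net)
    if exact is not None:
        if origin_as in exact:
            return None
        return Alert(prefix, origin_as, "origin-mismatch", str(net))
    # No exact entry: find the most specific registered prefix that covers it.
    covering = [r for r in registry if r.version == net.version and net.subnet_of(r)]
    if not covering:
        return None
    best = max(covering, key=lambda r: r.prefixlen)
    if origin_as in registry[best]:
        return None  # the holder may announce a sub-prefix of its own block
    return Alert(prefix, origin_as, "more-specific", str(best))


def scan(observed=OBSERVED, registry=REGISTRY):
    """Run every observation through classify and keep only the alerts."""
    alerts = []
    for prefix, origin_as in observed:
        alert = classify(prefix, origin_as, registry)
        if alert is not None:
            alerts.append(alert)
    return alerts


def leak_suspects(alerts, threshold=2):
    """Origins conflicting on at least `threshold` prefixes: a table-leak pattern."""
    counts = {}
    for a in alerts:
        counts[a.origin_as] = counts.get(a.origin_as, 0) + 1
    return sorted(asn for asn, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan()
    for a in found:
        print(f"{a.kind:16} {a.prefix:18} AS{a.origin_as} (registered: {a.covered_by})")
    print("leak suspects:", leak_suspects(found))
```

Against a real feed the registry would come from the RIR's signed registration data and the observations from a collector such as RouteViews; the classification logic stays the same.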
DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)
Provide a dedicated exercise capability for several critical infrastructures in the U.S.
Beginning with Banking and Finance
Foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops
Think through sector impacts and responses to operational disruptions of market-based transactions across networks of the National Planning Scenarios
Enhance coordination during a large-scale disruption to key infrastructures
The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN-AMRO, Eurex, Archipelago, Bank of New York, and CitiBank. The Financial Services Sector Coordinating Council R&D Committee has organized a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.
LOGIIC – Linking Oil & Gas Industry to Improve Cybersecurity
A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems.
Consortium under the Automation Federation
Industry determines the R&D projects; then government, industry, and national labs help them execute the projects and promote the results to the rest of the sector
Raising awareness for the whole community
TCIPG – Trustworthy Computing Infrastructure for the Power Grid
Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission & distribution of electric power
Protecting the cyber infrastructure
Making use of information to detect and respond to attacks
Supporting greatly increased throughput and timeliness requirements
Support the provisioning of a new resilient “smart” power grid that enables advanced energy applications
High-speed monitoring and asset control, advanced metering, diagnostics & maintenance
National Research Infrastructure
DETER – http://www.isi.edu/deter/
Researcher- and vendor-neutral experimental infrastructure that is open to a wide community of users to support the development and demonstration of next-generation cyber defense technologies
Over 170 users from 14 countries (and growing)
PREDICT – https://www.predict.org
Repository of network data for use by the U.S.-based cyber security research community
Privacy Impact Assessment (PIA) completed
Over 330 datasets; over 100 active users (and growing)
End Goal: Improve the quality of defensive cyber security technologies
DETER – Map of Global Users
Over 170 users from 14 countries (and growing)
DETER Projects
DoS
Worms and malware
Overlays, routing, replication
Hardware, software and network test
Traceback and attribution
Models, policies
Classes
Diagnosis and recovery
Multicast, group communication
Collaborative security
Scanning
Authentication
DNS
Spam
Spoofing
Botnets
Wireless
Data Collection Activities
Classes of data that are interesting, people want collected, and seem reasonable to collect
Netflow
Packet traces – headers and full packet (context dependent)
Critical infrastructure – BGP and DNS data
Topology data
IDS / firewall logs
Performance data
Network management data (i.e., SNMP)
VoIP (2200 IP-phone network)
Blackhole monitor traffic
Next Generation Technologies
http://baa.st.dhs.gov
R&D funding model that delivers both near-term and medium-term solutions:
To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure.
To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems.
To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
BAA Program / Proposal Structure
NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in (DHS) “customer” environments
Type I (New Technologies)
New technologies with an applied research phase, a development phase, and a deployment phase (optional)
Funding not to exceed 36 months (including deployment phase)
Type II (Prototype Technologies)
More mature prototype technologies with a development phase and a deployment phase (optional)
Funding not to exceed 24 months (including deployment phase)
Type III (Mature Technologies)
Mature technology with a deployment phase only
Funding not to exceed 12 months
BAA 07-09 Technical Topic Areas
Botnets and Other Malware: Detection and Mitigation
– 2 papers at ACSAC from Georgia Tech
Composable and Scalable Secure Systems
Cyber Security Metrics
Network Data Visualization for Information Assurance
Internet Tomography / Topography
Routing Security Management Tools
– 1 paper at ACSAC from Colorado State
Process Control System Security
Secure and Reliable Wireless Communication for Control Systems
Real-Time Security Event Assessment and Mitigation
Data Anonymization Tools and Techniques
Insider Threat Detection and Mitigation
Next Generation Technologies (2)
Two Solicitations – 2004 and 2007
2004 – 7 topics, 17 awards totaling $13.9M
9 Academic (CA, GA, DE, NJ, VA, MI, NH)
8 Private Sector (NY, MD, MN, NJ, MA, TX)
8 commercial products, 2 open source products
2007 – 9 topics, 17 awards totaling $13.7M
6 Academic (CA, GA, WA, CO, MD)
10 Private Sector (NY, CO, CA, FL, WI, VA)
1 National Lab (NM)
2 commercial products, 4 open source products (so far)
Expect another BAA in FY10
Sample Product List
Grammatech – Binary Analysis tools
Coverity – Open Source Hardening (SCAN)
Telcordia – Automated Vulnerability Analysis
GMU – Network Topology Analysis (Cauldron)
Stanford – Anti-Phishing Technologies
Ironkey – Secure USB
USURF – Cyber Exercise Planning tool
HBGary – Memory and Malware Analysis
Secure Decisions – Data Visualization
Secure64 – DNSSEC Automation
Cyber Forensics
Initial requirements working group held 11/20/08
Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD
Initial list of projects
Mobile device forensic tools
GPS forensics tools
LE First responder “field analysis kit”
High-speed data capture and deep packet inspection
Live stream capture for gaming systems
Memory analysis and malware tools
Information Clearing House
S&T initiated 6 projects in FY09 totaling $2M
Homeland Open Security Technology (HOST)
Promote the development and implementation of open source solutions within US Federal, state and municipal government agencies
Initial list of projects
Federal Government Open Source Census
GovernmentForge Open Source Software Repository
Work with Open Information Security Foundation – “New” open source IDS
Work with community on open source software quality analysis
US Government security evaluation processes – OpenSSL FIPS validation
S&T initiated projects in FY09 totaling $1.5M
Small Business Innovative Research (SBIR/STTR)
FY04
Cross-Domain Attack Correlation Technologies (2)
Real-Time Malicious Code Identification (2)
Advanced Secure Supervisory Control and Data Acquisition (SCADA) and Related Distributed Control Systems (5)
FY05
Hardware-assisted System Security Monitoring (4)
FY06
Network-based Boundary Controllers (3)
Botnet Detection and Mitigation (4)
FY07
Secure and Reliable Wireless Communication for Control Systems (2)
FY09
Software Testing and Vulnerability Analysis
Small Business Innovative Research (SBIR)
Important program for creating new innovation and accelerating transition into the marketplace
Since 2004, DHS S&T Cyber Security has had:
47 Phase I efforts
22 Phase II efforts
12 efforts currently in progress
8 commercial products available
Three acquisitions:
Komoku, Inc. (MD) acquired by Microsoft in March 2008
Endeavor Systems (VA) acquired by McAfee in January 2009
Solidcore (CA) acquired by McAfee in June 2009
Experimental Deployments
NCSD / US-CERT
Botnet Detection and Mitigation technology from Univ of Michigan
Data Visualization technology from Secure Decisions
DHS S&T CIO
Secure USB technology from IronKey (CA) – 1000+ user deployment within S&T
Secure Wireless Access Prototype from BAE Systems (VA) – 50 user deployment within S&T
Botnet Detection and Mitigation technology from Georgia Tech (GA) and Milcord (MA) – Deployment on S&T Labnet and DREN (DOD Research and Engineering Network)
SCADA system event detection technology from Digital Bond (FL) – Deployment on S&T Plum Island system
Regional Technology Integration Initiative (S&T IGD partner)
City of Seattle and surrounding cities – Botnet Detection and Mitigation technology from Univ of Michigan
Outreach
System Integrator Forum – held twice in WDC
Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies
Information Technology Security Entrepreneurs Forum (ITSEF) – held three times at Stanford in Palo Alto, CA
Partner with the venture capital community to help entrepreneurs and small businesses better understand both the government marketplace and the venture community
Next one in March 2010; another one in WDC in October 2010
Information Security Technology Transition Council (ITTC)
Held tri-annually in Menlo Park, CA
Attendees include venture capitalists, industry, law enforcement, academia, and government
WDC Conferences
CATCH – March 3-4, 2009; http://www.cyber.st.dhs.gov/catch.html
Global Cyber Security Conference – August 4-6, 2009
DHS S&T SBIR Solicitation FY09.2
Topic H-SB09.2-004 – “Software testing and Vulnerability Analysis”
Objective: “Develop services and capabilities to rigorously and routinely build, test, and analyze source and binary forms of software in realistic conditions representative of operational environments in Federal Government and other critical infrastructures.”
Most proposals (38) received among all topics
7 Phase I awards made for up to $100K each
SBIR Phase I Awards
See https://www.sbir.dhs.gov/Awards.asp for abstracts
“Software Assurance Analysis and Visual Analytics” – Applied Visions, Inc. (NY)
“Eliminating barriers to code quality and security with increased timeliness and accuracy of analysis” – Coverity, Inc. (CA)
“Run Time Tools Output Integration Framework” – Data Access Technologies, Inc. (VA)
“Concolic Testing with Metronome” – Grammatech, Inc. (NY)
“CodeSonar with Metronome” – Grammatech, Inc. (NY)
“Concurrency vulnerabilities: Combining dynamic and static analyses for detection and remediation” – SureLogic, Inc. (PA)
“Virtualization and Static Analysis to Detect Memory Overwriting Vulnerabilities” – Zephyr Software, LLC (VA)
Statement of Problem
Problem: The U.S. is not producing enough computer scientists and CS degrees
• CS/CE enrollments are down 50% from 5 years ago [1]
• CS jobs are growing faster than the national average [2]
[1] Taulbee Survey 2006-2007, Computer Research Association, May 2008 Computing Research News, Vol. 20/No. 3
[2] Nicholas Terrell, Bureau of Labor Statistics, STEM Occupations, Occupational Outlook Quarterly, Spring 2007
(Chart: enrollment and job-growth figures from the Taulbee Survey/CRA and BLS)
Computer Science/STEM have been the basis for American growth for 60 years
The gap in production of CS threatens continued growth and also national security
Defense, DHS, CNCI and industry all need more CS and CE competencies now
Future Cyber Crime Fighter =
Middle School or High School Student (12-18 years old)
Or 55 Year-old Retiree?
WHICH IS IT?
BOTH (and everywhere in between)
Think about …
What does a 10-year or 20-year cyber crime veteran look like? How many do we actually have (as a nation)?
Are there well-defined career paths and HR mechanisms in place to ensure progression and promotion of a “cyber crime fighter”?
What incentives are in place to enable a mid-life career change?
Where is the initiative that’s going to create all of these future cyber crime fighters, and who’s going to pay the bill to train and deploy them?
CCDC Mission
The mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess a student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.
CCDC Events are designed to:
Build a meaningful mechanism by which institutions of higher education may evaluate their current educational programs
Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work
Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
Create interest and awareness among participating institutions and students
CCDC Program
2009 CCDC (map of regional competitions)
Northwest Regional, Southwest Regional, Southeast Regional, West Coast Regional, Northeast Regional, North Central Regional, Midwest Regional, Mid-Atlantic Regional
http://www.nationalccdc.org
2009 CCDC
8 Regional competitions in 2009
2 New regionals for 2009
Northwest: University of Washington
North Central: Dakota State University
NCCDC April 17-19, 2009 in San Antonio
Baker College *
Texas A&M *
University of North Carolina at Charlotte *
Cal Poly Pomona
University of Washington
Dakota State University
University of Pittsburgh
Northeastern University
* previous winners
2009 Winner: Baker College of Flint, Michigan
U.S. Cyber Challenge
DC3 Digital Forensics Challenge – A Department of Defense Cyber Crime Center competition focusing on cyber investigation and forensics
CyberPatriot Defense Competition – An Air Force Association national high school cyber defense competition
Netwars Capture-the-Flag Competition – A SANS Institute challenge testing mastery of vulnerabilities
Timeline of Past Research Reports (figure: reports placed on a 1997–2007 timeline)
President’s Commission on CIP (PCCIP)
NRC CSTB Trust in Cyberspace
I3P R&D Agenda
National Strategy to Secure Cyberspace
Computing Research Association – 4 Challenges
NIAC Hardening the Internet
PITAC – Cyber Security: A Crisis of Prioritization
IRC Hard Problems List
NSTC Federal Plan for CSIA R&D
NRC CSTB Toward a Safer and More Secure Cyberspace
All documents available at http://www.cyber.st.dhs.gov
Areas of Potential Research
Global Scale Identity Management
Scalable Trustworthy Systems
Survivability of Time-Critical Systems
Situational Understanding and Attack Attribution
Combating Insider Threats
Data Provenance
Privacy-Aware Security
Enterprise Level Metrics
Coping with Malware and Botnets
Usability and Security
System Evaluation Lifecycle
Network recovery and reconstitution
Cyber Security economic modeling
Modeling of Internet Attacks – critical infrastructure
Process Control System (PCS) security
Software Quality Assurance
Finance Sector R&D Agenda
DHS S&T Roadmap
Original 8 topics from the IRC Hard Problems List, plus:
Usability and Security
Coping with Malware and Botnets
System Lifecycle Evaluation
Publication in December 2009
Will be available at http://www.cyber.st.dhs.gov and also in hardcopy
Source for future solicitations
Summary
DHS has a difficult mission – many supporters, many critics, continues to make improvements
Activities around Washington, DC having an impact on operational and research agendas
DHS S&T is moving forward with an aggressive cyber security research agenda
Working with the community to solve the cyber security problems of our current (and future) infrastructure
Working with academe and industry to improve national research infrastructure
Looking at future R&D agendas with the most impact for the nation
Conclusion
Together we must make a difference to improve the cyber security landscape of our country and world
Douglas Maughan, Ph.D., Branch Chief / Program [email protected] / 202-360-3170
For more information, visit http://www.cyber.st.dhs.gov