HSARPA Cyber Security R&D - University of Maryland at College Park

Dept. of Homeland Security Science & Technology Directorate
Current R&D Initiatives in
Cybersecurity
UMD / Google
College Park, MD
December 1, 2011
Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced
Research Projects Agency (HSARPA)
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
Cyberspace Definitions

“The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries.”
White House Cyberspace Policy Review, May 2009
12 October 2011
2
Comprehensive National Cybersecurity Initiative (CNCI)

Establish a front line of defense
 Reduce the Number of Trusted Internet Connections
 Deploy Passive Sensors Across Federal Systems
 Pursue Deployment of Automated Defense Systems
 Coordinate and Redirect R&D Efforts

Resolve to secure cyberspace / set conditions for long-term success
 Connect Current Centers to Enhance Situational Awareness
 Develop Gov’t-wide Counterintelligence Plan for Cyber
 Increase Security of the Classified Networks
 Expand Education

Shape future environment / secure U.S. advantage / address new threats
 Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
 Define and Develop Enduring Deterrence Strategies & Programs
 Manage Global Supply Chain Risk
 Cyber Security in Critical Infrastructure Domains

http://cybersecurity.whitehouse.gov
NITRD Structure for Cybersecurity R&D Coordination

Elements of the coordination structure (hierarchy as drawn on the original slide):
 OSTP
 OMB
 National Science and Technology Council
 National Coordination Office for NITRD
 NITRD Subcommittee: senior representatives from agencies conducting NIT R&D
 Cybersecurity R&D Senior Steering Group: senior representatives from agencies with national cybersecurity missions
 Special Cyber Operations Research and Engineering (SCORE) Interagency Working Group: national security systems R&D
 Cyber Security and Information Assurance Interagency Working Group (CSIA IWG): program managers with cybersecurity R&D portfolios
Federal Gov’t Cyber Research Community

National Science Foundation (NSF)
 Research Agenda: SW engineering/protection, HW/FW security, mobile wireless and sensor networks, trustworthy computing; several academic centers
 Researchers: Academics and non-profits
 Customers / Consumers: Basic research - no specific customers

Defense Advanced Research Projects Agency (DARPA)
 Research Agenda: Mostly classified; unclassified topics are focused on basic research; National Cyber Range
 Researchers: Few academics; large system integrators; research and government labs
 Customers / Consumers: Mostly DOD; most solutions are GOTS, not COTS

National Security Agency (NSA)
 Research Agenda: Information Assurance Automation (ISAP), SELinux; networking theory; CAEIAE centers
 Researchers: Mostly in-house
 Customers / Consumers: Intelligence community; some NSA internal; some open source

Intelligence Advanced Research Projects Agency (IARPA)
 Research Agenda: Automatic Privacy Protection (APP), Securely Taking on New Executable Software of Uncertain Provenance (STONESOUP)
 Researchers: Mostly research labs, system integrators, and national labs; some academics
 Customers / Consumers: Intelligence community

National Institute of Standards & Technology (NIST)
 Research Agenda: Trusted Identities in Cyberspace, National Initiative for Cybersecurity Education (NICE)
 Researchers: In-house; most R&D funding comes from other agencies
 Customers / Consumers: Federal agencies with some impact on state and locals

Department of Homeland Security (DHS) S&T
 Research Agenda: All unclassified; Secure Internet Protocols; Process Control Systems (PCS), Emerging Threats, Insider Threat, Cyber Forensics; Software Assurance, Open Security Technologies, Next Generation Technologies
 Researchers: Blend of academics, research and government labs, non-profits, private sector and small business
 Customers / Consumers: DHS Components (including NPPD, USSS, FLETC, FEMA, ICE, CBP); CI/KR Sectors; USG and Internet and Private Sector
Federal Cybersecurity Research and Development Program: Strategic Plan
Federal Cybersecurity R&D Strategic Plan

 Research Themes
   Tailored Trustworthy Spaces
   Moving Target Defense
   Cyber Economics and Incentives
   Designed-In Security (New for FY12)
 Science of Cyber Security
 Transition to Practice
   Technology Discovery
   Test & Evaluation / Experimental Deployment
   Transition / Adoption / Commercialization
 Support for National Priorities
   Health IT, Smart Grid, NSTIC (Trusted Identity), NICE (Education), Financial Services
Quadrennial Homeland Security Review

The Core Missions
1. Preventing terrorism and enhancing security;
2. Securing and managing our borders;
3. Enforcing and administering our immigration laws;
4. Safeguarding and securing cyberspace; and
5. Ensuring resilience to disasters.

Mission 6: Maturing and Strengthening the Homeland Security Enterprise
Foster Innovative Solutions Through Science and Technology
• Ensure scientifically informed analyses and decisions are coupled to effective technological solutions
• Conduct scientific assessments of threats and vulnerabilities
• Foster collaborative efforts involving government, academia, and the private sector to create innovative approaches to key homeland security challenges
DHS S&T Mission
Strengthen America’s security and resiliency by providing knowledge products and innovative technology solutions for the Homeland Security Enterprise

Cyber Security Division (CSD) R&D Execution Model
Sample Product List

 Ironkey – Secure USB
   Standard issue to S&T employees from S&T CIO
 Coverity – Open Source Hardening (SCAN)
   Analyzes 150+ open source software packages daily (later)
 USURF – Cyber Exercise Planning tool
   Recently used in MA & WA state cyber exercises
 Secure64 – DNSSEC Automation
   Several commercial customers; Government pilots underway
 HBGary – Memory and Malware Analysis
   12-15 pilot deployments as part of Cyber Forensics program
Sample Product List - 2

 Grammatech – Binary Analysis tools
   Used by several Intel agencies; commercially available
 Telcordia – Automated Vulnerability Analysis
   In use by DOD, SEC
 GMU – Network Topology Analysis (Cauldron)
   In use at FAA, several commercial customers
 Stanford – Anti-Phishing Technologies
   Open source; most browsers have included Stanford R&D
 Secure Decisions – Data Visualization
   Pilot with DHS/NCSD/US-CERT in progress
Cyber Security Program Areas

 Research Infrastructure to Support Cybersecurity (RISC)
 Trustworthy Cyber Infrastructure (TCI)
 Cyber Technology Evaluation and Transition (CTET)
 Foundational Elements of Cyber Systems (FECS)
 Cybersecurity User Protection and Education (CUPE)
Research Infrastructure (RISC)

 Experimental Research Testbed (DETER)
   Researcher- and vendor-neutral experimental infrastructure
   DETER - http://www.isi.edu/deter/
 Research Data Repository (PREDICT)
   Repository of network data for use by the U.S.-based cyber security research community
   PREDICT – https://www.predict.org
 Software Quality Assurance (SWAMP)
   A software assurance testing and evaluation facility and the associated research infrastructure services
Trustworthy Cyber Infrastructure

 Secure Protocols
   DNSSEC – Domain Name System Security
   SPRI – Secure Protocols for Routing Infrastructure
 Process Control Systems
   LOGIIC – Linking Oil & Gas Industry to Improve Cybersecurity
   TCIPG – Trustworthy Computing Infrastructure for the Power Grid
 Internet Measurement and Attack Modeling
   Geographic mapping of Internet resources
   Logically and/or physically connected maps of Internet resources
   Monitoring and archiving of BGP route information
Evaluation and Transition (CTET)

 Assessment and Evaluations
   Red Teaming of DHS S&T-funded technologies
 Experiments and Pilots
   Experimental Deployment of DHS S&T-funded technologies into operational environments
 Transition to Practice (CNCI)
   New FY12 Initiative
Foundational Elements (FECS)

 Enterprise Level Security Metrics and Usability
 Homeland Open Security Technology (HOST)
 Software Quality Assurance
 Cyber Economic Incentives (CNCI)
   New FY12 Initiative
 Leap Ahead Technologies (CNCI)
 Moving Target Defense (CNCI)
   New FY12 Initiative
 Tailored Trustworthy Spaces (CNCI)
   New FY12 Initiative
Cybersecurity Users (CUPE)

 Cyber Security Competitions
   National Initiative for Cybersecurity Education (NICE)
   NCCDC (Collegiate); U.S. Cyber Challenge (High School)
 Cyber Security Forensics
   Support to DHS and other Law Enforcement customers
 Identity Management
   National Strategy for Trusted Identities in Cyberspace (NSTIC)
 Data Privacy Technologies
   New Start in FY13
DHS S&T Cybersecurity Program

Program elements as laid out on the original slide (grouped under the headings PEOPLE, SYSTEMS, INFRASTRUCTURE and RESEARCH INFRASTRUCTURE):
 Cyber Economic Incentives
 Moving Target Defense
 Tailored Trustworthy Spaces
 Leap Ahead Technologies
 Transition To Practice
 Software Quality Assurance
 Homeland Open Security Technology
 Experiments & Pilots
 Assessments & Evaluations
 Identity Management
 Enterprise Level Security Metrics & Usability
 Data Privacy
 Cyber Forensics
 Competitions
 Secure Protocols
 Process Control Systems
 Internet Measurement & Attack Modeling
 RESEARCH INFRASTRUCTURE: Experimental Research Testbed (DETER); Research Data Repository (PREDICT); Software Quality Assurance (SWAMP)
Small Business Innovative Research (SBIR)

SBIR topics, FY04 through FY12 (number of awards in parentheses where shown on the slide):
 Large-Scale Network Survivability, Rapid Recovery, and Reconstitution (1)
 Software Testing and Vulnerability Analysis (3)
 Secure and Reliable Wireless Communication for Control Systems (2)
 Network-based Boundary Controllers (3)
 Botnet Detection and Mitigation (4)
 Hardware-assisted System Security Monitoring (4)
 Cross-Domain Attack Correlation Technologies (2)
 Real-Time Malicious Code Identification (2)
 Advanced SCADA and Related Distributed Control Systems (5)
 Mobile Device Forensics
 Moving Target Defense (FY12)
Small Business Innovative Research (SBIR)

 Important program for creating new innovation and accelerating transition into the marketplace
 Since 2004, DHS S&T Cyber Security has had:
   60 Phase I efforts
   27 Phase II efforts
   4 Phase II efforts currently in progress
   9 commercial/open source products available
   Three acquisitions:
     Komoku, Inc. (MD) acquired by Microsoft in March 2008
     Endeavor Systems (VA) acquired by McAfee in January 2009
     Solidcore (CA) acquired by McAfee in June 2009
HSARPA Cyber Security R&D Broad Agency Announcement (BAA) 11-02

 Delivers both near-term and medium-term solutions
   To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure, based on customer requirements
   To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging cybersecurity systems;
   To facilitate the transfer of these technologies into operational environments.

Proposals Received According to 3 Levels of Technology Maturity

Type I (New Technologies)
 Applied Research Phase
 Development Phase
 Demo in Op Environ.
 Funding ≤ $3M & 36 mos.

Type II (Prototype Technologies)
 More Mature Prototypes
 Development Phase
 Demo in Op Environ.
 Funding ≤ $2M & 24 mos.

Type III (Mature Technologies)
 Mature Technology
 Demo Only in Op Environ.
 Funding ≤ $750K & 12 mos.

Note: Technology Demonstrations = Test, Evaluation, and Pilot deployment in DHS “customer” environments
Technical Topic Areas (TTAs)

 TTA-1 Software Assurance (DHS, FSSCC)
 TTA-2 Enterprise-level Security Metrics (DHS, FSSCC)
 TTA-3 Usable Security (DHS, FSSCC)
 TTA-4 Insider Threat (DHS, FSSCC)
 TTA-5 Resilient Systems and Networks (DHS, FSSCC)
 TTA-6 Modeling of Internet Attacks (DHS)
 TTA-7 Network Mapping and Measurement (DHS)
 TTA-8 Incident Response Communities (DHS)
 TTA-9 Cyber Economics (CNCI)
 TTA-10 Digital Provenance (CNCI)
 TTA-11 Hardware-enabled Trust (CNCI)
 TTA-12 Moving Target Defense (CNCI)
 TTA-13 Nature-inspired Cyber Health (CNCI)
 TTA-14 Software Assurance MarketPlace (SWAMP) (S&T)
Timeline of Past Research Reports (1997 to 2007)

 President’s Commission on CIP (PCCIP)
 NRC CSTB Trust in Cyberspace
 I3P R&D Agenda
 National Strategy to Secure Cyberspace
 Computing Research Association – 4 Challenges
 NIAC Hardening the Internet
 PITAC - Cyber Security: A Crisis of Prioritization
 IRC Hard Problems List
 NSTC Federal Plan for CSIA R&D
 NRC CSTB Toward a Safer and More Secure Cyberspace

All documents available at http://www.cyber.st.dhs.gov
A Roadmap for Cybersecurity Research
http://www.cyber.st.dhs.gov

 Scalable Trustworthy Systems
 Enterprise Level Metrics
 System Evaluation Lifecycle
 Combatting Insider Threats
 Combatting Malware and Botnets
 Global-Scale Identity Management
 Survivability of Time-Critical Systems
 Situational Understanding and Attack Attribution
 Information Provenance
 Privacy-Aware Security
 Usable Security
So what if I take over a botnet to do my research?
An examination of the current state of Ethics in Information and Communications Technology Research
What are ethics?

 “The field of ethics (or moral philosophy) involves systematizing, defending, and recommending concepts of right and wrong behavior.”
 Normative ethics is concerned with developing a set of morals or guiding principles intended to influence the conduct of individuals and groups within a population (i.e., a profession, a religion, or society at large).
Ethics != Law

 “Law can be defined as a consistent set of universal rules that are widely published, generally accepted, and usually enforced”
 Interrelated but by no means identical (e.g., legal but not ethical, ethical but not legal)
   Adherence to ethical principles may be required to meet regulatory requirements surrounding academic research
   A law may illuminate the line between beneficial acts and harmful ones.
   If the computer security research community develops ethical principles and standards that are acceptable to the profession and integrates those as standard practice, it makes it easier for legislatures and courts to effectively perform their functions.
(Normative) Computer Ethics

“A typical problem in computer ethics arises because there is a policy vacuum about how computer technology should be used. Computers provide us with new capabilities and these in turn give us new choices for action. Often, either no policies for conduct in these situations exist or existing policies seem inadequate. A central task of computer ethics is to determine what we should do in such cases, i.e., to formulate policies to guide our actions.”
- James Moor, 1985
The Belmont Report
"Ethical Principles and Guidelines for the Protection of Human Subjects of Research”, US Department of Health, Education, and Welfare, April 18, 1979

IRBs help ensure that research conforms with the ethical principles of the Belmont Report
What is the role of an IRB?

Institutional Review Boards (IRBs) are responsible for:
 Protecting “human subjects” involved in research
   Proper informed consent – or waiver of consent
   Special protections for vulnerable populations
   Strong privacy and confidentiality protections
   Can allow deception in some research
 IRBs generally review medical or social/behavioral/educational research, not network/security research.

Question: Should the IRB review network/security research?
What is a “human subject”?

The Federal human subjects regulations (45 CFR 46.102(f)) define a human subject as:
“a living individual about whom an investigator…conducting research obtains either: (1) data through intervention or interaction with the individual - OR - (2) identifiable private information.”
What is Network and Security Research?

Network and Security Research, or Information Communication Technology (ICT) Research, involves:
 the collection, use and disclosure of information collected via networks or using hardware and software associated with information technology

Examples include:
 Phishing experiments
 Botnets
 Honeypots
 Analysis of internet network traffic
Ethical Challenges in ICT Research

ICT research differs from traditional human subjects research, and this poses new ethical challenges:
 Interactions with humans are often indirect, with intervening technology
 It is often not feasible to obtain informed consent
 Deception may be necessary
 There are varying degrees of linkage between data and individuals’ identities for behaviors
 Researchers can easily engage millions of “subjects” and billions of associated data “objects” simultaneously.
Comparing ICTR and Medical Research

How is ICTR like researching health issues?
 Identity of subjects
 Risk of harm to subjects
 Subjects of research are also the beneficiaries

How is ICTR not like researching health issues?
 Research “subjects” could be criminals, their tools, or computers owned by innocent 3rd parties
 Researchers are sometimes indistinguishable from criminals controlling a botnet
 Viruses/cancers don’t adapt due to our publications
 Harm primarily financial, but unintended consequences could affect uninvolved 3rd parties (and their customers)
The Menlo Report
"Ethical Principles Guiding Information and Communication Technology Research”, supported by US Department of Homeland Security (unpublished 2011).

Belmont Principle and its Menlo Application:
 Respect for Persons: Identify stakeholders; Informed consent
 Beneficence: Identify potential benefits and harms; Balance risks and benefits; Mitigate realized harms
 Justice: Fairness and equity
 Additional Menlo Principle, Respect for the Law and Public Interest: Compliance; Transparency and accountability
Our Education Problem

Problem: The U.S. is not producing enough computer scientists and CS degrees
• CS/CE enrollments are down 50% from 5 years ago [1]
• CS jobs are growing faster than the national average [2]

Computer Science/STEM have been the basis for American growth for 60 years
The gap in production of CS threatens continued growth and also national security
Defense, DHS, CNCI and industry all need more CS and CE competencies now

[1] Taulbee Survey 2006-2007, Computing Research Association, May 2008 Computing Research News, Vol. 20/No. 3
[2] Nicholas Terrell, Bureau of Labor Statistics, STEM Occupations, Occupational Outlook Quarterly, Spring 2007
National Initiative for Cybersecurity Education (NICE)

 National Cybersecurity Awareness (Lead: DHS).
   Public service campaigns to promote cybersecurity and responsible use of the Internet
 Formal Cybersecurity Education (Co-Leads: DoEd and OSTP).
   Education programs encompassing K-12, higher education, and vocational programs related to cybersecurity
 Federal Cybersecurity Workforce Structure (Lead: OPM).
   Defining government cybersecurity jobs and skills and competencies required.
   New strategies to ensure federal agencies attract, recruit, and retain skilled employees to accomplish cybersecurity missions.
 Cybersecurity Workforce Training and Professional Development (Tri-Leads: DoD, ODNI, DHS).
   Cybersecurity training and professional development required for federal government civilian, military, and contractor personnel.
CCDC Mission

 The mission of the Collegiate Cyber Defense Competition (CCDC) system is to provide institutions with an information assurance or computer security curriculum a controlled, competitive environment to assess a student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.
 CCDC Events are designed to:
   Build a meaningful mechanism by which institutions of higher education may evaluate their current educational programs
   Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work
   Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
   Create interest and awareness among participating institutions and students
U.S. Cyber Challenge

 DC3 Digital Forensics Challenge
   A Department of Defense Cyber Crime Center competition focusing on cyber investigation and forensics
 CyberPatriot Defense Competition
   An Air Force Association national high school cyber defense competition
 Netwars Capture-the-Flag Competition
   A SANS Institute challenge testing mastery of vulnerabilities
Summary

 Cybersecurity research is a key area of innovation needed to support our future
 DHS S&T continues with an aggressive cyber security research agenda
   Working to solve the cyber security problems of our current (and future) infrastructure and systems
   Working with academe and industry to improve research tools and datasets
   Looking at future R&D agendas with the most impact for the nation, including education
 Need to continue strong emphasis on technology transfer and experimental deployments
For more information, visit http://www.cyber.st.dhs.gov