Slide 1 – Title
Dept. of Homeland Security Science & Technology Directorate
Priorities in Security Research Funding
ACM CCS, Washington, DC, October 26, 2004
Douglas Maughan, Ph.D., Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170

Slide 2 – Presentation Agenda
• DHS Overview
• Cyber Security R&D Overview
• Cyber Security R&D Activities
  • National Strategy to Secure Cyberspace
  • Secure Domain Name System (DNSSEC)
  • Secure Protocols for the Routing Infrastructure
  • DHS / NSF Cyber Security Testbed
  • Large-scale Network Security Datasets
  • Cyber Economic Assessment studies
• “New” Activities
(slide footer on every slide: 23 September 2004)

Slide 3 – General DHS Organization
• Secretary (Ridge) & Deputy Secretary (Loy)
• Directorates: Management (Hale); Border & Transportation Security (Hutchinson); Emergency Preparedness & Emergency Response (Brown); Information Analysis & Infrastructure Protection (Libutti); Science & Technology (McQueary)
• Other components and offices: Coast Guard; Secret Service; Citizenship & Immigration & Ombuds; Civil Rights and Civil Liberties; Legislative Affairs; General Counsel; Inspector General; State & Local Coordination; Private Sector Coordination; International Affairs; National Capital Region Coordination; Counter-narcotics; Small and Disadvantaged Business; Privacy Officer; Chief of Staff

Slide 4 – Border and Transportation Security (BTS)
Mission: Securing our nation's air, land, and sea borders is a difficult yet critical task. The United States has 5,525 miles of border with Canada and 1,989 miles with Mexico. Our maritime border includes 95,000 miles of shoreline. Each year, more than 500 million people cross the borders into the U.S., some 330 million of whom are non-citizens.
• CBP – Customs and Border Protection
• ICE – Immigration and Customs Enforcement
• TSA – Transportation Security Administration
• APHIS – Animal and Plant Health Inspection Service
• ODP – Office for Domestic Preparedness

Slide 5 – Emergency Preparedness & Response
Mission: Ensure that our nation is prepared for catastrophes, whether natural disasters or terrorist assaults. Not only will the EP&R Directorate coordinate with first responders, it will oversee the federal government's national response and recovery strategy.
• FEMA – Federal Emergency Management Agency
• NIRT – Nuclear Incident Response Teams
• DES – Domestic Emergency Support
• NDPO – National Domestic Preparedness Office

Slide 6 – Information Analysis and Infrastructure Protection (IAIP)
Mission: Ensure the capability to identify and assess current and future threats to the homeland, map those threats against our vulnerabilities, issue timely warnings and take preventive and protective action to secure the national infrastructures.
• NCSD – National Cyber Security Division
• NCS – National Communications System
• PSD – Physical Security Division
• ICD – Infrastructure Coordination Division
(annotation: our main internal DHS customers)

Slide 7 – Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
Slide 8 – S&T Organization Chart
• Under Secretary for Science & Technology (McQueary)
  • Office of Plans, Programs and Budgets (Albright)
  • Homeland Security Advanced Research Projects Agency (Oxford)
  • Office of Research and Development (McCarthy)
  • Office of Systems Engineering & Development (Kubricky)

Slide 9 – Crosscutting Portfolio Areas
• Chemical
• Biological
• Radiological Nuclear
• High Explosives
• Cyber Security
• USSS
(Portfolio manager named on the slide: Paul Mahon)

Slide 10 – Execution (Science and Technology Directorate)
• Office of Research and Development – Stewardship of an enduring capability (Centers, Fellowships, Scholarships)
• Homeland Security Advanced Research Projects Agency – Innovation, Adaptation, & Revolution
• Systems Engineering & Development – Development Engineering, Production, & Deployment

Slide 11 – Legacy of HSARPA Name
• How is it different from DARPA?
• Differences:
  • 85-90% of funds for identified DHS requirements
  • 10-15% of funds for revolutionary research – Breakthroughs, New technologies and systems
• These percentages likely to change over time, but we need to meet today’s requirements

Slide 12 – Presentation Agenda (repeat of slide 2; next section: Cyber Security R&D Overview)

Slide 13 – Cyber Security R&D Portfolio: Scope
• The Internet serves a significant underlying role in many of the Nation’s critical infrastructures
• Adversaries face asymmetric offensive / defensive capabilities with respect to traditional warfare
  • Makes cyberspace an appealing battleground
• Cyberspace provides the ability to exploit weaknesses in our critical infrastructures
  • Communications, monitoring, operations and business systems
  • Provides a fulcrum for leveraging physical attacks
• The most significant cyber threats to the nation are very different from “script-kiddies” or virus writers
• DHS S&T focus is on those threats and issues that warrant national-level concerns

Slide 14 – Cyber Security R&D Center (process diagram)
• Requirements (Pre R&D): prioritize requirements with customers (NCSD, NCS, USSS) and National Documents; critical infrastructure providers and other sectors (e.g., Banking & Finance); sector roadmaps; solicitation preparation (BAA, SBIR); outreach to the venture community and industry; R&D coordination with government and industry
• R&D: DNSSEC; SPRI; Cyber Economics; future programs; supporting programs PREDICT and DETER
• Post R&D: experiments and exercises; workshops; customers (NCSD, NCS, USSS), critical infrastructure providers and other sectors (e.g., Banking & Finance)

Slide 15 – Post Research Activities
• Experiments
  • U.S. / Canada Secure Blackberry Experiment – 3 phase homeland security deployment activity; includes industry participants from both countries
  • Oil and Gas Sector – Sector workshop in late July; expected to lead to technology pilot deployments
  • Department of Treasury – FS ISAC, FSSCC, numerous sector participants; technology pilot organization in process

Slide 16 – Post Research Activities (continued)
• Exercises
  • National Exercise Plan (managed by DHS ODP)
  • National Cyber Security Exercise as part of NEP
  • Several regional cyber security tabletop exercises
  • Others: U.S. NORTHCOM Unified Defense 05 / TOPOFF 3; CWID 2005 (originally known as JWID)

Slide 17 – DHS S&T Commercial Outreach Strategy
• Assist commercial companies in providing cyber security technology to DHS and other government agencies
• Assist DHS S&T-funded researchers in transferring cyber security technology to larger, established security technology companies
• Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures
• We will work with the VCs to: focus on bringing innovation to the marketplace; accelerate development and deployment; provide orders-of-magnitude leverage of DHS R&D funding
• We will partner with the VCs, not compete with them: work with many VCs and portfolio companies; provide liaison and bridge activities; we do not invest for equity
(diagram elements: Government; Established Commercial Companies; DHS Researchers; Emerging Commercial Companies)

Slide 18 – Presentation Agenda (repeat of slide 2; next section: Cyber Security R&D Activities)

Slide 19 – Domain Name System and Security
• Critical Internet infrastructure component
  • Virtually every Internet application uses the DNS
  • DNS database maps: name to IP address (for example: www.isi.edu = 128.9.176.32) and many other mappings (mail servers, IPv6, reverse…)
• DNS threats identified in early 1990s
• DNSSEC
  • Cryptographic signatures in the DNS
  • Assures integrity of results returned from DNS queries
  • Protects against tampering in caches and during transmission
  • End-system checks the chain of signatures up to the root

Slide 20 – Activities To Date (DNSSEC)
• Formation of ad-hoc government and industry “steering committee”
• Two workshops in early and late May
  • 3 May: Amsterdam – as part of the RIPE agenda
  • 23 May: San Fran – affiliated with NANOG
  • Attendees included: DNS software developers, DNS root operators (U.S. and International), government network operators, and numerous other stakeholders
• Initial R&D Funding – NIST, industry
• Future Activities
  • Pilot deployments of DNSSEC on .us and .gov network

Slide 21 – Secure Protocols for the Routing Infrastructure (SPRI)
• BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet
• BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows
• The BGP architecture makes it highly vulnerable to human errors and malicious attacks against
  • Links between routers
  • The routers themselves
  • Management stations that control routers
• Working with industry to develop solutions for our current routing security problems and future technologies

Slide 22 – DHS / NSF Cyber Security Testbed
• “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002
• We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
• Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry
• One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
• The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies

Slide 23 – Architectural Plan
• Construct a homogeneous emulation cluster based upon University of Utah’s Emulab
• Implement network services – DNS, BGP
• Add containment, security, and usability features to the software
• Add (controlled) hardware heterogeneity
• Connect to other government and industry testbeds (once we have our act together)

Slide 24 – DETER Testbed Architecture
[Diagram; elements shown: User; Internet; Ethernet Bridge with Firewall; ‘User’ Server (user files; user accounts & data logging); ‘Boss’ Server (control DB; Web/DB/SNMP; switch management); ‘Gatekeeper’; External VLAN; Boss VLAN; Users VLAN; Router]
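The chain-of-signatures check summarized on the Domain Name System and Security slide (slide 19), shown here as an added Go example that is not part of the presentation and is not taken from any DNSSEC implementation: three zones (root, edu, isi.edu) each sign their own records, every parent publishes a hash of its child's key as a signed DS record, and a resolver-side ValidateChain walks from a configured trust anchor down to the answer. Assumptions: Ed25519 stands in for the DNSSEC signature algorithms, one signature per record replaces RRsets, RRSIG validity windows and key tags, and the resolver is handed zone keys directly instead of querying for DNSKEY records. The two failure cases (an answer altered in a cache after signing, and a key that no parent ever delegated to) are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RR is a record plus the signature its zone placed over it (simplified:
// one signature per record, no RRset grouping, no validity window).
type RR struct {
	Name, Type, Data string
	Sig              []byte
}

// Zone owns a signing key and publishes a signed DS (hash of the child's
// public key) for every child it has delegated.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	DS   map[string]RR
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string]RR{}}
}

// canonical is the byte string that is signed and later verified.
func canonical(name, typ, data string) []byte { return []byte(name + "\x00" + typ + "\x00" + data) }

func (z *Zone) Sign(name, typ, data string) RR {
	return RR{Name: name, Type: typ, Data: data, Sig: ed25519.Sign(z.priv, canonical(name, typ, data))}
}

func (rr RR) verify(pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, canonical(rr.Name, rr.Type, rr.Data), rr.Sig)
}

// keyDigest is the DS content: a hash binding a zone name to its key.
func keyDigest(name string, pub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(name+"\x00"), pub...))
	return hex.EncodeToString(sum[:])
}

// Delegate publishes a signed DS for child in this (parent) zone.
func (z *Zone) Delegate(child *Zone) {
	z.DS[child.Name] = z.Sign(child.Name, "DS", keyDigest(child.Name, child.Pub))
}

// ValidateChain is the resolver-side check: the first key must equal the
// configured trust anchor, each child's key must match the signed DS in its
// parent, and the answer must verify under the leaf zone's key.
func ValidateChain(anchor ed25519.PublicKey, chain []*Zone, answer RR) error {
	if len(chain) == 0 || !bytes.Equal(anchor, chain[0].Pub) {
		return fmt.Errorf("root key does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, ok := parent.DS[child.Name]
		switch {
		case !ok:
			return fmt.Errorf("%s has no DS for %s", parent.Name, child.Name)
		case !ds.verify(parent.Pub):
			return fmt.Errorf("DS for %s has an invalid signature", child.Name)
		case ds.Data != keyDigest(child.Name, child.Pub):
			return fmt.Errorf("key offered for %s does not match its DS", child.Name)
		}
	}
	if leaf := chain[len(chain)-1]; !answer.verify(leaf.Pub) {
		return fmt.Errorf("%s %s fails verification under the %s key", answer.Name, answer.Type, leaf.Name)
	}
	return nil
}

// Demo builds root -> edu -> isi.edu, signs the slide's example mapping and
// returns (genuine accepted, altered answer rejected, undelegated key rejected).
func Demo() (bool, bool, bool) {
	root, edu, isi := NewZone("."), NewZone("edu."), NewZone("isi.edu.")
	root.Delegate(edu)
	edu.Delegate(isi)
	chain := []*Zone{root, edu, isi}

	genuine := isi.Sign("www.isi.edu.", "A", "128.9.176.32")
	tampered := genuine
	tampered.Data = "192.0.2.1"  // constructed: data changed in a cache, old signature kept
	rogue := NewZone("isi.edu.") // constructed: a key that edu never delegated to
	forged := rogue.Sign("www.isi.edu.", "A", "192.0.2.1")

	return ValidateChain(root.Pub, chain, genuine) == nil,
		ValidateChain(root.Pub, chain, tampered) != nil,
		ValidateChain(root.Pub, []*Zone{root, edu, rogue}, forged) != nil
}

func main() {
	g, t, r := Demo()
	fmt.Printf("genuine validates: %v, altered rejected: %v, rogue key rejected: %v\n", g, t, r)
}
```

The point to take from the rogue-key case is that a resolver never trusts a key because it arrived with the answer; it trusts it only because the parent's signed DS says so, all the way up to the anchor, which is why pilot deployments of signed .us and .gov zones matter more than any individual signed leaf.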
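A defender-side origin check for the BGP problem described on the SPRI slide (slide 21), added here as a Go example that is not from the presentation and not from any routing product: it applies the Route Origin Validation decision of RFC 6811 (a later standard; the 2004 slides do not mention it) to a handful of constructed announcements, classifying each as Valid, Invalid or NotFound against a list of Route Origin Authorizations. This catches exactly the "human error" class the slide names (a neighbour mistyping an origin, or announcing a more specific prefix than authorized) as well as deliberate mis-origination. Prefixes come from documentation ranges and AS numbers from the private range; the ROAs and announcements are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
)

// ROA is a Route Origin Authorization: the holder of Prefix permits ASN to
// originate it and any more-specific prefix up to MaxLen bits.
type ROA struct {
	Prefix *net.IPNet
	MaxLen int
	ASN    uint32
}

// Announcement is the part of a BGP UPDATE that origin validation looks at.
type Announcement struct {
	Prefix   *net.IPNet
	OriginAS uint32
}

type Validity int

const (
	NotFound Validity = iota // no ROA covers the prefix: nothing to check against
	Valid                    // a covering ROA authorizes this origin and length
	Invalid                  // covered, but origin or length is not authorized
)

func (v Validity) String() string { return [...]string{"NotFound", "Valid", "Invalid"}[v] }

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// covers reports whether the ROA's prefix contains the announced prefix
// (same address family, announced length at least the ROA length).
func covers(roa, ann *net.IPNet) bool {
	roaLen, roaBits := roa.Mask.Size()
	annLen, annBits := ann.Mask.Size()
	return roaBits == annBits && annLen >= roaLen && roa.Contains(ann.IP)
}

// Validate implements the RFC 6811 decision: Valid if any covering ROA
// matches the origin AS and permits the announced length; Invalid if ROAs
// cover the prefix but none match; NotFound if nothing covers it.
func Validate(roas []ROA, a Announcement) Validity {
	result := NotFound
	annLen, _ := a.Prefix.Mask.Size()
	for _, r := range roas {
		if !covers(r.Prefix, a.Prefix) {
			continue
		}
		if r.ASN == a.OriginAS && annLen <= r.MaxLen {
			return Valid
		}
		result = Invalid
	}
	return result
}

// SampleROAs and SampleAnnouncements are constructed from documentation
// address space and private AS numbers; they are not real routing data.
func SampleROAs() []ROA {
	return []ROA{
		{mustCIDR("192.0.2.0/24"), 24, 64500},
		{mustCIDR("198.51.100.0/24"), 26, 64501},
	}
}

func SampleAnnouncements() []Announcement {
	return []Announcement{
		{mustCIDR("192.0.2.0/24"), 64500},     // legitimate origin
		{mustCIDR("192.0.2.0/25"), 64500},     // right AS, but more specific than MaxLen allows
		{mustCIDR("192.0.2.0/24"), 64666},     // wrong origin: mis-origination, deliberate or fat-fingered
		{mustCIDR("203.0.113.0/24"), 64502},   // no ROA exists: cannot be judged either way
		{mustCIDR("198.51.100.64/26"), 64501}, // more specific, but within MaxLen
	}
}

func main() {
	roas := SampleROAs()
	for _, a := range SampleAnnouncements() {
		fmt.Printf("%-18s origin AS%d -> %s\n", a.Prefix, a.OriginAS, Validate(roas, a))
	}
}
```

What an operator does with Invalid (drop, depreference, or only alert) is policy; the NotFound outcome is the reminder that origin validation only protects prefixes whose holders have published authorizations, which is the coverage problem the SPRI work with industry was meant to address.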
Slide 24 (continued) – DETER Testbed Architecture
[Diagram elements, continued: Control Hardware VLAN; Control Network VLAN; Node; Serial Line Servers; Power Controller (label “160”); PC nodes; 64 @100bT control ports; 64 x 4 @1000bT data ports; Switch Control Interface; Programmable Patch Panel (VLAN switch). Source: DETER Project – Feb 04]

Slide 25 – DETER Testbed Status
• Developed Draft Policy and Procedures: Experiment Definition; Experiment Review Board; Security Isolation Argument
• Architecture Design Report
• ISI and UCB Node Operational
• Held first set of Experiments June 8, 2004
• Workshop held yesterday, in conjunction with ACM CCS in Washington, DC; open to entire research community

Slide 26 – PREDICT: A Protected REpository for Defense of Infrastructure against Cyber Threats
• Program Objective: “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”
• Rationale / Background / Historical:
  • Researchers with insufficient access to data unable to adequately test their research prototypes
  • Government technology decision-makers with no data to evaluate competing “products”
• Bottom Line: Improve the quality of defensive cyber security technologies

Slide 27 – Activities To Date (PREDICT)
• Industry Workshop (Feb. 11-12, 2004)
  • Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda
  • Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program
  • Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward
  • Develop a process by which “data” can be “regularly” collected and shared with the network security research community

Slide 28 – Workshop Attendees (Feb. 11-12, 2004)
AOL; UUNET; Verio; XO Communications; Akamai; Arbor Networks; Riverhead Networks; System Detection; Cisco; Packet Clearing House; Symantec; USC-ISI; UC San Diego; Univ. of Washington; BBN Technologies; CERT/CC; LBNL; Internet2; CAIDA; Merit Networks; Citigroup; Cooley, LLC (Lawyer)

Slide 29 – Data Collection Activities
• Classes of data that are interesting, people want collected, and seem reasonable to collect:
  • Netflow traces
  • Packet traces – headers and full packet (context dependent)
  • Critical infrastructure – BGP and DNS data
  • Topology data
  • IDS / firewall logs
  • Performance data
  • Network management data (i.e., SNMP)
  • VoIP (1400 IP-phone network)
  • Blackhole Monitor traffic

Slide 30 – Trusted Access Repository Process (diagram)
• PREDICT Coordination Center (Government-funded, Externally hosted)
• Data Providers; Data Listing; Data Hosting Sites
• Researchers (with Institutional Sponsorship); Proposal Review Process; Accepted Proposals; MOU / MOA

Slide 31 – Sample Datasets that will be available
(The provider-to-dataset pairing of the original table was partly lost in extraction; only pairings explicit in the text are kept.)
• Providers: University of Michigan; University of Washington; Wisconsin Advanced Internet Lab; XO Communications; University of Wisconsin; Internet 2; Packet Clearing House
• Datasets:
  • Wisconsin Advanced Internet Lab – Netflow, iSink logs, IDS logs
  • Performance data, NetFlow data, and routing protocol data from the Abilene network
  • Host-based forensic data and honeypot data
  • Dark address space monitoring, honeypot monitoring, BGP Beacon routing data, and routing protocol sensors
  • MichNet routing protocol data and Netflow data
  • Netflow and routing protocol logs
  • Packet Clearing House – BGP routing dataset and VoIP measurement data

Slide 32 – Sample Datasets (continued)
• Providers: CAIDA; Internet Software Consortium (ISC); Los Nettos – LA regional network provider; Equinix; Verio; LBNL
• Datasets:
  • Packet traces from Internet Business Exchange (IBX) point
  • Packet traces from OC48 operational network
  • DNS packet traces from F-root
  • Topology measurement data, Network Telescope data
  • Full packet headers, NetFlow data, SNMP data, and standard logs
  • DNS root server data (Los Nettos hosts both the B and L root servers)
  • Internet topology data based on the SCAN topology-mapping project
  • LBNL – Anonymized enterprise traffic from internal LBNL networks

Slide 33 – PREDICT – Proposed Timeline
• Sep 1 - Oct 30: Working groups complete actions identified at last PI meeting (Data Schema WG; Application Process WG; all MOU/MOAs in development; Public Relations WG)
• Oct 1 - Nov 15: Conduct internal PREDICT Process Pilot
• Nov 15 - Dec 15: Conduct external PREDICT Process Pilot
• Dec 15 - Jan 15: Modify PREDICT processes based on feedback from PREDICT pilot
• ~Jan 15: PREDICT goes live; working through announcement process

Slide 34 – Cyber Economic Assessment Studies
• Examination of current “cyber event” cost evaluation methods
• Business Case Development: understanding of costs and losses; strategies for encouraging cyber security investment
• Cyber Risk Prioritization

Slide 35 – Presentation Agenda (repeat of slide 2; next section: “New” Activities)

Slide 36 – Recent SBIRs
SBIR = Small Business Innovative Research
• CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES – Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about “stealthy” sources and targets of attacks in a distributed fashion across multiple environments.
• REAL-TIME MALICIOUS CODE IDENTIFICATION – Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting “zero day attacks”, the first appearance of malicious code for which no known defense has been constructed.
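The cross-domain correlation objective on the Recent SBIRs slide, illustrated with an added Go example that is not part of the presentation and not an SBIR deliverable: merged IDS alert lines from three constructed environments ("domains") are aggregated per source address, and a source is reported once it appears in a configurable number of distinct domains. That is what separates a low-volume source touching many sites (which never exceeds any single site's threshold) from a noisy source confined to one site. The whitespace-separated line format, the domain names, the signature names and every address are constructed sample data; a real deployment would normalize each IDS's export format into this shape first.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Alert is one normalized IDS event: reporting environment ("domain"),
// source, target and signature name. Constructed schema for this example.
type Alert struct {
	Time, Domain, Src, Dst, Sig string
}

// ParseAlert reads the five-field line format used in SampleAlerts.
func ParseAlert(line string) (Alert, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Alert{}, fmt.Errorf("want 5 fields, got %d: %q", len(f), line)
	}
	return Alert{Time: f[0], Domain: f[1], Src: f[2], Dst: f[3], Sig: f[4]}, nil
}

// Finding is a source that IDSes in several distinct domains reported.
type Finding struct {
	Src     string
	Domains []string
	Targets int
	Alerts  int
}

// Correlate merges alert lines from all domains and returns sources seen in
// at least minDomains domains, plus the number of malformed lines skipped.
func Correlate(lines []string, minDomains int) ([]Finding, int) {
	type agg struct {
		domains, targets map[string]bool
		alerts           int
	}
	bySrc := map[string]*agg{}
	skipped := 0
	for _, l := range lines {
		a, err := ParseAlert(l)
		if err != nil {
			skipped++ // one broken export must not abort correlation of the rest
			continue
		}
		s, ok := bySrc[a.Src]
		if !ok {
			s = &agg{domains: map[string]bool{}, targets: map[string]bool{}}
			bySrc[a.Src] = s
		}
		s.domains[a.Domain] = true
		s.targets[a.Dst] = true
		s.alerts++
	}
	var out []Finding
	for src, s := range bySrc {
		if len(s.domains) < minDomains {
			continue
		}
		doms := make([]string, 0, len(s.domains))
		for d := range s.domains {
			doms = append(doms, d)
		}
		sort.Strings(doms)
		out = append(out, Finding{Src: src, Domains: doms, Targets: len(s.targets), Alerts: s.alerts})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out, skipped
}

// SampleAlerts is constructed input: three environments' IDS output merged.
// 198.51.100.9 is loud but confined to one domain; 203.0.113.7 touches three
// domains once each; 192.0.2.44 touches two. The last line is deliberately malformed.
var SampleAlerts = []string{
	"2004-09-23T10:01:05Z finance   203.0.113.7  10.1.2.3  ssh-login-attempt",
	"2004-09-23T10:01:09Z finance   198.51.100.9 10.1.2.3  ssh-login-attempt",
	"2004-09-23T10:01:10Z finance   198.51.100.9 10.1.2.3  ssh-login-attempt",
	"2004-09-23T10:01:11Z finance   198.51.100.9 10.1.2.4  ssh-login-attempt",
	"2004-09-23T10:01:12Z finance   198.51.100.9 10.1.2.5  ssh-login-attempt",
	"2004-09-23T10:02:30Z finance   192.0.2.44   10.1.7.7  smb-probe",
	"2004-09-23T11:14:02Z energy    203.0.113.7  10.2.0.8  modbus-scan",
	"2004-09-23T11:20:45Z energy    192.0.2.44   10.2.0.9  smb-probe",
	"2004-09-23T13:40:19Z transport 203.0.113.7  10.3.4.4  ssh-login-attempt",
	"malformed line from a broken export",
}

func main() {
	findings, skipped := Correlate(SampleAlerts, 3)
	fmt.Printf("%d malformed line(s) skipped\n", skipped)
	for _, f := range findings {
		fmt.Printf("%s seen in %d domains %v: %d alerts against %d targets\n",
			f.Src, len(f.Domains), f.Domains, f.Alerts, f.Targets)
	}
}
```

The noisy single-domain source is left to that domain's own IDS; lowering minDomains to 2 additionally surfaces 192.0.2.44, so the threshold is the trade-off between sensitivity and the volume of cross-site sharing the participating environments are willing to accept.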
Slide 37 – HSARPA Cyber Security Broad Area Announcement (BAA 04-17)
A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are:
• To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
• To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure;
• To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
http://www.hsarpabaa.com

Slide 38 – BAA Technical Topic Areas (TTAs)
• System Security Engineering
  • Vulnerability Prevention – Tools and techniques for better software development
  • Vulnerability Discovery and Remediation – Tools and techniques for analyzing software to detect security vulnerabilities
  • Cyber Security Assessment – Develop methods and tools for assessing the cyber security of information systems
• Security of Operational Systems
  • Security and Trustworthiness for Critical Infrastructure Protection: 1) Automated security vulnerability assessments for critical infrastructure systems; 2) Improvements in system robustness of critical infrastructure systems; 3) Configuration and security policy management tools; 4) Cross-platform and/or cross network attack correlation and aggregation

Slide 39 – BAA TTAs (continued)
• Security of Operational Systems
  • Wireless Security – Security tools/products for today’s networks; Solutions and standards for next generation networks
• Investigative and Prevention Technologies
  • Network Attack Forensics – Tools and techniques for attack traceback
  • Technologies to Defend against Identity Theft – R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing

Slide 40 – BAA Program / Proposal Structure
NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS “customer” environments
• Type I (New Technologies): New technologies with an applied research phase, a development phase, and a deployment phase (optional). Funding not to exceed 36 months (including deployment phase)
• Type II (Prototype Technologies): More mature prototype technologies with a development phase and a deployment phase (optional). Funding not to exceed 24 months (including deployment phase)
• Type III (Mature Technologies): Mature technology with a deployment phase only. Funding not to exceed 12 months

Slide 41 – Tackling Cyber Security Challenges: Business Not as Usual
• Strong mission focus (avoid mission creep)
• Close coordination with other Federal agencies
• Outreach to communities outside of the Federal government
• Building public-private partnerships (the industry-government *dance* is a new tango)
• Strong emphasis on technology diffusion and technology transfer
• Migration paths to a more secure infrastructure
• Awareness of economic realities

Slide 42 – Summary
• DHS S&T is moving forward with an aggressive cyber security research agenda
• Working with industry to solve the cyber security problems of our current infrastructure – DNSSEC, Secure Routing
• Working with academe and industry to improve research tools and datasets – DHS/NSF Cyber Security Testbed, PREDICT
• Looking at future RDT&E agendas with the most impact for the nation – SBIRs, BAA 04-17

Slide 43 – Contact
Douglas Maughan, Ph.D., Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170