Dept. of Homeland Security Science & Technology Directorate
DHS S&T Cyber Security Program
and PREDICT Discussion
NSF CSDE
August 27, 2010
Rosslyn, VA
Douglas Maughan, Ph.D.
Branch Chief / Program Mgr.
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
12 CNCI Projects
Establish a front line of defense
Reduce the Number of Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Automated Defense Systems
Coordinate and Redirect R&D Efforts
Resolve to secure cyberspace / set conditions for long-term success
Connect Current Centers to Enhance Situational Awareness
Develop Gov't-wide Counterintelligence Plan for Cyber
Increase Security of the Classified Networks
Expand Education
Shape future environment / secure U.S. advantage / address new threats
Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
Define and Develop Enduring Deterrence Strategies & Programs
Manage Global Supply Chain Risk
Cyber Security in Critical Infrastructure Domains
CNCI = Comprehensive National Cyber Initiative
August 27 2010 2
Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
Cyber Security Program Areas
Information Infrastructure Security
Cyber Security Research Infrastructure
Next Generation Technologies
Two new program areas: Cyber Forensics and Homeland Open Security Technology (HOST)
Small Business Innovative Research (SBIR)
Experimental Deployments
Outreach and Education/Competitions
Research Horizon – What does it look like?
National Research Infrastructure
DETER - http://www.isi.edu/deter/
Researcher- and vendor-neutral experimental infrastructure that is open to a wide community of users to support the development and demonstration of next-generation cyber defense technologies
Over 170 users from 14 countries (and growing)
PREDICT – https://www.predict.org
Repository of network data for use by the U.S.-based cyber security research community
Privacy Impact Assessment (PIA) completed
Over 118 datasets and growing; over 100 active users (and growing)
End Goal: Improve the quality of defensive
cyber security technologies
White House Cyberspace Policy Review
WH CPR, p. 27:
"At the same time, the Federal government needs to define processes and rules for sharing its incident reporting with the private sector. Formulation of these rules should consider classification and privacy issues. In addition, the Federal government should help the research community gain access, with appropriate controls, to cybersecurity-related event data that could be used to develop tools, test theories, and develop workable solutions. Such sharing would need to address the protection of sensitive or proprietary data and personal identity information."
PREDICT: A Protected REpository for Defense of Infrastructure against Cyber Threats
PREDICT Program Objective
"To advance the state of the research and commercial development (of network security 'products') we need to produce datasets for information security testing and evaluation of maturing networking technologies."
Rationale / Background / Historical:
Researchers with insufficient access to data are unable to adequately test their research prototypes
Government technology decision-makers have no data with which to evaluate competing "products"
End Goal: Improve the quality of defensive
cyber security technologies
PREDICT Repository Access Process
(Process diagram; recoverable content follows.)
Participants: Researchers; the researcher's sponsoring institution; the PREDICT Coordination Center (PCC), which is government-funded and externally hosted; Data Providers; and Data Hosting Sites.
Agreements: the sponsoring institution issues a Sponsor Letter for the researcher. Data Providers, Data Hosting Sites and Researchers each sign a Memorandum of Agreement (MOA) with the PCC. Providers supply a Data Listing to the PCC, and the data itself goes to the Hosting Sites.
Flow: the researcher submits a Proposal to the PCC; the Proposal Review Board reviews it and the PCC issues an Accept/Deny Notification; an approved researcher gets the data from a Hosting Site; after the research, findings go to the Publication Review Board (if required).
PREDICT PCC – Provider MOA Terms
Ensure that any data they release complies with all applicable statutes and regulations of applicable governing or regulating bodies and contractual agreements, and is consistent with the provider's privacy, security, or other policies and procedures
Certify that the data provided has been sanitized, de-identified, or cleaned of any and all information that would not be in compliance or consistent with the privacy requirements as determined by PCC and DHS
The burden is on the data provider to ensure data anonymization is done. The current lack of tools and techniques to accomplish this part of the Provider MOA is the focus of recent research funded by DHS S&T.
Provide terms and conditions for access to and use of the data, including:
Identification requirements for the data custodian
Permitted uses and specific restrictions
Minimum safeguards to protect the data
Procedures for receipt, handling, control, dissemination, and return of data
Restrictions on publishing or releasing information about the data
Data Use Agreement between Researcher and Provider, if required by Provider
Make the data available to data hosts for release to approved researchers and no others, under the terms and conditions for access and use as specified by them and the PCC
Non-compliance with these requirements may result in the data provider's expulsion from the PREDICT project.
Data Collection Activities
Classes of data that are interesting, that people want collected, and that seem reasonable to collect:
Netflow
Packet traces – headers and full packet (context dependent)
Critical infrastructure – BGP and DNS data
Topology data
IDS / firewall logs
Performance data
Network management data (e.g., SNMP)
VoIP (2200 IP-phone network)
Blackhole Monitor traffic
Data Providers
CAIDA
Topology Measurement Data, Network Telescope Data
USC - LANDER
NetFlow Data, Internet Topology Data, Address Allocation Data
Merit Networks
Netflow Data, BGP Routing Data
University of Michigan
Dark Address Space Monitoring Data, BGP Beacon Routing Data
Georgia Tech
University of Wisconsin
Packet Clearing House
BGP Routing Data, VoIP Measurement Data
Many other data providers interested; Working on details
PREDICT Information
https://www.predict.org
DHS Privacy Impact Assessment
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_st_predict.pdf
PREDICT Legal Process Activities
Identify legal relationships and agreements needed between PREDICT participants
Identify applicable laws and regulations (federal and state)
Review policies and procedures and other available documents from providers
Prepare a risk chart for every dataset
Identify high-risk data fields and datasets
Establish requirements for high-risk fields
Prepare Memorandums of Agreement (MOAs)
Legally binding documents within U.S. jurisdiction
PREDICT Legal Process Activities
Brief privacy advocates and obtain input
ACLU, Electronic Frontier Foundation (EFF), Center for Democracy and Technology (CDT), EPIC (invited)
Prepare Privacy Impact Assessment (PIA)
Working with DHS Privacy Office
Brief government officials, privacy advocates, participants
DHS S&T General Counsel
DHS General Counsel
Department of Justice
PREDICT Issues for Consideration
Who is the Provider of the Data?
Provider of communications services to the public
Private organization or company
Governmental entity
Who Owns the Data?
How Was it Obtained? Intercepted v. Stored Data (ECPA)
What are the Data Provider's Privacy Policies and Operating Procedures?
Who is the Researcher?
Who is the Organization Sponsoring the Research?
What is Contained in the Data?
ECPA Issues Considered

INTERCEPTION (what a party may do with real-time traffic; "Packet" and "Content" columns per party)

Real-Time Activity      Person               Provider             Consent
                        Packet    Content    Packet    Content    Packet    Content
Capture                 NO        NO         Yes       Yes        Yes       Yes
Disclose                NO        NO         ?         NO         Yes       Yes
Use                     NO        NO         Yes       Yes        Yes       Yes
Equipment - Possess     OK        NO         OK        OK         N/A       N/A
Equipment - Install     NO        NO         OK        OK         N/A       N/A
Equipment - Use         NO        NO         OK        OK         N/A       N/A

STORED COMMUNICATIONS ACT

Provider                       Headers                            Content
Private Provider - Disclose    Yes                                Yes
Private Provider - Use         Yes                                Yes
Public Provider - Disclose     Yes, but not to a Gov't Entity     NO
Public Provider - Use          Yes, but not to a Gov't Entity     NO
PREDICT Activities: 2010 and beyond
Ethical Issues in Networking and Security Research
Something similar to the Belmont Report for human subject research
More controversial data; More providers
Need to tackle issues associated with PII and other hurdles
International Participation
Working to partner with specific "centers" who will be responsible for vetting their researchers
Anonymization / Disclosure Control
Existing schemes of “disclosure control” inadequate
Funded two projects: JHU/UNC, BAE/Columbia
Held first workshop; Significant work ahead
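The Provider MOA puts the anonymization burden on the data provider, and the slides note that existing disclosure-control schemes are inadequate. As an added example (not PREDICT tooling, not code from DHS or any of the funded projects), the block below shows the most common approach for the NetFlow-class data listed earlier: Crypto-PAn-style prefix-preserving pseudonymization of IPv4 addresses, applied to constructed sample flow records. The use of HMAC-SHA256 as the pseudorandom function (Crypto-PAn itself specifies AES), the record field names and the sample values are assumptions made for this example. The example also makes the caveat concrete: two addresses sharing their first k bits map to pseudonyms sharing exactly their first k bits, which keeps subnet structure usable for research but also means that an adversary who can recognise or inject a handful of real addresses in the trace can unmask the prefixes around them.

```python
"""Prefix-preserving pseudonymization of IPv4 addresses in NetFlow-style records.

Added example; not PREDICT tooling. Crypto-PAn-style scheme: output bit i is
input bit i XORed with a pseudorandom bit derived from the i original bits
preceding it. HMAC-SHA256 is used as the PRF (an assumption for this example;
Crypto-PAn specifies AES). IPv4 only.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, List

# Constructed sample flow records (header fields only; not real PREDICT data).
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"src": "192.0.2.17",  "dst": "198.51.100.8",  "sport": 51234, "dport": 53,  "proto": 17, "bytes": 84},
    {"src": "192.0.2.44",  "dst": "198.51.100.8",  "sport": 40001, "dport": 443, "proto": 6,  "bytes": 5120},
    {"src": "203.0.113.9", "dst": "198.51.100.22", "sport": 33333, "dport": 22,  "proto": 6,  "bytes": 2048},
]


class PrefixPreservingAnonymizer:
    """Maps IPv4 addresses to pseudonyms so that two inputs sharing their first
    k bits produce outputs sharing exactly their first k bits."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("use a key of at least 128 bits")
        self._key = key

    def _prf_bit(self, prefix: int, length: int) -> int:
        # One pseudorandom bit: a deterministic function of the key and of the
        # `length` most-significant original bits. The length is encoded so that
        # prefix 0b0 (length 1) and 0b00 (length 2) are distinct inputs.
        msg = bytes([length]) + prefix.to_bytes(4, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()[0] & 1

    def anonymize_ipv4(self, addr: str) -> str:
        a = int(ipaddress.IPv4Address(addr))
        out = 0
        for i in range(32):
            bit = (a >> (31 - i)) & 1   # original bit i, MSB first
            prefix = a >> (32 - i)      # the i original bits preceding it (0 when i == 0)
            out = (out << 1) | (bit ^ self._prf_bit(prefix, i))
        return str(ipaddress.IPv4Address(out))


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def anonymize_flows(flows: List[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    """Replace src/dst with pseudonyms; ports, protocol and byte counts are kept
    unchanged, so the same real host is consistently mapped across records."""
    anon = PrefixPreservingAnonymizer(key)
    return [
        dict(f, src=anon.anonymize_ipv4(str(f["src"])), dst=anon.anonymize_ipv4(str(f["dst"])))
        for f in flows
    ]


if __name__ == "__main__":
    demo_key = b"demo-key-not-for-production-use!"  # assumption: key held only by the provider
    for rec in anonymize_flows(SAMPLE_FLOWS, demo_key):
        print(rec)
    a = PrefixPreservingAnonymizer(demo_key)
    # The two 192.0.2.x hosts share a 26-bit prefix before and after pseudonymization.
    print(shared_prefix_len(a.anonymize_ipv4("192.0.2.17"), a.anonymize_ipv4("192.0.2.44")))
```

The key must stay with the provider: anyone holding it can invert the mapping bit by bit, and anyone who learns a few real-to-pseudonym pairs learns the pseudonymous form of every prefix those addresses share with other hosts, without the key. Prefix-preserving pseudonymization therefore hides identities only against an adversary with no ground truth about the trace, which is the gap the DHS-funded disclosure-control work is aimed at.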
PREDICT Summary
DHS S&T is trying to provide a data repository for the research community through the PREDICT program
Significant policy and legal issues exist in the networking and security R&D communities
Many items still remain to provide usable data across the entire spectrum of information security R&D activities
End Goal: Improve the quality of defensive
cyber security technologies
A Roadmap for Cybersecurity Research
http://www.cyber.st.dhs.gov
Scalable Trustworthy Systems
Enterprise Level Metrics
System Evaluation Lifecycle
Combatting Insider Threats
Combatting Malware and Botnets
Global-Scale Identity Management
Survivability of Time-Critical Systems
Situational Understanding and Attack Attribution
Information Provenance
Privacy-Aware Security
Usable Security
NCLY Summit Topics
Cyber economics
Digital provenance
Hardware enabled trust
Moving target defense
Nature-inspired cyber defense
Expectation: Agencies will be using these topic areas in future solicitations (FY11 and beyond)
Program Summary
DHS S&T continues with an aggressive cyber security research agenda
Working with the community to solve the cyber security problems of our current (and future) infrastructure
Outreach to communities outside of the Federal government, i.e., building public-private partnerships, is essential
Working with academe and industry to improve research tools and datasets
Looking at future R&D agendas with the most impact for the nation, including education
Need to continue strong emphasis on technology transfer and experimental deployments
Douglas Maughan, Ph.D.
Branch Chief / Program Mgr.
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
For more information, visit
http://www.cyber.st.dhs.gov
PREDICT Backup Slides
Table of Authorities
Cable TV Privacy Act of 1984, 47 U.S.C. § 551, http://www4.law.cornell.edu/uscode/47/551.html
Communications Act of 1996, Protection of Customer Proprietary Network Information, 47 U.S.C. § 222, http://www4.law.cornell.edu/uscode/47/222.html
Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510-2521 (wiretap), http://www4.law.cornell.edu/uscode/18/2510.html
Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2701-2708 (access to or disclosure of stored communications), http://www4.law.cornell.edu/uscode/18/2701.html
Table of Authorities (continued)
Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 3123-3127 (pen register and trap and trace devices), http://www4.law.cornell.edu/uscode/18/3123.html
Family Education Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, http://www4.law.cornell.edu/uscode/20/1232g/html
Freedom of Information Act, 5 U.S.C. § 552, http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm
Privacy Act of 1974, 5 U.S.C. § 552a, http://www.usdoj.gov/04foia/privstat.htm
What Can Researchers Do?
Engage Legal Counsel & Communications Personnel
Examine the Types of Data Being Used in Research
Determine Whether Any of the Data is Intercepted
Determine if Any of the Data is Content
Determine if the Data Comes from a Provider “to the public”
Determine if Any Researchers are from a "Governmental Entity"
Assess Whether the Research Fits Within an Exception described within legal documents
Understand Terms of Reference for Use of the Data
PCC – Data Hosting MOA
Accept data from approved data providers and release it to approved researchers, subject to the terms and conditions set forth by the providers and hosts
Provide the Researcher with terms and conditions for access to, transfer, storage, and use of the data as required by the provider and PCC, as well as any host requirements
Ensure data they release complies with separate agreements the host may have with the provider, all applicable statutes and regulations applicable to the data, and all contractual agreements it has with any other third parties
Not subcontract out hosting
PCC – Researcher MOA
Agree they will not use the data for purposes other than those described in their application
Will not disclose the data to persons other than those identified in their application
Will not send data outside of the U.S.
Establish and maintain the appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use of or access to the data
If the researcher moves to a different institution, they will notify PCC and the sponsoring institution and follow PCC's directions regarding destruction or return of the data
No findings, analysis, or information derived from the data may be released if such findings contain any combination of data elements that might allow for identification or the deduction of a person's or institution's identity
Submit findings, results of analysis, or manuscripts proposed for release, publication, or any type of disclosure to the Publication Review Board and abide by the PRB decision
PCC – Researcher MOA (continued)
Report immediately to PCC any use or disclosure of the Data other than as permitted, and take all reasonable steps to mitigate the effects of disclosure
Destroy all copies of the data when the MOA expires or as specified by PCC, and certify such destruction or return by signing and providing to PCC a Certification of Data Return or Destruction
In the event PCC determines or has a reasonable belief that the researcher has violated any terms of the MOA, PCC may terminate the MOA and require the researcher to return the data and all derivative files. PCC may also seek injunctive relief against the researcher or the sponsoring institution. In addition, PCC will report any misuse or improper disclosure of the data to the data provider and host and to appropriate authorities as required by applicable Federal or state law