Dept. of Homeland Security Science & Technology Directorate


Homeland Security: Cyber Security R&D Initiatives
ACM CCS
Alexandria, VA
November 8, 2005

Douglas Maughan, Ph.D.
Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
General DHS Organization (prior to 7/13/05)

Secretary (Chertoff) & Deputy Secretary (Jackson)
  Management (Hale)

Offices:
  • Coast Guard
  • Secret Service
  • Citizenship & Immigration & Ombuds
  • Civil Rights and Civil Liberties
  • Legislative Affairs
  • General Counsel
  • Inspector General
  • State & Local Coordination
  • Private Sector Coordination
  • International Affairs
  • National Capital Region Coordination
  • Counter-narcotics
  • Small and Disadvantaged Business
  • Privacy Officer
  • Chief of Staff

Directorates:
  • Border & Transportation Security (Beardsworth, act.)
  • Emergency Preparedness & Emergency Response (Paulison, act.)
  • Information Analysis & Infrastructure Protection (Stephan, act.)
  • Science & Technology (McQueary)

8 November 2005
Organization Chart (proposed end state)

Secretary
  • Executive Secretary
  • Chief of Staff
  • Military Liaison
Deputy Secretary

  • Under Secretary for Management
  • Under Secretary for Science & Technology
  • Under Secretary for Policy
  • Under Secretary for Preparedness
  • General Counsel
  • A/S Congressional & Intergovernmental Affairs
  • Assistant Secretary Public Affairs
  • Inspector General

  • Assistant Secretary, Office of Intelligence & Analysis
  • Director of Operations Coordination
  • Director of Counter Narcotics
  • Ombudsman, Citizenship & Immigration Services
  • Chief Privacy Officer
  • Director, Civil Rights/Civil Liberties

  • Federal Law Enforcement Training Center
  • Domestic Nuclear Detection Office
  • Screening Coordination Office
  • Labor Relations Board

  • Director, Transportation Security Administration
  • Commissioner, Customs & Border Protection
  • Director, US Secret Service
  • Director, Citizenship & Immigration Services
  • Commissioner, Immigration & Customs Enforcement
  • Director, FEMA
  • Commandant, US Coast Guard
Department of Homeland Security
Organization Chart—Preparedness (proposed end state)

Under Secretary for Preparedness
  • Chief Medical Officer
  • Assistant Secretary for Grants and Training
  • Assistant Secretary for Infrastructure Protection
  • Fire Administration
  • National Capital Region Director
  • Assistant Secretary for Cyber & Telecommunications
Science and Technology (S&T) Mission

Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
S&T Organization Chart

Under Secretary for Science & Technology (McQueary)
  • Office of Plans, Programs and Requirements (Evans, act.)
  • Homeland Security Advanced Research Projects Agency (Kubricky, act.)
  • Office of Research and Development (McCarthy)
  • Office of Systems Engineering & Development (Kubricky)
Execution

Science and Technology Directorate
  • Office of Research and Development
      • Centers
      • Fellowships
      • Scholarships
    Stewardship of an enduring capability
  • Homeland Security Advanced Research Projects Agency
    Innovation, Adaptation, & Revolution
  • Systems Engineering & Development
    Development Engineering, Production, & Deployment
Crosscutting Portfolio Areas
  • Chemical
  • Biological
  • Radiological
  • Nuclear
  • High Explosives
  • Cyber Security
  • Critical Infrastructure Protection (CIP)
  • USSS
Legacy of HSARPA Name
How is it different from DARPA?

Differences
  • 85-90% of funds for identified DHS requirements
  • 10-15% of funds for revolutionary research
      • Breakthroughs
      • New technologies and systems
  • These percentages likely to change over time, but we need to meet today’s requirements
HSARPA Funding
HSARPA funding is allocated from Appropriated line items

SCIENCE AND TECHNOLOGY DIRECTORATE
FY05-06 Budget Execution Distribution (Dollars $M)

Portfolio                                                     FY 2005    FY 2006    Delta
                                                        Appropriation  Tentative
Biodefense/Bio Countermeasures                                  362.7      380.0     17.4
Chemical Countermeasures                                         53.0       95.0     42.0
Conventional Missions                                            50.1       80.0     29.9
Counter-MANPADS                                                  61.0      110.0     49.0
Critical Infrastructure Protection                               27.0       40.8     13.8
Cyber Security                                                   18.0       16.7     -1.3
Emerging Threats                                                 10.8        8.0     -2.8
High Explosives/Explosives Countermeasures                       19.7       44.0     24.3
National Biodefense Analysis & Countermeasures Ctr (NBACC)       35.0                -35.0
Office of Interoperability and Compatibility                     21.0       26.5      5.5
Radiological and Nuclear (DNDO)                                 122.6      318.0    195.4
Radiological and Nuclear Countermeasures                                    19.1     19.1
Rapid Prototyping                                                76.0       35.0    -41.0
Research and Development Consolidation                                      99.9     99.9
Safety Act                                                       10.0        7.0     -3.0
Standards                                                        39.7       35.0     -4.7
Threat and Vulnerability Testing and Assessment                  65.8       43.0    -22.8
University Programs/Fellowships                                  70.0       63.0     -7.0
Grand Total                                                   1,042.3    1,421.0    378.7
Cyber Security R&D Portfolio: Scope

We focus on threats and issues that warrant national-level concern
  • Asymmetric capabilities make cyberspace an appealing battleground for our adversaries
  • Cyberspace presents an avenue to exploit weaknesses in our critical infrastructures
  • The most significant cyber threats are very different from “script-kiddies” or virus writers
      • Terrorism
      • Organized crime
      • Economic espionage
R&D Execution Model (diagram)

Customers: NCSD, NCS, USSS, National Documents; Other Sectors (e.g., Banking & Finance); Critical Infrastructure Providers
  → Prioritized Requirements
Pre R&D: Workshops; CIP Sector Roadmaps; Solicitation Preparation
R&D: DNSSEC; SPRI; Cyber Security Assessment; Emerging Threats; Rapid Prototyping; External (e.g., I3P); BAAs; SBIRs
Post R&D: Experiments and Exercises; Outreach – Venture Community & Industry; R&D Coordination – Government & Industry
Supporting Programs: DETER, PREDICT
Rapid Technology Application Program (RTAP)
  • Similar to the existing Technical Support Working Group (TSWG) approach
  • Requirements Generation Panel
      • Identify general technology needs
      • Reduce collection of general needs
      • Explore issues and draft Statement of Requirements (SoR)
      • Write an SoR for each technology need in detail suitable for prototype procurement
Cyber Security RTAP Topics
  • #1 BOTNET Detection and Mitigation Tool
      Customer: IAIP/NCSD
  • #2 Exercise Scenario Modeling Tool
      Customer: IAIP/NCSD
  • #3 DHS Secure Wireless Access Prototype
      Customer: S&T OCIO

Pre-solicitation at http://www.hsarpabaa.com
HSARPA Cyber Security Broad Agency Announcement (BAA 04-17)

A critical area of focus for DHS is the development and deployment of technologies to protect the nation's cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are:
  • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
  • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure;
  • To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

http://www.hsarpabaa.com
BAA Technical Topic Areas (TTAs)
  • System Security Engineering
      • Vulnerability Prevention
          Tools and techniques for better software development
      • Vulnerability Discovery and Remediation
          Tools and techniques for analyzing software to detect security vulnerabilities
      • Cyber Security Assessment
          Develop methods and tools for assessing the cyber security of information systems
  • Security of Operational Systems
      • Security and Trustworthiness for Critical Infrastructure Protection
          1) Automated security vulnerability assessments for CI systems
          2) Improvements in system robustness of critical infrastructure systems
          3) Configuration and security policy management tools
          4) Cross-platform and/or cross-network attack correlation and aggregation
BAA TTAs (continued)
  • Security of Operational Systems
      • Wireless Security
          Security tools/products for today's networks
          Solutions and standards for next generation networks
  • Investigative and Prevention Technologies
      • Network Attack Forensics
          Tools and techniques for attack traceback
      • Technologies to Defend against Identity Theft
          R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing
BAA Program / Proposal Structure

NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS “customer” environments
  • Type I (New Technologies) – Funding NTE 36 months
      New technologies with an applied research phase, a development phase, and a deployment phase (optional)
  • Type II (Prototype Technologies) – Funding NTE 24 months
      More mature prototype technologies with a development phase and a deployment phase (optional)
  • Type III (Mature Technologies) – Funding NTE 12 months
      Mature technology with a deployment phase only.
BAA 04-17 Proposal Summary

        Type I (36 Months)   Type II (24 Months)  Type III (12 Months)  TOTAL
        Received  Funded     Received  Funded     Received  Funded      Received  Funded
TTA-1          8       0            6       1            3       0            17       1
TTA-2         10       2            8       2            1       0            19       4
TTA-3          3       0            6       1            0       0             9       1
TTA-4         14       1           23       2            2       1            39       4
TTA-5          9       2            7       0            2       0            18       2
TTA-6          4       1            6       1            0       0            10       2
TTA-7          8       1           10       2            0       0            18       3
TOTAL         56       7           66       9            8       1           130      17

http://www.hsarpabaa.com/; Solicitation Awards; BAA04-17 Awards
Small Business Innovative Research (SBIRs)
http://www.hsarpasbir.com

CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES (SB04.2-001)
  Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about “stealthy” sources and targets of attacks in a distributed fashion across multiple environments.

REAL-TIME MALICIOUS CODE IDENTIFICATION (SB04.2-002)
  Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting “zero day attacks”, the first appearance of malicious code for which no known defense has been constructed.
SBIR FY05.2 Submission
Hardware-assisted System Security Monitoring

OBJECTIVE: This topic seeks technologies that provide a hardware assist for the monitoring of system security. It is expected that the resulting solutions would be some type of inexpensive coprocessor board that would work with existing hardware and software, resulting in a system with much higher assurance than currently available. By putting the monitoring capability in hardware it is much more difficult for an attacker to disable this part of the system, because the board is isolated from potential remote attackers and would require physical access to compromise the hardware-assist board; this provides the owner/user with technology that can monitor the security health of the system in near real time. This will ensure that even when the machine is on but the user is not using it, the system will be monitored and can even be "shut down" so that unknown communications are not sent while the user is away. The hardware-assist system should have the capability to collect and store information for forensic purposes, and the system should also have the capability to report security-related events to a central monitoring station.

Solicitation at http://www.hsarpasbir.com
DHS / NSF Cyber Security Testbed
  • “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002
  • We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
      • Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry.
  • One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
  • The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies
DETER Testbed Architecture
Cyber Defense Experiments run on Virtual Internet

DETER Testbed Schematic (diagram): 3 major sites (UCB, USC-ISI, Sparta); over 200 nodes. Components shown: Internet; Ethernet Bridge with Firewall 'Gatekeeper'; 'User' Server (user files, User Acct & Data logging); 'Boss' Server (Web/DB/SNMP, switch mgmt); Control DB; Control Network VLAN; Node Serial Line Server; Power Serial Line Server; 160 Power Controller; experiment PCs (N control ports @100bT, N x 4 data ports @1000bT); Programmable Patch Panel (VLAN switch).

GOAL: By end of FY07 to have 1000 nodes distributed at possibly up to 6 sites
A Protected REpository for Defense of Infrastructure against Cyber Threats
  • PREDICT Program Objective
      “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”
  • Rationale / Background / Historical:
      • Researchers with insufficient access to data unable to adequately test their research prototypes
      • Government technology decision-makers with no data to evaluate competing “products”
  • End Goal: Improve the quality of defensive cyber security technologies
Industry Workshop 2004
  • Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda
  • Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program
  • Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward
  • Develop a process by which “data” can be “regularly” collected and shared with the network security research community

ATTENDEES
  AOL
  UUNET
  Verio (PREDICT participant)
  XO Comms
  Akamai
  Arbor Networks
  System Detection
  Cisco
  PCH (PREDICT participant)
  Symantec
  USC-ISI (PREDICT participant)
  Univ. of WA (PREDICT participant)
  CERT/CC
  LBNL (PREDICT participant)
  Internet2 (PREDICT participant)
  CAIDA (PREDICT participant)
  Merit Networks (PREDICT participant)
  Citigroup
Data Collection Activities

• Classes of data that are interesting, people want collected, and seem reasonable to collect
  - Netflow
  - Packet traces – headers and full packet (context dependent)
  - Critical infrastructure – BGP and DNS data
  - Topology data
  - IDS / firewall logs
  - Performance data
  - Network management data (i.e., SNMP)
  - VoIP (1400 IP-phone network)
  - Blackhole Monitor traffic
PREDICT Information

• https://www.predict.org
• Recent Workshop
  - http://www.hsarpacyber.com/public/PREDICT/
Internet Infrastructure Security: Motivation

• The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
  - NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS
  - The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.
Domain Name System Security (DNSSEC) Program

• DNSSEC Program Objective
  “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”
• Rationale / Background / Historical:
  - DNS is a critical component of the Internet infrastructure and was not designed for security
  - DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities
• End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures
The Domain Name System

• DNS database maps:
  - Name to IP address: www.dhs.gov = 206.18.104.198
  - And many other mappings (mail servers, IPv6, reverse…)
• Data organized as tree structure:
  - Each zone is authoritative for its own data
  - Minimal coordination between zone operators

[Figure: DNS name tree as drawn on the slide. Root at the top; next level edu, mil, ru; next level isi, darpa, usmc, mil; lowest level nge, alpha]
DNS Attacks

• Attacks via and against the DNS infrastructure are increasing
  - Attacks are becoming costly and difficult to remedy
  - Consumer confidence in Internet accuracy is decreasing
• Financial/large enterprises are seeing a significant increase in online attacks for fraudulent purposes
  - Hijacking (virtual theft of domain names)
    - http://www.icann.org/announcements/hijacking-report-12jul05.pdf
  - Phishing (look-alike fraudulent emails and web sites)
  - Pharming (phishing combined with DNS attacks)
• Other attacks include DNS name mismatches or browser tricks aimed at careless users
DNSSEC – What it provides

• Provides an approach so DNS users can:
  - Validate that data they receive came from the correct originator, i.e., Source Authenticity
  - Validate that data they receive is the data the originator put into the DNS, i.e., Data Integrity
• Approach integrates with existing server infrastructure and user clients
• DNSSEC awareness by application
  - Results of DNSSEC validation functions provided to applications
  - Applications can take different actions based on DNSSEC validation results, e.g. won't connect to www.bankofamerica.com without good validation but will connect to www.cnn.com without it.
• Examples:
  - Web browsers
  - Email servers and clients
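The two properties on this slide (source authenticity and data integrity) and the per-application policy that follows from them are easier to see in code. The Go program below is an added example written for this page, not code from DHS, NIST or any DNSSEC implementation: it signs a canonically ordered RRset, validates it, shows a substituted answer failing validation, and then applies the bank-versus-news policy the slide describes. Ed25519 stands in for the DNSSEC signature algorithms, the `RR` type and the fixed key seed are constructed for the example, and the address for www.dhs.gov is the one shown on the previous slide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record: owner name, type and RDATA as text.
// Constructed for this example; it is not DNS wire format.
type RR struct {
	Name  string
	Type  string
	Rdata string
}

// canonicalRRset puts the records of one RRset into a fixed order before
// hashing, so signer and validator hash identical bytes no matter what order
// a response listed the records in (DNSSEC signs whole RRsets in canonical
// order for the same reason).
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+"\t"+rr.Type+"\t"+rr.Rdata)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone operator's side. Ed25519 stands in for the DNSSEC
// signature algorithms; the structure, not the algorithm, is the point.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	digest := sha256.Sum256(canonicalRRset(rrs))
	return ed25519.Sign(priv, digest[:])
}

// ValidateRRset is the resolver's side: true only when the records are
// exactly what the holder of the trusted zone key signed (data integrity,
// and source authenticity because only that key holder could have signed).
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	digest := sha256.Sum256(canonicalRRset(rrs))
	return ed25519.Verify(pub, digest[:], sig)
}

// Decision is what a DNSSEC-aware application does with an answer.
type Decision string

const (
	Connect            Decision = "connect"
	ConnectUnvalidated Decision = "connect-unvalidated"
	Refuse             Decision = "refuse"
)

// Policy lists the names for which the application insists on a good
// validation result; all other names may be used without validation.
type Policy struct {
	RequireValidation map[string]bool
}

// Decide is the application-awareness step from the slide.
func (p Policy) Decide(name string, validated bool) Decision {
	if validated {
		return Connect
	}
	if p.RequireValidation[strings.ToLower(name)] {
		return Refuse
	}
	return ConnectUnvalidated
}

func main() {
	// Fixed all-zero seed so the run is reproducible; a real zone key is random.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed RRset using the mapping shown on the previous slide.
	rrs := []RR{{"www.dhs.gov", "A", "206.18.104.198"}}
	sig := SignRRset(priv, rrs)
	fmt.Println("genuine answer validates:", ValidateRRset(pub, rrs, sig))

	// A substituted address (the pharming case) reuses the old signature and fails.
	forged := []RR{{"www.dhs.gov", "A", "192.0.2.1"}}
	fmt.Println("forged answer validates:", ValidateRRset(pub, forged, sig))

	pol := Policy{RequireValidation: map[string]bool{"www.bankofamerica.com": true}}
	fmt.Println("bank, unvalidated:", pol.Decide("www.bankofamerica.com", false))
	fmt.Println("news, unvalidated:", pol.Decide("www.cnn.com", false))
}
```

The policy step is where "DNSSEC awareness by application" lives: the resolver only reports whether validation succeeded, and it is the browser or mail client that decides which names are allowed to proceed without it.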
DNSSEC Initiative Activities

• Roadmap published in February 2005
  - http://www.dnssec-deployment.org/roadmap.php
• Multiple workshops held world-wide
• DNSSEC testbed developed by:
  - http://www-x.antd.nist.gov/dnssec/
• Involvement with numerous deployment pilots
• Working with Civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.
• Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance
DNSSEC Design / Use

• Secure DNS Guidance Documents
  - NIST 800 Series Documents for operators and policy/decision makers.
    - Define the problem space
    - Outline BCP for securing current DNS operations
    - Guidelines for deployment and use of DNSSEC
    - Series of outreach efforts
• Announcement from: http://csrc.nist.gov/publications/drafts.html
  August 11, 2005: Draft NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide. Request for Comments closed Sept. 29th, 2005
Secure Protocols for the Routing Infrastructure (SPRI)

• BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet
• BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows
• The BGP architecture makes it highly vulnerable to human errors and malicious attacks against
  - Links between routers
  - The routers themselves
  - Management stations that control routers
• Work with industry to develop solutions for our current routing security problems and future technologies
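One class of solution to the human-error and hijack problem this slide names is origin validation: checking each announced prefix against a table of who is authorized to originate it. The Go program below is an added example for this page, not a SPRI deliverable or any vendor's code. The `Authorization` table is an assumed local format in the shape of a route origin authorization (prefix, maximum length, AS); the prefixes and AS numbers are constructed documentation and private-use values. It shows the three outcomes an operator cares about: valid, invalid (a mis-origination or a too-specific announcement) and not-found (nothing registered, which must not be treated as invalid).

```go
package main

import (
	"fmt"
	"net"
)

// Announcement is a simplified BGP UPDATE: the announced prefix and the AS
// that claims to originate it (the last AS in the AS_PATH).
// Constructed for this example; it is not a parsed BGP message.
type Announcement struct {
	Prefix   string
	OriginAS uint32
}

// Authorization records which AS may originate a prefix and how far it may
// be de-aggregated. This is an assumed local table in the shape of an RPKI
// ROA; nothing on the slide prescribes this format.
type Authorization struct {
	Prefix    string
	MaxLength int
	AS        uint32
}

// Result is the route origin validation state of one announcement.
type Result string

const (
	Valid    Result = "valid"     // a covering authorization names this origin AS
	Invalid  Result = "invalid"   // covered, but by no authorization for this AS/length
	NotFound Result = "not-found" // no authorization covers the prefix at all
)

// ValidateOrigin checks one announcement against the authorization table.
// Invalid is the outcome an operator wants to see flagged: a mis-origination
// caused by human error, or a hijack.
func ValidateOrigin(a Announcement, auths []Authorization) Result {
	_, announced, err := net.ParseCIDR(a.Prefix)
	if err != nil {
		return Invalid // a malformed prefix is never accepted
	}
	annLen, _ := announced.Mask.Size()
	covered := false
	for _, auth := range auths {
		_, authNet, err := net.ParseCIDR(auth.Prefix)
		if err != nil {
			continue
		}
		authLen, _ := authNet.Mask.Size()
		// The authorization covers the announcement only if the announced
		// prefix lies inside the authorized one.
		if !authNet.Contains(announced.IP) || annLen < authLen {
			continue
		}
		covered = true
		if auth.AS == a.OriginAS && annLen <= auth.MaxLength {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// Screen runs a batch of announcements and returns the ones that need an
// operator's attention.
func Screen(anns []Announcement, auths []Authorization) []Announcement {
	var flagged []Announcement
	for _, a := range anns {
		if ValidateOrigin(a, auths) == Invalid {
			flagged = append(flagged, a)
		}
	}
	return flagged
}

func main() {
	// Constructed table and announcements using documentation prefixes and
	// private-use AS numbers.
	auths := []Authorization{
		{Prefix: "192.0.2.0/24", MaxLength: 24, AS: 64496},
		{Prefix: "198.51.100.0/22", MaxLength: 24, AS: 64497},
	}
	anns := []Announcement{
		{"192.0.2.0/24", 64496},    // legitimate
		{"192.0.2.0/24", 64511},    // same prefix from an unauthorized AS
		{"198.51.100.0/25", 64497}, // right AS, but more specific than allowed
		{"203.0.113.0/24", 64498},  // nothing registered: not-found, not invalid
	}
	for _, a := range anns {
		fmt.Printf("%-18s AS%d  %s\n", a.Prefix, a.OriginAS, ValidateOrigin(a, auths))
	}
	fmt.Println("flagged:", Screen(anns, auths))
}
```

The not-found state matters for deployment: in a partially registered routing table most announcements fall in that state, and a checker that treated them as invalid would drop legitimate routes.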
SPRI Activities To Date

• Formation of government and industry “steering committee”
  - DHS, DOD, DOCommerce, NIST, ICANN, IETF
• Held first industry requirements workshop; March 15-16, 2005 in WDC
• Held second workshop on operational security; May 18-19, 2005 in Seattle in conjunction with NANOG.
• Held third workshop on registry operations; Sept. 13-14, 2005 in WDC; outputs submitted at recent ARIN mtg
Cyber Security Assessment Activities

• Cyber Economics Study
• Dept. of Treasury – “Key Business Processes in the event of a Crisis” Study
Economic Analysis of Cyber Security and Private-Sector Investment Decisions

The objective of the study is to investigate Internet stakeholders’ investment decisions for bolstering the security of their information technology (IT) networks.

To achieve the study objectives, RTI will
• review existing studies to assess the economics of cyber security,
• conduct a series of interviews within eight industry sectors to assess companies’ investment decisions related to securing their IT networks, and
• identify potential areas for government involvement and/or support for the deployment and adoption of existing cyber security technologies.

DHS/Cyber Security IMPACT
• DHS is interested in economic decisions that may lead to inadequate investment in cyber security measures.
• Better information on the costs and benefits of security technologies and adverse events will help inform private investment decisions.
• Understanding the public goods nature of Internet security may inform government’s involvement in cyber security.

SCHEDULE (Gantt chart over months 1-9 from award)
• Task 1: Convene Project Meeting
• Task 2: Review Existing Economic Cybersecurity Studies and Methodology
• Task 3: Interview Targeted Industries
• Task 4: Enhance Approaches to Model the Economic Impacts of Cybersecurity
• Task 5: Develop Industry Business Cases
• Task 6: Identify Potential Motivation for and Types of Government Involvement
Legend: k Project Meetings; M Draft Questionnaire; F Interim Deliverable; G Draft Report; O Final Report
Prototyping of a Business Process Model (A Computer Simulation) of the Finance Sector

DESCRIPTION / OBJECTIVES / METHODS
- “Proof of Concept” activities are designed to assess initial technical and operational feasibility, including scoping and development of a concept of operations, before stakeholders invest substantial resources in full-scale development.
- Various private and public-sector stakeholders have determined the immediate operational need for this capability; it meets several gaps defined by the Treasury Department and sector-level coordinating councils.
- The research involves 4 phases: Engage SMEs to help define the logical and physical extent of the sector at a high level; Determine an appropriate subset of sector transactions to model as a proof of concept; Use rapid prototyping to define simulation requirements; Report on technical and operational feasibility

DHS/Cyber Security IMPACT
• This project addresses the requirement for a man-in-the-loop simulation that emulates sector-wide disruptions and their operational (business) impact.
• Sector-level simulation of impacts resulting from cyber and physical disruptions of business processes and transactions between critical entities in the Finance Sector will provide government and industry stakeholders and users with unique insight of operational risks, single points of failure, and mitigation strategies.
• Potential users include risk managers responsible for the operational health of the sector; also enterprise risk managers

BUDGET & SCHEDULE (tasks by fiscal year, FY05-FY07)
• Proof of Concept (Feasibility)
• Phase 1: Requirements Definition
• Phase 1: Simulation Design
• Phase 1: Implementation, Integration, Testing, and Roll-out
Rapid Prototyping – Authoritative SSL Auditing

[Figure: several Client Machines, each running a Client Application over an SSL Client, connect through a Network Switch to several Server Machines, each running a Server Application over an SSL Server with a Key Shield; an Auditing Device (Recording Application, Signing Application) is attached to the switch and a Portal Device hosts the Auditing Portal]

PROJECT DESCRIPTION / OVERVIEW
Goal: Enable organizations to audit secure communications to prove policy compliance, investigate attacks, and arbitrate disputes.
Approach: Use a passive network device to record SSL traffic, sign it with a hardware security module, and open communications when necessary. Requires the cooperation of the original secure server to keep its keys secure. Web portal restricts access to authorized personnel.
• Status: Alpha Aug 15, 2005; Beta planned for Dec 15, 2005
• End Users: Information technology and security officers in government agencies and commercial organizations, especially those that need to comply with regulations such as HIPAA, FACTA, and Sarbanes-Oxley.

DHS/Cyber Security Impact
• Complete, authoritative records of electronic transactions
• Ensure users/organizations follow security policies
• Better investigate attacks and fraud over SSL
• All records remain confidential until specifically reviewed
• Very low total cost of ownership encourages adoption

BUDGET & SCHEDULE (tasks by fiscal year, FY05-FY07)
• Reqmnts. & Design
• Alpha System
• Beta System
• Final System
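What makes the recorded traffic "authoritative" is the signing step: an auditor must be able to show that no record was altered or removed after capture. The Go program below is an added example for this page, not the prototype's own code, showing the minimum structure such a recorder needs: records chained by hash, and the chain head signed by the signing application. Software Ed25519 with a fixed seed stands in for the hardware security module, the `Record` layout and the captured bytes are constructed, and the `Tamper`/`Truncate` helpers exist only so the check can be exercised. Payloads stay encrypted in the store; the example covers integrity of the record set, not the later opening of a session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one captured exchange as the recording application might keep
// it: connection metadata, the captured bytes, and chain hashes.
// Constructed for this example; it is not the project's own format.
type Record struct {
	Seq      uint64
	Client   string
	Server   string
	Payload  []byte   // captured SSL record bytes, stored still encrypted
	PrevHash [32]byte // hash of the previous record (all zeros for the first)
	Hash     [32]byte // hash over this record's fields and PrevHash
}

// Log is the recorder's append-only hash chain plus the signer's attestation
// of the current chain head. Software Ed25519 stands in for the hardware
// security module; in the real design the private key never leaves the HSM,
// so whoever edits the store cannot produce a fresh valid signature.
type Log struct {
	records []Record
	head    [32]byte
	sig     []byte
	signer  ed25519.PrivateKey
}

func NewLog(signer ed25519.PrivateKey) *Log { return &Log{signer: signer} }

func recordHash(seq uint64, client, server string, payload []byte, prev [32]byte) [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d\x00%s\x00%s\x00", seq, client, server)
	h.Write(payload)
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append links a new record to the chain and re-signs the chain head.
func (l *Log) Append(client, server string, payload []byte) {
	seq := uint64(len(l.records))
	hash := recordHash(seq, client, server, payload, l.head)
	l.records = append(l.records, Record{seq, client, server, payload, l.head, hash})
	l.head = hash
	l.sig = ed25519.Sign(l.signer, hash[:])
}

// Verify recomputes the chain from the first record and checks that the
// recomputed head is the one the signer attested. An edited, reordered or
// deleted record changes the recomputed head, so the signature check fails.
func (l *Log) Verify(pub ed25519.PublicKey) bool {
	var prev [32]byte
	for i, r := range l.records {
		if r.Seq != uint64(i) || r.PrevHash != prev {
			return false
		}
		if recordHash(r.Seq, r.Client, r.Server, r.Payload, prev) != r.Hash {
			return false
		}
		prev = r.Hash
	}
	return len(l.records) > 0 && prev == l.head && ed25519.Verify(pub, l.head[:], l.sig)
}

// Head returns the attested chain head as hex, for the portal to display.
func (l *Log) Head() string { return hex.EncodeToString(l.head[:]) }

// Tamper simulates a stored payload being rewritten; Truncate simulates the
// newest records being deleted. Both exist only so the check can be shown.
func (l *Log) Tamper(i int, payload []byte) { l.records[i].Payload = payload }
func (l *Log) Truncate(n int)               { l.records = l.records[:n] }

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed, example only
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed captures: two client connections to one server.
	l := NewLog(priv)
	l.Append("10.0.0.5:51022", "10.0.1.20:443", []byte("\x16\x03\x01 client hello bytes"))
	l.Append("10.0.0.6:51023", "10.0.1.20:443", []byte("\x17\x03\x01 application data"))
	fmt.Println("head:", l.Head())
	fmt.Println("intact log verifies:", l.Verify(pub))

	l.Tamper(0, []byte("\x17\x03\x01 altered bytes"))
	fmt.Println("after edit verifies:", l.Verify(pub))
}
```

Signing only the head is enough because every earlier record is bound to it through the chain; a production recorder would also timestamp each head signature so that "which records existed at time T" can be answered during a dispute.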
Emerging Threats – VME-DEP

• Virtual Machine Environment - Detection and Escape Prevention
• VME use is increasing in industry and government, and is starting to be used in classified networks
• Goals of this project are to
  - Gain a better understanding of where VMEs are used and for what purpose
  - Determine how an attacker might break the security models defined by a VME
  - Develop techniques for preventing those attacks
  - Develop a “secured” open source VME
Emerging Threats - NGCD

• Next Generation Crimeware Defenses
• Crimeware: Malicious software specifically designed to steal identity information and other associated financial information
• Goals of this project are:
  - Gain an understanding of the nature of crimeware technologies and how to defend against their increasing sophistication
    - Collect and analyze crimeware samples
  - Build threat and vulnerability models based on the attack types and goals of stealing access credentials and identity information and correlated to popular computing environments
  - Develop a “secure computing environment”: web browser (based on open-source Mozilla), secure keyboard and embedded co-processor to proactively prevent crimeware
The Institute for Information Infrastructure Protection (I3P)

• The I3P is a consortium of 24 academic and not-for-profit research organizations
• The I3P embodies a concept developed in studies between 1998 and 2000 by PCAST, IDA, and OSTP
• The I3P was formed in September 2001 and funded by congressionally appropriated funds assigned to Dartmouth College
• DHS/S&T/HSARPA now oversees the I3P funding
  - $17.883 M Congressional Earmark for the Institute for Security Technologies Studies (ISTS) at Dartmouth College
    - Inherited from Office of Domestic Preparedness (ODP) during R&D consolidation activity
Other Activities – Institute for Infrastructure Protection (I3P)

• Creation of two research plans for cyber security, one in Supervisory Control and Data Acquisition (SCADA) systems, and one in economic and policy issues
  - Two Independent Research Advisory Boards (RABs) established to review final research plans submitted for I3P support.
• Two-year, $8.5 million research program to protect SCADA systems in the oil and gas industry and other critical infrastructure sectors.
  - Led by Sandia, comprises 10 research institutions with expertise in cyber security, risk management, and infrastructure systems analysis.
  - Kickoff meeting held April 14-15 at Sandia National Laboratories' Center for SCADA Security in Albuquerque
    - Attended by project researchers along with oil and gas experts from ChevronTexaco, Ergon Refining, Public Utility of New Mexico, and Williams
    - Provided training on SCADA hardware, software, and typical system configurations, as well as common threats and vulnerabilities associated with these systems
I3P Cyber Economics Project

• Two project goals:
  - How to quantify the cost of cyber security and the effects of cyber attacks?
  - How to measure the effectiveness of current security tools and policies?
• Three intertwined threads
  - National perspective:
    - Views the information infrastructure as an element of national security, where cyber security incidents can disrupt, impair or destroy critical economic capabilities.
  - Enterprise or corporate perspective:
    - Considers the effects of degraded or destroyed infrastructure on the degree to which an enterprise can maintain its bottom line by developing and delivering products and services.
  - Technological perspective:
    - Addresses those technologies that protect the infrastructure, by deterring particular threats, preventing certain classes of attacks, or mitigating the consequences of attack.
• Participants: RAND Corporation, University of Virginia, MIT Lincoln Laboratory, George Mason University, Dartmouth
R&D Execution Model

[Figure: flow diagram. Customers (NCSD, NCS, USSS, National Documents; Other Sectors, e.g., Banking & Finance; Critical Infrastructure Providers) supply Prioritized Requirements. Pre R&D: Workshops, CIP Sector Roadmaps, Solicitation Preparation. R&D: DNSSEC, SPRI, Cyber Security Assessment, Emerging Threats, Rapid Prototyping, External (e.g., I3P), BAAs, SBIRs. Post R&D: Experiments and Exercises, Outreach – Venture Community & Industry, R&D Coordination – Government & Industry. Supporting Programs: DETER, PREDICT]
Experiments and Exercises

• Experiments
  - U.S. / Canada Secure Blackberry Experiment
    - PSTP-agreed upon deployment activity
  - Oil and Gas Sector
    - Working with DOE and industry
  - Finance Sector
    - CIDDAC
  - U.S. NORTHCOM
    - CWID 2005 (originally known as JWID)
• Exercises
  - National Cyber Security Exercise (Cyber Storm)
  - National Critical Infrastructure Exercise (NCIE)
    - Exercise led by industry
US-CAN Secure Wireless Trial

• Objective
  - Test effectiveness of US/Canadian cross-border secure wireless architecture to cope with real-time communication in variety of scenarios
• Technologies
  - PKI (S/MIME), Identity-based encryption, enforcement of policy and compliance
• Trial Activity
  - July: U.S.-only initial four-day test period
  - October: Four-day test period with 35 activities and with 40+ participants acting out homeland security scenarios using BlackBerry devices
LOGI2C – Linking the Oil and Gas Industry to Improve Cybersecurity

• LOGI2C is a 12-month technology integration and demonstration project driven by industry, supported by DHS
• Technical goal: Attack indications and warnings through event analysis and correlation across business and process control networks
• Approach:
  - Identify new types of security sensors for process control networks
  - Adapt a best-of-breed correlation engine to this environment
  - Integrate in testbed and demonstrate
  - Transfer technology to industry

[Figure: External Events, the Business Network and the Process Control Network feed the LOGI2C Correlation Engine, which produces Attack Indications and Warnings]
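The technical goal above, indications and warnings from correlation across the business and process control networks, comes down to rules that join events from sensors on both sides of that boundary. The Go program below is an added example written for this page, not LOGI2C's correlation engine or its event schema: it implements one such cross-network rule over a constructed timeline (a host flagged by a business-network sensor that then opens a new connection into the process control network within a time window is reported as an indication). The event fields, sensor names, host names and timestamps are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Event is a normalized sensor event. Network says which side of the
// business / process-control boundary the sensor watches.
// Constructed schema for this example, not LOGI2C's own.
type Event struct {
	Time    time.Time
	Network string // "business" or "pcn"
	Sensor  string // e.g. "ids", "pcn-flow"
	Kind    string // e.g. "malware-alert", "new-conn"
	Host    string // source host as the sensor saw it
}

// Indication is a correlated warning naming the evidence behind it.
type Indication struct {
	Host     string
	Evidence []Event
}

// Correlate applies one cross-network rule: a host that a business-network
// sensor flagged, and that then opens a new connection into the process
// control network within `window`, is reported once as an attack
// indication. Events are expected in time order; the sensors in this model
// feed a single timeline.
func Correlate(events []Event, window time.Duration) []Indication {
	lastFlag := map[string]Event{}
	reported := map[string]bool{}
	var out []Indication
	for _, e := range events {
		switch {
		case e.Network == "business" && e.Kind == "malware-alert":
			lastFlag[e.Host] = e
		case e.Network == "pcn" && e.Kind == "new-conn":
			flag, ok := lastFlag[e.Host]
			if !ok || reported[e.Host] {
				continue
			}
			if gap := e.Time.Sub(flag.Time); gap >= 0 && gap <= window {
				out = append(out, Indication{Host: e.Host, Evidence: []Event{flag, e}})
				reported[e.Host] = true
			}
		}
	}
	return out
}

// SampleEvents is a constructed timeline: one host is flagged and then
// reaches into the control network, one reaches in with no prior alert, and
// one is flagged but only reaches in hours later.
func SampleEvents() []Event {
	at := func(h, m int) time.Time { return time.Date(2005, 11, 8, h, m, 0, 0, time.UTC) }
	return []Event{
		{at(9, 0), "business", "ids", "malware-alert", "ws-17"},
		{at(9, 5), "business", "ids", "malware-alert", "eng-03"},
		{at(9, 10), "pcn", "pcn-flow", "new-conn", "hmi-02"},
		{at(9, 20), "pcn", "pcn-flow", "new-conn", "ws-17"},
		{at(9, 25), "pcn", "pcn-flow", "new-conn", "ws-17"}, // already reported, not repeated
		{at(11, 30), "pcn", "pcn-flow", "new-conn", "eng-03"},
	}
}

func main() {
	for _, ind := range Correlate(SampleEvents(), 30*time.Minute) {
		fmt.Printf("attack indication: host %s\n", ind.Host)
		for _, ev := range ind.Evidence {
			fmt.Printf("  %s %-8s %-8s %s\n", ev.Time.Format("15:04"), ev.Network, ev.Sensor, ev.Kind)
		}
	}
}
```

The window is the tuning knob: widening it to a few hours would also report eng-03 in the sample, at the cost of more false positives from unrelated maintenance connections, which is the trade-off a testbed demonstration is there to measure.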
LOGI2C Partners

• LOGI2C is a model for how DHS S&T and industry can work together in a public-private partnership to address a critical R&D need
• Industry contributes
  - Requirements and operational expertise
  - Project management
  - Product vendor channels
• DHS S&T contributes
  - Independent researchers with technical security expertise
  - Testing facilities
S&T and Cyber Storm

• Exercise Objectives:
  - To incorporate elements of cyber defense and response technology into the exercise moving it gradually away from the “table top” format.
  - To socialize the DETER test bed with the exercise participants and make them aware of its capability and its potential value to their respective organizations.
• Success criteria:
  - Recognizing the complexity of the exercise and its key focus, S&T would consider their objective met if the DETER test bed were used in the planning of the exercise (to lend realism to scenario elements) and if one or more sessions can be arranged during the exercise, where the players could see the test bed in action being used to test exercise-relevant problems or decisions. The session(s) should show the value of the tool and add defensive technology to the exercise.
National Critical Infrastructure Exercise (NCIE)

• Exercise is co-managed by BearingPoint and Yoran Associates
  - Funded by the private sector with public/private technology demonstrations
• Objectives
  - Conduct a private sector exercise
  - Exercise threat scenarios against SCADA operations
  - Test and evaluate organizational plans, policies, and procedures
  - Capture performance data to evaluate Critical Infrastructure Resiliency metrics and models – U.S. comparison against other countries
• Primary participants: senior operations managers and corporate executives from utility/energy sector
• Secondary participation: industry collaboration groups, government agencies, first responders, and others identified by primary participants during planning
Commercial Outreach Strategy

• Assist commercial companies in providing technology to DHS and other government agencies
  - Emerging Security Technology Forums (ESTF)
• Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies
  - DHS Mentor / Protégé program
• Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures

[Figure: Government (Funder/Customer) at the top and Commercial Customers at the bottom, with DHS Researchers in the centre between Established Commercial Companies on one side and Emerging Commercial Companies on the other]
Emerging Security Technology Forum

• ESTF held April 13-14, 2005 in Arlington, VA
  - Opportunity to introduce government representatives to smaller-sized information security technology vendors with innovative technology approaches
  - For this ESTF vendors presented and demonstrated current and emerging information security technologies that defend against DDOS and worm attacks
• Next ESTF to be held in May 2006
  - Topic: Identity Management technologies
  - Audience will include industry and government
Emerging Security Technology Forum

• Arbor Networks
• CounterStorm, Inc.
• Cs3, Inc.
• CyberShield Networks, Inc.
• Determina, Inc.
• ForeScout Technologies
• IntruGuard Devices, Inc.
• Kerio Technologies
• netZentry, Inc.
• Prolexic Technologies
• Q1 Labs Inc.
• Top Layer Networks, Inc.
• V-Secure Technologies
DHS Mentor/Protégé Program
   • Objective
       - Provide start-up emerging security companies with mentor support in
         sales & marketing to government
   • Existing Mentor/Protégé programs in government are
     procurement oriented. New S&T Mentor/Protégé program will
     focus on rapidly transitioning cyber security technologies into
     government through existing relationships.
       - Mentors will be large, established government contractors with cyber
         security experience
       - Protégés will provide innovative cyber security technology. There are
         no set-aside requirements (e.g. disadvantaged, HubZone business)
   • Selection Process
       - The Cyber Security R&D Center will solicit government/industry
         technology requirements to identify gaps in the US cyber infrastructure.
       - These requirements will guide selection of mentors. Protégés, with
         technology to meet infrastructure gaps, will be proposed to the mentors
         by the Center.
ITTC – The DHS-SRI Identity Theft Technology Council
   • ITTC is a revived and expanded Silicon Valley expert group
     originally convened by the U.S. Secret Service
   • Experts and leaders from
       - Government
       - Financial and IT sectors
       - Venture capital
       - Academia and science
   • ITTC works closely with The Anti-Phishing Working Group (APWG)
   • Consultant and ITTC Coordinator: Robert Rodriguez, retired head of
     the Secret Service Field Office in San Francisco
   • The ITTC was formed in April, and has four active working groups:
       - Phishing Technology Report
       - Data collection and sharing
       - Future threats
       - Development and deployment
Tackling Cyber Security Challenges: Business Not as Usual
   • Strong mission focus (avoid mission creep)
   • Close coordination with other Federal agencies
   • Outreach to communities outside of the Federal government
       - Building public-private partnerships (the industry-
         government *dance* is a new tango)
   • Strong emphasis on technology diffusion and technology transfer
   • Migration paths to a more secure infrastructure
   • Awareness of economic realities
Summary
   • DHS S&T is moving forward with an aggressive cyber security
     research agenda
   • Working with industry to solve the cyber security problems of our
     current infrastructure
       - DNSSEC, Secure Routing
   • Working with academe and industry to improve research tools and
     datasets
       - DHS/NSF Cyber Security Testbed, PREDICT
   • Looking at future RDT&E agendas with the most impact for the nation
       - SBIRs, BAA 04-17, RTAP
Other Areas of Interest (were $ available)
   • Cyber Situational Awareness – Indications & Warnings
   • Insider Threat Detection & Mitigation
   • Information Privacy Technologies
   • Large-scale network survivability, rapid recovery and reconstitution
   • Secure operating systems (open source)
   • Network modeling and simulation – security policy reconfiguration
     impact on networks
   • Highly scalable identity management
Douglas Maughan, Ph.D.
Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170