Driving Security Improvements in Existing Technologies and Emerging Systems EDUCAUSE Annual Mtg Tempe, AZ February 12, 2008 Dept. of Homeland Security.

1 Driving Security Improvements in Existing Technologies and Emerging Systems
EDUCAUSE Net@EDU Annual Mtg, Tempe, AZ, February 12, 2008
Dept. of Homeland Security, Science & Technology Directorate
Douglas Maughan, Ph.D., Program Manager, CCI
202-254-6145 / 202-360-3170

2 Agenda
- 2007 Capitol Hill and Other WDC Activities
- DHS S&T Cyber Security R&D Program
  - PREDICT
  - Broad Agency Announcements (BAAs)
  - Outreach / Transition
- University Programs
- Cyber R&D Background and Government R&D Coordination

3 Recent Hearings in Washington
- Cyber Insecurity: Hackers are Penetrating Federal Systems and Critical Infrastructure
  - “These incidents have opened a lot of eyes in the halls of Congress. We need to get serious about this threat to our national security.”
- Addressing the Nation’s Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action
  - “I am deeply troubled by the lack of foresight that this Administration has demonstrated. The Homeland Security Committee is working to demonstrate the importance of R&D funding to this Administration.”

4 Recent Hearings in Washington (cont’d)
- House Homeland Security Committee investigation of DHS Networks
  - 13 questions to understand the security posture of DHS networks
- Senate Hearing on Terrorist use of the Internet
  - tail&HearingID=441

5 More recent activity
- May 2007 – DDOS attack on Estonia
  - First example of “cyber warfare”?
- Sep 2007 – “Chinese hack the Pentagon”
- Sep 2007 – “China hacks UK government”
- Oct 2007 – “White House initiative to defend against hackers”
- Nov 2007 – “White House requests $154M supplement for Cyber Initiative”

6 (National) Cyber Initiative
- Baltimore Sun Article on Cyber Initiative – Oct. 24, 2007
- House panel chief demands details of cybersecurity plan
  ,0,782050,full.story
- Rep. Bennie Thompson, Chairman of the House Homeland Security Committee, called on the Bush administration to delay the planned launch of a multi-billion-dollar cybersecurity initiative so that Congress could have time to evaluate it.
- Initiative mostly focused on fixing operational problems that exist across government infrastructure
  - E.g., Trusted Internet Connections (TIC) program announcement
- Small component of total effort is aimed at R&D

7 CSIS Commission for 44th Presidency
- Goal: Identify a strategy and set of recommendations for the next administration to move ahead in securing cyberspace.
- The Commission will complete its work by December 2008.
- The Commission will be a bipartisan group composed of thirty to thirty-five experts drawn from the cyber security policy community and from the private sector.
  - Co-chaired by leaders from Congress and the private sector
  - Reinforced by a private sector advisory group composed of representatives from companies and associations
- The proposed working groups are:
  - (1) Federal Organization, Strategy and Doctrine;
  - (2) Cybersecurity Norms and Authorities;
  - (3) Budget and Acquisitions for Cybersecurity;
  - (4) Government/Private Sector Interfaces and Engagement.
- The final product would be a well-supported package of recommendations for improving cyber security that could help to guide both a legislative agenda and Presidential policy documents.

8 Homeland Security Mission
- Lead unified national effort to secure America
- Prevent terrorist attacks within the U.S.
- Respond to threats and hazards to the nation
- Ensure safe and secure borders
- Welcome lawful immigrants and visitors
- Promote free flow of commerce

9 DHS Goals: Secretary’s Priorities
- Keep terrorists, criminals and unlawful entrants out of the U.S.
- Prevent dangerous materials, weapons and illicit drugs from entering the country
- Strengthen screening of workers/travelers
- Secure critical infrastructure
- Build nimble, effective emergency response system and culture of preparedness
- Strengthen core management to ensure DHS is a great organization


11 Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.


13 DHS S&T Investment Portfolio
Balance of Risk, Cost, Impact, and Time to Delivery
- Product Transition (0-3 yrs)
  - Focused on delivering near-term products/enhancements to acquisition
  - Customer IPT controlled
  - Cost, schedule, capability metrics
- Innovative Capabilities (2-5 yrs)
  - High-risk/High payoff
  - “Game changer/Leap ahead”
  - Prototype, Test and Deploy
  - HSARPA
- Basic Research (>8 yrs)
  - Enables future paradigm changes
  - Univ. fundamental research
  - Gov’t lab discovery and invention
- Mandated Spending (0-8+ yrs)
  - Required by Administration (HSPDs)
  - Congressional direction/law
Customer Focused, Output Oriented

14 R&D Execution Model
[Diagram: labels recovered from the slide]
- Pre R&D
- Customers: NCSD, NCS, OCIO, USSS, National Documents
- Critical Infrastructure Providers
- Other Sectors, e.g., Banking & Finance
- CIP Sector Roadmaps
- Workshops
- Prioritized Requirements
- Solicitation Preparation
- R&D Coordination – Government & Industry
- R&D
- SBIRs
- BAAs
- DNSSEC
- Cyber Security Assessment
- SPRI
- Emerging Threats
- Rapid Prototyping
- External (e.g., I3P)
- Experiments and Exercises
- Post R&D
- Outreach – Venture Community & Industry
- Supporting Programs: PREDICT, DETER

15 Cyber Security Program Areas
- Information Infrastructure Security
  - Domain Name System Security (DNSSEC)
  - Secure Protocols for the Routing Infrastructure (SPRI)
  - Cyber Security Assessment
- Cyber Security Research Tools and Techniques
  - Cyber Security Testbed (DETER)
  - Large Scale Datasets (PREDICT)
  - Experiments and Exercises
- Next Generation Technologies
  - BAA 04-17, BAA 07-09
- Other Activities (SBIR, RTAP, Emerging Threats)

16 DHS / NSF Cyber Security Testbed
- “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002
- We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
  - Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry.
- One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
- The goal is to create, operate, and support a researcher- and vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies

17 DETER Users Map – over 60 sites

18 A Protected REpository for Defense of Infrastructure against Cyber Threats
- PREDICT Program Objective: “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”
- Rationale / Background / Historical:
  - Researchers with insufficient access to data unable to adequately test their research prototypes
  - Government technology decision-makers with no data to evaluate competing “products”
- End Goal: Improve the quality of defensive cyber security technologies

19 PREDICT Information

20 PREDICT Repository Access Process
[Diagram: labels recovered from the slide]
- PREDICT Coordination Center (Government-funded, Externally hosted)
- Data Providers
- Data Hosting Sites
- Researchers
- Institutional Sponsorship
- Sponsor Letter
- Data Listing
- MOA / MOAs
- Proposal
- Proposal Review Board
- Accept / Deny Notification
- Get Data
- Publication Review Board
- After Research (if required)

21 Data Collection Activities
- Classes of data that are interesting, people want collected, and seem reasonable to collect
  - Netflow
  - Packet traces – headers and full packet (context dependent)
  - Critical infrastructure – BGP and DNS data
  - Topology data
  - IDS / firewall logs
  - Performance data
  - Network management data (i.e., SNMP)
  - VoIP (2200 IP-phone network)
  - Blackhole Monitor traffic

22 PREDICT Summary
- Why do we think PREDICT has a chance for success?
  - DHS has included the security and networking communities
  - DHS has included the legal community from the start
  - DHS has included the privacy community from the start
    - EFF, CDT, ACLU comments incorporated into system processes
  - Included government privacy officials
  - Managing external facing processes
- What else are we doing?
  - Recent BAA 07-09 Technical Topic Area (TTA) 8 – Data Anonymization
    - Focused on new ideas and techniques to improve data protection

23 Cyber Security R&D Broad Agency Announcement (BAA)
- A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure including the Internet and other critical infrastructures that depend on computer systems for their mission.
- The goals of the Cyber Security Research and Development (CSRD) program are:
  - To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
  - To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure.
  - To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

24 BAA Program / Proposal Structure
NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in (DHS) “customer” environments
- Type I (New Technologies)
  - New technologies with an applied research phase, a development phase, and a deployment phase (optional)
  - Funding not to exceed 36 months (including deployment phase)
- Type II (Prototype Technologies)
  - More mature prototype technologies with a development phase and a deployment phase (optional)
  - Funding not to exceed 24 months (including deployment phase)
- Type III (Mature Technologies)
  - Mature technology with a deployment phase only.
  - Funding not to exceed 12 months

25 BAA 07-09 Technical Topic Areas
- Botnets and Other Malware: Detection and Mitigation
- Composable and Scalable Secure Systems
- Cyber Security Metrics
- Network Data Visualization for Information Assurance
- Internet Tomography / Topography
- Routing Security Management Tool
- Process Control System Security
  - Secure and Reliable Wireless Communication for Control Systems
  - Real-Time Security Event Assessment and Mitigation
- Data Anonymization Tools and Techniques
- Insider Threat Detection and Mitigation

26 Partnership
- Project LOGIIC is a model for government-industry technology integration and demonstration efforts to address critical R&D needs
- Industry contributes
  - Requirements and operational expertise
  - Project management
  - Product vendor channels
- DHS S&T contributes
  - National Security Perspective on threats
  - Access to long term security research
  - Independent researchers with technical expertise
  - Testing facilities

27 Commercial Outreach Strategy
- Assist commercial companies in providing technology to DHS and other government agencies
  - Emerging Security Technology Forum (ESTF)
- Assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies
  - System Integrator Forum (Feb. 21, 2008)
- Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures
  - Cyber Entrepreneurs Workshop (Mar. 11, 2008)
[Diagram labels: Established Commercial Companies; Emerging Commercial Companies; Government Funder/Customer; DHS Researchers; Commercial Customers]

28 System Integrator Forum 2008
- IronKey, Palo Alto, CA
  - Secure USB Token
- HBGary, Chevy Chase, MD
  - Malware Discovery Tool
- Grammatech, Ithaca, NY
  - Software Analysis (Binary and Source)
- George Mason Univ, Fairfax, VA
  - Network Vulnerability Analysis/Discovery
- Endeavor Systems, Arlington, VA
  - Pattern Recognition and Signature Analysis
- 2008 SIF – February 21 in WDC (see website)

29 IT Security Entrepreneur Forum (ITSEF)
- Hot Topics - Current Market Trends and Conditions
- How to Optimize Having the Government as Your Partner
- Communicating Your Value Proposition
- The Risks and Rewards of Selling to the Government
- Navigating the Government Procurement Process from A to Z
- Financing Your Startup in the Information Security Space through Government Funds
- 2008 ITSEF – March 11 @ Stanford

30 University Programs
Centers of Excellence (COE) Program Goals
- Develop the management and communications infrastructure to produce, share and transition Centers’ research results, data and technology to analysts and policymakers
- Align existing Centers and establish new Centers and initiatives to align with S&T Divisions’ research and development activities, and address additional DHS needs
- Deliver the Centers’ advanced research products, technology and educated workforce that DHS will need to protect the country for the foreseeable future

31 Current Centers of Excellence
- Center for Risk & Economic Analysis of Terrorism Events (CREATE)
  - Based at the Univ. of Southern California
- National Center for Food Protection & Defense (NCFPD)
  - Based at the Univ. of Minnesota
- National Center for Foreign Animal & Zoonotic Disease Defense (FAZD)
  - Based at Texas A&M Univ.
- National Consortium for the Study of Terrorism & Responses to Terrorism (START)
  - Based at the Univ. of Maryland
- National Center for Preparedness & Catastrophic Event Response (PACER)
  - Based at Johns Hopkins Univ.

32 Centers of Excellence, cont. / Other University Research Initiatives
- Center for Advancing Microbial Risk Assessment (CAMRA)
  - Based at Michigan State Univ., in Partnership with U.S. EPA
- Univ. Affiliate Centers to the Institute for Discrete Sciences (IDS-UACs)
  - In Partnership with Lawrence Livermore National Laboratory: Rutgers Univ. (Lead Center), Univ. of Southern California, Univ. of Illinois at Urbana-Champaign, Univ. of Pittsburgh
- Regional Visualization & Analytics Centers (RVACs)
  - In Partnership with National VAC at Pacific Northwest National Laboratory: Penn State Univ., Purdue Univ., Stanford Univ., Univ. of North Carolina at Charlotte, Univ. of Washington
- Southeast Regional Research Initiative (SERRI)
- Kentucky Critical Infrastructure Protection Institute (KCI)

33 New Centers Beginning in FY 2007-08
- COE for Explosives Detection, Mitigation and Response (Funded FY2007)
- COE for Border Security and Immigration (Funded FY2007)
  - Northern Forest Borders
  - Southwest Desert Borders
- COE for Maritime, Island & Remote/Extreme Environment Security (Funded FY2007)
- COE for Natural Disasters, Coastal Infrastructure and Emergency Management (Funded FY2008)

34 Education Programs
- Individual Scholarships and Fellowships
- Institutional Scholarships & Fellowships
- Summer Internships
- AAAS/AVMA Visiting Scholars
- Post-Doc Program

35 R&D Studies / Reports
- 1997 – President’s Commission on Critical Infrastructure Protection (PCCIP)
  - Critical Foundations: Protecting America’s Infrastructures
- 1999 – National Research Council Computer Science and Telecommunication Board
  - Trust in Cyberspace
- 2003 – National Strategy to Secure Cyberspace
- 2003 – Institute for Information Infrastructure Protection (I3P)
  - Cyber Security Research And Development Agenda
- 2003 – Computing Research Association
  - Four Grand Challenges in Trustworthy Computing

36 R&D Studies / Reports (2)
- 2004 – National Infrastructure Advisory Council (NIAC)
  - Hardening The Internet
- 2005 – President's Information Technology Advisory Committee (PITAC)
  - Cyber Security: A Crisis of Prioritization
  - curity.pdf
- 2005 – Infosec Research Council (IRC)
  - Hard Problems List
- 2006 – National Science and Technology Council (NSTC)
  - Federal Plan for Cyber Security and Information Assurance Research and Development
- 2007 – National Research Council Computer Science and Telecommunication Board
  - Toward a Safer and More Secure Cyberspace

37 R&D Matrix

38 NITRD Program Coordination
[Organization chart: labels recovered from the slide]
- U.S. Congress
- NITRD Agency Authorization and Appropriations Legislation
- White House Executive Office of the President
- Office of Science and Technology Policy
- National Science and Technology Council
- Committee on Homeland and National Security
- Committee on Technology
- Subcommittee on Infrastructure
- Subcommittee on Networking and Information Technology Research and Development (NITRD)
- National Coordination Office (NCO) for Networking and Information Technology Research and Development
- Cyber Security and Information Assurance (CSIA) Interagency Working Group
- High End Computing (HEC) Interagency Working Group
- Large Scale Networking (LSN) Coordinating Group
- High Confidence Software and Systems (HCSS) Coordinating Group
- Human Computer Interaction and Information Management (HCI&IM) Coordinating Group
- Software Design and Productivity (SDP) Coordinating Group
- Social, Economic, and Workforce Implications of IT and IT Workforce Development (SEW) Coordinating Group

39 Tackling Cyber Security R&D Challenges: Not Business as Usual
- Key people (i.e., Congress) now paying attention
- Close coordination with other Federal agencies
- Outreach to communities outside of the Federal government
  - Building public-private partnerships (the industry-government *dance* is a new tango)
- Need a stronger emphasis on technology diffusion and technology transfer
- Migration paths to a more secure infrastructure
- Awareness of economic realities

40 Douglas Maughan, Ph.D., Program Manager, CCI
202-254-6145 / 202-360-3170
For more information, visit
