Presentation on theme: "Homeland Security Advanced Research Projects Agency"— Presentation transcript:
1Homeland Security Advanced Research Projects Agency The Threat Landscape – A U.S. PerspectiveMarch 13, 2014CSIT 2014Belfast, Northern IrelandDouglas MaughanDivision Director
2Presentation Outline Threat Space Top Technical / Policy Challenges The Human ChallengeTop Technical / Policy ChallengesCritical Infrastructure SecuritySoftware AssuranceMobile Device (and App) SecurityDistributed Denial of Service DefensesCyber-Physical SystemsCybersecurity WorkforceLegal and Ethical R&DSummary
3Environment: Greater Use of Technology, More Threats, Less Resources Globalization & TransportationAnywhere in the world in 24 hoursLESSRESOURCESBorder Security & ImmigrationTenuous balanceViolent ExtremismInsider ThreatCyber DomainLow cost of entryStrategic potentialBoth sides get to innovateAviation as an example …Nature of InnovationPredictive & ReactiveMisuse of TechnologyHistorical PerspectiveNatural Disasters & Pushing Beyond Design LimitsMORE THREATS
4Cyber Threats and Sources Nation StatesMalware – Malicious software to disrupt computersViruses, worms, …Theft of Intellectual Property or DataHactivism – Cyber protests that are socially or politically motivatedMobile Devices and Applications and their associated Cyber AttacksSocial Engineering – Entice users to click on Malicious LinksSpear Phishing – Deceptive communications ( s, Texts, Tweets)Domain Name System (DNS) HijackingRouter Security – Border Gateway Protocol (BGP) HijackingDenial of Service (DOS) – blocking access to web sitesOthers …..Cyber CriminalsTerrorists, DTOs, etc.Insider ThreatsHackers/Hacktivists
5Cyberspace Definitions “Cyberspace is [our nation’s critical infrastructures’] nervous system—the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work.” National Strategy to Secure Cyberspace, 2003“Cyberspace means the interdependent network of IT infrastructures, and includes the internet, telecomms networks, computer systems, and embedded processors and controllers in critical industries” NSPD 54, 8 Jan 2008“The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries.” White House Cyberspace Policy Review, May 2009“The terms cyber security and information assurance refer to measures for protecting computer systems, networks, and information from disruption or unauthorized access, use, disclosure, modification, or destruction.” Federal Plan for Cyber Security and Information Assurance Research and Development, Apr 2006“A cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. International Telecommunications Union X.1205, Overview of Cybersecurity, Oct 2008AND PEOPLE!!!
6Example of a Cyber Intrusion All traffic over common ports (25, 80, 443)Determined AttackerUnique IPs used for each attack phase7123846756666Targeted PhishingUser clicks on link to hostile website or opens attachmentInfected computer beacons to attacker and waits for commandsAttacker takes direct control of remote machine inside encrypted sessionAttacker compromises administrator credentialsAttacker move laterally through the network, compromising additional machines and searches for desired informationTargeted information is packaged and exfiltratedInfected machines sit idle and wait for further instructions or remove evidence of intrusion
7Presentation Outline Threat Space Top Technical / Policy Challenges The Human ChallengeTop Technical / Policy ChallengesCritical Infrastructure SecuritySoftware AssuranceMobile Device (and App) SecurityDistributed Denial of Service DefensesCyber-Physical SystemsCybersecurity WorkforceLegal and Ethical R&DSummary
8Cybersecurity for the 16 Critical Infrastructure Sectors DHS provides advice and alerts to the 16 critical infrastructure areas …… DHS collaborates with sectors through Sector Coordinating Councils (SCC)XXBusiness / PersonalShopping & Banking Point of Sale (in store/on line) – See “Target”, for examplePersonalSocial Media…
9Credit: White House / Pete Souza Executive Order (EO) on Improving Critical Infrastructure Cybersecurity/ Policy Presidential Directive (PPD) on Critical Infrastructure Security and ResilienceExecutive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:Develop a technology-neutral voluntary cybersecurity frameworkPromote/incentivize adoption of cybersecurity practicesIncrease the volume, timeliness and quality of cyber threat information sharingIncorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructureExplore existing regulation to promote cyber securityPresidential Policy Directive-21: Critical InfrastructureSecurity and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real timeUnderstand cascading consequences of infrastructure failuresEvaluate and mature the public-private partnershipUpdate the National Infrastructure Protection PlanDevelop comprehensive research and development planCredit: White House / Pete Souza“America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”President Barack Obama,2013 State of the UnionExecutive Order – Improving Critical Infrastructure CybersecurityFacing threats to our nation from cyber attacks, and in the absence of comprehensive legislation, the President issued an Executive Order directing Federal agencies to use their existing authorities and increase cooperation with the private sector to provide better protection for the computer systems that are critical to our national and economic security.In developing the PPD and EO, the Administration sought input from stakeholders of all viewpoints in the private sector, and their concerns have been incorporated.There is also a strong role for State, local, tribal and territorial governments who own a significant portion of the Nation’s critical infrastructure.The Executive Order clears the way for more efficient sharing of cyber threat information with the private sector and directs the establishment of a Cybersecurity Framework to identify and implement better security practices among critical infrastructure sectors.America’s national security and economic prosperity are increasingly dependent upon critical infrastructure that is at risk from a variety of hazards, including attacks via the Internet.Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and ResilienceTo complement the Cyber Security Executive Order, the Administration is also issuing a Presidential Policy Directive on critical infrastructure security and resilience that updates the national approach from Homeland Security Presidential Directive 7 (issued in 2003) to adjust to the new risk environment, key lessons learned, and drive toward enhanced capabilities.The PPD directs the government to develop an efficient situational awareness capability that addresses both the physical and cyber implications of an incident.The PPD directs the government to address other information sharing priorities, including updating the information flow to near real-time to respond to the changing risk environment.The PPD also calls for a comprehensive research and development plan for critical infrastructure to guide the government’s effort to enhance market-based innovation.
10Software Assurance“Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.”According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
11More Software NumbersNIST study suggests that software errors cost US economy an estimated $59.5 billion annually, of which 1/3 of costs or $22.2 billion could be removed with improved software quality testing and toolsPoor software quality has become one of the most expensive topics -- $ billion/yr. and $500+ billon/yr. worldwideSoftware failures account for 24% of all medical device recallsSource: Capers JonesSource: Threatpost via FDA Study
12Software Evolution Codebases are HUMONGOUS Common software applications – some apps scale near 60 MLOCSoftware Assurance tools typically can’t scale this amount of codeCodebase size contributes to code complexityMore features, usually means more codeSpaghetti code typically results in poor quality of code50 MLOC
14SWAMP Vision Document”The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A softwareassurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.”Kevin E. Greene, DHS S&TSoftware Assurance Program Manager
15Mobile Device Growth Desktop PC Portable PC Tablet Smartphone # Units Shipped(millions)2012Total: 1,201.12017 (Projected)Total: 2,250.316001200700200
1750 POPULAR MOBILE APPS, IOS/ANDROID 2013 Mobile App TestingTESTING RESULTS50 POPULAR MOBILE APPS, IOS/ANDROID% With Issues100%~80%~30%~50%~15%Stored UsernameStored PasswordMedium or High RiskFailed MITMStoredUsernamePasswordOtherRisksFailedMiTM
18DDoS Attacks 101 Victim is overwhelmed. Examples include: - 400 Gbps traffic to 10 Gbps access link- Millions of requests to server designed for thousands- 1000s of 911 calls to a system designed for hundredsBoth brute force and clever ways to overwhelm the targetAttack traffic originated from multiple locations throughout the InternetControl Over Vast Number of Compromised Devices:Desktops, laptops, and even refrigerators!Command and Control:Nation State, Criminal Organization, Hactivist groups, etc.
19Threat: DDOS VolumeDistributed Denial of Service attacks render key systems and resources unavailable,effectively denying users access to the serviceUSA Today: Why DDoS attacks continue to bedevil financial firms… adversaries may potentially be nation states …NY Times: Attacks used the internet against itself to clog trafficAttack traffic exceeds 400 Gbps!eWeek: DHS, FBI Warn of Denial-of-Service Attacks on Emergency Telephone SystemsCurrent Advantage Favors Attackers:Attack resources are cheap compromised machines while defense requires provisioningAttackers easily cross boundaries while defense requires cross-organization collaborationChallenge: shift advantage in DDoS events toward defense
20Cyber-Physical Systems PPD 21 Identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”Cyber Physical Systems Are Becoming Ubiquitous:Smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so onYou will “bet your life” on many of these systemsFast moving field focusing on functionality now and will bolt on security later…Drones Could Help Tulsa Firefighters During Search, RescueJust like the Internet in its early days, car networks don’t employ very much security”TransportationAuto, UAVs, Aeronautical, RailManufacturingHealthcareEnergyAgricultureEmergency ResponseOpportunity Now To Build Security Into Emerging Cyber Physical Designs
21Recent Solicitation http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults.
22Workforce Shortage(Reuters) - For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back. Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units.The U.S. military's Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up. But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries.
23A National ProblemEnhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations)Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills.NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies.
24Cybersecurity Education Cyber Security Competitions (http://nationalccdc.org)National Initiative for Cybersecurity Education (NICE)NCCDC (Collegiate); U.S. Cyber Challenge (High School)Provide a controlled, competitive environment to assess a student’s depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.WHY Competitions?Hands-on approach better than “book learned”; provides opportunities to perform “real world” defenseMeasurable – can determine if participants are getting better/smarterEasier than internships, etc. for younger and minority studentsPrivate sector companies can more easily provide supporting funding
25Who else is supporting these activities? NATIONAL CHAMPIONSHIPApril 25-27, 2014 in San Antonio, TX
26Legal and Ethical R&D Menlo Report Companion Report Ethical Principles Guiding Information and Communications Technology Research (ICTR)Something similar to the Belmont Report for human subject research (from 1970s)Respect for PersonsBeneficenceJusticeRespect for Law and Public InterestCompanion Report21 Case Studies examined
27SummaryCybersecurity research is a key area of innovation to support our global economic and national security futuresMust focus on the human aspect of cyberspace - education, training, and awareness aspects of our current and future cybersecurity workforceNo shortage of technical challengesEveryone gets to innovate in their own wayCollaboration is essential; no single government / university / company is going to solve this problem aloneLook at future technical agendas with the most impact for the global communityNeed to continue strong emphasis on technology transfer and experimental deployments
28For more information, visit http://www.dhs.gov/cyber-research Douglas Maughan, Ph.D.Division DirectorCyber Security DivisionHomeland Security Advanced Research Projects Agency (HSARPA)/For more information, visit
30Transition To Practice (TTP) Program R&D SourcesDOE National LabsFFRDC’s (Federally Funded R&D Centers)AcademiaSmall BusinessTransition processesTesting & evaluationRed TeamingPilot deploymentsUtilizationOpen SourcingLicensingNew CompaniesAdoption by cyber operations analystsDirect private-sector adoptionGovernment useImplement Presidential Memorandum – “Accelerating Technology Transfer and Commercialization of Federal Research in Support of High-Growth Businesses” (Oct 28, 2011)