2009 CybersecuritySummit Report

Arlington, Virginia

September 14–15, 2009

This workshop is supported by the National Science Foundation under Grant No. 0821879.

Table of Contents

2009 Cybersecurity Summit Program Committee.............................................................................1Executive Summary...........................................................................................................................2

Observations from Summit Chair James A. Marsteller.................................................................2Overview............................................................................................................................................2

Program Committee and Program..................................................................................................3Attendee Participation....................................................................................................................3

Plenary Sessions.................................................................................................................................5Thinking Outside the Box..............................................................................................................5FBI Update.....................................................................................................................................5Community Updates......................................................................................................................5Cybersecurity Policy Directions: Implications for Education and Research.................................6Cybersecurity Research Challenges...............................................................................................6Driving Security Improvements Through Research and Development.........................................6

Technical Track Sessions...................................................................................................................6Server Virtualization and Security: Dos and Don’ts......................................................................6Getting to Know Bro......................................................................................................................7Domain Name System Security (DNSSEC): Lessons Learned and Deployment for Research Facilities.........................................................................................................................................7

Operations and Management Track Sessions....................................................................................7Report from the NIST 800-53 Trenches........................................................................................7Federated Identity Management: Challenges and Solutions..........................................................7Developing an Information Security Program: Addressing the NSF Cooperative Agreement.....8

Emerging Trends Track.....................................................................................................................8Losing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure Planning...................................................................................................................8

Participant Evaluation Summary........................................................................................................8Conference Program..........................................................................................................................9Conference Attendees......................................................................................................................11

2009 Cybersecurity Summit Program Committee

James A. Marsteller, Chair, Pittsburgh Supercomputing Center Mine Altunay, Fermi National Accelerator Laboratory Thomas F. Carruthers, National Science Foundation John W. Cobb, Oak Ridge National Laboratory Michael Corn, University of Illinois at Urbana-Champaign David Halstead, National Radio Astronomy Observatory Ardoth A. Hassler, National Science Foundation Albert Lazzarini, California Institute of Technology Margaret Murray, University of Texas at Austin Rodney J. Petersen, EDUCAUSE (Staff Liaison) Valerie Vogel, EDUCAUSE (Staff Liaison)

2009 Cybersecurity Summit Report 1

Executive SummaryObservations from Summit Chair James A. MarstellerI have been involved with each Cybersecurity Summit in the role of a program committee chair and member, breakout session leader, or speaker. This participation has allowed me to develop a deep understanding of the relationship between the Summit, the community it serves, and the sponsor (NSF). I have benefited from the knowledge and relationships gained at each summit over the past five years. Based on my experience, I have made some observations that I believe could be used to improve future summits:

First, let me state that the research and education community greatly appreciates and benefits from the Cybersecurity Summit. Feedback from summit attendees shows a strong desire that the NSF continues to sponsor future summits. With the budget cuts many facilities are experiencing, the summit offers a low-cost opportunity to collaborate on improving security locally and at the community level: 96.7% of attendees gave the summit a high satisfaction rating, and 86% plan to attend next year (this is a significant increase from the previous summit figure of 51% planning to attend a future summit).

The educational session on intrusion detection systems that was added this year was very well received. Many technical attendees have sought training or educational content in the summit for some time. I would strongly suggest a similar training session in future summits.

Feedback from this year’s attendees suggests that the summit be extended to two full days, thus allowing for more topics to be covered and to make the summit more attractive for those who must travel long distances.

I would suggest that the NSF consider a greater commitment to supporting the Cybersecurity Summit experience by extending funding for a multiyear period. The prior award was for a two-year period, which helped greatly in planning and continuity. I also believe that, given the right set of tools and leadership, there is great potential for the summit to act as the catalyst for empowering the community to strengthen and advance information security practices.

OverviewThe 2009 Cybersecurity Summit was held September 14 and 15 in Arlington, Virginia. The purpose was the same as in the previous three meetings: to bring together stakeholders from the university and government research communities to establish and maintain collaborative efforts advancing cybersecurity. The event drew 92 attendees from universities, research facilities, and federal agencies (NSF, DOD, DOE, NIST, DHS, and others), including two international participants (from Chile and Switzerland).

Based on attendee comments from past years, the program committee made a few changes to the 2009 summit. The breakout sessions were replaced with tracks in three subject areas: Technical, Operational and Management, and Emerging Trends. Rather than using previous years’ report-based format, sessions were informational. Another change came earlier in the year, when the program committee surveyed past attendees for the most relevant topics to include in the upcoming summit. This marked the first time the community had direct input into the content of the summit, and the response was very positive.

The average session length was shortened to a maximum of one and a half hours to accommodate the topics selected by the community. More panel discussions, which were very popular in the past year, were added. Another popular offering was an introductory training session on a leading intrusion detection system. The program covered a diverse list of timely subjects ranging from technical discussions, to policy and security programs, to strategic planning discussions on the rapidly changing security environment.

Finally, the summit ended with a town hall meeting, where attendees provided feedback on the summit changes and contemplated how the summit should evolve. Many comments expressed the value of the summit and its continued development. There were a number of suggestions and comments for moving forward:

“Featured facility”: Select a facility/community member for each summit to present their security program, how it was developed, changes made over the past year (based on previous Cybersecurity Summits/security conferences/security events), etc.

Organize as a community to have greater influence with vendors (developing patches for zero-day vulnerabilities, better customer service/servicing of needs, etc.).

2 2009 Cybersecurity Summit Report

Suggested topics for future summits: revisiting the use of one-time passwords; developing a security training and awareness program for staff; protecting data in the cloud; NIST 800-53 toolkit; incident response.

All of the summits have had similar goals:

Share information and ideas. By sharing information and ideas, participants can understand the common issues and problems that affect security in the research and education communities. They can learn how others have solved these problems and/or identify problems in securing the research cyberinfrastructure that need further discussion and attention.

Develop understanding of our communities’ diverse perspectives. While balancing security and usability in the research environment, workshop attendees discuss and analyze the similarities and differences between small and large computing/research facilities.

Discuss our communities’ strengths and weaknesses. The academic and research communities have specific, unique requirements for providing open, collaborative environments. Participants discuss and analyze the strengths and weaknesses related to security of these environments.

Identify our communities’ security needs. Attendees explore the competing needs of providing an open, collaborative research environment and protecting the security and integrity of the nation’s research computing and data assets. They strive to describe a secure computing environment that minimizes negative impact, either on (1) researchers and their productivity or (2) computer and network performance.

Program Committee and ProgramIn an effort to strengthen continuity between summits, James Marsteller of the Pittsburgh Supercomputing Center filled the role of program chair again this year. The program committee included members who came from many different research and educational institutions and federal agencies, as well as Rodney Petersen from EDUCAUSE. The first program committee meeting took place March 20, 2009, and continued biweekly up to the summit. The program committee received generous support from EDUCAUSE in planning the workshop, recording meeting minutes, communicating meeting times, and coordinating the program schedule.

For a list of the program committee members, see page 1 of this report. A copy of the conference program can be found on pages 9–10 of this report.

Attendee ParticipationThis invitation-only event included individuals recommended to the program committee, some previous years’ attendees, program committee members, and others. A diverse group of participants was sought, including those from both large and small research facilities and universities as well as federal agencies.

The 92 attendees from universities, research facilities, and federal agencies included two international attendees (from Chile and Switzerland). The counts of attendees by selected organization were as follows:

Organization Number of AttendeesUCAR/NCAR 2National Radio Astronomy Observatory 2National Astronomy and Ionosphere Center 1National High Magnetic Field Laboratory 2National Optical Astronomy Observatory 2Gemini Observatory 2Indiana University 2LBNL 3ORNL 4NSF 18The National Ecological Observatory (NEON) 3University of Illinois 4Other federal agencies 4EDUCAUSE 3

Other organizations were represented by one or two attendees.

2009 Cybersecurity Summit Report 3

These figures are based on summit registrations. Note that some individuals may have registered under their parent institution instead of their department/center, which will affect overall totals.

Counts by StateParticipants from 20 states, the District of Columbia, and Puerto Rico attended the workshop:

State or DistrictNumber of Attendees

Percentage of Attendees

Virginia 24 26.7%District of Columbia 8 8.9%Illinois 8 8.9%Indiana 7 7.8%California 7 7.8%Colorado 6 6.7%Pennsylvania 4 4.4%Tennessee 4 4.4%Arizona 4 4.4%Texas 3 3.3%Florida 3 3.3%Maryland 2 2.2%Hawaii, Louisiana, Massachusetts, Michigan, New Jersey, North Carolina, Ohio, Puerto Rico, Washington, Wisconsin 1 each 11.1%

Counts by Institutional SizeOf the attendees, 40% came from large (18,000-plus) institutions, 6% from large-medium institutions (8,000–17,999), 4% from medium institutions (2,000–7,999), and 0% from small institutions (under 2,000); 49% did not give their institution size.

Counts by Functional TitleBy title, 36% of attendees identified themselves as support IT, 20% as senior IT, 5% as CIOs, 8% as other executive level, 1% as faculty, 4% as sales, and 24% as “other.”

The data in the following tables regarding summit attendees come from the participant evaluations completed at the end of the summit by 30 respondents. Note that some respondents checked more than one category for each of the three questions.

1. Which area of science does your job or interest most closely relate to? Check all that apply.

OD/OCI: Office of Cyberinfrastructure (DTF, ETF, PACI) 20.0%ENG/CMS: Engineering—Civil & Mechanical Systems (NEES) 3.3%ENG/EEC: Engineering—Engineering Education & Centers (NNIN) 3.3%GEO/ATM: Geosciences—Atmospheric Sciences (AMISR, JRO, NAIC, UARF, MHO, Sondrestrom, NCAR, UNIDATA)

13.3%

GEO/EAR: Geosciences—Earth Sciences (IRIS, GSEC, UNAVCO, Earthscope)

6.7%

GEO/OCE: Geosciences—Ocean Sciences (ODP, NOSAMS, IODP, SODV)

10.0%

MPS/AST: Math & Physical Sciences—Astronomical Sciences (ALMA, Gemini, NAIC, EVLA, NRAO, NSO, NOAO)

46.7%

MPS/DMR: Math & Physical Sciences—Materials Research (CHESS, NHMFL, SRC, CHRNS, LENS)

16.7%

MPS/PHY: Math & Physical Sciences—Physics (Ice Cube, LHC, LIGO, NSC)

20.0%

BIO/DBI: Biological Infrastructure (NEON) 10.0%No direct science area 6.7%Other science area 3.3%

4 2009 Cybersecurity Summit Report

2. Which function does your job or position most closely relate to? Check all that apply.

Facilities Operation and Management 35.5%Facility User 6.4%Government Project/Program Manager 16.1%IT Security Management 38.7%IT Security Policy 32.3%Network or Computer Security Engineering 19.3%Other 6.4%

3. Which category fits your organization best? Check one. (Note: Some respondents checked more than one category.)

Academic Institution or Organization 19.3%Commercial Industry 0.0%DOD 3.2%DOE 12.9%DOE Facility 9.8%NASA 0.0%NSF 19.3%NSF Large Facility 32.3%Other Government Facility 0.0%Other 3.2%

Plenary SessionsThinking Outside the BoxSpeaker: Eugene H. Spafford, Professor and Executive Director, CERIAS, Purdue University

Over the past six decades, computing technology has undergone a series of revolutions that have changed the world. Computing touches everyone’s life, yet few stop to think about the incredible rate of change of the underlying technology. The World Wide Web is just 20 years old, and Internet commerce is even younger. With the expansion of the reach of computing, networks, and all that we do with computers, we have also seen new threats emerge to security, privacy, and even (to some extent) our social interactions, yet we continue to pursue solutions using outmoded models and paradigms that sometimes worsen the problems. This talk will discuss some of the major changes we have seen in computing and their implications for security and privacy. Moreover, it will address how some of our basic concepts in computing technology have failed to adapt with the computing hardware, and how that ultimately shapes what we do (and do not do) in research to address urgent problems. We must challenge some of our fundamental views of how we use computing, and the nature of privacy, if we wish to see improvement.

FBI UpdateSpeaker: Shawn Henry, Assistant Director, Cyber Division, Federal Bureau of Investigation

Shawn Henry, Assistant Director of the Cyber Division, Federal Bureau of Investigation (FBI), briefed the community on current FBI information security activities. He provided an overview of past investigations, current trends in cybercrime/threats, and the bureau’s response to current conditions. Assistant Director Henry also shared timely information and intelligence with the community in order to raise awareness and prevent future hostile acts.

Community UpdatesSpeakers: Mine Altunay, Head, Open Science Grid (OSG) Security, Fermi National Accelerator Laboratory; Ken Klingenstein, Director, Internet2 Middleware and Security, University of Colorado at Boulder; James A. Marsteller, Information Security Officer, Pittsburgh Supercomputing Center; Doug Pearson, REN-ISAC Technical Director, Indiana University; David G. Swartz, Assistant VP and CIO, American University

Community updates from EDUCAUSE/Internet2 Higher Education Information Security Council (formerly the Security Task Force), InCommon, the Open Science Grid, REN-ISAC, and TeraGrid.

2009 Cybersecurity Summit Report 5

Cybersecurity Policy Directions: Implications for Education and ResearchPanelists: Robert B. Dix Jr., Vice President, Government Affairs and Critical Infrastructure Protection, Juniper Network, Karl Levitt, Program Officer, CISE, Lenore Zuck, Program Officer, CISE, and Paul Markovitz, Branch Chief, Security, Architecture, Policy and Plans, National Science Foundation

Session moderator: Rodney J. Petersen, Government Relations Officer and Director of Cybersecurity Initiative, EDUCAUSE

The White House 60-day cyberspace review is the latest in a series of government efforts to raise visibility of the seriousness of cybersecurity to our nation’s economic and national security. The final report called on the federal government to “expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.” The Federal Trade Commission’s report, “Security in Numbers: SSNs and ID Theft,” and congressional proposals to update the Federal Information Security Management Act are among the many information security reforms under consideration for both the public and private sectors. This panel explored the public policy dimensions of cybersecurity and their implications for research facilities.

Cybersecurity Research ChallengesStrategic Discussion on Cybersecurity Planning

Panelists: Michael A. Corn, Chief Privacy and Security Officer, University of Illinois at Urbana-Champaign; Walter Dykas, Cyber Security Program Manager, Office of Science, United States Department of Energy; Kathleen R. Kimball, Senior Director, ITS Security Operations and Services, The Pennsylvania State University; Stefan Lueders, Deputy Computer Security Officer, CERN

Session moderator: George O. Strawn, CIO, National Science Foundation

The foment of activity surrounding security operations tends to drown out the time and resources for strategic planning with regard to security. All security managers have a mental portfolio of things they should be doing if only they had the human and fund resources: however, it’s difficult to design your next house when you can’t afford a deadbolt for your front door. Nevertheless, security professionals and campus executives need to look at the strategic dimension to the evolution of security operations. Are there architectural principles or metrics we should be examining that will guide the next five years of planning? Is there a looming paradigm shift we should try to anticipate? This session presented a broad-ranging discussion of these questions, from the operational to the executive perspective.

Driving Security Improvements Through Research and DevelopmentSpeaker: Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, United States Department of Homeland Security

The Directorate for Science and Technology (S&T) is the primary research and development arm of the U.S. Department of Homeland Security. S&T uses the Homeland Security Advanced Research Project Agency to engage industry, academia, government, and other sectors in innovative research and development, rapid prototyping, and technology transfer to meet operational needs. Academic organizations such as the Computing Research Association and industry groups have called for increased funding for cybersecurity R&D. This keynote will describe what the S&T directorate is doing to drive, discover, and deliver new solutions to address cybervulnerabilities as well as what research areas it considers near-term priorities.

Technical Track SessionsServer Virtualization and Security: Dos and Don’tsSpeaker: Kevin Sullivan, Coordinator for Special Projects, Pittsburgh Supercomputing Center

With shrinking budgets and the pressure to reduce costs, many organizations are turning to server virtualization as a technique to do more with less. This session reviewed the basics of virtualization and best practices that you can use to benefit from server virtualization today. Of course, adding multiple services to a single piece of hardware also increases risk; therefore, how to avoid mistakes that could affect the security, availability, and performance of mission-critical IT services were also addressed.

Session Resources: http://www.educause.edu/node/179648

6 2009 Cybersecurity Summit Report

Getting to Know BroSpeakers: Seth Hall, Network Security Engineer, The Ohio State University; Robin Sommer, Research Scientist, International Computer Science Institute (ICSI)

An introductory training session was conducted on a popular intrusion detection system. The open-source Bro network intrusion detection system provides a flexible framework for high-performance traffic inspection. Bro’s extensive application-layer analysis provides deep insight into each session’s actual activity, and its custom scripting language enables experienced analysts to customize the system’s operation to their needs. In addition, Bro also supports standard signature-based analysis to bridge the gap between traditional IDS analysis and its more powerful script-based approach.

Session Resources: http://www.educause.edu/node/179766

Domain Name System Security (DNSSEC): Lessons Learned and Deployment for Research FacilitiesSpeakers: James M. Galvin, Director Strategic Relationships and Technical Standards, Afilias; Matt Larson, Vice President, DNS Research, VeriSign; Scott Rose, DNSSEC Project Lead, National Institute of Standards and Technology

Session moderator: Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, United States Department of Homeland Security

The Domain Name System Security Extensions, known as the DNSSEC, is a suite of IETF specifications for securing certain kinds of information provided by the DNS as used on IP networks. It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of devising a backward-compatible standard that can scale to the size of the Internet and deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients). This session will focus on the technical aspect and trends of implementing DNSSEC for industry and academia, as well as how .edu can signal to the rest of the Internet community that it will lead the way with deployment of DNS security extensions. Discussion on lessons that can be learned from the DNSSEC initiative in the .gov and .org domains will also be highlighted.

Session Resources: http://www.educause.edu/node/179647

Operations and Management Track SessionsReport from the NIST 800-53 TrenchesSpeaker: Dan Peterson, ESnet Security Officer, Lawrence Berkeley National Laboratory

NIST 800-53 presents an integrated yet potentially overwhelming methodology for mapping adequate security controls to security requirements. Integration is achieved by considering technical, operational, and management aspects of security requirements as a whole. Yet difficulties result from site- or enterprise-specific combinations of factors, including evolving technologies and hardware and software infrastructures, limited time and resources, differences in perception by and impact prioritization between management and technical staff, and the necessity of dealing with a massive set of forms. This session will address ESnet’s wiki-based approach to motivating and implementing a maintainable security audit process.

Session Resources: http://www.educause.edu/node/179524

Federated Identity Management: Challenges and SolutionsSpeakers: Clair W. Goldsmith, Senior Advisor for Information Technology, University of Texas at Austin; Ardoth A. Hassler, NSF Senior IT Advisor/Associate VP, University Information Services, Georgetown University; Kenneth J. Klingenstein, Director, Internet2 Middleware and Security, Internet2; Renee Shuey, Principal Lead of Identity and Access Management Initiative, The Pennsylvania State University

NSF and NIH have joined the InCommon Federation and are enabling their applications to use federated identity for members of the InCommon Federation, an organization that provides a federated trust framework for research and education institutions and their partners. This session reviewed the management and operational opportunities and

2009 Cybersecurity Summit Report 7

challenges associated with implementing federated IdM, including: what federated IdM does and doesn’t do; level of assurance issues (Identity Assurance Framework); and how large facilities can leverage these technologies.

Session Resources: http://www.educause.edu/node/179379

Developing an Information Security Program: Addressing the NSF Cooperative AgreementSpeaker: Abe Singer, Chief Security Officer, LIGO Lab, California Institute of Technology

Session moderator: Ardoth A. Hassler, NSF Senior IT Advisor/Associate VP, University Information Services, Georgetown University

NSF cooperative agreements require the awardee to develop a security program and present it to the NSF, but they do not mandate specific security requirements. This talk addressed what this means, how to approach putting together a security program, and what the elements of the program might contain, as well as how to present a security program to the NSF.

Session Resources: http://www.educause.edu/node/179381

Emerging Trends TrackLosing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure PlanningSpeakers: Michael A. Corn, Chief Privacy and Security Officer, and Anthony S. Rimovsky, Associate Director, University of Illinois at Urbana-Champaign; Steven Worona, Director of Policy and Networking Programs, EDUCAUSE

Whether it’s the iPhone, Dropbox, or Amazon’s S3, infrastructure architects and designers are now under pressure to address “the cloud” in their operational plans. Cloud-based services, together with powerful portable devices, have fundamentally altered user expectations for data access and infrastructure transparency. This panel engaged the audience in a discussion of the actual and anticipated effects this is having on operations and security managers from both the technical and policy dimensions.

Participant Evaluation SummaryThis section summarizes key results from the participation evaluations. Answers to the first question came from 30 respondents; 29 attendees responded to the second. Results are based on a Likert scale, where 1 = not satisfied and 5 = very satisfied.

QuestionVery

SatisfiedSomewhat Satisfied Neutral

Somewhat Unsatisfied Unsatisfied

Overall, how satisfied were you with your summit experience? 56.7% 40.0% 0.0% 3.3% 0.0%

How satisfied were you with the overall logistics of the summit? 75.9% 20.7% 3.4% 0.0% 0.0%

We received 29 responses to a third question gauging interest in future summits, with a majority indicating they would attend:

Question Yes No Not SureWould you attend a future summit? 86.2% 0% 13.8%

8 2009 Cybersecurity Summit Report

Conference Program

Monday, September 14, 2009

Session Time Session Details

7:30–8:30 a.m. Breakfast

7:30 a.m.–5:30 p.m. Registration Desk

8:30–8:45 a.m. Welcome and Introductions

8:45–9:45 a.m. Thinking Outside the Box

9:45–10:00 a.m. Refreshment Break

10:00–11:00 a.m. FBI Update

11:00 a.m.–12:00 noon Community Updates

12:00 noon–1:00 p.m. Lunch

1:00–2:00 p.m. Cybersecurity Policy Directions: Implications for Education and Research

2:00–3:00 p.m. Strategic Discussion on Cybersecurity Planning

3:00–3:15 p.m. Refreshment Break

3:15–4:15 p.m. Technical TrackServer Virtualization and Security: Dos and Don’ts

Operations/Management TrackReport from the NIST 800-53 Trenches

3:15–5:30 p.m. Emerging Topics TrackLosing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure Planning

4:15–5:30 p.m. Technical TrackIntrusion Detection: Getting to Know Bro

Operations/Management TrackFederated Identity Management: Challenges and Solutions

5:30–6:30 p.m. Reception

7:30–9:00 p.m. Birds-of-a-Feather Sessions

2009 Cybersecurity Summit Report 9

Tuesday, September 15, 2009

Session Time Session Details

7:30–8:30 a.m. Breakfast

7:30 a.m.–12:30 p.m. Registration Desk

8:30–9:30 a.m. Driving Security Improvements Through Research and Development

9:30–9:45 a.m. Refreshment Break

9:45–11:15 a.m. Technical TrackDomain Name System Security (DNSSEC): Lessons Learned and Deployment for Research Facilities

Operations/Management TrackDeveloping an Information Security Program: Addressing the NSF Cooperative Agreement

11:15–11:30 a.m. Break

11:30 a.m.–12:00 noon Town HallFuture Summit—What’s Next?

12:00 noon–12:30 p.m. Closing Remarks

10 2009 Cybersecurity Summit Report

Conference AttendeesJames F. AllanProgram DirectorNational Science FoundationArlington, VA USA(703) 2928581jallan@nsf.gov

William AltmireTelecommunications Branch ChiefNational Science FoundationArlington, VA USA(703) 2924201waltmire@nsf.gov

Mine AltunayOSG Security OfficerFermi National Accelerator LaboratoryBatavia, IL USA(630) 8406490maltunay@fnal.gov

Warren G. AndersonScientistUniversity of Wisconsin–MilwaukeeMilwaukee, WI USA(414) 5595366warren@gravity.phys.uwm.edu

Matthew ArrotteScience Program Manager, Calit2University of California, San DiegoLa Jolla, CA(858) 8225281marrott@ucsd.edu

Bill BakerResearch ProgrammerUniversity of Illinois at UrbanaChampaignUrbana, IL USA

James J. BarlowHead of Security Ops/Incident ResponseNational Center for Supercomputing ApplicationsUrbana, IL USA(217) 2446403jbarlow@ncsa.illinois.edu

Darren BennettChief Security OfficerSan Diego Supercomputer CenterLa Jolla, CA USA(858) 8225479dbennett@sdsc.edu

Benjamin BergersenUSAP Information Security ManagerNational Science FoundationArlington, VA(703) 2928051benjamin.bergersen@nsf.gov

Karan BhatiaComputer ScientistNEES Consortium, Inc.Summit, NJ USA(858) 9640653karan.bhatia@gmail.com

Richard BramanSenior Systems AdministratorIRISSeattle, WA USA(206) 5470393braman@iris.washington.edu

Thomas F. CarruthersProgram OfficerNational Science FoundationArlington, VA USA(703) 2927373tcarruth@nsf.gov

John W. CobbR&D Staff MemberOak Ridge National LaboratoryOak Ridge, TN USA(865) 5765439cobbjw@ornl.gov

Michael A. CornChief Privacy and Security OfficerUniversity of Illinois at UrbanaChampaignUrbana, IL USA(217) 2650588mcorn@uiuc.edu

Robert B. Dix Jr.Vice President, Government Affairs & CriticalInfrastructure ProtectionJuniper Networks, Inc.Herdon, VA USA(571) 2032687rdix@juniper.net

Walter DykasCyber Security Program Manager, Office of ScienceU.S. Department of EnergyGermantown, MD USA(301) 9038226walter.dykas@science.doe.gov

David EscalanteDirector of Computer Policy & SecurityBoston CollegeChestnut Hill, MA USA(617) 5526909david.escalante@bc.edu

Brian P. FairhurstAssociate Director, Management and AdministrationNational High Magnetic Field Laboratory (NHMFL)Tallahassee, FL USA(850) 6454864fairhurs@magnet.fsu.edu

Michael FlemingNetwork Sec AdminNational Optical Astronomy ObservatoryTucson, AZ USA(520) 3188496fleming@noao.edu

Cesar FloresComputer Group ManagerTexas A&M UniversityCollege Station, TX USA(979) 8458948flores@iodp.tamu.edu

Craig FoltzProgram Manager, Division of Astronomical SciencesNational Science FoundationArlington, VA USA(703) 2924909cfoltz@nsf.gov

Timothy FredrickSystem AdministratorUniversity Corporation for Atmospheric Research(UCAR)/NCARBoulder, CO(303) 4971498fredrick@ucar.edu

James M. GalvinDirector, Strategic Relationships and Technical StandardsAfiliasHorsham, PA USA(416) 6193045jgalvin@afilias.info

Clair W. GoldsmithSenior Advisor for Information TechnologyUniversity of Texas SystemAustin, TX USA(512) 4994334cgoldsmith@utsystem.edu

Steven GrandiManager, Computer Infrastructure Svcs/CIONational Optical Astronomy ObservatoryTucson, AZ USA(520) 3188228grandi@noao.edu

Seth HallNetwork Security EngineerThe Ohio State UniversityColumbus, OH USA(614) 2929721hall.692@osu.edu

David HalsteadAssistant Director, CIONational Radio Astronomy ObservatoryCharlottesville, VA USA(434) 2960292dhalstead@nrao.edu

Nakita HarrisGrant & Agreement SpecialistNational Science FoundationArlington, VA USA(703) 2922182nyharris@nsf.gov

2009 Cybersecurity Summit Report 11

Ardoth A. HasslerNSF Sr IT Advisor/Assoc VP Univ Info ServicesGeorgetown UniversityWashington, DC USA(202) 6871973hasslera@georgetown.edu

Victor HazlewoodSenior HPC Cyber Security AnalystOak Ridge National LaboratoryOak Ridge, TN USA(865) 5748312victor@ornl.gov

Shawn HenryAssistant Director, Cyber DivisionFederal Bureau of InvestigationWashington, DC USA(202) 3243000shawn.henry@ic.fbi.gov

James Babcock HughesSenior Scientific ProgrammerCerro Tololo Interamerican ObservatoryTucson, AZ USA(520) 3188277jhughes@ctio.noao.edu

Julio E. IbarraAssistant Vice PresidentFlorida International UniversityMiami, FL USA(305) 3484105julio@fiu.edu

Kathleen R. KimballSenior Director, ITS Security Operations andServicesThe Pennsylvania State UniversityState College, PA USA(814) 8639533krk5@psu.edu

Kenneth J. KlingensteinDirector, Internet2 Middleware and SecurityInternet2Longmont, CO(303) 5706098ken.klingenstein@colorado.edu

Scott L. KsanderCISO/Exec. Director IT Networks and SecurityPurdue UniversityWest Lafayette, IN USA(765) 4968289ksander@purdue.edu

Jay KuslerNSCLComputer Department HeadMichigan State UniversityEast Lansing, MI USA(517) 3248118kusler@nscl.msu.edu

Ronald R. LambertManagerCerro Tololo Interamerican ObservatoryTucson, AZ USA(520) 3188277rlambert@ctio.noao.edu

Matt LarsonVice President, DNS ResearchVeriSign, Inc.Dulles, VA USA(703) 9483239mlarson@verisign.com

Jeff S. LeitheadContracts and Agreements OfficerNational Science FoundationArlington, VA USA(703) 2924594jleithea@nsf.gov

Nick LockIS ManagerGemini ObservatoryLa Serena CHILE56 51 205623nlock@gemini.edu

Stefan LuedersDeputy Computer Security OfficerCERNGeneva SWITZERLAND41 22 767 4841stefan.lueders@cern.ch

Ruth MarinshawAssistant Vice Chancellor for Research ComputingUniversity of North Carolina at Chapel HillChapel Hill, NC USA(919) 9624314ruth@email.unc.edu

Paul MarkovitzBranch Chief, Security, Architecture, Policy and PlansNational Science FoundationArlington, VA USA(703) 2928150pmarkovi@nsf.gov

Cora B. MarrettActing Deputy DirectorNational Science FoundationArlington, VA USA(703) 2928001cmarrett@nsf.gov

Douglas MaughanProgram Manager, Cyber Security R&D, Science and Technology DirectorateUnited States Department of Homeland SecurityWashington, DC USA(202) 2546145douglas.maughan@dhs.gov

Ann F. MillerGrant & Agreement SpecialistNational Science FoundationArlington, VA USA(703) 2928709afmiller@nsf.gov

Paul MorrisProgram OfficerNational Science FoundationArlington, VA(703) 2924229pmorris@nsf.gov

Patrick MurphyComputing Security ManagerNational Radio Astronomy ObservatoryCharlottesville, VA USA(434) 2960372pmurphy+educause@nrao.edu

Margaret MurrayNet/Sec Research AssociateUniversity of Texas at AustinAustin, TX(512) 2327124marg@tacc.utexas.edu

Doug PearsonTechnical Director, RENISACIndiana UniversityBloomington, IN USA(812) 8553846dodpears@ren isac.net

Rodney J. PetersenGovernment Relations Officer and Director of Cybersecurity InitiativeEDUCAUSEWashington, DC USA(202) 3315368rpetersen@educause.edu

Dan PetersonESnet Security OfficerLawrence Berkeley National LaboratoryBerkeley, CA USA(510) 4867275drpeterson@es.net

Gene RackowCyberSecurity EngineerArgonne National LaboratoryArgonne, IL USA(630) 2527126rackow@mcs.anl.gov

Anthony S. RimovskyAssociate DirectorUniversity of Illinois at Urbana-ChampaignUrbana, IL USA(217) 4934551tsr@illinois.edu

Joseph RinkovskyUnix Systems SpecialistIUPUIIndianapolis, IN USA(317) 2786092jrinkovs@iupui.edu

12 2009 Cybersecurity Summit Report

Shannon RoddySecurity/Systems AdminCalifornia Institute of TechnologyLivingston, LA USA(225) 6863106sroddy@ligo la.caltech.edu

James A. RomeSecurity ConsultantOak Ridge National LaboratoryOak Ridge, TN USA(865) 4825643jar@ornl.gov

Scott RoseDNSSEC Project LeadNational Institute of Standards and TechnologyGaithersburg, MD USA(301) 9758439scottr@nist.gov

Pauline RothAssociate Director of AdministrationGemini ObservatoryHilo, HI USA(808) 9742508proth@gemini.edu

JeanRene RoyProgram Director NSF Large Facilities Projects GroupNational Science FoundationArlington, VA USA(703) 2924432jrroy@gemini.edu

Nigel SharpProgram DirectorNational Science FoundationArlington, VA USA(703) 2924905nsharp@nsf.gov

Abe SingerChief Security Officer, LIGO LabCalifornia Institute of TechnologyPasadena, CA USA(626) 3953065abe@ligo.caltech.edu

Patrick D. SmithManager, Technology Development, PolarResearch SupportNational Science FoundationArlington, VA USA(703) 2927455pdsmith@nsf.gov

Robin SommerResearch ScientistInternational Computer Science Institute (ICSI)Berkeley, CA USA(510) 6662886robin@icsi.berkeley.edu

Eugene H. SpaffordProfessor & Executive Director, CERIASPurdue UniversityWest Lafayette, IN USA(765) 4947805spaf@cerias.purdue.edu

Kristin SpencerContracting/Agreements OfficerNational Science FoundationArlington, VA USA(703) 2924585kspencer@nsf.gov

Jacqueline G. SteeleSenior Engineer High PerformanceComputing Security AssessmentsHigh Performance Computing Modernization Program OfficeLorton, VA USA(256) 5413705steelej@hpcmo.hpc.mil

Adam D. StonePolicy, Assurance, and Risk Management, OCIOLawrence Berkeley National LaboratoryBerkeley, CA USA(510) 4864650adstone@lbl.gov

George O. StrawnCIONational Science FoundationArlington, VA USA(703) 2928102gstrawn@nsf.gov

Kevin SullivanCoordinator for Special ProjectsPittsburgh Supercomputing CenterPittsburgh, PA USA(412) 2681555ksulliva@psc.edu

Denise SumikawaComputer Protection Program ManagerLawrence Berkeley National LaboratoryBerkeley, CA USA(510) 4865519dasumikawa@lbl.gov

David G. SwartzAssistant VP and CIOAmerican UniversityNW Washington, DC USA(202) 8852612dswartz@american.edu

Robert TawaDirector of ComputingThe National Ecological Observatory (NEON)Boulder, CO USA(720) 7464844rtawa@neoninc.org

Jon TruanInformation Systems Security SpecialistOak Ridge National LaboratoryOak Ridge, TN USA(865) 5749623truanjc@ornl.gov

William TurnbullAssociate CIO for Advanced TechnologyU.S. Department of EnergyWashington, DC USA(202) 5860166william.turnbull@hq.doe.govAngel M. VazquezSysAdmin/ConsultantNational Astronomy and Ionosphere CenterArecibo, PR USA(787) 8782612x304angel@naic.edu

Alan VerloNetwork EngineerUniversity of Illinois at ChicagoChicago, IL USA(312) 9963002verlo@uic.edu

Brian WeeChief of External AffairsThe National Ecological Observatory (NEON)Washington, DC USA(202) 5524707bwee@neoninc.org

Von WelchDirector, CyberSecurityNational Center for Supercomputing ApplicationsUrbana, IL USA(217) 2657139vwelch@uiuc.edu

Scott WiantSenior Data EngineerThe National Ecological Observatory (NEON)Boulder, CO USA(720) 7464851swiant@neoninc.org

Steven WoronaDirector of Policy & Networking ProgramsEDUCAUSEWashington, DC USA(202) 3315358sworona@educause.edu

2009 Cybersecurity Summit Report 13