Homeland Security: Cyber Security R&D Initiatives
ACM CCS, Alexandria, VA, November 8, 2005
Dept. of Homeland Security Science & Technology Directorate
Douglas Maughan, Ph.D.
Program Manager, HSARPA
202-254-6145 / 202-360-3170
8 November 2005 2
General DHS Organization (prior to 7/13/05)
Secretary (Chertoff) & Deputy Secretary (Jackson)
Offices reporting to the Secretary: Coast Guard; Secret Service; Citizenship & Immigration & Ombuds; Civil Rights and Civil Liberties; Legislative Affairs; General Counsel; Inspector General; State & Local Coordination; Private Sector Coordination; International Affairs; National Capital Region Coordination; Counter-narcotics; Small and Disadvantaged Business; Privacy Officer; Chief of Staff
Directorates: Management (Hale); Information Analysis & Infrastructure Protection (Stephan, act.); Border & Transportation Security (Beardsworth, act.); Emergency Preparedness & Emergency Response (Paulison, act.); Science & Technology (McQueary)
Department of Homeland Security Organization Chart (proposed end state)
Secretary; Deputy Secretary; Chief of Staff; Executive Secretary; Military Liaison
Under Secretary for Policy; Under Secretary for Science & Technology; Under Secretary for Management; Under Secretary for Preparedness
Director, Transportation Security Administration; A/S Congressional & Intergovernmental Affairs; Assistant Secretary, Public Affairs; Inspector General; General Counsel; Chief Privacy Officer; Ombudsman, Citizenship & Immigration Services; Director, Civil Rights/Civil Liberties; Director of Counter Narcotics; Domestic Nuclear Detection Office; Screening Coordination Office; Director of Operations Coordination; Assistant Secretary, Office of Intelligence & Analysis; Labor Relations Board; Federal Law Enforcement Training Center
Commissioner, Immigration & Customs Enforcement; Commissioner, Customs & Border Protection; Director, Citizenship & Immigration Services; Director, FEMA; Director, US Secret Service; Commandant, US Coast Guard
Department of Homeland Security Organization Chart – Preparedness (proposed end state)
Under Secretary for Preparedness, with: Assistant Secretary for Grants and Training; Chief Medical Officer; Fire Administration; Assistant Secretary for Cyber & Telecommunications; National Capital Region Director; Assistant Secretary for Infrastructure Protection
Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
S&T Organization Chart
Under Secretary for Science & Technology (McQueary)
Office of Research and Development (McCarthy)
Office of Systems Engineering & Development (Kubricky)
Office of Plans, Programs and Requirements (Evans, act.)
Homeland Security Advanced Research Projects Agency (Kubricky, act.)
Science and Technology Directorate – Execution
Office of Research and Development: stewardship of an enduring capability (centers, fellowships, scholarships)
Homeland Security Advanced Research Projects Agency: innovation, adaptation, and revolution
Systems Engineering & Development: development engineering, production, and deployment
Crosscutting Portfolio Areas: Chemical; Biological; Radiological/Nuclear; High Explosives; Cyber Security; Critical Infrastructure Protection (CIP)
Legacy of HSARPA Name – How is it different from DARPA?
Differences:
85-90% of funds for identified DHS requirements
10-15% of funds for revolutionary research: breakthroughs, new technologies and systems
These percentages are likely to change over time, but we need to meet today’s requirements
HSARPA Funding
SCIENCE AND TECHNOLOGY DIRECTORATE FY05-06 Budget Execution Distribution (Dollars $M)

Portfolio                                                  FY 2005 Appropriation   FY 2006 Tentative   Delta
Biodefense/Bio Countermeasures                             362.7                   380.0               17.4
Chemical Countermeasures                                   53.0                    95.0                42.0
Conventional Missions                                      50.1                    80.0                29.9
Counter-MANPADS                                            61.0                    110.0               49.0
Critical Infrastructure Protection                         27.0                    40.8                13.8
Cyber Security                                             18.0                    16.7                -1.3
Emerging Threats                                           10.8                    8.0                 -2.8
High Explosives/Explosives Countermeasures                 19.7                    44.0                24.3
National Biodefense Analysis & Countermeasures Ctr (NBACC) 35.0                    -                   -35.0
Office of Interoperability and Compatibility               21.0                    26.5                5.5
Radiological and Nuclear (DNDO)                            122.6                   318.0               195.4
Radiological and Nuclear Countermeasures                   -                       19.1                19.1
Rapid Prototyping                                          76.0                    35.0                -41.0
Research and Development Consolidation                     -                       99.9                99.9
Safety Act                                                 10.0                    7.0                 -3.0
Standards                                                  39.7                    35.0                -4.7
Threat and Vulnerability Testing and Assessment            65.8                    43.0                -22.8
University Programs/Fellowships                            70.0                    63.0                -7.0
Grand Total                                                1,042.3                 1,421.0             378.7

HSARPA funding is allocated from appropriated line items
Cyber Security R&D Portfolio: Scope
We focus on threats and issues that warrant national-level concern
Asymmetric capabilities make cyberspace an appealing battleground for our adversaries
Cyberspace presents an avenue to exploit weaknesses in our critical infrastructures
The most significant cyber threats are very different from “script-kiddies” or virus writers: terrorism, organized crime, economic espionage
R&D Execution Model
Pre R&D: customers (NCSD, NCS, USSS, national documents; critical infrastructure providers; other sectors, e.g., Banking & Finance), CIP sector roadmaps, and workshops feed prioritized requirements into solicitation preparation
R&D: SBIRs, BAAs, DNSSEC, Cyber Security Assessment, SPRI, Emerging Threats, Rapid Prototyping, External (e.g., I3P)
R&D coordination – government & industry
Post R&D: experiments and exercises; outreach – venture community & industry
Supporting programs: PREDICT, DETER
Rapid Technology Application Program (RTAP)
Similar to the existing Technical Support Working Group (TSWG) approach
Requirements Generation Panel:
Identify general technology needs
Reduce collection of general needs
Explore issues and draft Statement of Requirements (SoR)
Write an SoR for each technology need in detail suitable for prototype procurement
Cyber Security RTAP Topics
#1 BOTNET Detection and Mitigation Tool Customer: IAIP/NCSD
#2 Exercise Scenario Modeling Tool Customer: IAIP/NCSD
#3 DHS Secure Wireless Access Prototype Customer: S&T OCIO
Pre-solicitation at http://www.hsarpabaa.com
HSARPA Cyber Security Broad Agency Announcement (BAA 04-17)
A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are:
To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure;
To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
http://www.hsarpabaa.com
BAA Technical Topic Areas (TTAs)
System Security Engineering
Vulnerability Prevention: tools and techniques for better software development
Vulnerability Discovery and Remediation: tools and techniques for analyzing software to detect security vulnerabilities
Cyber Security Assessment: develop methods and tools for assessing the cyber security of information systems
Security of Operational Systems
Security and Trustworthiness for Critical Infrastructure Protection:
1) Automated security vulnerability assessments for CI systems
2) Improvements in system robustness of critical infrastructure systems
3) Configuration and security policy management tools
4) Cross-platform and/or cross-network attack correlation and aggregation
BAA TTAs (continued)
Security of Operational Systems
Wireless Security: security tools/products for today’s networks; solutions and standards for next generation networks
Investigative and Prevention Technologies
Network Attack Forensics: tools and techniques for attack traceback
Technologies to Defend against Identity Theft: R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing
BAA Program / Proposal Structure
Type I (New Technologies) – Funding NTE 36 months: new technologies with an applied research phase, a development phase, and a deployment phase (optional)
Type II (Prototype Technologies) – Funding NTE 24 months: more mature prototype technologies with a development phase and a deployment phase (optional)
Type III (Mature Technologies) – Funding NTE 12 months: mature technology with a deployment phase only
NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS “customer” environments
BAA 04-17 Proposal Summary (Received / Funded)

TTA      Type I (36 months)   Type II (24 months)   Type III (12 months)   TOTAL
TTA-1    8 / 0                6 / 1                 3 / 0                  17 / 1
TTA-2    10 / 2               8 / 2                 1 / 0                  19 / 4
TTA-3    3 / 0                6 / 1                 0 / 0                  9 / 1
TTA-4    14 / 1               23 / 2                2 / 1                  39 / 4
TTA-5    9 / 2                7 / 0                 2 / 0                  18 / 2
TTA-6    4 / 1                6 / 1                 0 / 0                  10 / 2
TTA-7    8 / 1                10 / 2                0 / 0                  18 / 3
TOTAL    56 / 7               66 / 9                8 / 1                  130 / 17

http://www.hsarpabaa.com/; Solicitation Awards; BAA04-17 Awards
Small Business Innovative Research (SBIRs) http://www.hsarpasbir.com
CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES (SB04.2-001)
Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about “stealthy” sources and targets of attacks in a distributed fashion across multiple environments.
REAL-TIME MALICIOUS CODE IDENTIFICATION (SB04.2-002)
Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting “zero day attacks”, the first appearance of malicious code for which no known defense has been constructed.
SBIR FY05.2 Submission: Hardware-assisted System Security Monitoring
OBJECTIVE: This topic seeks technologies that provide a hardware-assist for the monitoring of system security. It is expected that the resulting solutions would be some type of inexpensive coprocessor board that would work with existing hardware and software, resulting in a system with much higher assurance than currently available. By putting the monitoring capability in hardware it is much more difficult for an attacker to disable this part of the system, because the board is isolated from potential remote attackers and would require physical access to compromise the hardware-assist board. This provides the owner/user technology that can monitor the security health of the system in near real-time, and will ensure that even when the machine is on but the user is not using it, the system is monitored and can even be "shut down" so unknown communications are not sent while the user is away. The hardware-assist system should have the capability to collect and store information for forensic purposes, and the system should also have the capability to report security related events to a central monitoring station.
Solicitation at http://www.hsarpasbir.com
DHS / NSF Cyber Security Testbed
“Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002:
We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry
One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and to produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies
DETER Testbed Architecture
DETER Testbed Schematic: 3 major sites (UCB, USC-ISI, Sparta); over 200 nodes
GOAL: By end of FY07 to have 1000 nodes distributed at possibly up to 6 sites
Components shown: 'Boss' server (user accounts & data logging, control DB, web/DB/SNMP, switch management); 'User' server (user files); node serial line server and power serial line server; power controller (160); programmable patch panel (VLAN switch) with N x 4 @ 1000bT data ports and N @ 100bT control ports; control network VLAN; Ethernet bridge with firewall; 'Gatekeeper' between the testbed and the Internet; experiment PCs
Cyber defense experiments run on a virtual Internet
PREDICT: A Protected REpository for Defense of Infrastructure against Cyber Threats
PREDICT Program Objective: “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”
Rationale / Background / Historical:
Researchers with insufficient access to data are unable to adequately test their research prototypes
Government technology decision-makers have no data to evaluate competing “products”
End Goal: Improve the quality of defensive cyber security technologies
Industry Workshop 2004
Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda
Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program
Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward
Develop a process by which “data” can be “regularly” collected and shared with the network security research community
ATTENDEES: AOL; UUNET; Verio (PREDICT participant); XO Comms; Akamai; Arbor Networks; System Detection; Cisco; PCH (PREDICT participant); Symantec; USC-ISI (PREDICT participant); Univ. of WA (PREDICT participant); CERT/CC; LBNL (PREDICT participant); Internet2 (PREDICT participant); CAIDA (PREDICT participant); Merit Networks (PREDICT participant); Citigroup
Data Collection Activities
Classes of data that are interesting, people want collected, and seem reasonable to collect:
Netflow
Packet traces – headers and full packet (context dependent)
Critical infrastructure – BGP and DNS data
Topology data
IDS / firewall logs
Performance data
Network management data (i.e., SNMP)
VoIP (1400 IP-phone network)
Blackhole monitor traffic
PREDICT Information: https://www.predict.org
Recent Workshop: http://www.hsarpacyber.com/public/PREDICT/
Internet Infrastructure Security Motivation
The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS
The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.
Domain Name System Security (DNSSEC) Program
DNSSEC Program Objective: “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”
Rationale / Background / Historical:
DNS is a critical component of the Internet infrastructure and was not designed for security
DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities
End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures
The Domain Name System
DNS database maps name to IP address, e.g., www.dhs.gov = 206.18.104.198, and many other mappings (mail servers, IPv6, reverse…)
Data organized as a tree structure (root; edu, mil, ru; darpa, isi, mil, usmc; nge, alpha): each zone is authoritative for its own data
Minimal coordination between zone operators
DNS Attacks
Attacks via and against the DNS infrastructure are increasing
Attacks are becoming costly and difficult to remedy
Consumer confidence in Internet accuracy is decreasing
Financial/large enterprises are seeing a significant increase in online attacks for fraudulent purposes:
Hijacking (virtual theft of domain names) – http://www.icann.org/announcements/hijacking-report-12jul05.pdf
Phishing (look-alike fraudulent emails and web sites)
Pharming (phishing combined with DNS attacks)
Other attacks include DNS name mismatches or browser tricks aimed at careless users
DNSSEC – What it provides
Provides an approach so DNS users can:
Validate that data they receive came from the correct originator, i.e., Source Authenticity
Validate that data they receive is the data the originator put into the DNS, i.e., Data Integrity
Approach integrates with existing server infrastructure and user clients
DNSSEC awareness by application:
Results of DNSSEC validation functions are provided to applications
Applications can take different actions based on DNSSEC validation results, e.g., won’t connect to www.bankofamerica.com without good validation but will connect to www.cnn.com without it
Examples: web browsers; email servers and clients
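The application-awareness point above, as an added example that is not part of the original slides or of the DNSSEC program: a validating resolver reports its verdict to the client in the AD (Authenticated Data) bit of the DNS header, and the application applies its own per-name policy to that verdict. The code parses the 12-byte header from wire-format bytes, builds two constructed responses (one validated, one not) as sample input, and encodes the slide's policy (strict for www.bankofamerica.com, lenient for www.cnn.com). The policy table, the helper names and the `resolver_trusted` parameter are assumptions made for the example.

```python
import struct
from typing import Dict, Tuple

# DNS header flag bits (RFC 1035, with AD/CD from RFC 4035) in the second
# 16-bit word of the 12-byte header.
FLAG_QR = 0x8000   # message is a response
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: the resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled: the client asked for no validation
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> Dict[str, object]:
    """Decode the fixed 12-byte DNS header from a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_response(ident: int, validated: bool, rcode: int = 0) -> bytes:
    """Construct a minimal response header (sections omitted); sample input only."""
    flags = FLAG_QR | FLAG_RA | (FLAG_AD if validated else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)


# Constructed policy table (assumption): which names the application refuses
# to use without a DNSSEC-validated answer. Names are the ones on the slide.
REQUIRE_VALIDATION = {
    "www.bankofamerica.com": True,
    "www.cnn.com": False,
}


def may_connect(name: str, response: bytes, resolver_trusted: bool) -> Tuple[bool, str]:
    """Apply the per-application policy to a resolver's answer.

    The AD bit only records what the resolver concluded. It is meaningful only
    when that resolver is trusted and the path to it is protected (local host
    or an authenticated channel); otherwise anything on the path could set the
    bit itself, so a strict application must not rely on it."""
    hdr = parse_header(response)
    if not hdr["is_response"] or hdr["rcode"] != 0:
        return False, "not a successful response"
    if not REQUIRE_VALIDATION.get(name, False):
        return True, "validation not required for this name"
    if not resolver_trusted:
        return False, "AD bit cannot be trusted from an untrusted resolver"
    if hdr["cd"]:
        return False, "checking was disabled, so no validation happened"
    if hdr["ad"]:
        return True, "answer was DNSSEC-validated by the resolver"
    return False, "answer was not validated; refusing to connect"


if __name__ == "__main__":
    good = build_response(0x1234, validated=True)
    bad = build_response(0x1235, validated=False)
    for name, resp in [("www.bankofamerica.com", good),
                       ("www.bankofamerica.com", bad),
                       ("www.cnn.com", bad)]:
        print(name, may_connect(name, resp, resolver_trusted=True))
```

The `resolver_trusted` branch is the caveat that matters in deployment: an application that consults the AD bit from an arbitrary network resolver has not validated anything itself, which is why strict clients either validate locally or talk to a validating resolver over a protected path.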
DNSSEC Initiative Activities
Roadmap published in February 2005: http://www.dnssec-deployment.org/roadmap.php
Multiple workshops held world-wide
DNSSEC testbed developed by: http://www-x.antd.nist.gov/dnssec/
Involvement with numerous deployment pilots
Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels
Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance
DNSSEC Design / Use: Secure DNS Guidance Documents
NIST 800 Series documents for operators and policy/decision makers:
Define the problem space
Outline BCP for securing current DNS operations
Guidelines for deployment and use of DNSSEC
Series of outreach efforts
Announcement from http://csrc.nist.gov/publications/drafts.html – August 11, 2005: Draft NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide; Request for Comments closed Sept. 29th, 2005
Secure Protocols for the Routing Infrastructure (SPRI)
BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet
BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows
The BGP architecture makes it highly vulnerable to human errors and malicious attacks against: links between routers; the routers themselves; management stations that control routers
Work with industry to develop solutions for our current routing security problems and future technologies
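To make concrete why "BGP determines the paths subscriber traffic follows" turns one wrong announcement into a traffic redirection, here is an added example that is not from the slides and not part of the SPRI program: a toy route table with longest-prefix-match selection, into which a legitimate /24 and a more-specific /25 for the same space from an unauthorized origin AS are announced. Without any check the /25 wins and traffic follows the wrong origin; with an origin check against an authorization list it is rejected. The prefixes, AS numbers and the `AUTHORIZED` list are constructed, and the check is modelled on route origin validation as an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path: Tuple[int, ...]   # AS numbers as received, origin AS last


def announce(prefix: str, origin_as: int, as_path: Tuple[int, ...]) -> Route:
    """Build a Route from a textual prefix (convenience for sample input)."""
    return Route(ipaddress.ip_network(prefix), origin_as, as_path)


# Constructed authorization list (assumption, not something the slide gives):
# (covered prefix, authorized origin AS, longest prefix length allowed).
AUTHORIZED = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, 24),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, 24),
]


def origin_status(route: Route) -> str:
    """'valid' if an authorization matches; 'invalid' if the prefix is covered
    by an authorization that does not match; 'unknown' if nothing covers it."""
    covered = False
    for prefix, asn, maxlen in AUTHORIZED:
        if route.prefix.subnet_of(prefix):
            covered = True
            if route.origin_as == asn and route.prefix.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering dst is used."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def accept_announcement(table: List[Route], route: Route) -> bool:
    """Install a route unless its origin is known to be unauthorized."""
    if origin_status(route) == "invalid":
        return False
    table.append(route)
    return True


def demo() -> dict:
    """A legitimate /24 and a /25 of the same space from an unauthorized
    origin; to the neighbours a configuration error and a hijack look alike."""
    legit = announce("203.0.113.0/24", 64500, (64496, 64500))
    rogue = announce("203.0.113.0/25", 64666, (64496, 64666))
    unchecked: List[Route] = [legit, rogue]     # no origin check at all
    checked: List[Route] = []
    accept_announcement(checked, legit)
    accept_announcement(checked, rogue)         # rejected as 'invalid'
    return {
        "unchecked_origin": select_route(unchecked, "203.0.113.10").origin_as,
        "checked_origin": select_route(checked, "203.0.113.10").origin_as,
        "rogue_status": origin_status(rogue),
    }


if __name__ == "__main__":
    print(demo())
```

The `maxlen` field is what stops an authorized origin from being impersonated with an ever more specific prefix; without it, a /25 from the right AS number would also pass. The "unknown" result for uncovered space shows the practical limit of any such check: it only protects prefixes whose owners have published an authorization.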
SPRI Activities To Date
Formation of government and industry “steering committee”: DHS, DOD, DOCommerce, NIST, ICANN, IETF
Held first industry requirements workshop; March 15-16, 2005 in WDC
Held second workshop on operational security; May 18-19, 2005 in Seattle in conjunction with NANOG
Held third workshop on registry operations; Sept. 13-14, 2005 in WDC; outputs submitted at recent ARIN mtg
Cyber Security Assessment Activities
Cyber Economics Study
Dept. of Treasury – “Key Business Processes in the event of a Crisis” Study
Economic Analysis of Cyber Security and Private-Sector Investment Decisions
The objective of the study is to investigate Internet stakeholders’ investment decisions for bolstering the security of their information technology (IT) networks.
To achieve the study objectives, RTI will
• review existing studies to assess the economics of cyber security,
• conduct a series of interviews within eight industry sectors to assess companies’ investment decisions related to securing their IT networks, and
• identify potential areas for government involvement and/or support for the deployment and adoption of existing cyber security technologies.
DHS/Cyber Security IMPACT
• DHS is interested in economic decisions that may lead to inadequate investment in cyber security measures.
• Better information on the costs and benefits of security technologies and adverse events will help inform private investment decisions.
• Understanding the public goods nature of Internet security may inform government’s involvement in cyber security.
SCHEDULE (months from award, 1 through 9)
Task 1: Convene Project Meeting
Task 2: Review Existing Economic Cybersecurity Studies and Methodology
Task 3: Interview Targeted Industries
Task 4: Enhance Approaches to Model the Economic Impacts of Cybersecurity
Task 5: Develop Industry Business Cases
Task 6: Identify Potential Motivation for and Types of Government Involvement
Milestones shown: Draft Questionnaire; Draft Report; Interim Deliverable; Final Report; Project Meetings
Prototyping of a Business Process Model (A Computer Simulation) of the Finance Sector
DESCRIPTION / OBJECTIVES / METHODS
- “Proof of Concept” activities are designed to assess initial technical and operational feasibility, including scoping and development of a concept of operations, before stakeholders invest substantial resources in full-scale development.
- Various private and public-sector stakeholders have determined the immediate operational need for this capability; it meets several gaps defined by the Treasury Department and sector-level coordinating councils.
- The research involves 4 phases: engage SMEs to help define the logical and physical extent of the sector at a high level; determine an appropriate subset of sector transactions to model as a proof of concept; use rapid prototyping to define simulation requirements; report on technical and operational feasibility
DHS/Cyber Security IMPACT
• This project addresses the requirement for a man-in-the-loop simulation that emulates sector-wide disruptions and their operational (business) impact.
• Sector-level simulation of impacts resulting from cyber and physical disruptions of business processes and transactions between critical entities in the Finance Sector will provide government and industry stakeholders and users with unique insight of operational risks, single points of failure, and mitigation strategies.
• Potential users include risk managers responsible for the operational health of the sector; also enterprise risk managers
BUDGET & SCHEDULE (tasks across FY05, FY06, FY07)
Proof of Concept (Feasibility)
Phase 1 Requirements Definition
Phase 1 Simulation Design
Phase 1 Implementation, Integration, Testing, and Roll-out
Rapid Prototyping – Authoritative SSL Auditing
PROJECT DESCRIPTION / OVERVIEW
Goal: Enable organizations to audit secure communications to prove policy compliance, investigate attacks, and arbitrate disputes.
Approach: Use a passive network device to record SSL traffic, sign it with a hardware security module, and open communications when necessary. Requires the cooperation of the original secure server to keep its keys secure. Web portal restricts access to authorized personnel.
Architecture shown: client machines (client application, SSL client) and server machines (server application, SSL server, KeyShield) connected through a network switch; an auditing device (recording application, signing application); an auditing portal (portal device)
• Status: Alpha Aug 15, 2005; Beta planned for Dec 15, 2005
• End Users: Information technology and security officers in government agencies and commercial organizations, especially those that need to comply with regulations such as HIPAA, FACTA, and Sarbanes-Oxley.
DHS/Cyber Security Impact
• Complete, authoritative records of electronic transactions
• Ensure users/organizations follow security policies
• Better investigate attacks and fraud over SSL
• All records remain confidential until specifically reviewed
• Very low total cost of ownership encourages adoption
BUDGET & SCHEDULE (tasks across FY05, FY06, FY07): Reqmnts. & Design; Alpha System; Beta System; Final System
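The "authoritative record" property of the recording-and-signing approach rests on the stored records being tamper-evident, so here is an added example, not the prototype's own code and not from the slides, of how a recorder can keep such a log: every captured record is hashed, each log entry is chained to the previous one, and each entry is signed. An HMAC with a key held only by the signer stands in for the hardware security module signature on the slide (an assumption of this example), and the records are constructed byte strings rather than recorded SSL traffic. A separately kept signed chain head lets a reviewer detect records trimmed off the end, which the chain alone cannot.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    record_hash: str   # SHA-256 of the captured record itself
    prev: str          # entry_hash of the previous entry (chain link)
    entry_hash: str    # SHA-256 over (seq, record_hash, prev)
    signature: str     # signer's MAC over entry_hash (HSM signature stand-in)


def _entry_hash(seq: int, record_hash: str, prev: str) -> str:
    return hashlib.sha256(f"{seq}|{record_hash}|{prev}".encode()).hexdigest()


def _sign(key: bytes, data: str) -> str:
    # Assumption: HMAC-SHA256 stands in for the hardware security module
    # signature; the key would never leave the module in the real design.
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    GENESIS = "0" * 64   # chain link of the first entry

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries: List[Entry] = []

    def append(self, record: bytes) -> Entry:
        """Hash a captured record, chain it to the last entry, sign, and store."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        record_hash = hashlib.sha256(record).hexdigest()
        seq = len(self.entries)
        entry_hash = _entry_hash(seq, record_hash, prev)
        entry = Entry(seq, record_hash, prev, entry_hash, _sign(self._key, entry_hash))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; kept (signed) apart from the log itself."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS


def verify(entries: List[Entry], records: List[bytes], key: bytes,
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from the stored records and check every signature.
    Returns (ok, sequence number of the first entry that fails)."""
    if len(entries) != len(records):
        return False, min(len(entries), len(records))
    prev = AuditLog.GENESIS
    for entry, record in zip(entries, records):
        if entry.prev != prev:                                   # link broken (deletion)
            return False, entry.seq
        if hashlib.sha256(record).hexdigest() != entry.record_hash:  # record modified
            return False, entry.seq
        if entry.entry_hash != _entry_hash(entry.seq, entry.record_hash, entry.prev):
            return False, entry.seq
        if not hmac.compare_digest(entry.signature, _sign(key, entry.entry_hash)):
            return False, entry.seq                              # not signed by our key
        prev = entry.entry_hash
    if expected_head is not None and prev != expected_head:      # trimmed at the end
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    key = b"constructed-signing-key"
    log = AuditLog(key)
    records = [b"session-1 bytes", b"session-2 bytes", b"session-3 bytes"]
    for r in records:
        log.append(r)
    print(verify(log.entries, records, key, log.head()))
    print(verify(log.entries, [records[0], b"altered", records[2]], key, log.head()))
```

Confidentiality of the records until review is a separate property that this log does not provide; the chain and signatures only guarantee that whatever was recorded is the record later presented.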
Emerging Threats – VME-DEP
Virtual Machine Environment - Detection and Escape Prevention
VME use is increasing in industry and government, and is starting to be used in classified networks
Goals of this project are to:
Gain a better understanding of where VMEs are used and for what purpose
Determine how an attacker might break the security models defined by a VME
Develop techniques for preventing those attacks
Develop a “secured” open source VME
Emerging Threats - NGCD: Next Generation Crimeware Defenses
Crimeware: Malicious software specifically designed to steal identity information and other associated financial information
Goals of this project are:
Gain an understanding of the nature of crimeware technologies and how to defend against their increasing sophistication
Collect and analyze crimeware samples
Build threat and vulnerability models based on the attack types and goals of stealing access credentials and identity information and correlated to popular computing environments
Develop a “secure computing environment”: web browser (based on open-source Mozilla), secure keyboard and embedded co-processor to proactively prevent crimeware
The Institute for Information Infrastructure Protection (I3P)
The I3P is a consortium of 24 academic and not-for-profit research organizations
The I3P embodies a concept developed in studies between 1998 and 2000 by PCAST, IDA, and OSTP
The I3P was formed in September 2001 and funded by congressionally appropriated funds assigned to Dartmouth College
DHS/S&T/HSARPA now oversees the I3P funding
$17.883 M Congressional Earmark for the Institute for Security Technologies Studies (ISTS) at Dartmouth College
Inherited from Office of Domestic Preparedness (ODP) during R&D consolidation activity
Other Activities – Institute for Infrastructure Protection (I3P)
Creation of two research plans for cyber security, one in Supervisory Control and Data Acquisition (SCADA) systems, and one in economic and policy issues
Two Independent Research Advisory Boards (RABs) established to review final research plans submitted for I3P support
Two-year, $8.5 million research program to protect SCADA systems in the oil and gas industry and other critical infrastructure sectors
Led by Sandia, comprises 10 research institutions with expertise in cyber security, risk management, and infrastructure systems analysis
Kickoff meeting held April 14-15 at Sandia National Laboratories’ Center for SCADA Security in Albuquerque
Attended by project researchers along with oil and gas experts from ChevronTexaco, Ergon Refining, Public Utility of New Mexico, and Williams
Provided training on SCADA hardware, software, and typical system configurations, as well as common threats and vulnerabilities associated with these systems
I3P Cyber Economics Project
Two project goals:
How to quantify the cost of cyber security and the effects of cyber attacks?
How to measure the effectiveness of current security tools and policies?
Three intertwined threads:
National perspective: views the information infrastructure as an element of national security, where cyber security incidents can disrupt, impair or destroy critical economic capabilities.
Enterprise or corporate perspective: considers the effects of degraded or destroyed infrastructure on the degree to which an enterprise can maintain its bottom line by developing and delivering products and services.
Technological perspective: addresses those technologies that protect the infrastructure, by deterring particular threats, preventing certain classes of attacks, or mitigating the consequences of attack.
Participants: RAND Corporation, University of Virginia, MIT Lincoln Laboratory, George Mason University, Dartmouth
Experiments and Exercises
Experiments:
U.S. / Canada Secure Blackberry Experiment – PSTP-agreed upon deployment activity
Oil and Gas Sector – working with DOE and industry
Finance Sector – CIDDAC
U.S. NORTHCOM – CWID 2005 (originally known as JWID)
Exercises:
National Cyber Security Exercise (Cyber Storm)
National Critical Infrastructure Exercise (NCIE) – exercise led by industry
US-CAN Secure Wireless Trial
Objective: Test effectiveness of US/Canadian cross-border secure wireless architecture to cope with real-time communication in a variety of scenarios
Technologies: PKI (S/MIME), identity-based encryption, enforcement of policy and compliance
Trial Activity:
July: U.S.-only initial four-day test period
October: Four-day test period with 35 activities and with 40+ participants acting out homeland security scenarios using BlackBerry devices
LOGI2C – Linking the Oil and Gas Industry to Improve Cybersecurity
LOGI2C is a 12-month technology integration and demonstration project driven by industry, supported by DHS
Technical goal: Attack indications and warnings through event analysis and correlation across business and process control networks
Approach: Identify new types of security sensors
for process control networks Adapt a best-of-breed correlation
engine to this environment Integrate in testbed and demonstrate Transfer technology to industry
BusinessNetwork
ProcessControlNetwork
LOGI2CCorrelationEngine
ExternalEvents
AttackIndicationsandWarnings
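The architecture on this slide (business-network events, process-control events and external advisories feeding one correlation engine that emits indications and warnings) can be sketched as a small correlation rule. The Python below is an added illustration, not LOGI2C code: the record format, the host names, the historian hist-01 assumed to bridge the two networks, the ten-minute window and the 24-hour advisory horizon are all assumptions, and the event feeds are constructed for the example.

```python
"""Toy cross-network event correlation in the spirit of the LOGI2C diagram.

Events from the business network, the process control network and an
external advisory feed are normalized into one timeline; a small rule then
turns a business-network alert followed by process-control activity on the
same asset into an attack indication or warning. Everything here is an added
illustration: the record format, host names, the 'hist-01' historian that is
assumed to bridge the two networks and the correlation window are all
assumptions, not LOGI2C data or code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "business", "process_control" or "external"
    host: str     # asset the event concerns ("-" for external advisories)
    kind: str     # normalized event type
    detail: str   # free text from the originating sensor


def parse_line(line: str) -> Event:
    """Parse the constructed 'ts|source|host|kind|detail' record format."""
    ts, source, host, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), source, host, kind, detail)


# Constructed sample feeds (not real data).  hist-01 is the assumed historian
# that sits between the business and process control networks.
SAMPLE_LINES = [
    "2005-11-08T09:00:00|external|-|advisory|Worm targeting SMB on Windows hosts",
    "2005-11-08T09:12:10|business|ws-042|malware_alert|AV quarantine failed",
    "2005-11-08T09:14:05|business|hist-01|ids_alert|SMB exploit attempt from ws-042",
    "2005-11-08T09:15:30|process_control|hist-01|new_connection|hist-01 -> plc-07:502",
    "2005-11-08T09:15:45|process_control|plc-07|setpoint_write|unscheduled write from hist-01",
    "2005-11-08T13:40:00|process_control|plc-03|setpoint_write|scheduled write from hmi-02",
]

WINDOW = timedelta(minutes=10)          # assumed: business alert -> PCN activity
ADVISORY_HORIZON = timedelta(hours=24)  # assumed: how long an advisory stays "active"


def correlate(events, window=WINDOW):
    """Return a list of (severity, message, event_chain) indications/warnings.

    Rule: a process-control event on host H counts as an indication when a
    business-network alert about H, or about a host named in the event's
    detail text, occurred within `window` before it.  Setpoint writes are
    rated high because they change the physical process; an active external
    advisory is noted so the analyst sees the outside context.
    """
    events = sorted(events, key=lambda e: e.ts)
    business = [e for e in events if e.source == "business"]
    advisories = [e for e in events if e.source == "external"]
    warnings = []
    for pc in (e for e in events if e.source == "process_control"):
        # hosts this event touches: its own plus any name in the detail text
        # ("hist-01 -> plc-07:502" names hist-01 and plc-07)
        touched = {pc.host} | {tok.split(":")[0] for tok in pc.detail.split()}
        precursors = [b for b in business
                      if b.host in touched and timedelta(0) <= pc.ts - b.ts <= window]
        if not precursors:
            continue
        severity = "high" if pc.kind == "setpoint_write" else "medium"
        advisory_active = any(timedelta(0) <= pc.ts - a.ts <= ADVISORY_HORIZON
                              for a in advisories)
        chain = [b.kind for b in precursors] + [pc.kind]
        hosts = ", ".join(sorted({b.host for b in precursors}))
        message = (f"{pc.ts.isoformat()} {pc.host}: business-network alert on "
                   f"{hosts} followed by {pc.kind} ({pc.detail})")
        if advisory_active:
            message += " [external advisory active]"
        warnings.append((severity, message, chain))
    return warnings


def run_sample():
    """Correlate the constructed feeds; used by the demo and the checks."""
    return correlate(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for severity, message, chain in run_sample():
        print(f"{severity.upper():6} {message}  chain={' -> '.join(chain)}")
```

On the constructed feeds the rule raises two indications (the IDS alert on the historian followed by its new Modbus-port connection, then the unscheduled setpoint write on plc-07) and stays silent on the scheduled write from the HMI, which has no business-network precursor. The design choice worth noting is that correlation keys on the asset that bridges the two networks: that is the sensor placement the slide's "new types of security sensors for process control networks" point is about.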
LOGI2C Partners
• LOGI2C is a model for how DHS S&T and industry can work together in a public-private partnership to address a critical R&D need
• Industry contributes
  • Requirements and operational expertise
  • Project management
  • Product vendor channels
• DHS S&T contributes
  • Independent researchers with technical security expertise
  • Testing facilities
S&T and Cyber Storm
• Exercise objectives
  • To incorporate elements of cyber defense and response technology into the exercise, moving it gradually away from the “table top” format
  • To socialize the DETER test bed with the exercise participants and make them aware of its capability and its potential value to their respective organizations
• Success criteria: recognizing the complexity of the exercise and its key focus, S&T would consider its objective met if the DETER test bed were used in the planning of the exercise (to lend realism to scenario elements) and if one or more sessions could be arranged during the exercise where the players could see the test bed in action, being used to test exercise-relevant problems or decisions. The session(s) should show the value of the tool and add defensive technology to the exercise.
National Critical Infrastructure Exercise (NCIE)
• Exercise is co-managed by BearingPoint and Yoran Associates
• Funded by the private sector, with public/private technology demonstrations
• Objectives
  • Conduct a private sector exercise
  • Exercise threat scenarios against SCADA operations
  • Test and evaluate organizational plans, policies, and procedures
  • Capture performance data to evaluate Critical Infrastructure Resiliency metrics and models – U.S. comparison against other countries
• Primary participants: senior operations managers and corporate executives from the utility/energy sector
• Secondary participation: industry collaboration groups, government agencies, first responders, and others identified by primary participants during planning
Commercial Outreach Strategy
• Emerging Security Technology Forums (ESTF): assist commercial companies in providing technology to DHS and other government agencies
• DHS Mentor / Protégé program: assist DHS S&T-funded researchers in transferring technology to larger, established security technology companies
• Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures
[Diagram: Government Funder/Customer, DHS Researchers, Emerging Commercial Companies, Established Commercial Companies and Commercial Customers]
Emerging Security Technology Forum
• ESTF held April 13-14, 2005 in Arlington, VA
• Opportunity to introduce government representatives to smaller-sized information security technology vendors with innovative technology approaches
• For this ESTF, vendors presented and demonstrated current and emerging information security technologies that defend against DDoS and worm attacks
• Next ESTF to be held in May 2006
  • Topic: Identity Management technologies
  • Audience will include industry and government
Emerging Security Technology Forum
• Arbor Networks
• CounterStorm, Inc.
• Cs3, Inc.
• CyberShield Networks, Inc.
• Determina, Inc.
• ForeScout Technologies
• IntruGuard Devices, Inc.
• Kerio Technologies
• netZentry, Inc.
• Prolexic Technologies
• Q1 Labs Inc.
• Top Layer Networks, Inc.
• V-Secure Technologies
DHS Mentor/Protégé Program
• Objective: provide start-up emerging security companies with mentor support in sales & marketing to government
• Existing Mentor/Protégé programs in government are procurement oriented. The new S&T Mentor/Protégé program will focus on rapidly transitioning cyber security technologies into government through existing relationships.
• Mentors will be large, established government contractors with cyber security experience
• Protégés will provide innovative cyber security technology. There are no set-aside requirements (e.g. disadvantaged, HUBZone business)
• Selection process
  • The Cyber Security R&D Center will solicit government/industry technology requirements to identify gaps in the US cyber infrastructure.
  • These requirements will guide selection of mentors. Protégés with technology to meet infrastructure gaps will be proposed to the mentors by the Center.
ITTC – The DHS-SRI Identity Theft Technology Council
• ITTC is a revived and expanded Silicon Valley expert group originally convened by the U.S. Secret Service
• Experts and leaders from
  • Government
  • Financial and IT sectors
  • Venture capital
  • Academia and science
• ITTC works closely with the Anti-Phishing Working Group (APWG)
• Consultant and ITTC Coordinator: Robert Rodriguez, retired head of the Secret Service Field Office in San Francisco
• The ITTC was formed in April and has four active working groups
  • Phishing Technology Report
  • Data collection and sharing
  • Future threats
  • Development and deployment
Tackling Cyber Security Challenges: Business Not as Usual
• Strong mission focus (avoid mission creep)
• Close coordination with other Federal agencies
• Outreach to communities outside of the Federal government
• Building public-private partnerships (the industry-government *dance* is a new tango)
• Strong emphasis on technology diffusion and technology transfer
• Migration paths to a more secure infrastructure
• Awareness of economic realities
Summary
• DHS S&T is moving forward with an aggressive cyber security research agenda
• Working with industry to solve the cyber security problems of our current infrastructure: DNSSEC, Secure Routing
• Working with academe and industry to improve research tools and datasets: DHS/NSF Cyber Security Testbed, PREDICT
• Looking at future RDT&E agendas with the most impact for the nation: SBIRs, BAA 04-17, RTAP
Other Areas of Interest (were $ available)
• Cyber Situational Awareness – Indications & Warnings
• Insider Threat Detection & Mitigation
• Information Privacy Technologies
• Large-scale network survivability, rapid recovery and reconstitution
• Secure operating systems (open source)
• Network modeling and simulation – security policy reconfiguration impact on networks
• Highly scalable identity management
Douglas Maughan, Ph.D.
Program Manager, HSARPA
202-254-6145 / 202-360-3170