I attended DARPA's Cyber Colloquium on Monday, November 7, 2011. This is a trip report of the event.
Most of the 700 attendees came from academia, industry, and government. The goal was a "frank discussion" between the attendees and DARPA on solutions to the problem of cybersecurity.
WIRED has written about the event, as has the Register. These two articles focus on the opening address by Dr. Regina Dugan, the Director of DARPA. I was impressed by the talk. She regularly returned to a vexing dichotomy. The benefits of Internet-connected software are enormous. But these benefits are threatened by the increasing regularity and impact of cyberattacks. As examples, this Popular Science article catalogues some of the most costly data breaches in history, including very recent, and disturbing, events.
Richard Clarke was an invited speaker. I found one of his vignettes particularly interesting. During the Cold War, the Soviets targeted our civilian infrastructure, e.g., steel production, railroads, etc. The military protected that infrastructure from attack. Today, much of our critical infrastructure is open to cyberattack, and a successful attack could have similarly devastating consequences. Yet companies are left to protect themselves even though there is little incentive to do a good job. If a power plant hooks up its SCADA system to the network, it is vulnerable to attack (as the INL experiments showed). But if it does not, it will be less efficient in its operation, leading to lost revenue. Facing this tradeoff, companies choose the revenue over security, and put the country at risk.
Bruce Potter of Ponte Technologies was also a speaker, and he emphasized the need to go to the root of the problem: build better software. Rather than try to prevent access (think firewalls and antivirus companies' host-based security systems (HBSSs)) or make software defects harder to exploit (think ASLR or DEP), he suggests we address the root cause and write better software. Ironically, HBSSs are so large now (10M LOC) that they regularly succumb to attack! I have worked on methods to build secure software, so Potter's plea resonated with me. But I've also come to understand that incentives and policy play an important role, e.g., to foster adoption. I think there is an opportunity for cross-disciplinary research here.
The afternoon was dedicated to current and future DARPA programs, explained by the PMs in charge. Dr. Dugan pointed out in her speech that DARPA is spending upwards of $208M on cybersecurity research in FY12, up $88M from FY11, and hopes to increase spending by 8-12% per year. Defense Systems' summary has some verbiage on these. Howie Shrobe, Tim Fraser, Kathleen Fisher, Drew Dean, and Dan Roelker all have, or will soon issue, programs aimed at producing highly reliable software. Dean's program was particularly interesting: turn verification problems into games, so that winning the game proves a property of the software. Other programs contemplated means to detect and survive attack, inspired by the human immune system.