Atlantic Council Cybersecurity Conference

The following was sent to me by Jacques Gansler, from the School of Public Policy, and I thought it might be of general interest so I'm re-posting here with his permission.

On Dec. 8th, I went to a Cyber Security conference that was seen by the "Atlantic Council" (I am a Director) and sponsored by SAIC, and held at the "Spy Museum".  (Mike adds: see http://www.acus.org/program/cyber-statecraft-initiative but there's no link for the conference event itself.)

Of course, I discussed the MC2 (including with SAIC key players-since they are one of our sponsors); but I was particularly impressed by the mix of attendees-- both U.S. and international; and both "wonks" (policy) and "geeks"(techies). Clearly, this topic is great, and widespread, interest (to industry, government, and academic-here and abroad).

The main messages that came out of the meeting were:

·         It is both a technical and (even more) a policy issues;
·         It requires senior-level government involvement and commitment (including of resources);
·         It must be multinational;
·         It must involve public/private partnerships (which is happening in some countries), but far too little in the US).

When the report (of the meeting) comes out, I'll send it around.

Cukier & Maimon's Research Highlighted

Michel Cukier and David Maimon have been conducting some impressive interdisciplinary cybersecurity research for some time now. For those of you who don't know them, Michel is an Associate Professor of Reliability Engieerning and David is an Assistant Professor of Criminology and Criminal Justice.

Michel and David are applying criminological concepts and research methods in the study of cybercrime and generating recommendations for IT managers to leverage to better prevent exploits on their own networks.

For more information see the below release, which was picked up by hundreds of other media outlets:

http://www.it.umd.edu/html/news/news_story.php?id=6141

Doug Maughan talk

Dr. Doug Maughan, Director, Cyber Security Division Department of Homeland Security, spoke at the Google Symposium on Thursday.  His talk was extremely well attended and generated quite a bit of discussion.


The slides for the talk are available here:


http://www.cs.umd.edu/~mwh/UMD-Google-Maughan-1Dec2011.pptx


One useful takeway from the talk is this: DHS is different from DARPA, NSA, and other DOD-based agencies in that its focus is to protect the homeland.  For cybersecurity, this means DHS absolutely has to work with companies, so that they can protect their assets, which in aggregate are the nation's assets.  This focus has a couple of consequences.

First, classified research is a non-starter, since companies may not have the necessary classifications, and indeed want to support the broader, non-classified marketplace.  All DHS-supported research is open.

Second, DHS considers it a success if it can make a security-related business viable, so that that business improves the nation's security.  Therefore, it has extensive SBIR and STTR programs to support businesses.  One key success story is Komoku, founded Maryland's own Bill Arbaugh; Komoku was bought by Microsoft a few years back.  Interestingly, the DHS policy is that they don't want any intellectual property: a DHS-supported company keeps that property but then must either commercialize, or release their code etc. open source.

The flip-side of the business focus is that DHS does not support basic research (6.1 research in DOD parlance).  Instead it supports applied research up through development and testing.  Doug pointed out that STTRs should be attractive to academics who can partner with companies.  And their general focus is attractive to those wishing to commercialize their academically developed technology.

Several technical areas that Doug mentioned that struck me: he felt that software was at the root of most, if not all, of the security problems that DHS is considering.  Better software will make a dent in all these problems.  He also called out usability and metrics as key, underexplored areas.  Finally, he said DHS has plans to consider privacy in FY13.  I observe that MC2 has strength in all these areas.

Particular slides in the talk I found very useful are slides 7, 14, 19, 22, and 38.

Overall it was an interesting talk.  Let me know if you have questions or ideas after you've looked at the slides.  I'm very interested to hear them!

Doug's BIO:


Branch Chief in Homeland Security Advanced Research Projects Agency (HSARPA) within the Science and Technology (S&T) Directorate of the Department of Homeland Security (DHS). Doug is directing the Cyber Security Research and Development activities at HSARPA. Prior to his appointment at DHS, Doug was a Program Manager in the Advanced Technology Office (ATO) of the Defense Advanced Research Projects Agency (DARPA) in Arlington, Virginia. His research interests and related programs were in the areas of networking and information assurance.


Prior to his appointment at DARPA, Doug worked for the National Security Agency (NSA) as a senior computer scientist and led several research teams performing network security research. Doug received bachelors degrees in Computer Science and Applied Statistics from Utah State University, a master's degree in Computer Science from Johns Hopkins University, and a PhD in Computer Science from the University of Maryland, Baltimore County (UMBC).


Doug's Blog:


See, e.g., I also found that Doug runs a blog; here's a recent post: http://blog.dhs.gov/2011/10/science-and-technology-directorate-wins.html

Cyberpoint

Just had a nice dinner with two engineers from Cyberpoint, a cybersecurity company located in Baltimore. One of them, Mike West, I've known since the two of us worked at ARINC nearly 20 years ago.  Cyberpoint seems to be doing really interesting things, with a culture that values research, and I'm optimistic that MC2 will find ways to work with them that benefit all parties.

Tudor Dumitras of Symantec

Tudor Dumitras of Symantec's Research Lab in Herndon, VA (near Dulles airport) gave a talk on Friday morning about Symantec's WINE (Worldwide Intelligence Network Environment) dataset.  


Slides for a longer version of the talk are available, but here's a brief synopsis.

WINE's data sets are collected primarily by Symantec’s anti-virus products installed on millions of hosts worldwide.  Collected data contains malware samples, A/V and IPS results (i.e., which positive signatures have been discovered, what IP address they were from, what process they were targeting, etc.), spam samples, and binary and URL reputation data.  The latter is gathered by tracking unknown binaries installed on a user's machine, or URLs visited, and then correlating those installs/visits with negative or positive behavior that ensues.  They also gather URL data with a web crawler that looks for web sites engaged in attacks such as drive-by downloads (also accessible at safeweb.norton.com).  They are in the process of adding data from Android Norton, too, and have included some open source data sets in the collection (e.g., the open source vulnerability database).

All of this data is available for periods of several years, enabling historical comparisons to be made.

Researchers access the data at Symantec's site in Herndon (or at another site in California) and set up experiment scripts aimed to be reproducible by running on virtual machines in tightly controlled environments.  So far the data has been used for a variety of purposes, e.g., tracking the dissemination of Stuxnet and a variant of it, and for the development of a "cyber benchmark" (work in progress with  Leyla Bilge), among other applications (which he didn't talk about).

If you are interested in this data set and potential collaborative research with Symantec Labs, please let me know.  I think this is an interesting opportunity.

Upcoming talks

The next Google seminar talk will be given on December 1 at 5:30pm by Douglas Maughan of DHS, titled "Current R&D Initiatives in Cybersecurity."  Details here: http://goo.gl/sMxza.


Another talk that may be of interest will be given in Arlington also on December 1 from 1-2pm by Prof. Fred B. Schneider of Cornell as part of the Air Force Office of Scientific Research (AFOSR) 60th anniversary celebration.  The title of the talk is not yet available, but I expect it will be about Fred's Blueprint for a Science of Cybersecurity. Registration for this talk is here http://events.SignUp4.com/AFOSRDecember-Schneider

DARPA Cyber Colloquium presentations

I just learned that DARPA's presentations from the Cyber Colloquium (which I blogged about earlier) are now available on-line.  I'd definitely recommend Dan Kaufman's slides, the first one listed.

GameSec 2011

Tomorrow is the start of the main sessions of GameSec 2011, organized by MC2 faculty John Baras and Jonathan Katz.  The following is an announcement from John Baras, the General Chair.

Dear MC2 colleagues and graduate students, 

I am very pleased to inform you that, thanks in part to support from MC2, you can attend the lectures in the upcoming GameSec 2011 Conference, November 13-14, at the Inn and Conference Center for free, even if you are not registered.  

You will not be able to participate in the welcoming reception, lunches and banquet without a Conference registration. If you wish to attend the lectures for free, please go to the Conference registration desk and get a special badge, which will allow you to attend the lectures only. 

Thanks and best regards,

John Baras 

General Chair 

DARPA Cyber Colloquium

I attended DARPA's Cyber Colloquium on Monday, November 7, 2011. This is a trip report of the event.

Most of the 700 attendees came from academia, industry, and government. The goal was a "frank discussion" between the attendees and DARPA on solutions to the problem of cybersecurity.

WIRED has written about the event, as has the Register. These two articles focus on the opening address by Dr. Regina Dugan, the Director of DARPA. I was impressed by the talk. She regularly returned to a vexing dichotomy. The benefits of Internet-connected software are enormous. But these benefits are threatened by the increasing regularity and impact of cyberattacks. As examples, this Popular Science article catalogues some of the most costly data breaches in history, including very recent, and disturbing, events.

Richard Clarke was an invited speaker. I found one of his vignettes particularly interesting. During the Cold War, the Soviets targeted our civilian infrastructure, e.g., steel production, railroads, etc. The military protected that infrastructure from attack. Today, much of our critical infrastructure is open to cyberattack, and a successful attack could have similarly devastating consequences. Yet companies are left to protect themselves even though there is little incentive to do a good job. If a power plant hooks up its SCADA system to the network, it is vulnerable to attack (as the INL experiments showed). But if it does not, it will be less efficient in its operation, leading to lost revenue. Facing this tradeoff, companies choose the revenue over security, and put the country at risk.

Bruce Potter of Ponte technologies was also a speaker, and he emphasized the need to go to the root of the problem: build better software. Rather than try to prevent access (think firewalls and antivirus companies' host-based security systems (HBSSs)) or make software defects harder to exploit (think ASLR or DEP) he suggests we go to the root of the problem: write better software. Ironically, HBSSs are so large now (10M LOC) that they regularly succumb to attack! I have worked on methods to build secure software, so Potter's plea resonated with me. But I've also come to understand that incentives and policy play an important role, e.g., to foster adoption. I think there is an opportunity for cross-disciplinary research here.

The afternoon was dedicated to current and future DARPA programs, explained by the PMs in charge.    Dr. Dugan pointed out in her speech that DARPA is spending upwards of $208M on cybersecurity research in FY12, up $88M from FY11, and hopes to increase spending by 8-12% per year. Defense Systems' summary has some verbage on these. Howie Shrobe, Tim Fraser, Kathleen Fisher, Drew Dean, and Dan Roelker all have, or will soon issue, programs aimed at producing highly reliable software. Dean's program was particularly interesting: turn verification problems into games, so that winning the game proves a property of software. Other programs contemplated means to detect and survive attack, inspired by the human immune system.

Welcome

I have been on the job for about two weeks as Director of Maryland's Cybersecurity Center (MC2).  Eric Chapman has been the Associate Director since September.  This our blog for all things MC2.

We are writing this blog primarily to MC2 faculty and affiliates.  Our goals are to keep you apprised of MC2-related activities, to report on events we attend when representing the Center, and to share some of our thoughts about the daunting problem of securing our computing infrastructure.  We hope you will find these posts useful.  We very much welcome your feedback and ideas.

We are currently revamping the MC2 web site and once that task is complete we will move this blog to be hosted at MC2.  Until then, this space will be the main source for MC2 news.