Dept. of Homeland Security Science & Technology Directorate Priorities in Security Research Funding ACM CCS Washington, DC October 26, 2004 Douglas Maughan, Ph.D. Program Manager, HSARPA douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170
Presentation Agenda • DHS Overview • Cyber Security R&D Overview • Cyber Security R&D Activities • National Strategy to Secure Cyberspace • Secure Domain Name System (DNSSEC) • Secure Protocols for the Routing Infrastructure • DHS / NSF Cyber Security Testbed • Large-scale Network Security Datasets • Cyber Economic Assessment studies • “New” Activities
General DHS Organization (org chart) • Secretary (Ridge) & Deputy Secretary (Loy) • Directorates: Management (Hale); Science & Technology (McQueary); Border & Transportation Security (Hutchinson); Emergency Preparedness & Response (Brown); Information Analysis & Infrastructure Protection (Libutti) • Also reporting to the Secretary: Coast Guard; Secret Service; Citizenship & Immigration (Services and Ombudsman); Civil Rights and Civil Liberties; Legislative Affairs; General Counsel; Inspector General; State & Local Coordination; Private Sector Coordination; International Affairs; National Capital Region Coordination; Counter-narcotics; Small and Disadvantaged Business; Privacy Officer; Chief of Staff
Border and Transportation Security (BTS) • Mission: Securing our nation's air, land, and sea borders is a difficult yet critical task. The United States has 5,525 miles of border with Canada and 1,989 miles with Mexico. Our maritime border includes 95,000 miles of shoreline. Each year, more than 500 million people cross the borders into the U.S., some 330 million of whom are non-citizens. • CBP – Customs and Border Protection • ICE – Immigration and Customs Enforcement • TSA – Transportation Security Administration • APHIS – Animal and Plant Health Inspection Service • ODP – Office for Domestic Preparedness
Emergency Preparedness & Response • Mission: Ensure that our nation is prepared for catastrophes - whether natural disasters or terrorist assaults. Not only will the EP&R Directorate coordinate with first responders, it will oversee the federal government's national response and recovery strategy. • FEMA – Federal Emergency Management Agency • NIRT – Nuclear Incident Response Teams • DES – Domestic Emergency Support • NDPO – National Domestic Preparedness Office
Information Analysis and Infrastructure Protection (IAIP) – our main internal DHS customers • Mission: Ensure the capability to identify and assess current and future threats to the homeland, map those threats against our vulnerabilities, issue timely warnings and take preventive and protective action to secure the national infrastructures. • NCSD – National Cyber Security Division • NCS – National Communications System • PSD – Physical Security Division • ICD – Infrastructure Coordination Division
Science and Technology (S&T) Mission Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
S&T Organization Chart Under Secretary for Science & Technology (McQueary) Office of Plans Programs and Budgets (Albright) Homeland Security Advanced Research Projects Agency (Oxford) Office of Systems Engineering & Development (Kubricky) Office of Research and Development (McCarthy)
Crosscutting Portfolio Areas • Chemical • Biological • Radiological • Nuclear • High Explosives • Cyber Security • USSS • Paul Mahon, Portfolio Manager
Science and Technology Directorate (diagram) • Office of Research and Development – "Stewardship of an enduring capability": laboratories, universities, centers, fellowships, scholarships • Homeland Security Advanced Research Projects Agency – "Innovation, Adaptation, & Revolution": industry, universities, laboratories • Systems Engineering & Development – "Development Engineering, Production, & Deployment": industry • Execution support shown as GFE / GFI (government-furnished equipment / information)
Legacy of HSARPA Name – How is it different from DARPA? • Differences • 85-90% of funds for identified DHS requirements • 10-15% of funds for revolutionary research • Breakthroughs • New technologies and systems • These percentages are likely to change over time, but we need to meet today's requirements
Presentation Agenda • DHS Overview • Cyber Security R&D Overview • Cyber Security R&D Activities • National Strategy to Secure Cyberspace • Secure Domain Name System (DNSSEC) • Secure Protocols for the Routing Infrastructure • DHS / NSF Cyber Security Testbed • Large-scale Network Security Datasets • Cyber Economic Assessment studies • “New” Activities
Cyber Security R&D Portfolio: Scope • The Internet serves a significant underlying role in many of the Nation’s critical infrastructures • Communications, monitoring, operations and business systems • Adversaries face asymmetric offensive / defensive capabilities with respect to traditional warfare • Makes cyberspace an appealing battleground • Cyberspace provides the ability to exploit weaknesses in our critical infrastructures • Provides a fulcrum for leveraging physical attacks • The most significant cyber threats to the nation are very different from “script-kiddies” or virus writers • DHS S&T focus is on those threats and issues that warrant national-level concerns
Cyber Security R&D process (diagram): requirements flow from customers through Pre-R&D, R&D and Post-R&D and back to the same customers. • Customers: NCSD, NCS, USSS, critical infrastructure providers, other sectors (e.g., Banking & Finance) • Elements shown: National Documents; Workshops; Prioritize requirements; Sector Roadmaps; R&D Coordination (Government & Industry); Solicitation Preparation; BAA; SBIR; Supporting Programs (PREDICT, DETER, Cyber Security R&D Center); DNSSEC; SPRI; Cyber Economics; Future Programs; Experiments and Exercises; Outreach (Venture Community & Industry)
Post Research Activities • Experiments • U.S. / Canada Secure Blackberry Experiment • 3 phase homeland security deployment activity • Includes industry participants from both countries • Oil and Gas Sector • Sector workshop in late July • Expected to lead to technology pilot deployments • Department of Treasury • FS ISAC, FSSCC, Numerous sector participants • Technology pilot organization in process
Post Research Activities (continued) • Exercises • National Exercise Plan (managed by DHS ODP) • National Cyber Security Exercise as part of NEP • Several regional cyber security tabletop exercises • Others • U.S. NORTHCOM • Unified Defense 05 / TOPOFF 3 • CWID 2005 (originally known as JWID)
DHS S&T Commercial Outreach Strategy (diagram shows Government, Established Commercial Companies, DHS Researchers and Emerging Commercial Companies) • Assist commercial companies in providing cyber security technology to DHS and other government agencies • Assist DHS S&T-funded researchers in transferring cyber security technology to larger, established security technology companies • Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures • We will work with the VCs to: • Focus on bringing innovation to the marketplace • Accelerate development and deployment • Provide orders-of-magnitude leverage of DHS R&D funding • We will partner with the VCs, not compete with them • Work with many VCs and portfolio companies • Provide liaison and bridge activities • We do not invest for equity
Presentation Agenda • DHS Overview • Cyber Security R&D Overview • Cyber Security R&D Activities • National Strategy to Secure Cyberspace • Secure Domain Name System (DNSSEC) • Secure Protocols for the Routing Infrastructure • DHS / NSF Cyber Security Testbed • Large-scale Network Security Datasets • Cyber Economic Assessment studies • “New” Activities
Domain Name System and Security • Critical Internet infrastructure component • Virtually every Internet application uses the DNS • DNS database maps: • Name to IP address • (for example: www.isi.edu = 128.9.176.32) • And many other mappings (mail servers, IPv6, reverse…) • DNS threats identified in early 1990s • DNSSEC • Cryptographic signatures in the DNS • Assures integrity of results returned from DNS queries • Protects against tampering in caches and during transmission • End-system checks the chain of signatures up to the root
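The slide's last three bullets describe the whole DNSSEC validation model: a parent vouches for a child's key (DS record), each zone signs its own records, and the resolver walks the chain from a trust anchor at the root down to the answer. The following Python example is added here to show that walk concretely; it is not code from the presentation or from any DHS program. Real DNSSEC uses RSA/ECDSA keys in DNSKEY records and RRSIG signatures; to stay runnable offline with the standard library this example substitutes Lamport one-time signatures (hash based, one message per key) and signs each zone's record set as one message. The zone names, the `www.isi.edu` = `128.9.176.32` mapping from the slide, the attacker address `203.0.113.9` and all keys are constructed for the example.

```python
"""Chain-of-trust validation in the style of DNSSEC (added example, stdlib only).

Real DNSSEC publishes RSA/ECDSA keys in DNSKEY records, signatures in RRSIG
records and key digests in DS records at the parent. Here a Lamport one-time
signature stands in for the signature scheme; the validation walk
(trust anchor -> DS -> child key -> signed record) is what the slide describes.
All names, addresses and keys are constructed for this example.
"""
import copy
import hashlib
import os
from typing import Dict, List, Optional, Tuple


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (stand-in for RSA/ECDSA RRSIGs) -------------
def keygen() -> Tuple[List[List[bytes]], List[List[bytes]]]:
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes) -> List[bytes]:
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig: Optional[List[bytes]]) -> bool:
    if sig is None or len(sig) != 256:
        return False
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


def ds_digest(owner: str, pk) -> str:
    """DS-style digest of a zone key, published by the parent zone."""
    return H(owner.encode() + b"".join(x for pair in pk for x in pair)).hex()


class SignedZone:
    """One zone: its key, its records ("TYPE:owner" -> rdata) and one signature
    over the canonical form of all records (one message, hence one Lamport key)."""

    def __init__(self, name: str):
        self.name = name
        self.sk, self.pk = keygen()
        self.records: Dict[str, str] = {}
        self.sig: Optional[List[bytes]] = None

    def canonical(self) -> bytes:
        body = "\n".join(f"{k}={v}" for k, v in sorted(self.records.items()))
        return f"{self.name}\n{body}".encode()

    def finalize(self) -> None:
        self.sig = sign(self.sk, self.canonical())


def build_example():
    """Constructed root -> edu. -> isi.edu. hierarchy; returns (zones, trust anchor)."""
    root, edu, isi = SignedZone("."), SignedZone("edu."), SignedZone("isi.edu.")
    isi.records["A:www.isi.edu."] = "128.9.176.32"            # the slide's example mapping
    edu.records["DS:isi.edu."] = ds_digest(isi.name, isi.pk)  # parent vouches for child key
    root.records["DS:edu."] = ds_digest(edu.name, edu.pk)
    for z in (isi, edu, root):
        z.finalize()
    zones = {z.name: z for z in (root, edu, isi)}
    return zones, ds_digest(root.name, root.pk)               # root key digest = trust anchor


def validate(qname: str, qtype: str, zones, trust_anchor: str):
    """Walk from the root to the zone holding qname, checking each zone key against
    the DS (or trust anchor) above it and each zone's signature over its records.
    Returns (rdata, reason); rdata is None when validation fails."""
    labels = qname.rstrip(".").split(".")
    cuts = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    zone_cuts = [c for c in cuts if c in zones]
    expected = trust_anchor
    for i, cut in enumerate(zone_cuts):
        zone = zones[cut]
        if ds_digest(zone.name, zone.pk) != expected:
            return None, f"{cut}: key does not match parent DS / trust anchor"
        if not verify(zone.pk, zone.canonical(), zone.sig):
            return None, f"{cut}: signature verification failed"
        rdata = zone.records.get(f"{qtype}:{qname}")
        if rdata is not None:
            return rdata, "validated via " + " -> ".join(zone_cuts[: i + 1])
        if i + 1 < len(zone_cuts):
            expected = zone.records.get(f"DS:{zone_cuts[i + 1]}")
            if expected is None:
                return None, f"{cut}: no DS for {zone_cuts[i + 1]}"
    return None, "no validated record"


# --- Two cache-tampering scenarios the chain must reject --------------------
def tampered_record(zones):
    """Attacker rewrites the cached A record but cannot re-sign the zone."""
    z = copy.deepcopy(zones)
    z["isi.edu."].records["A:www.isi.edu."] = "203.0.113.9"
    return z


def attacker_resigned(zones):
    """Attacker substitutes a whole zone signed with a key of their own."""
    z = copy.deepcopy(zones)
    evil = SignedZone("isi.edu.")
    evil.records["A:www.isi.edu."] = "203.0.113.9"
    evil.finalize()
    z["isi.edu."] = evil
    return z


if __name__ == "__main__":
    zones, anchor = build_example()
    cases = (("genuine", zones), ("tampered record", tampered_record(zones)),
             ("attacker-signed zone", attacker_resigned(zones)))
    for label, zs in cases:
        print(f"{label:22} -> {validate('www.isi.edu.', 'A', zs, anchor)}")
```

The two failure cases map onto the slide's "tampering in caches and during transmission": a rewritten record breaks the zone signature, and a re-signed zone breaks the DS link from its parent, so neither can be validated from the root trust anchor.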
Activities To Date • Formation of ad-hoc government and industry "steering committee" • Two workshops in early and late May • 3 May: Amsterdam – as part of the RIPE agenda • 23 May: San Francisco – affiliated with NANOG • Attendees included: DNS software developers, DNS root operators (U.S. and international), government network operators, and numerous other stakeholders • Initial R&D funding – NIST, industry • Future Activities • Pilot deployments of DNSSEC on the .us and .gov networks
Secure Protocols for the Routing Infrastructure (SPRI) • BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet • BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows • The BGP architecture makes it highly vulnerable to human errors and malicious attacks against • Links between routers • The routers themselves • Management stations that control routers • Working with industry to develop solutions for our current routing security problems and future technologies
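The slide states that BGP "determines the paths subscriber traffic follows" and is vulnerable to errors and attacks, but does not show what that looks like. The Python example below is added to illustrate one concrete case: a bogus more-specific prefix announced from the wrong origin AS wins longest-prefix match and captures the traffic, and a route-origin check discards it. This is not code from the presentation or from the SPRI effort; the authorization table is modelled loosely on an RPKI ROA (prefix, origin AS, maximum length), a mechanism that postdates this 2004 talk, and every prefix, AS number and announcement is constructed for the example.

```python
"""Route-origin check for BGP announcements (added example, not from the talk).

Shows a bogus more-specific prefix winning longest-prefix match, and a validator
that rejects announcements whose origin AS is not authorized for the prefix.
The authorization table is loosely modelled on RPKI ROAs; all data is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed authorizations: prefix -> (authorized origin AS, maximum prefix length)
AUTHORIZED: Dict[str, Tuple[int, int]] = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64500, 24),
}

# Constructed announcements as (prefix, AS path); the origin AS is the last element
ANNOUNCEMENTS: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24", [64511, 64500]),   # legitimate route
    ("192.0.2.0/25", [64511, 64666]),   # bogus more-specific from another AS
    ("198.51.100.0/24", [64500]),       # legitimate, within the maximum length
    ("198.51.100.0/26", [64500]),       # right AS but more specific than allowed
    ("203.0.113.0/24", [64512]),        # no authorization on file
]


def origin_state(prefix: str, origin_as: int) -> str:
    """'valid', 'invalid' or 'unknown' for an announcement's origin AS."""
    net = ipaddress.ip_network(prefix)
    covering = [(asn, maxlen) for p, (asn, maxlen) in AUTHORIZED.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"            # nothing on file: cannot judge, do not drop
    if any(asn == origin_as and net.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"                # covered by an authorization that this origin violates


def select_route(dst: str, announcements, drop_invalid: bool) -> Optional[Tuple[str, List[int]]]:
    """Longest-prefix match over the announcements, optionally discarding
    origin-invalid ones first. Returns (prefix, as_path) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in announcements:
        if drop_invalid and origin_state(prefix, path[-1]) == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None
                            or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, path)
    return best


if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:18} origin AS{path[-1]:<6} {origin_state(prefix, path[-1])}")
    for drop in (False, True):
        label = "origin check on " if drop else "no origin check "
        print(label, select_route("192.0.2.10", ANNOUNCEMENTS, drop))
```

Without the check, traffic to 192.0.2.10 follows the /25 announced by AS64666; with it, the /24 from the authorized origin is selected. The check says nothing about path tampering or about attacks on the routers and management stations the slide also lists, which is why origin validation alone does not close the problem.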
DHS / NSF Cyber Security Testbed • “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002 • We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures • Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry. • One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology • The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies
Architectural Plan • Construct a homogeneous emulation cluster based upon University of Utah’s Emulab • Implement network services – DNS, BGP • Add containment, security, and usability features to the software • Add (controlled) hardware heterogeneity • Connect to other government and industry testbeds (once we have our act together)
DETER Testbed Architecture (architecture diagram not reproduced)
DETER Testbed Status • Developed Draft Policy and Procedures • Experiment Definition • Experiment Review Board • Security Isolation Argument • Architecture Design Report • ISI and UCB Nodes Operational • Held first set of experiments June 8, 2004 • Workshop held yesterday (25 October 2004) • In conjunction with ACM CCS in Washington, DC • Open to the entire research community
PREDICT – A Protected REpository for Defense of Infrastructure against Cyber Threats • PREDICT Program Objective: "To advance the state of the research and commercial development (of network security 'products') we need to produce datasets for information security testing and evaluation of maturing networking technologies." • Rationale / Background / Historical: • Researchers with insufficient access to data are unable to adequately test their research prototypes • Government technology decision-makers have no data to evaluate competing "products" • Bottom Line: Improve the quality of defensive cyber security technologies
Activities To Date • Industry Workshop (Feb. 11-12, 2004) • Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda • Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program • Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward • Develop a process by which “data” can be “regularly” collected and shared with the network security research community
Workshop Attendees (Feb. 11-12, 2004) • AOL • UUNET • Verio • XO Communications • Akamai • Arbor Networks • Riverhead Networks • System Detection • Cisco • Packet Clearing House • Symantec • USC-ISI • UC San Diego • Univ. of Washington • BBN Technologies • CERT/CC • LBNL • Internet2 • CAIDA • Merit Networks • Citigroup • Cooley, LLC (legal counsel)
Data Collection Activities • Classes of data that are interesting, people want collected, and seem reasonable to collect • Netflow • Packet traces – headers and full packet (context dependent) • Critical infrastructure – BGP and DNS data • Topology data • IDS / firewall logs • Performance data • Network management data (i.e., SNMP) • VoIP (1400 IP-phone network) • Blackhole Monitor traffic
PREDICT Repository Process (diagram) • PREDICT Coordination Center (government-funded, externally hosted) maintains the data listing and brokers trusted access • Data providers supply datasets to data hosting sites under MOU / MOA • Researchers apply with institutional sponsorship; a proposal review process yields accepted proposals that are granted access
Sample Datasets that will be available • University of Michigan • Dark address space monitoring, honeypot monitoring, BGP Beacon routing data, and routing protocol sensors, MichNet routing protocol data and Netflow data • University of Washington • Host-based forensic data and honeypot data • Internet 2 • Performance data, NetFlow data, and routing protocol data from the Abilene network • University of Wisconsin • Wisconsin Advanced Internet Lab – Netflow, iSink logs, IDS logs • XO Communications • Netflow and routing protocol logs • Packet Clearing House • BGP routing dataset and VoIP measurement data
Sample Datasets (continued) • CAIDA • Topology measurement data, Network Telescope data • Internet Software Consortium (ISC) • DNS packet traces from F-root • Verio • Packet traces from OC48 operational network • Equinix • Packet traces from Internet Business Exchange (IBX) point • Los Nettos - LA regional network provider • Full packet headers, NetFlow data, SNMP data, and standard logs • DNS root server data. Los Nettos hosts both the B and L root servers • Internet topology data based on the SCAN topology-mapping project • LBNL • Anonymized enterprise traffic from internal LBNL networks
PREDICT – Proposed Timeline • Sep 1 - Oct 30: Working groups complete actions identified at the last PI meeting • Data Schema WG • Application Process WG • All MOU/MOAs in development • Public Relations WG • Oct 1 - Nov 15: Conduct internal PREDICT process pilot • Nov 15 - Dec 15: Conduct external PREDICT process pilot • Dec 15 - Jan 15: Modify PREDICT processes based on feedback from the pilot • ~Jan 15: PREDICT goes live • Working through announcement process
Cyber Economic Assessment Studies • Examination of current “cyber event” cost evaluation methods • Business Case Development • Understanding of costs and losses • Strategies for encouraging cyber security investment • Cyber Risk Prioritization
Presentation Agenda • DHS Overview • Cyber Security R&D Overview • Cyber Security R&D Activities • National Strategy to Secure Cyberspace • Secure Domain Name System (DNSSEC) • Secure Protocols for the Routing Infrastructure • DHS / NSF Cyber Security Testbed • Large-scale Network Security Datasets • Cyber Economic Assessment studies • “New” Activities
Recent SBIRs • SBIR = Small Business Innovation Research • CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES • Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about "stealthy" sources and targets of attacks in a distributed fashion across multiple environments. • REAL-TIME MALICIOUS CODE IDENTIFICATION • Objective: Develop technologies to detect anomalous network payloads destined for any service or port on a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting "zero-day attacks", the first appearance of malicious code for which no known defense has been constructed.
HSARPA Cyber Security Broad Area Announcement (BAA 04-17) • A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are: • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems; • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure. • To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency. • http://www.hsarpabaa.com
BAA Technical Topic Areas (TTAs) • System Security Engineering • Vulnerability Prevention • Tools and techniques for better software development • Vulnerability Discovery and Remediation • Tools and techniques for analyzing software to detect security vulnerabilities • Cyber Security Assessment • Develop methods and tools for assessing the cyber security of information systems • Security of Operational Systems • Security and Trustworthiness for Critical Infrastructure Protection • 1) Automated security vulnerability assessments for critical infrastructure systems • 2) Improvements in system robustness of critical infrastructure systems • 3) Configuration and security policy management tools • 4) Cross-platform and/or cross network attack correlation and aggregation
BAA TTAs (continued) • Security of Operational Systems • Wireless Security • Security tools/products for today’s networks • Solutions and standards for next generation networks • Investigative and Prevention Technologies • Network Attack Forensics • Tools and techniques for attack traceback • Technologies to Defend against Identity Theft • R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing
BAA Program / Proposal Structure • NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS “customer” environments • Type I (New Technologies) • New technologies with an applied research phase, a development phase, and a deployment phase (optional) • Funding not to exceed 36 months (including deployment phase) • Type II (Prototype Technologies) • More mature prototype technologies with a development phase and a deployment phase (optional) • Funding not to exceed 24 months (including deployment phase) • Type III (Mature Technologies) • Mature technology with a deployment phase only. • Funding not to exceed 12 months
Tackling Cyber Security Challenges:Business Not as Usual • Strong mission focus (avoid mission creep) • Close coordination with other Federal agencies • Outreach to communities outside of the Federal government • Building public-private partnerships (the industry-government *dance* is a new tango) • Strong emphasis on technology diffusion and technology transfer • Migration paths to a more secure infrastructure • Awareness of economic realities
Summary • DHS S&T is moving forward with an aggressive cyber security research agenda • Working with industry to solve the cyber security problems of our current infrastructure • DNSSEC, Secure Routing • Working with academe and industry to improve research tools and datasets • DHS/NSF Cyber Security Testbed, PREDICT • Looking at future RDT&E agendas with the most impact for the nation • SBIRs, BAA 04-17
Douglas Maughan, Ph.D. Program Manager, HSARPA douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170