Explore strategies and programs to enhance U.S. cybersecurity initiatives, research landscape, and enduring technologies for long-term success. Learn about coordination efforts, global supply chain risk management, and critical infrastructure security.
Dept. of Homeland Security Science & Technology Directorate
Driving Security Improvement through R&D
Cybersecurity Summit 2009, Arlington, VA, September 15, 2009
Douglas Maughan, Ph.D., Branch Chief / Program Mgr.
douglas.maughan@dhs.gov, 202-254-6145 / 202-360-3170

Agenda
• WDC Happenings
  • CNCI – Research-related tasks
  • CSIS Commission
  • White House 60-Day Cyber Security Review
• Department of Homeland Security (DHS) S&T Cyber Security Program
• Research Landscape
  • Infosec Research Council (IRC) Hard Problems List (HPL)
  • DHS S&T Roadmap Activity
  • DOE Cyber Security Report
  • Federal Plan for Cyber Security and Information Assurance (CSIA) R&D
• Summary / Conclusions

12 CNCI Initiatives
Establish a front line of defense
• Reduce the Number of Trusted Internet Connections
• Deploy Passive Sensors Across Federal Systems
• Pursue Deployment of Automated Defense Systems
• Coordinate and Redirect R&D Efforts
Resolve to secure cyberspace / set conditions for long-term success
• Connect Current Centers to Enhance Situational Awareness
• Develop Gov’t-wide Counterintelligence Plan for Cyber
• Increase Security of the Classified Networks
• Expand Education
Shape future environment / secure U.S. advantage / address new threats
• Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
• Define and Develop Enduring Deterrence Strategies & Programs
• Manage Global Supply Chain Risk
• Cyber Security in Critical Infrastructure Domains

Initiative to Coordinate R&D Efforts
• OSTP – Prioritize and Coordinate Cyber R&D Activities to:
  • Improve synergy between classified and unclassified Federal research
  • Enable a broad multidisciplinary, multi-sector effort
  • Prioritize requirements and engage the private sector
  • Enable Federal agencies to leverage resources
  • Maximize intellectual capital
  • Exploit existing R&D activities while pursuing new approaches to develop game-changing cyber technologies
The vision of the CNCI is to transform national cyber infrastructure through coordinated research and development efforts over the next 10 years such that critical national interests are protected from catastrophic damage.
Commission on Cybersecurity for the 44th Presidency
• 15-month duration (Oct 07 – Dec 08)
• 40 person commission, supported by many advisors
• 30 government and industry briefings
• 3 findings
• 25 recommendations
• The goal of the commission was to develop actionable recommendations for the next administration to improve U.S. cybersecurity
• http://www.csis.org/tech/cyber/

Findings
• Cybersecurity is a major national security problem for the United States
• Decisions and actions must respect privacy and civil liberties
• Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure

Recommendations - 1
• Create a Comprehensive National Security Strategy for Cyberspace
• Organize for Cybersecurity
• Partner with the Private Sector
• Regulate for Cybersecurity
• Secure Industrial Control Systems and SCADA
• Use Acquisition Rules to Improve Security

Recommendations - 2
• Manage Identities
• Modernize Authorities
• Revise the Federal Information Security Mgmt Act
• End the Division Between Civilian and National Security Systems
• Conduct Training for Cyber Education and Workforce Development
• Research & Development for Cybersecurity
  • Increase investment in long-term cyber security R&D
WH Cyberspace Policy Review
• Released May 29, 2009
• http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
• Ten (10) Near-Term ACTIONS
  • Appoint a cybersecurity policy official; establish a National Security Council (NSC) directorate to coordinate interagency development of strategy and policy
  • Produce an updated national strategy, including a review of CNCI activities
  • Designate cybersecurity as one of the President’s key management priorities; establish performance metrics
  • Designate a privacy and civil liberties official to the NSC cybersecurity directorate

WH Cyberspace Policy Review (cont’d)
• Ten (10) Near-Term ACTIONS (continued)
  • Develop interagency mechanisms for legal analyses as part of the policy development process
  • Initiate national public awareness and education campaign
  • Develop USG positions for international framework including partnerships
  • Prepare incident response plan, including dialog with the private sector
  • Develop R&D framework; Access to data
  • Build identity management vision and strategy that addresses privacy, civil liberties, and technology

WH 60-Day Review - Summary
• Not a review of the existing activities of the CNCI
  • No feedback expected on the current CNCI activities
• Very minimal focus on the role of RDTE&T to produce the next generation of IT security solutions
  • Focused on linking R&D to industry and future infrastructure developments
• Education and awareness is taking a significant role
  • Another place where R&D could have been more strongly promoted, but wasn’t

Hearings / Legislation – Summary
• Never before has there been so much interest from the Hill on the topic of Cyber Security
• Many of the hearings are focused on trying to understand and fix our current problems; therefore, R&D is still not getting the attention it needs
• We – the R&D community – need to be more aggressive in our efforts to help educate law-makers and their staff about the need for R&D to help create the cyber security landscape of the future
Science and Technology (S&T) Mission Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
R&D Execution Model (diagram). Customers (CS&C, NCSC, OCIO, USSS, National Documents, Critical Infrastructure Providers, other sectors e.g., Banking & Finance) supply Prioritized Requirements; the flow runs Pre R&D → R&D → Post R&D and back to Customers. Programs and activities shown: DNSSEC, SPRI, DETER, PREDICT, HOST, Cyber Forensics, Experiments and Exercises, Cyber Security Assessment, Emerging Threats Workshops, Solicitation Preparation, CIP Sector Roadmaps, BAAs, SBIRs, R&D Coordination – Government & Industry, Outreach – Venture Community & Industry, Supporting Programs.
Setting the Stage
• Feb 2008 – Pakistan’s routing misconfiguration denies YouTube access for 2 hours, showing routing vulnerability
• Aug 2008 – Major vulnerability discovered in DNS
• Nov 2008 – Conficker botnet affects as many as 12 million computers worldwide (and still out there)
• Symantec reports there are 15,000 new types of malware daily
• Gartner estimates 3.6M victims lost $3.2B in the U.S. in 2007 due to phishing attacks
• Consumer Reports estimates U.S. consumers lost $8.5B and replaced 2.1M computers because of viruses, spyware, etc. between 2006 and 2008
• And many, many, many more …

Cyber Security Program Areas
• Information Infrastructure Security
  • Domain Name System Security (DNSSEC)
  • Secure Protocols for the Routing Infrastructure (SPRI)
  • Finance Sector Risk Mgmt Toolkit (DECIDE)
• Cyber Security Research Tools and Techniques
  • Cyber Security Testbed (DETER)
  • Large Scale Datasets (PREDICT)
  • Experiments and Exercises
• Next Generation Technologies
  • BAA 04-17: 17 Awards
  • BAA 07-09: 17 Awards
• Two new program areas – Cyber Forensics and Homeland Open Security Technology (HOST)
• Other Activities (SBIR, RTAP, Emerging Threats, ITTC, Outreach, Government Coordination)

National Strategy to Secure Cyberspace
• The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
• NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS
• “The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.”
DNS and DNSSEC ‘Content Picture’ (diagram): What and Who are the DNS (and DNSSEC) Players and Pieces? Content flows from Registrants (Content Starts Here) through Registrars and Registries (Content Responsibility Area) to Zone Name Servers (Publication Area), and then via DNS Resolvers to User Applications (Content Used Here). The slide marks where DNSSEC fits in this content flow.
DNSSEC Initiative Activities
• Roadmap published in February 2005; Revised March 2007
  • http://www.dnssec-deployment.org/roadmap.php
• DNSSEC testbed developed by NIST
  • http://www-x.antd.nist.gov/dnssec/
• Involvement with numerous deployment pilots
• Formal publicity and awareness plan including newsletter
  • http://www.dnssec-deployment.org/news/dnssecthismonth
• Working with Microsoft, Mozilla, OpenDNS and others to promote DNSSEC awareness in their software or projects

OMB memo on DNSSEC
• http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf

History of Routing Outages
• Commercial Internet -- specific network outages
  • Apr 1997 – AS 7007 announced routes to all the Internet
  • Apr 1998 – AS 8584 mis-announced 100K routes
  • Dec 1999 – AT&T’s server network announced by another ISP – misdirecting their traffic (made the Wall Street Journal)
  • May 2000 – Sprint addresses announced by another ISP
  • Apr 2001 – AS 15412 mis-announced 5K routes
  • Dec 24, 2004 – thousands of networks misdirected to Turkey
  • Feb 10, 2005 – Estonian ISP announced a part of Merit address space
  • Sep 9, 2005 – AT&T, XO and Bell South (12/8, 64/8, 65/8) misdirected to Bolivia [the next day, Germany – prompting AT&T to deaggregate]
  • Jan 22, 2006 – Many networks, including PANIX and Walrus Internet, misdirected to NY ISP (Con Edison (AS27506))
  • Feb 26, 2006 – Sprint and Verio briefly passed along TTNET (AS9121 again?) announcements that it was the origin AS for 4/8, 8/8, and 12/8
  • Feb 24, 2008 – Pakistan Telecom announces /24 from YouTube
  • March 2008 – Kenyan ISP’s /24 announced by AboveNet
• Frequent full table leaks, e.g., Sep08 (Moscow), Nov08 (Brazil), Jan09 (Russia)
A Tragedy of the Commons
• BGP routing space is simultaneously
  • Everyone's problem, because it impacts the stability and viability of the entire Internet, and
  • No one's problem, in that no single entity manages this common resource
• Who’s responsible for the reliability of the network?
  • End customers?
  • Service providers?
  • Somebody else?

Border Gateway Protocol Security
• Without BGP there would be no Internet
• BGP servers (border routers) are prime attack objects
  • SYN floods
  • RST attacks
  • Data insertion (forged packets)
  • TCP hijacking
• Several proposed solutions have been developed over the years, but none have been “universally” adopted
  • Secure BGP (S-BGP), soBGP, PGBGP, etc., etc.
• Scalability as the Internet grows is still an issue

Secure Protocols for the Routing Infrastructure (SPRI)
• Border Gateway Protocol (BGP)
  • Routing protocol that connects ISPs and subscriber networks together to form the Internet
  • Used to exchange network reachability information
  • Final version: BGP-4 (RFC 1771-1774 – 3/95)
• The BGP architecture makes it highly vulnerable to human errors and malicious attacks against
  • Links between routers
  • The routers themselves
  • Management stations that control routers
• Working with industry to develop solutions for our current routing security problems and future technologies

SPRI Roadmap
• http://www.cyber.st.dhs.gov/docs/spriRoadmap.pdf
• COMMENTS ARE ENCOURAGED!!!
• Roadmap Outline
  • Threats
  • Two major areas
    • Deployment
      • Mechanisms (e.g., BCPs)
      • Protocol Issues
    • Research
      • Near term research
      • Long term research
      • Other research problems

SPRI Deployment Activities
• Working with registries to deploy PKI between ICANN/IANA and registry and between registry and ISPs/customers
  • Pilot project with the Asia-Pacific Network Information Center (APNIC) to add public key infrastructure to registration operations
• BGPSEC Protocol Design Team
  • Router Vendors, ISPs, Standards, Academics
  • End Goal: “Agreed upon” secure routing protocol that can be expedited through the Internet standards process, implemented by router vendors, and deployed by ISPs
• Working with ARIN to clean up existing database and legacy address space problem
  • Pre-1997 IP Addresses are not accounted for
  • Government is one of the biggest offenders
BGPmon: Data Collector Objectives
• Support Large Scale BGP Monitoring
  • Collect data from a large number of peers
  • Data collectors run at multiple locations/multiple exchange points
  • Users see a single coherent monitoring infrastructure
• Provide BGP Data in Real-Time
  • BGP update messages delivered to users in seconds
  • BGP RIB tables reported at regular intervals
  • Data archives also available for non-real-time users
• Create An Extensible and Easy To Use Data Format
  • Data available as bits off the wire and human readable format
  • Users can annotate data (flag customer prefixes, potential hijacks, etc.)
  • Users can easily ignore annotations they don’t understand
08/04/2009 WIT: A Watchdog for Internet Routing

BGPmon Deployment Today (map of collector deployment)

The Prefix Hijack Alert System
• BGPmon Observes Attacks in Real-time
  • Improve placement to maximize detection
  • Provide real-time (seconds) access to data currently only available after hours
• But Data Volume is Vast and Growing
  • One collector observes 260,177 prefixes and logged 53,519,042 changes in just a few days!
  • Need smart algorithm to distinguish valid changes from potential attacks

Cyclops: A Network Watchdog (diagram). BGPmon provides the raw data; Cyclops alerts you to unexpected behavior. The Cyclops Engine compares Observed network data (routing messages, router configs, active measurement, geolocation intel) against Rules of expected behavior (valid prefix lists, black lists), and produces Alarm generation, False positive detection, and Reaction.
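The routing-outage history above and the two BGPmon/Cyclops slides describe the same defensive pattern: a collector delivers raw BGP updates, and a rule engine compares each announced prefix and origin AS against expected behaviour (valid prefix lists, black lists) to separate legitimate changes from mis-originations, more-specific hijacks of the YouTube /24 kind, and full-table leaks of the AS 7007 kind. The following Python is an added illustration of that rule engine; it is not BGPmon or Cyclops code, and the prefixes, AS numbers, collector line format (`prefix|as_path`), and leak threshold are all constructed for the example.

```python
"""
Toy prefix-hijack rule engine in the spirit of the BGPmon -> Cyclops split:
raw updates in, alarms out. All data below is constructed for illustration
(documentation prefixes and private-use AS numbers); the '|'-separated
collector line format is an assumption, not BGPmon's real format.
"""
from collections import defaultdict
from ipaddress import ip_network

# Expected behaviour: which origin ASes may announce which prefixes (constructed).
VALID_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64502, 64503},   # legitimately multi-homed, two valid origins
}

# Origin ASes the operator has chosen to distrust (constructed black list).
BLACKLIST = {64666}

# An origin announcing more distinct prefixes than this in one batch is
# treated as a possible table leak (assumed threshold, tiny for the demo).
LEAK_THRESHOLD = 3


def parse_update(line):
    """Parse one constructed collector line 'prefix|as_path' into (network, [asn, ...])."""
    prefix, path = line.strip().split("|")
    as_path = [int(asn) for asn in path.split()]
    return ip_network(prefix), as_path


def check_origin(prefix, origin):
    """Compare one announcement against the valid prefix list.

    Returns an alarm string for an unexpected origin (exact prefix) or for a
    more-specific announcement inside a registered prefix by an unexpected
    origin; returns None when the announcement is expected or the prefix is
    unknown (no expectation recorded, so nothing to alarm on).
    """
    for registered, origins in VALID_ORIGINS.items():
        reg = ip_network(registered)
        if prefix == reg:
            if origin not in origins:
                return f"origin mismatch: {prefix} from AS{origin}, expected {sorted(origins)}"
            return None
        if prefix.subnet_of(reg):
            if origin not in origins:
                return f"more-specific hijack: {prefix} inside {reg} from AS{origin}"
            return None
    return None


def analyze(lines):
    """Run the rules over a batch of collector lines and return the list of alarms."""
    alarms = []
    prefixes_by_origin = defaultdict(set)
    for line in lines:
        prefix, as_path = parse_update(line)
        origin = as_path[-1]                      # origin AS is the last hop in the path
        if origin in BLACKLIST:
            alarms.append(f"blacklisted origin: {prefix} from AS{origin}")
        alarm = check_origin(prefix, origin)
        if alarm:
            alarms.append(alarm)
        prefixes_by_origin[origin].add(prefix)
    # Leak rule: one origin suddenly originating many prefixes in a single batch.
    for origin, prefixes in prefixes_by_origin.items():
        if len(prefixes) > LEAK_THRESHOLD:
            alarms.append(f"possible table leak: AS{origin} originated {len(prefixes)} prefixes")
    return alarms


# Constructed sample batch, one announcement per line.
SAMPLE_UPDATES = [
    "192.0.2.0/24|64496 64497 64500",        # expected origin: no alarm
    "203.0.113.0/24|64496 64503",            # second legitimate origin: no alarm
    "198.51.100.0/24|64496 64498 64510",     # wrong origin for a registered prefix
    "192.0.2.128/25|64496 64499 64511",      # more-specific carved out of 192.0.2.0/24
    "10.0.0.0/8|64496 64666",                # blacklisted origin AS
    "172.16.0.0/16|64496 64520",             # burst of prefixes from one origin
    "172.17.0.0/16|64496 64520",
    "172.18.0.0/16|64496 64520",
    "172.19.0.0/16|64496 64520",
]

if __name__ == "__main__":
    for alarm in analyze(SAMPLE_UPDATES):
        print(alarm)
```

Running the block prints four alarms for the sample batch (origin mismatch, more-specific hijack, blacklisted origin, possible table leak) and stays silent for the two expected announcements, including the multi-homed prefix with its second valid origin. In a real deployment the valid prefix list would come from registry data or the operator's own customer list, and the leak threshold would be tuned against the collector's normal update volume to keep the false-positive stage of the engine manageable.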
Web*DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)
• Enable enterprise decision-makers to think through responses to operational disruptions of market-based transactions across networks
  • Sector(s), Market(s), Institution(s)
• Provide a dedicated exercise capability for several critical infrastructures in the U.S.
  • Beginning with Banking and Finance
• Foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
  • Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops
• Think through sector impacts of the National Planning Scenarios
• Enhance coordination during a large-scale disruption to key infrastructures
• The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN-AMRO, Eurex, Archipelago, Bank of New York, and CitiBank.
• The Financial Services Sector Coordinating Council R&D Committee is organizing a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.

DHS / NSF Cyber Security Testbed
• “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002
• We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
  • Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry
  • One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
• The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies

DETERlab: The DETER Facility
• http://www.deterlab.net
• Cyber Security testbed located at USC/ISI and UC Berkeley
• Funded by NSF and DHS, started in 2003
• 400 Nodes - 200 each at ISI and UC Berkeley
• Based on Emulab software, with focus on security experimentation
• The DETER testbed infrastructure
  • Tool libraries
  • SEER workbench
  • Operations and Management
  • Community building and Outreach

DETER – Map of Global Users
• Over 170 users from 14 countries (and growing)
PREDICT: A Protected REpository for Defense of Infrastructure against Cyber Threats
• PREDICT Program Objective: “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.”
• Rationale / Background / Historical:
  • Researchers with insufficient access to data unable to adequately test their research prototypes
  • Government technology decision-makers with no data to evaluate competing “products”
• End Goal: Improve the quality of defensive cyber security technologies

Data Collection Activities
• Classes of data that are interesting, people want collected, and seem reasonable to collect
  • Netflow
  • Packet traces – headers and full packet (context dependent)
  • Critical infrastructure – BGP and DNS data
  • Topology data
  • IDS / firewall logs
  • Performance data
  • Network management data (i.e., SNMP)
  • VoIP (2200 IP-phone network)
  • Blackhole Monitor traffic

PREDICT Information
• https://www.predict.org
• DHS Privacy Impact Assessment
  • http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_st_predict.pdf
• Over 330 datasets; Over 70 active users (and growing)
Next Generation Technologies
• http://baa.st.dhs.gov
• R&D funding model that delivers both near-term and medium-term solutions:
  • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure;
  • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
  • To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

BAA Program / Proposal Structure
• NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in (DHS) “customer” environments
• Type I (New Technologies)
  • New technologies with an applied research phase, a development phase, and a deployment phase (optional)
  • Funding not to exceed 36 months (including deployment phase)
• Type II (Prototype Technologies)
  • More mature prototype technologies with a development phase and a deployment phase (optional)
  • Funding not to exceed 24 months (including deployment phase)
• Type III (Mature Technologies)
  • Mature technology with a deployment phase only
  • Funding not to exceed 12 months

BAA 07-09 Technical Topic Areas
• Botnets and Other Malware: Detection and Mitigation
• Composable and Scalable Secure Systems
• Cyber Security Metrics
• Network Data Visualization for Information Assurance
• Internet Tomography / Topography
• Routing Security Management Tool
• Process Control System Security
• Secure and Reliable Wireless Communication for Control Systems
• Real-Time Security Event Assessment and Mitigation
• Data Anonymization Tools and Techniques
• Insider Threat Detection and Mitigation

Next Generation Technologies (2)
• Two Solicitations – 2004 and 2007
• 2004 – 7 topics, 17 awards totaling $13.9M
  • 9 Academic (CA, GA, DE, NJ, VA, MI, NH)
  • 8 Private Sector (NY, MD, MN, NJ, MA, TX)
  • 8 commercial products, 2 open source products
• 2007 – 9 topics, 17 awards totaling $13.7M
  • 5 Academic (CA, GA, WA, CO, MD)
  • 8 Private Sector (NY, CO, CA, FL)
  • 1 National Lab (NM)
  • 2 commercial products, 4 open source products (so far)
• Expect another BAA in FY10

Sample Product List
• Grammatech – Binary Analysis tools
• Coverity – Open Source Hardening (SCAN)
• Telcordia – Automated Vulnerability Analysis
• GMU – Network Topology Analysis (Cauldron)
• Stanford – Anti-Phishing Technologies
• Ironkey – Secure USB
• USURF – Cyber Exercise Planning tool
• HBGary – Memory and Malware Analysis
• Secure Decisions – Data Visualization
• Secure64 – DNSSEC Automation

Cyber Forensics
• Initial requirements working group held 11/20/08
  • Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD
• Initial list of projects
  • Mobile device forensic tools
  • GPS forensics tools
  • LE First responder “field analysis kit”
  • High-speed data capture and deep packet inspection
  • Live stream capture for gaming systems
  • Memory analysis and malware tools
  • Information Clearing House