National Conversation – A Trusted Cyber Future Discussion Led by Dan Massey, CSD Program Manager
Moderator: Joe Gersch (Secure 64)
Department of Homeland Security Science and Technology Directorate (DHS S&T) Hosted by the University of Colorado-Boulder
August 6th, 2015 8:30am-12:30pm
Participants:
- Government
o Dan Massey, DHS S&T
o Doug Maughan, DHS S&T
o Ann Cox, DHS S&T
o Tammi Fisher, DHS S&T
o Kyshina Dickerson, DHS S&T
- Other attendees
o A combination of 16 participants representing industry and academia
Introduction:
The National Conversation – A Trusted Cyber Future includes a series of in-person community engagements at meetings and conferences, as well as an online collaboration community where ideas can be posted, ranked, and discussed.
A National Conversation meeting was held at the University of Colorado-Boulder on August 6, 2015. Dan Massey, Program Manager for the Cybersecurity Division (CSD) within the Department of Homeland Security Science and Technology Directorate (DHS S&T), provided an introduction for Joe Gersch (Secure 64), who ultimately served as moderator for the meeting. Approximately 21 researchers and key stakeholders from industry, academia, and government participated in the 3½-hour session.
The objectives of this meeting were to gain input and responses to questions that will help shape DHS S&T and federal cybersecurity research and development (R&D) for the next five years.
Opening Presentation:
CSD Division Director Dr. Douglas Maughan opened the Conversation by presenting a brief overview detailing the purpose of the National Conversation and information sharing, and referring to the 2013/2014 CSD Cybersecurity R&D Strategic Plan, which identified 39 priority areas with 320+ focus areas, organized into the following themes:
1. Software Assurance
2. Network Security
3. Mobile, Web, and Cloud Security
4. Identity Management and Privacy
5. Usability and Metrics
6. Cyber Security Education and Training
7. Comprehensive National Cybersecurity Initiative (CNCI)
8. Securing Critical Infrastructure
9. Law Enforcement Needs
Dr. Maughan further explained that NITRD and a number of member agencies, including DHS, NSF, NIST, DOE, and others, coordinated on US Federal cybersecurity R&D. The group produced the 2011 Federal Cybersecurity R&D Plan, which identifies a number of areas and themes:
- Research Themes
o Tailored Trustworthy Spaces
o Moving Target
o Cyber Economic Incentives
o Designed-In Security
- Science of Cyber Security
- Support for National Priorities
- Transition to Practice
The DHS S&T Cybersecurity Division (CSD) receives research requirements from multiple sources, including: the White House and various Federal strategies, plans, and programs; DHS components; other government agencies; critical infrastructure sectors (private industry); state and local government; and international partners. The CSD mission is to: develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks; conduct and support technology transition efforts; and provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community.
The private sector has more information than the government especially when you think about the internet and critical infrastructure.
Information sharing questions asked by attendees:
- What are the incentives for sharing?
- Provide data back to the research community to build better tools for the next generation.
Questions that come up in the community are:
1. Who owns the information?
2. Who can I share the information with?
3. Who should not receive the information?
4. What are the mechanisms for information sharing?
What is the difference between ISACs and ISAOs?
- ISACs are private sector focused
- ISAOs are State and Local driven
How does CSD fund research?
- Based on the maturity of the technology, on a 12-36 month basis
- Funding depends on the budget we receive from Congress
Main Discussion:
Is a shift needed in the way the government approaches cyber research?
- Possibly consider an “insurance model”. There have been suggestions in the past where people have said you will never stop hackers. Car insurance and home insurance, for example, have people contribute to protect themselves from tragedy. We then ultimately cover ourselves:
o Have everyone contribute
o Accept some liability
o Accept some level of fraud
o Accept some level of risk
- Realistically it’s the consumer that will bear most of the liability. It should be the liability of the company at fault, not the consumer. It’s just a myriad of threats.
- Software assurance. Combine network security with mobile and cloud for extra protection.
- How can we make a decision without data? Over time you would access the claims and build up a database.
- Physical security
- Cyber security
- Software assurance – most of the problems come from crappy code
o Software assurance is the correctness of software
o Combine network security and mobile cloud
- Cyber security and loss of life – is it going to take loss of life to change the balance? It’s just a matter of time before it happens.
What will be the most pertinent cyber-security concerns of the next 5 years?
- Internet of Things (IoT) comes to mind. Market research states that this is going to be a fast growing space. We need to be concerned about how to protect those assets and make those devices that are mission critical secure.
- Level of trust issue regarding personal information: getting to a level of trust with smart phones and laptops. We know who we trust with people but are not quite there with computability, because the complexity of technology is also an issue.
- You can change the culture, but if you’re going to be secure you’re going to have to do what’s necessary to make things secure. How do you change some of the software that does not make things secure without getting to the point where you build security in later? We would really have to undertake an effort to make things secure.
What is the view on the current academic code of teaching for security?
- Students are not typically judged on how secure something is, but more so on performance. If workforce development is important we need to get kids informed early. By the time they go through 6 years of penetration testing and go to college, they’re getting hired right out of school. If the knowledge of security is built in at an early age it makes more sense.
- Some of those individuals who are younger and learning how to hack tend to seek resources that lead them down a dark path. If we can lead them in a more positive way we can avoid some of this hacking.
- We need to ask for help from our current national education systems. When do we teach cyber security and the ethics that go along with it?
- We are at a point where the security conversation will change. In the past security was considered to be someone else’s problem. Now, we are at a point where it will truly start to affect people’s lives. We need to start thinking about different security models.
- Identity Management
o How to get away from using passwords for authentication
o Guarantee privacy
o How to authenticate that the user is who they say they are
o Build levels of trust in computing
- Usability because of complexity
- Cultural shift in order to build things
- Make secure coding
How do we change the culture of building secure technology?
- Developing software and hardware that’s secure
How do you think secure coding is included in curriculum today?
- Think about defenses
- Judged on functionality, not on security
- Design curriculum to build security in as a design process
At what age should we start teaching cyber security?
- Possibly in elementary school; have kids familiarize themselves at a younger age. Grow with technology.
- If a competition is available, get children involved. Schools are now offering cyber security, computer science, and/or robotics classes.
- Develop age-specific curriculum
What technology areas would you fund to protect critical infrastructure?
- Hacking is an attitude
- Smart sensors
- Different security models
- Biological defense mechanisms
- Static code analysis
- Wireless networking
- The enemy is the human: training for everyday people
What needs to be done to accelerate the transition of cyber security solutions into the marketplace? How is it going and how can we improve it?
- Micro loans
- Broker model – Developers and end users
o An accelerated way to find technologies that are needed
- Accelerator model – corporate partners provide requirements
o What’s needed?
o What’s out there?
o Mentoring
o Pair with the appropriate entity
o Create a path to customer
o Seeing products that are duplicating each other
o Curate the market better
o Incubator period – 4 months ($50,000)
- Cyber threats are like bird flu – the solution is putting pressure on people commercially to change things
o See where the culprits are
o Is there a better way to call them out?
- Open Source Solutions? Is there a place where the end-users can transition their technology?
- Need to know what technologies people are looking for.
- Even if issues are fixed, it doesn’t mean the resolution will be consistent. Get involved with FISMA and FedRAMP.
- Get to a place where some of the small communities can play in the Fed space
- Can the government make their operational requirements known to the small investment community?
What will be the biggest key to improving cyber security over the next five years?
- Dark net – what’s going to happen next
- Good and bad uses of anonymity
- Privacy:
o Preserving privacy
o Not a clear understanding
o European vs American view of privacy
- People aren’t willing to offer information about themselves:
o Assumption that there won’t be unauthorized access
o What’s authorized is different from what the user thinks
- Changing the landscape of cyber security as a whole. Think space race: how the 60’s changed when people landed on the moon.
- Encouraging women and other minorities to get involved in the area of cyber security and computer science.
Closing/Conclusion:
Dr. Maughan informed participants that The National Conversation – A Trusted Cyber Future includes a series of in-person community engagements at meetings and conferences, as well as an online collaboration community at http://scitech.ideascale.com/, where ideas can be posted, ranked, and discussed. He encouraged participants to engage in online discussions via the IdeaScale portal (http://scitech.ideascale.com/). Background information and notes from the various National Conversation meetings are also available on this site.