Homeland Security Advanced Research Projects Agency A View from Washington: The Latest in Cyber Security November 7, 2013 TCIPG Annual Meeting Douglas Maughan Division Director http://www.dhs.gov/cyber-research


Homeland Security Advanced Research Projects Agency

A View from Washington: The Latest in Cyber Security

November 7, 2013

TCIPG Annual Meeting

Douglas Maughan

Division Director

http://www.dhs.gov/cyber-research


Presentation Outline

Threat Space

National / Federal Activities

DHS Activities

Cyber Security Division (CSD) Overview

What’s Ahead

Summary

Q&A


Environment: Greater Use of Technology, More Threats, Less Resources

[Figure: LESS RESOURCES / MORE THREATS. Labels: Globalization & Transportation; Natural Disasters & Pushing Beyond Design Limits; Misuse of Technology; Border Security & Immigration; Cyber Domain; Violent Extremism; Nature of Innovation; Both sides get to innovate; Predictive & Reactive; Aviation as an example …; Low cost of entry; Strategic potential; Anywhere in the world in 24 hours; Historical Perspective; Tenuous balance; Insider Threat]


“Cyber” – Where is it used?

Business / Personal

Shopping & Banking Point of Sale (in store or on line)

Personnel

Social Media

DHS provides advice and alerts to the 16 critical infrastructure areas …

… DHS collaborates with sectors through Sector Coordinating Councils (SCC)


Cyber Threats

• Malware – Malicious software to disrupt computers
  • Viruses, worms, …
• Theft of Intellectual Property or Data
• Hacktivism – Cyber protests that are socially or politically motivated
• Mobile Devices and Applications and their associated Cyber Attacks
• Social Engineering – Entice users to click on Malicious Links
• Spear Phishing – Deceptive communications (E-Mails, Texts, Tweets…)
• Domain Name System (DNS) Hijacking
• Router Security – BGP Hijacking
• Denial of Service (DOS) – blocking access to web sites
• Others …


Recent Events


Targeting of DHS through Email

• The primary method of specifically targeting DHS is through phishing emails
• Emails contain malicious attachment or link
• Recipients often “BCCed”
• A single compromise can provide an attacker with a foothold for complete network access

Notable Targeted Email Statistics:

• 60% of malicious emails sent from Gmail
• Account names are believable
• 17% spoof other Government agencies

Total Emails per Year

• 2010 – 1108 emails (143 campaigns)
• 2011 – 1312 emails (157 campaigns)
• 2012 – 1497 emails (102 campaigns)

Targeted Malicious Email Detection and Response

2012 – Average new campaign every 3.6 days


Cyberspace Definitions

“The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries.” White House Cyberspace Policy Review, May 2009

AND PEOPLE!!!


EO-13636 and PPD-21

In February 2013, the President issued two new policies:

1) Executive Order 13636: Improving Critical Infrastructure Cybersecurity
2) Presidential Policy Directive – 21: Critical Infrastructure Security and Resilience

America's national security and economic prosperity are dependent upon the operation of critical infrastructure that is increasingly at risk from the effects of cyber attacks

The vast majority of U.S. critical infrastructure is owned and operated by private companies

A strong partnership between government and industry is indispensable to reducing the risk to these vital systems


Integrating Cyber-Physical Security

Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:

• Develop a technology-neutral voluntary cybersecurity framework
• Promote and incentivize the adoption of cybersecurity practices
• Increase the volume, timeliness and quality of cyber threat information sharing
• Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
• Explore the use of existing regulation to promote cyber security

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:

• Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
• Understand the cascading consequences of infrastructure failures
• Evaluate and mature the public-private partnership
• Update the National Infrastructure Protection Plan
• Develop comprehensive research and development plan (CSD / RSD)


EO-PPD Deliverables

120 days – June 12, 2013
• Publish instructions: unclassified threat information
• Report on cybersecurity incentives
• Publish procedures: expand the Enhanced Cybersecurity Services

150 days – July 12, 2013
• Identify cybersecurity critical infrastructure
• Evaluate public-private partnership models
• Expedite security clearances for private sector

240 days – October 10, 2013
• Develop a situational awareness capability
• Update the National Infrastructure Protection Plan
• Publish draft voluntary Cybersecurity Framework

365 days – February 12, 2014
• Report on privacy and civil rights and civil liberties cybersecurity enhancement risks
• Stand up voluntary program based on finalized Cybersecurity Framework

Beyond 365 – TBD
• Critical Infrastructure Security and Resilience R&D Plan


Cybersecurity Framework (NIST lead)

Developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk

Supports the improvement of cybersecurity for the Nation’s Critical Infrastructure using industry-known standards and best practices

Provides a common language and mechanism for organizations to

1. describe current cybersecurity posture;
2. describe their target state for cybersecurity;
3. identify and prioritize opportunities for improvement within the context of risk management;
4. assess progress toward the target state;
5. foster communications among internal and external stakeholders.

Composed of three parts: the Framework Core, the Framework Implementation Tiers, and Framework Profiles


Cybersecurity Framework

Function and Category

IDENTIFY
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management

PROTECT
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Protective Technology

DETECT
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

RESPOND
• Communication
• Analysis
• Mitigation
• Improvements

RECOVER
• Recovery Planning
• Improvements
• Communication


Recommended Incentives

Areas:

1. Cybersecurity Insurance
2. Grants
3. Process Preference
4. Liability Limitation
5. Streamline Regulations
6. Public Recognition
7. Rate Recovery for Price Regulated Industries
8. Cybersecurity Research

“While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed.”

Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, White House Blog, August 6, 2013


R&D guidance from PPD-21

Within 2 years, DHS in coordination with OSTP, SSA’s, DOC and other Federal D&A, shall provide to the President a National Critical Infrastructure Security and Resilience R&D Plan that takes into account the evolving threat landscape, annual metrics, and other relevant information to identify priorities and guide R&D requirements and investments … plan issued every 4 years … updates as needed.

Innovation and Research & Development: DHS in coordination with OSTP, SSA’s, Commerce and other Federal D&A, shall provide input to align those Federal and Federally-funded R&D activities that seek to strengthen the security and resiliency of the Nation’s critical infrastructure, including:

• Promoting R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;
• Enhancing modeling capabilities to determine potential impacts … and cascading effects;
• Facilitating initiatives to incentivize cyber security investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience;
• Prioritizing efforts to support the strategic guidance issued by the Secretary.

Working Group headed up by DHS S&T


How to Engage

National Infrastructure Protection Plan process

Review and comment on Draft Documents

www.dhs.gov/eo-ppd

Provide input through dialogue on IdeaScale -- http://eoppd.ideascale.com

Encourage partners to review and provide input

PPD/EO Integrated Task Force Weekly Stakeholder Bulletin

Current status of activities

List of upcoming Open Forums, Webinars and other Engagement Opportunities

Contact [email protected] for more information

Also R&[email protected] for R&D plan information, participation


DHS S&T Mission

Strengthen America’s security and resiliency by providing knowledge products and innovative technology solutions for the Homeland Security Enterprise

1) Create new technological capabilities and knowledge products
2) Provide Acquisition Support and Operational Analysis
3) Provide process enhancements and gain efficiencies
4) Evolve US understanding of current and future homeland security risks and opportunities

FOCUS AREAS
• Bio
• Explosives
• Cybersecurity
• First Responders
• Resilient Systems
• Borders / Maritime


Cyber Security Focus Areas

Trustworthy Cyber Infrastructure

Working with the global Internet community to secure cyberspace

Research Infrastructure to Support Cybersecurity

Developing necessary research infrastructure to support R&D community

R&D Partnerships

Establishing R&D partnerships with private sector, academia, and international partners

Innovation and Transition

Ensuring R&D results become real solutions

Cybersecurity Education

Leading National and DHS cybersecurity education initiatives


R&D Partnerships

Oil and Gas Sector
• LOGIIC – Linking Oil & Gas Industry to Improve Cybersecurity

Electric Power Sector
• TCIPG – Trustworthy Computing Infrastructure for the Power Grid

Banking and Finance Sector
• FI-VICS – Financial Institutions – Verification of Identity Credential Service
• DECIDE – Distributed Environment for Critical Incident Decision-making Exercises (recent Quantum Dawn II exercise)

State and Local
• PRISEM – Public Regional Information Security Event Management
• PIV-I/FRAC TTWG – State and Local and Private Sector First Responder Authentication Credentials and Technology Transition

Law Enforcement
• SWGDE – Special Working Group on Digital Evidence (FBI lead)
• CFWG – Cyber Forensics Working Group (CBP, ICE, USSS, FBI, S/L)


International Bilateral Agreements

Government-to-government cooperative activities for 13 bilateral Agreements

S&T International Engagements

• Canada (2004)

• Australia (2004)

• United Kingdom (2005)

• Singapore (2007)

• Sweden (2007)

• Mexico (2008)

• Israel (2008)

• France (2008)

• Germany (2009)

• New Zealand (2010)

• European Commission (2010)

• Spain (2011)

• Netherlands (2013)

COUNTRY PROJECTS MONEY IN JOINT MONEY OUT
Australia 3 $300K $400K
Canada 11 $1.8M
Germany 1 $300K
Israel 2 $100K
Netherlands 7 $450K $1.2M $150K
Sweden 4 $650K
United Kingdom 3 $1.2M $400K
European Union 1
Japan 1

Over $6M of International co-funding


Transition To Practice (TTP) Program

R&D Sources
• DOE National Labs
• FFRDC’s (Federally Funded R&D Centers)
• Academia
• Small Business

Transition processes
• Testing & evaluation
• Red Teaming
• Pilot deployments

Utilization
• Open Sourcing
• Licensing
• New Companies
• Adoption by cyber operations analysts
• Direct private-sector adoption
• Government use

Implement Presidential Memorandum – “Accelerating Technology Transfer and Commercialization of Federal Research in Support of High-Growth Businesses” (Oct 28, 2011)


Cybersecurity Education

Cyber Security Competitions (http://nationalccdc.org)

National Initiative for Cybersecurity Education (NICE)

NCCDC (Collegiate); U.S. Cyber Challenge (High School)

Provide a controlled, competitive environment to assess a student’s depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.

DHS Cyber Skills Task Force (CSTF)

Established June 6, 2012 - Homeland Security Advisory Council

Over 50 interviews (DHS internal and external)

Identify best ways DHS can foster the development of a national security workforce capable of meeting current and future cybersecurity challenges;

Outline how DHS can improve its capability to recruit and retain sophisticated cybersecurity talent.

11 recommendations in 5 key areas


White House Priorities – FY14+

Secure Federal Networks
• Identity/Credential Access Mgmt (ICAM), Cloud Exchange, Fed-RAMP

Protect Critical Infrastructure
• Public-Private Cyber Coordination, EO/PPD Initiatives

Improve Incident Response and Reporting
• Information Sharing among Federal Centers
• Capacity Building for State/Local/Tribal/Territorial (SLTTs)

Engage Internationally
• Foreign Assistance Capacity Building
• Build Workforce Capacity to Support International Cyber Engagement

Shape the Future
• National Strategy for Trusted Identity in Cyberspace (NSTIC)
• National Initiative for Cybersecurity Education (NICE)
• Cybersecurity R&D – EO/PPD R&D Plan, Federal R&D Plan, Transition To Practice, Foundational Research


Future - Inter-Agency: CPS

Cyber Physical Systems (CPS)

“Smart networked systems with embedded sensors, processors and actuators that are designed to sense and interact with the physical world (including the human users), and support real-time, guaranteed performance in safety-critical applications”

Several workshops over the past year or two

• Transportation
  • Automotive, UAVs, Aeronautical, Rail
• Manufacturing
• Healthcare
• Energy
• Agriculture
• Defense
• Emergency Response
• Others …

All with an eye towards society, economics, and impact


CSD New Program Ideas

Security for Cloud-Based Systems

Data Privacy Technologies

Mobile Wireless Investigations

Mobile Device Security

Next-Generation DDOS Defenses

Application Security Threat Attack Modeling (ASTAM)

Static Tool Analysis Modernization Project (STAMP)

Network Reputation and Risk Analysis

Data Analytics Methods for Cyber Security

Cyber Security Education

Designed-In Security

Finance Sector Cybersecurity

DNSSEC Applications

Data Provenance for Cybersecurity

Cyber Economic Incentives – based on EO/PPD

DHS S&T Long Range Broad Agency Announcement (LRBAA) 12-07

S&T seeks R&D projects for revolutionary, evolving, and maturing technologies that demonstrate the potential for significant improvement in homeland security missions and operations

Offerors can submit a pre-submission inquiry prior to White Paper submission that is reviewed by an S&T Program Manager

CSD has 18 Topic Areas (CSD.01 – CSD.18) – SEE NEXT SLIDE

LRBAA 12-07 has been extended and closes on 12/31/13

S&T BAA Website: https://baa2.st.dhs.gov

Additional information can be found on the Federal Business Opportunities website (www.fbo.gov) (Solicitation #:DHSS-TLRBAA12-07)


LRBAA Summary Listing

CSD.01 – Comprehensive National Cybersecurity Initiative and Federal R&D Strategic Plan topics
CSD.02 – Internet Infrastructure Security
CSD.03 – National Research Infrastructure
CSD.04 – Homeland Open Security Technology
CSD.05 – Forensics support to law enforcement
CSD.06 – Identity Management
CSD.07 – Data Privacy and Information Flow technologies.
CSD.08 – Software Assurance
CSD.09 – Cyber security competitions, education and curriculum development.
CSD.10 – Process Control Systems and Critical Infrastructure Security
CSD.11 – Internet Measurement and Attack Modeling
CSD.12 – Securing the mobile workforce
CSD.13 – Security in cloud based systems
CSD.14 – Experiments – Test and evaluation in experimental operational environments to facilitate transition.
CSD.15 – Research Data Repository
CSD.16 – Cybersecurity Economic Incentives
CSD.17 – Data Analytics – analysis techniques, visualization,
CSD.18 – Tailored Trustworthy Spaces – trust negotiation, app anonymity


Summary

Cybersecurity research is a key area of innovation to support our global economic and national security futures

DHS S&T continues with an aggressive cyber security research agenda

Working to solve the cyber security problems of our current (and future) infrastructure and systems

Working with academe and industry to improve research tools and datasets

Looking at future R&D agendas with the most impact for the nation

Need to continue strong emphasis on technology transfer and experimental deployments

Must focus on the education, training, and awareness aspects of our current and future cybersecurity workforce


Recent CSD Publications


For more information, visit

http://www.dhs.gov/cyber-research

http://www.dhs.gov/st-csd

Douglas Maughan, Ph.D.

Division Director

Cyber Security Division

Homeland Security Advanced Research Projects Agency (HSARPA)

[email protected]

202-254-6145 / 202-360-3170
