Upload
great-wide-open
View
157
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Great Wide Open - Day 2 Dr. Douglas Maughan - HSARPA 10:30 AM - Security
Citation preview
1
Open Source and Cyber Security:
Open Source Software's Rolein Government Cybersecurity
Dr. Douglas MaughanU.S. Department of Homeland Security
Science and Technology DirectorateDirector, Cyber Security Division
3 April 2014
2
HomelandSecurity
Office of Cybersecurity and Communications
Executive Order (EO) on Improving Critical Infrastructure Cybersecurity/Policy Presidential Directive (PPD) on Critical Infrastructure Security and Resilience
Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to: Develop a technology-neutral voluntary cybersecurity
framework Promote/incentivize adoption of cybersecurity practices Increase the volume, timeliness and quality of cyber
threat information sharing Incorporate strong privacy and civil liberties protections
into every initiative to secure our critical infrastructure Explore existing regulation to promote cyber security
Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security
Presidential Directive-7 and directs the Executive Branch to:
– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand cascading consequences of infrastructure failures – Evaluate and mature the public-private partnership– Update the National Infrastructure Protection Plan– Develop comprehensive research and development plan
3
“America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
President Barack Obama, 2013 State of the Union
Credit: White House / Pete Souza
4
Open Source and Government
July 2001
Jan 2003 July 2004 June 2007
May 2003
StenbitMemo
MITREBus. Case
MITRESurvey
OMB Procurement
Memo
June 2006
OTDRoadmap
Launched Oct 2009
OTDPhase 2
DONCIOGuidance
DoD NIIGuidance
Oct 2009
PITACHPC
July 2001 2001 - 03
524 September 2010
Univ. of Pennsylvania
Network Associates Labs
WireXCommunications
DARPA Program (2001-2003) President’s Information Technology Advisory
Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC)
Critical Findings1. Federal government should encourage the
development of Open Source Software. 2. Federal government should allow Open
Source development efforts to compete on a “level playing field” with proprietary solutions in government procurement
3. Government sponsored Open Source projects should choose from a small set of established Open Source licenses after analysis of each license and determination of which may be preferable.
6
Cuts 2.9% from FY2014 budget
Gives agencies $79 billion for IT
Includes $13 billion for cyber security
7
178
5,815
4,360
178
613,479
44034 National24K stations
170
1,120
19,902
10,000
3,637
47
COMM/911 6,153
EMS - 21,283
LE - 17,985
Fire - 30,125
and similarhealth facilities
5,000
Colleges &Universities
6,900
Departments14,800
Social Services210,427
Utilities16,960
327
Transportation217,926
Public Works~24,000
Media14,650
Chemical, Oiland Gas2,500
Restoration& Repair402,440
>1.5 millionNGOs
Veterinarians21,731
Schools132,656
Telecom & IT11,000
Sports Facilities1,965
State, Tribal,Local Govts39,3130
TelematicsProviders16,960
Doctors’ Offices,Nursing Homes
19,286
EMPLOYERS
7,601,160
Mental HealthServices15,000
Federal Agencies16,960
308,500
InsuranceCompanies
Our Stakeholder Community
Presenter’s Name June 17, 2003
Malware – Malicious software to disrupt computers
Viruses, worms, … Theft of Intellectual Property or Data Hactivism – Cyber protests that are
socially or politically motivated Mobile Devices and Applications and
their associated Cyber Attacks Social Engineering – Entice users to click
on Malicious Links Spear Phishing – Deceptive
communications (E-Mails, Texts, Tweets) Domain Name System (DNS) Hijacking Router Security – Border Gateway
Protocol (BGP) Hijacking Denial of Service (DOS) – blocking
access to web sites Others …..
Cyber Threats and Sources
8
Nation States
Cyber Criminals
Hackers/Hacktivists
Insider Threats
Terrorists, DTOs, etc.
Presenter’s Name June 17, 2003
CSD R&D Execution Model
• Ironkey – Secure USB– Standard Issue to S&T employees
from S&T CIO– Acquired by Imation
• Komoku – Rootkit Detection Technology
– Acquired by Microsoft• HBGary – Memory and Malware
Analysis– Over 100 pilot deployments as part
of Cyber Forensics• Endeavor Systems – Malware
Analysis tools– Acquired by McAfee
• Stanford – Anti-Phishing Technologies
– Open source; most browsers have included Stanford R&D
• Secure Decisions – Data Visualization
– Pilot with DHS/NCSD/US-CERT; Acquisition
Successes
ResearchDevelopmentTest and Evaluation &Transition (RDTE&T)
"Crossing the ‘Valley of Death’: Transitioning Cybersecurity Research into Practice," IEEE Security & Privacy, March-April 2013, Maughan, Douglas; Balenson, David; Lindqvist, Ulf; Tudor, Zacharyhttp://www.computer.org/portal/web/computingnow/securityandprivacy
9
Presenter’s Name June 17, 2003
Cyber Security Focus Areas
Trustworthy Cyber Infrastructure Working with the global Internet community to secure cyberspace
Research Infrastructure to Support Cybersecurity Developing necessary research infrastructure to support R&D community
R&D Partnerships Establishing R&D partnerships with private sector, academia, and
international partners
Innovation and Transition Ensuring R&D results become real solutions
Cybersecurity Education Leading National and DHS cybersecurity education initiatives
10
Presenter’s Name June 17, 2003 11
Enhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors). Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations)Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills.
NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies.
A National Problem
12
HOST Program Homeland Open Security Technology investigates
open security methods, models and technologies to identify viable and sustainable approaches to cybersecurity objectives.
Focus on cybersecurity (Open Security) solutions
Priority to Federal, State and local governments
Secondary to critical infrastructure and general IT solutions
DISCOVERY – COLLABORATION – INVESTMENT
13
HOST DISCOVERYIdentify existing resources, methods, techniques,
practices Lessons Learned: Roadblocks and Opportunities for
Open Source Software in U.S. Government 2012: Dr. David Wheeler, IDA; Tom Dunn, GTRI
Interviews with experts, suppliers and potential users
Open Security Inventory
OpenCyberSecurity.org Information Portal
Presenter’s Name June 17, 2003 14
Inertia We’ve never done it that way before
Procurement Government acquisition doesn’t match OSS
business models Paperwork impedes small businesses (where
most of OSS resides)
Security Too many Certification and Accreditation (C&A)
processes
Lessons Learned: Open Source Software and Government
Standards / Interoperability Inhibiting Policies
Policies inhibiting collaboration with public community (ITAR, EAR)
Education General problem, esp. intellectual property rights and licenses
15
HOST COLLABORATIONEstablish public and private-sector research
and development communities Open Information Security Foundation Government Strategic Council Round Table Summits Community Outreach
16
Open Source OptionIf Open Source enables technical agility,
administrative flexibility and economic savings, then:
How to leverage these benefits for Federal, state, local governments?
What technical resources and support services are available?
Is the technology secure? Has it been vetted?
Who else in government is using it?
Have acquisition, adoption, policy issues been addressed?
How to interact with “development community?”
17
HOST INVESTMENTContribute seed investments in advanced
R&D activities that produce sustainable project communities through broad adoption by public and private-sector use and support
Suricata IDS Engine FIPS 140-2 Validated OpenSSL Government Open Technology Index Open Security Application Map
Presenter’s Name June 17, 2003
Open Source – OISF and Suricata
Intrusion Detection & Prevention System (IDS/IPS) Very Fast, Multi-Threaded Automated Protocol Detection File Identification and Extraction GPU Acceleration
A new model for managing and sustaining “open source” innovation A non-profit to develop and “own” the code Software Freedom Law Center created the
License pro bono A consortium of companies providing
support in exchange for not having to release changes
18
~$1.2m in DHS funding matched by ~$8m in commercial sponsorship
Presenter’s Name June 17, 2003
Software Assurance
19
“Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.”According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
Presenter’s Name June 17, 2003
Software Evolution
20
Codebases are HUMONGOUS• Common software applications – some
apps scale near 60 MLOC• Software Assurance tools typically can’t
scale this amount of code• Codebase size contributes to code
complexity• More features, usually means more code• Spaghetti code typically results in poor
quality of code
50 MLOC
Presenter’s Name June 17, 2003
SWAMP Vision Document
http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP-VISION-10.28.13.pdf
”The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A softwareassurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.” Kevin E. Greene, DHS S&TSoftware Assurance Program Manager
Presenter’s Name June 17, 2003
Cyber-Physical Systems
22
Cyber Physical Systems Are Becoming Ubiquitous:• Smart cars, smart grids, smart medical devices,
smart manufacturing, smart homes, and so on • You will “bet your life” on many of these systems• Fast moving field focusing on functionality now
and will bolt on security later… Drones Could Help Tulsa Firefighters During Search, Rescue
PPD 21 Identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”
Just like the Internet in its early days, car networks don’t employ very much security”
Opportunity Now To Build Security Into Emerging Cyber Physical Designs
Transportation Auto, UAVs, Aeronautical, Rail
Manufacturing Healthcare Energy Agriculture Emergency Response
Presenter’s Name June 17, 2003
http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm
II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)
DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.
HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults.
Recent Solicitation
23
Presenter’s Name June 17, 2003
https://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC-14-R-00035/listing.html.
https://sbir2.st.dhs.gov
TITLE: Automatic Detection and Patching of Vulnerabilities in Embedded Systems
Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles, and the many consumer devices that make up the “Internet of Things”.
Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems.
Future Solicitation SBIR: H-SB014.2-002
24
Presenter’s Name June 17, 2003
CSD New Programs / Ideas
Security for Cloud-Based Systems Data Privacy Technologies Mobile Wireless Investigations Mobile Device Security Next-Generation DDOS Defenses Application Security Threat Attack Modeling (ASTAM) Static Tool Analysis Modernization Project (STAMP) Network Reputation and Risk Analysis Data Analytics Methods for Cyber Security Cyber Security Education Designed-In Security Finance Sector Cybersecurity DNSSEC Applications Data Provenance for Cybersecurity Cyber Economic Incentives – based on EO/PPD
25
26
SUMMARY Research is essential in driving innovation
for current and future cybersecurity solutions DHS S&T continues with aggressive
cybersecurity research agenda Continue emphasis on collaboration,
technology transfer and experimental developments
Open source is a key part of our whole program
Presenter’s Name June 17, 2003
For more information, visit
http://www.dhs.gov/cyber-researchhttp://www.dhs.gov/st-csd
Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
202-254-6145 / 202-360-3170
27