Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity Dr. Douglas Maughan U.S. Department of Homeland Security Science and Technology Directorate Director, Cyber Security Division 3 April 2014


DESCRIPTION

Great Wide Open - Day 2 Dr. Douglas Maughan - HSARPA 10:30 AM - Security


Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity

Dr. Douglas Maughan
U.S. Department of Homeland Security
Science and Technology Directorate
Director, Cyber Security Division

3 April 2014


Homeland Security

Office of Cybersecurity and Communications

Executive Order (EO) on Improving Critical Infrastructure Cybersecurity / Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience

Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:

– Develop a technology-neutral voluntary cybersecurity framework
– Promote/incentivize adoption of cybersecurity practices
– Increase the volume, timeliness and quality of cyber threat information sharing
– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
– Explore existing regulation to promote cyber security

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:

– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand cascading consequences of infrastructure failures
– Evaluate and mature the public-private partnership
– Update the National Infrastructure Protection Plan
– Develop comprehensive research and development plan

“America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”

President Barack Obama, 2013 State of the Union

Credit: White House / Pete Souza


Open Source and Government

[Timeline figure. Milestones shown: PITAC HPC; Stenbit Memo; MITRE Bus. Case; MITRE Survey; OMB Procurement Memo; OTD Roadmap; OTD Phase 2; DON CIO Guidance; DoD NII Guidance. Dates shown: July 2001; 2001 - 03; Jan 2003; May 2003; July 2004; June 2006; June 2007; Oct 2009; Launched Oct 2009.]


Univ. of Pennsylvania
Network Associates Labs
WireX Communications

• DARPA Program (2001-2003)
• President’s Information Technology Advisory Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC)

Critical Findings

1. Federal government should encourage the development of Open Source Software.
2. Federal government should allow Open Source development efforts to compete on a “level playing field” with proprietary solutions in government procurement.
3. Government sponsored Open Source projects should choose from a small set of established Open Source licenses after analysis of each license and determination of which may be preferable.


Cuts 2.9% from FY2014 budget

Gives agencies $79 billion for IT

Includes $13 billion for cyber security


Our Stakeholder Community

[Figure: diagram of stakeholder groups, each shown with a count. Groups named: COMM/911; EMS; LE; Fire; Colleges & Universities; Departments; Social Services; Utilities; Transportation; Public Works; Media; Chemical, Oil and Gas; Restoration & Repair; NGOs; Veterinarians; Schools; Telecom & IT; Sports Facilities; State, Tribal, Local Govts; Telematics Providers; Doctors’ Offices, Nursing Homes; Employers; Mental Health Services; Federal Agencies; Insurance Companies.]


Cyber Threats and Sources

• Malware – Malicious software to disrupt computers
  – Viruses, worms, …
• Theft of Intellectual Property or Data
• Hacktivism – Cyber protests that are socially or politically motivated
• Mobile Devices and Applications and their associated Cyber Attacks
• Social Engineering – Entice users to click on Malicious Links
• Spear Phishing – Deceptive communications (E-Mails, Texts, Tweets)
• Domain Name System (DNS) Hijacking
• Router Security – Border Gateway Protocol (BGP) Hijacking
• Denial of Service (DOS) – blocking access to web sites
• Others …

• Nation States
• Cyber Criminals
• Hackers/Hacktivists
• Insider Threats
• Terrorists, DTOs, etc.


CSD R&D Execution Model

Research, Development, Test and Evaluation & Transition (RDTE&T)

Successes

• Ironkey – Secure USB
  – Standard Issue to S&T employees from S&T CIO
  – Acquired by Imation
• Komoku – Rootkit Detection Technology
  – Acquired by Microsoft
• HBGary – Memory and Malware Analysis
  – Over 100 pilot deployments as part of Cyber Forensics
• Endeavor Systems – Malware Analysis tools
  – Acquired by McAfee
• Stanford – Anti-Phishing Technologies
  – Open source; most browsers have included Stanford R&D
• Secure Decisions – Data Visualization
  – Pilot with DHS/NCSD/US-CERT; Acquisition

"Crossing the ‘Valley of Death’: Transitioning Cybersecurity Research into Practice," IEEE Security & Privacy, March-April 2013, Maughan, Douglas; Balenson, David; Lindqvist, Ulf; Tudor, Zachary
http://www.computer.org/portal/web/computingnow/securityandprivacy


Cyber Security Focus Areas

• Trustworthy Cyber Infrastructure
  – Working with the global Internet community to secure cyberspace
• Research Infrastructure to Support Cybersecurity
  – Developing necessary research infrastructure to support R&D community
• R&D Partnerships
  – Establishing R&D partnerships with private sector, academia, and international partners
• Innovation and Transition
  – Ensuring R&D results become real solutions
• Cybersecurity Education
  – Leading National and DHS cybersecurity education initiatives


A National Problem

• Enhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).
• Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations).
• Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills.

NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies.


HOST Program

Homeland Open Security Technology investigates open security methods, models and technologies to identify viable and sustainable approaches to cybersecurity objectives.

Focus on cybersecurity (Open Security) solutions

Priority to Federal, State and local governments

Secondary to critical infrastructure and general IT solutions

DISCOVERY – COLLABORATION – INVESTMENT


HOST DISCOVERY

Identify existing resources, methods, techniques, practices

Lessons Learned: Roadblocks and Opportunities for Open Source Software in U.S. Government 2012: Dr. David Wheeler, IDA; Tom Dunn, GTRI

Interviews with experts, suppliers and potential users

Open Security Inventory

OpenCyberSecurity.org Information Portal


Lessons Learned: Open Source Software and Government

• Inertia
  – We’ve never done it that way before
• Procurement
  – Government acquisition doesn’t match OSS business models
  – Paperwork impedes small businesses (where most of OSS resides)
• Security
  – Too many Certification and Accreditation (C&A) processes
• Standards / Interoperability
• Inhibiting Policies
  – Policies inhibiting collaboration with public community (ITAR, EAR)
• Education
  – General problem, esp. intellectual property rights and licenses


HOST COLLABORATION

Establish public and private-sector research and development communities

• Open Information Security Foundation
• Government Strategic Council
• Round Table Summits
• Community Outreach


Open Source Option

If Open Source enables technical agility, administrative flexibility and economic savings, then:

How to leverage these benefits for Federal, state, local governments?

What technical resources and support services are available?

Is the technology secure? Has it been vetted?

Who else in government is using it?

Have acquisition, adoption, policy issues been addressed?

How to interact with “development community?”


HOST INVESTMENT

Contribute seed investments in advanced R&D activities that produce sustainable project communities through broad adoption by public and private-sector use and support

• Suricata IDS Engine
• FIPS 140-2 Validated OpenSSL
• Government Open Technology Index
• Open Security Application Map


Open Source – OISF and Suricata

Intrusion Detection & Prevention System (IDS/IPS)

• Very Fast, Multi-Threaded
• Automated Protocol Detection
• File Identification and Extraction
• GPU Acceleration

A new model for managing and sustaining “open source” innovation

• A non-profit to develop and “own” the code
• Software Freedom Law Center created the License pro bono
• A consortium of companies providing support in exchange for not having to release changes

~$1.2m in DHS funding matched by ~$8m in commercial sponsorship


Software Assurance

“Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.”

According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.


Software Evolution

Codebases are HUMONGOUS

• Common software applications – some apps scale near 60 MLOC
• Software Assurance tools typically can’t scale this amount of code
• Codebase size contributes to code complexity
• More features, usually means more code
• Spaghetti code typically results in poor quality of code

50 MLOC


SWAMP Vision Document

http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP-VISION-10.28.13.pdf

“The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A software assurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.”

Kevin E. Greene, DHS S&T Software Assurance Program Manager


Cyber-Physical Systems

Cyber Physical Systems Are Becoming Ubiquitous:

• Smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so on
• You will “bet your life” on many of these systems
• Fast moving field focusing on functionality now and will bolt on security later…

Drones Could Help Tulsa Firefighters During Search, Rescue

PPD 21 identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”

“Just like the Internet in its early days, car networks don’t employ very much security”

Opportunity Now To Build Security Into Emerging Cyber Physical Designs

• Transportation – Auto, UAVs, Aeronautical, Rail
• Manufacturing
• Healthcare
• Energy
• Agriculture
• Emergency Response


http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm

II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)

DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.

HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults.

Recent Solicitation


https://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC-14-R-00035/listing.html. 

https://sbir2.st.dhs.gov

TITLE: Automatic Detection and Patching of Vulnerabilities in Embedded Systems

Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles, and the many consumer devices that make up the “Internet of Things”.

Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems.

Future Solicitation SBIR: H-SB014.2-002


CSD New Programs / Ideas

• Security for Cloud-Based Systems
• Data Privacy Technologies
• Mobile Wireless Investigations
• Mobile Device Security
• Next-Generation DDOS Defenses
• Application Security Threat Attack Modeling (ASTAM)
• Static Tool Analysis Modernization Project (STAMP)
• Network Reputation and Risk Analysis
• Data Analytics Methods for Cyber Security
• Cyber Security Education
• Designed-In Security
• Finance Sector Cybersecurity
• DNSSEC Applications
• Data Provenance for Cybersecurity
• Cyber Economic Incentives – based on EO/PPD


SUMMARY

• Research is essential in driving innovation for current and future cybersecurity solutions
• DHS S&T continues with aggressive cybersecurity research agenda
• Continue emphasis on collaboration, technology transfer and experimental developments
• Open source is a key part of our whole program


For more information, visit

http://www.dhs.gov/cyber-research
http://www.dhs.gov/st-csd

Douglas Maughan, Ph.D.

Division Director

Cyber Security Division

Homeland Security Advanced Research Projects Agency (HSARPA)

[email protected]

202-254-6145 / 202-360-3170
