This document summarizes the cybersecurity research agenda of the U.S. Department of Homeland Security Science and Technology Directorate. It discusses how DHS is focusing on areas like critical infrastructure security, open source software, cyber-physical systems, and new technology programs. The research aims to drive innovation in cybersecurity solutions through collaboration with academia, industry and open source communities to address evolving threats and transition technologies for real-world use.
Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity
1. Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity
Dr. Douglas Maughan
U.S. Department of Homeland Security, Science and Technology Directorate
Director, Cyber Security Division
3 April 2014
3. Executive Order (EO) on Improving Critical Infrastructure Cybersecurity / Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience
Office of Cybersecurity and Communications

Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:
– Develop a technology-neutral voluntary cybersecurity framework
– Promote/incentivize adoption of cybersecurity practices
– Increase the volume, timeliness and quality of cyber threat information sharing
– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
– Explore existing regulation to promote cyber security

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand cascading consequences of infrastructure failures
– Evaluate and mature the public-private partnership
– Update the National Infrastructure Protection Plan
– Develop a comprehensive research and development plan

“America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
President Barack Obama, 2013 State of the Union
(Photo credit: White House / Pete Souza)
4. Open Source and Government
Timeline figure (milestones as labelled on the slide):
• July 2001: PITAC HPC
• 2001-03: DARPA program
• Jan 2003: MITRE business case
• May 2003: Stenbit memo
• July 2004: OMB procurement memo
• June 2006: OTD Roadmap
• June 2007: DON CIO guidance
• Oct 2009: DoD NII guidance
• Oct 2009: OTD Phase 2 launched
• MITRE survey (no date shown on the slide)
5. PITAC Report on Open Source Software
(Timeline callout: DARPA Program (2001-2003) with Univ. of Pennsylvania, Network Associates Labs and WireX Communications)
President’s Information Technology Advisory Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC)
Critical Findings:
1. Federal government should encourage the development of Open Source Software.
2. Federal government should allow Open Source development efforts to compete on a “level playing field” with proprietary solutions in government procurement.
3. Government sponsored Open Source projects should choose from a small set of established Open Source licenses after analysis of each license and determination of which may be preferable.
6. Federal IT budget
• Cuts 2.9% from FY2014 budget
• Gives agencies $79 billion for IT
• Includes $13 billion for cyber security
7. Our Stakeholder Community
(Figure: stakeholder categories with counts, including federal agencies; state, tribal and local governments; utilities; transportation; public works; telecom & IT; chemical, oil and gas; media; insurance companies; schools, colleges and universities; hospitals and similar health facilities, doctors’ offices and nursing homes, mental health services and veterinarians; EMS, law enforcement, fire and COMM/911; social services; NGOs; sports facilities; telematics providers; restoration & repair; and employers. The counts cannot be paired with their categories from the extracted text.)
8. Cyber Threats and Sources
Threats:
• Malware – malicious software to disrupt computers (viruses, worms, …)
• Theft of intellectual property or data
• Hacktivism – cyber protests that are socially or politically motivated
• Mobile devices and applications and their associated cyber attacks
• Social engineering – entice users to click on malicious links
• Spear phishing – deceptive communications (e-mails, texts, tweets)
• Domain Name System (DNS) hijacking
• Router security – Border Gateway Protocol (BGP) hijacking
• Denial of service (DoS) – blocking access to web sites
• Others…
Sources:
• Nation states
• Cyber criminals
• Hackers/hacktivists
• Insider threats
• Terrorists, DTOs, etc.
9. CSD R&D Execution Model
Research, Development, Test and Evaluation & Transition (RDTE&T)
Acquisition successes:
• Ironkey – Secure USB
  – Standard issue to S&T employees from S&T CIO
  – Acquired by Imation
• Komoku – Rootkit detection technology
  – Acquired by Microsoft
• HBGary – Memory and malware analysis
  – Over 100 pilot deployments as part of Cyber Forensics
• Endeavor Systems – Malware analysis tools
  – Acquired by McAfee
• Stanford – Anti-phishing technologies
  – Open source; most browsers have included Stanford R&D
• Secure Decisions – Data visualization
  – Pilot with DHS/NCSD/US-CERT;
"Crossing the ‘Valley of Death’: Transitioning Cybersecurity Research into Practice," IEEE Security & Privacy, March-April 2013, Maughan, Douglas; Balenson, David; Lindqvist, Ulf; Tudor, Zachary. http://www.computer.org/portal/web/computingnow/securityandprivacy
10. Cyber Security Focus Areas
• Trustworthy Cyber Infrastructure: working with the global Internet community to secure cyberspace
• Research Infrastructure to Support Cybersecurity: developing the necessary research infrastructure to support the R&D community
• R&D Partnerships: establishing R&D partnerships with the private sector, academia, and international partners
• Innovation and Transition: ensuring R&D results become real solutions
• Cybersecurity Education: leading national and DHS cybersecurity education initiatives
11. A National Problem
NICE (the National Initiative for Cybersecurity Education) was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward, and is comprised of over 20 federal departments and agencies.
• Enhance public awareness: (1) augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).
• Expand the pipeline: (1) expand formal education at the post-secondary level, including both four-year and two-year institutions, and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations).
• Evolve the profession: (1) identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools, and (2) provide access to free or low-cost training for the identified critical skills.
12. HOST Program
Homeland Open Security Technology (HOST) investigates open security methods, models and technologies to identify viable and sustainable approaches to cybersecurity objectives.
• Focus on cybersecurity (open security) solutions
• Priority to federal, state and local governments
• Secondary to critical infrastructure and general IT solutions
DISCOVERY – COLLABORATION – INVESTMENT
13. HOST Discovery
Identify existing resources, methods, techniques and practices:
• Lessons Learned: Roadblocks and Opportunities for Open Source Software in U.S. Government (2012: Dr. David Wheeler, IDA; Tom Dunn, GTRI), based on interviews with experts, suppliers and potential users
• Open Security Inventory
• OpenCyberSecurity.org information portal
14. Lessons Learned: Open Source Software and Government
• Inertia: “We’ve never done it that way before”
• Procurement: government acquisition doesn’t match OSS business models; paperwork impedes small businesses (where most of OSS resides)
• Security: too many Certification and Accreditation (C&A) processes
• Standards / interoperability
• Inhibiting policies: policies inhibiting collaboration with the public community (ITAR, EAR)
• Education: a general problem, esp. intellectual property rights and licenses
15. HOST Collaboration
Establish public and private-sector research and development communities:
• Open Information Security Foundation
• Government Strategic Council
• Round Table Summits
• Community Outreach
16. Open Source Option
If open source enables technical agility, administrative flexibility and economic savings, then:
• How to leverage these benefits for federal, state and local governments?
• What technical resources and support services are available?
• Is the technology secure? Has it been vetted?
• Who else in government is using it?
• Have acquisition, adoption and policy issues been addressed?
• How to interact with the “development community”?
17. HOST Investment
Contribute seed investments in advanced R&D activities that produce sustainable project communities through broad adoption by public and private-sector use and support:
• Suricata IDS Engine
• FIPS 140-2 Validated OpenSSL
• Government Open Technology Index
• Open Security Application Map
18. Open Source – OISF and Suricata
Intrusion Detection & Prevention System (IDS/IPS):
• Very fast, multi-threaded
• Automated protocol detection
• File identification and extraction
• GPU acceleration
A new model for managing and sustaining “open source” innovation:
• A non-profit to develop and “own” the code
• Software Freedom Law Center created the license pro bono
• A consortium of companies providing support in exchange for not having to release changes
~$1.2m in DHS funding matched by ~$8m in commercial sponsorship
19. Software Assurance
“Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.”
According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
20. Software Evolution
Codebases are HUMONGOUS (figure: 50 MLOC)
• Common software applications – some apps scale near 60 MLOC
• Software assurance tools typically can’t scale to this amount of code
• Codebase size contributes to code complexity
• More features usually means more code
• Spaghetti code typically results in poor quality of code
21. SWAMP Vision Document
http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP-VISION-10.28.13.pdf
“The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A software assurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.”
Kevin E. Greene, DHS S&T Software Assurance Program Manager
22. Cyber-Physical Systems
Cyber-physical systems are becoming ubiquitous:
• Smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so on
• You will “bet your life” on many of these systems
• Fast-moving field focusing on functionality now and will bolt on security later…
(Headline shown on the slide: “Drones Could Help Tulsa Firefighters During Search, Rescue”)
PPD-21 identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”.
“Just like the Internet in its early days, car networks don’t employ very much security”
Opportunity now to build security into emerging cyber-physical designs.
Sectors: Transportation (auto, UAVs, aeronautical, rail); Manufacturing; Healthcare; Energy; Agriculture; Emergency Response
23. Recent Solicitation
http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm
II.C.1 U.S. DHS S&T Homeland Security Advanced Research Projects Agency (HSARPA)
DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure. HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS; those related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults.
24. Future Solicitation
SBIR: H-SB014.2-002
https://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC-14-R-00035/listing.html
https://sbir2.st.dhs.gov
TITLE: Automatic Detection and Patching of Vulnerabilities in Embedded Systems
Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles, and the many consumer devices that make up the “Internet of Things”.
Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems.
25. CSD New Programs / Ideas
• Security for Cloud-Based Systems
• Data Privacy Technologies
• Mobile Wireless Investigations
• Mobile Device Security
• Next-Generation DDoS Defenses
• Application Security Threat Attack Modeling (ASTAM)
• Static Tool Analysis Modernization Project (STAMP)
• Network Reputation and Risk Analysis
• Data Analytics Methods for Cyber Security
• Cyber Security Education
• Designed-In Security
• Finance Sector Cybersecurity
• DNSSEC Applications
• Data Provenance for Cybersecurity
• Cyber Economic Incentives – based on EO/PPD
26. Summary
• Research is essential in driving innovation for current and future cybersecurity solutions
• DHS S&T continues with an aggressive cybersecurity research agenda
• Continued emphasis on collaboration, technology transfer and experimental developments
• Open source is a key part of our whole program
27. For more information
http://www.dhs.gov/cyber-research
http://www.dhs.gov/st-csd
Douglas Maughan, Ph.D.
Division Director, Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170