HSARPA Cyber Security R - PowerPoint PPT Presentation

Description: REAL-TIME MALICIOUS CODE IDENTIFICATION (SB04.2-002) ... attacks', the first appearance of malicious code for which no known defense has ... – PowerPoint PPT presentation
Slides: 64
Provided by: sig87
Learn more at: http://www.sigsac.org

Transcript and Presenter's Notes

1
Dept. of Homeland Security Science & Technology
Directorate
Homeland Security Cyber Security R&D Initiatives
ACM CCS, Alexandria, VA, November 8, 2005
Douglas Maughan, Ph.D., Program Manager,
HSARPA, douglas.maughan@dhs.gov, 202-254-6145 /
202-360-3170
2
General DHS Organization (prior to 7/13/05)
  • Coast Guard
  • Secret Service
  • Citizenship & Immigration Ombuds
  • Civil Rights and Civil Liberties
  • Legislative Affairs
  • General Counsel
  • Inspector General
  • State & Local Coordination
  • Private Sector Coordination
  • International Affairs
  • National Capital Region Coordination
  • Counter-narcotics
  • Small and Disadvantaged Business
  • Privacy Officer
  • Chief of Staff

Secretary (Chertoff), Deputy Secretary (Jackson)
  • Management (Hale)
  • Science & Technology (McQueary)
  • Information Analysis & Infrastructure Protection (Stephan, act.)
  • Border & Transportation Security (Beardsworth, act.)
  • Emergency Preparedness & Emergency Response (Paulison, act.)
3
Department of Homeland Security Organization
Chart (proposed end state)
  • SECRETARY, DEPUTY SECRETARY
  • EXECUTIVE SECRETARY
  • CHIEF OF STAFF
  • MILITARY LIAISON
  • INSPECTOR GENERAL
  • UNDER SECRETARY FOR POLICY
  • UNDER SECRETARY FOR SCIENCE & TECHNOLOGY
  • UNDER SECRETARY FOR MANAGEMENT
  • A/S CONGRESSIONAL & INTERGOVERNMENTAL AFFAIRS
  • ASSISTANT SECRETARY PUBLIC AFFAIRS
  • GENERAL COUNSEL
  • UNDER SECRETARY FOR PREPAREDNESS
  • DIRECTOR OF COUNTER NARCOTICS
  • DIRECTOR OF OPERATIONS COORDINATION
  • ASSISTANT SECRETARY, OFFICE OF INTELLIGENCE & ANALYSIS
  • CHIEF PRIVACY OFFICER
  • OMBUDSMAN, CITIZENSHIP & IMMIGRATION SERVICES
  • DIRECTOR, CIVIL RIGHTS/CIVIL LIBERTIES
  • DOMESTIC NUCLEAR DETECTION OFFICE
  • SCREENING COORDINATION OFFICE
  • LABOR RELATIONS BOARD
  • FEDERAL LAW ENFORCEMENT TRAINING CENTER
  • COMMISSIONER, IMMIGRATION & CUSTOMS ENFORCEMENT
  • DIRECTOR, CITIZENSHIP & IMMIGRATION SERVICES
  • DIRECTOR, FEMA
  • DIRECTOR, TRANSPORTATION SECURITY ADMINISTRATION
  • COMMISSIONER, CUSTOMS & BORDER PROTECTION
  • DIRECTOR, US SECRET SERVICE
  • COMMANDANT, US COAST GUARD
4
Department of Homeland Security Organization
Chart: Preparedness (proposed end state)
  • UNDER SECRETARY FOR PREPAREDNESS
  • CHIEF MEDICAL OFFICER
  • FIRE ADMINISTRATION
  • NATIONAL CAPITAL REGION DIRECTOR
  • ASSISTANT SECRETARY FOR GRANTS AND TRAINING
  • ASSISTANT SECRETARY FOR INFRASTRUCTURE PROTECTION
  • ASSISTANT SECRETARY FOR CYBER & TELECOMMUNICATIONS
5
Science and Technology (S&T) Mission
Conduct, stimulate, and enable research,
development, test, evaluation and timely
transition of homeland security capabilities to
federal, state and local operational end-users.
6
S&T Organization Chart
Under Secretary for Science & Technology (McQueary)
Office of Plans, Programs and Requirements (Evans, act.)
Homeland Security Advanced Research Projects Agency (Kubricky, act.)
Office of Research and Development (McCarthy)
Office of Systems Engineering & Development (Kubricky)
7
Execution
[Diagram: execution partners: Industry, Laboratories, Universities, Centers, Fellowships, Scholarships]
Stewardship of an enduring capability
Development Engineering, Production, Deployment
Innovation, Adaptation, Revolution
8
Crosscutting Portfolio Areas
  • Chemical
  • Biological
  • Radiological
  • Nuclear
  • High Explosives
  • Cyber Security
  • Critical Infrastructure Protection (CIP)
  • USSS

9
Legacy of HSARPA Name: How is it different from
DARPA?
  • Differences
  • 85-90% of funds for identified DHS requirements
  • 10-15% of funds for revolutionary research
  • Breakthroughs,
  • New technologies and systems
  • These percentages likely to change over time, but
    we need to meet today's requirements

10
HSARPA Funding
HSARPA funding is allocated from Appropriated
line items
11
Cyber Security R&D Portfolio Scope
  • We focus on threats and issues that warrant
    national-level concern
  • Asymmetric capabilities make cyberspace an
    appealing battleground for our adversaries
  • Cyberspace presents an avenue to exploit
    weaknesses in our critical infrastructures
  • The most significant cyber threats are very
    different from script-kiddies or virus writers
  • Terrorism
  • Organized crime
  • Economic espionage

12
R&D Execution Model
13
R&D Execution Model
14
Rapid Technology Application Program (RTAP)
  • Similar to the existing Technical Support Working
    Group (TSWG) approach
  • Requirements Generation Panel
  • Identify general technology needs
  • Reduce collection of general needs
  • Explore issues and draft Statement of
    Requirements (SoR)
  • Write an SoR for each technology need in detail
    suitable for prototype procurement

15
Cyber Security RTAP Topics
  • 1) BOTNET Detection and Mitigation Tool
  • Customer: IAIP/NCSD
  • 2) Exercise Scenario Modeling Tool
  • Customer: IAIP/NCSD
  • 3) DHS Secure Wireless Access Prototype
  • Customer: S&T OCIO
  • Pre-solicitation at http://www.hsarpabaa.com

16
HSARPA Cyber Security Broad Agency Announcement
(BAA 04-17)
  • A critical area of focus for DHS is the
    development and deployment of technologies to
    protect the nation's cyber infrastructure,
    including the Internet and other critical
    infrastructures that depend on computer systems
    for their mission. The goals of the Cyber
    Security Research and Development (CSRD) program
    are:
  • To perform research and development (R&D) aimed
    at improving the security of existing deployed
    technologies and to ensure the security of new
    emerging systems
  • To develop new and enhanced technologies for the
    detection of, prevention of, and response to
    cyber attacks on the nation's critical
    information infrastructure.
  • To facilitate the transfer of these technologies
    into the national infrastructure as a matter of
    urgency.
  • http://www.hsarpabaa.com

17
BAA Technical Topic Areas (TTAs)
  • System Security Engineering
  • Vulnerability Prevention
  • Tools and techniques for better software
    development
  • Vulnerability Discovery and Remediation
  • Tools and techniques for analyzing software to
    detect security vulnerabilities
  • Cyber Security Assessment
  • Develop methods and tools for assessing the cyber
    security of information systems
  • Security of Operational Systems
  • Security and Trustworthiness for Critical
    Infrastructure Protection
  • 1) Automated security vulnerability assessments
    for CI systems
  • 2) Improvements in system robustness of critical
    infrastructure systems
  • 3) Configuration and security policy management
    tools
  • 4) Cross-platform and/or cross network attack
    correlation and aggregation

18
BAA TTAs (continued)
  • Security of Operational Systems
  • Wireless Security
  • Security tools/products for today's networks
  • Solutions and standards for next generation
    networks
  • Investigative and Prevention Technologies
  • Network Attack Forensics
  • Tools and techniques for attack traceback
  • Technologies to Defend against Identity Theft
  • R&D of tools and techniques for defending against
    identity theft and other financial systems
    attacks, e.g., phishing

19
BAA Program / Proposal Structure
  • NOTE: Deployment Phase = Test, Evaluation, and
    Pilot deployment in DHS customer environments
  • Type I (New Technologies): Funding NTE 36 months
  • New technologies with an applied research phase,
    a development phase, and a deployment phase
    (optional)
  • Type II (Prototype Technologies): Funding NTE 24
    months
  • More mature prototype technologies with a
    development phase and a deployment phase
    (optional)
  • Type III (Mature Technologies): Funding NTE 12
    months
  • Mature technology with a deployment phase only.

20
BAA 04-17 Proposal Summary
  • http://www.hsarpabaa.com/ (Solicitation Awards,
    BAA04-17 Awards)

21
Small Business Innovative Research (SBIRs)
  • http://www.hsarpasbir.com
  • CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES
    (SB04.2-001)
  • Objective: Develop a system to efficiently
    correlate information from multiple intrusion
    detection systems (IDSes) about stealthy
    sources and targets of attacks in a distributed
    fashion across multiple environments.
  • REAL-TIME MALICIOUS CODE IDENTIFICATION
    (SB04.2-002)
  • Objective: Develop technologies to detect
    anomalous network payloads destined for any
    service or port in a target machine in order to
    prevent the spread of destructive code through
    networks and applications. These technologies
    should focus on detecting "zero day attacks", the
    first appearance of malicious code for which no
    known defense has been constructed.

22
SBIR FY05.2 Submission
  • Hardware-assisted System Security Monitoring
  • OBJECTIVE: This topic seeks technologies that
    provide a hardware-assist for the monitoring of
    system security. It is expected that the
    resulting solutions would be some type of
    inexpensive coprocessor board that would work
    with existing hardware and software, resulting in
    a system with much higher assurance than
    currently available. By putting the monitoring
    capability in hardware it is much more difficult
    for an attacker to disable this part of the
    system, because the board is isolated from
    potential remote attackers and would require
    physical access to compromise the hardware-assist
    board; this provides the owner/user technology
    that can monitor the security health of the
    system in near real-time. This will ensure that
    even when the machine is on, but the user is not
    using the machine, the system will be monitored
    and can even be "shut down" so unknown
    communications are not sent while the user is away.
    The hardware-assist system should have the
    capability to collect and store information for
    forensic purposes, and the system should also have
    the capability to report security-related events to a
    central monitoring station.
  • Solicitation at http://www.hsarpasbir.com

23
R&D Execution Model
24
DHS / NSF Cyber Security Testbed
  • "Justification and Requirements for a National
    DDOS Defense Technology Evaluation Facility",
    July 2002
  • We still lack large-scale deployment of security
    technology sufficient to protect our vital
    infrastructures
  • Recent investment in research on cyber security
    technologies by government agencies (NSF, DARPA,
    armed services) and industry.
  • One important reason is the lack of an
    experimental infrastructure and rigorous
    scientific methodologies for developing and
    testing next-generation defensive cyber security
    technology
  • The goal is to create, operate, and support a
    researcher-and-vendor-neutral experimental
    infrastructure that is open to a wide community
    of users and produce scientifically rigorous
    testing frameworks and methodologies to support
    the development and demonstration of
    next-generation cyber defense technologies

25
DETER Testbed Architecture
[Diagram: cyber defense experiments run on a virtual Internet; sites UCB, Sparta and USC-ISI linked over the Internet]
  • 3 major sites, over 200 nodes
  • GOAL: By end of FY07 to have 1000 nodes
    distributed at possibly up to 6 sites

26
A Protected REpository for Defense of
Infrastructure against Cyber Threats
  • PREDICT Program Objective:
  • To advance the state of the research and
    commercial development (of network security
    products) we need to produce datasets for
    information security testing and evaluation of
    maturing networking technologies.
  • Rationale / Background / Historical:
  • Researchers with insufficient access to data are
    unable to adequately test their research
    prototypes
  • Government technology decision-makers have no
    data to evaluate competing products

End Goal: Improve the quality of defensive cyber
security technologies
27
Industry Workshop 2004
  • ATTENDEES:
  • AOL
  • UUNET
  • Verio (PREDICT participant)
  • XO Comms
  • Akamai
  • Arbor Networks
  • System Detection
  • Cisco
  • PCH (PREDICT participant)
  • Symantec
  • USC-ISI (PREDICT participant)
  • Univ. of WA (PREDICT participant)
  • CERT/CC
  • LBNL (PREDICT participant)
  • Internet2 (PREDICT participant)
  • CAIDA (PREDICT participant)
  • Merit Networks (PREDICT participant)
  • Citigroup
  • Begin the dialogue between HSARPA and industry as
    it pertains to the cyber security research agenda
  • Discuss existing data collection activities and
    how they could be leveraged to accomplish the
    goals of this program
  • Discuss data sharing issues (e.g., technical,
    legal, policy, privacy) that limit opportunities
    today and develop a plan for navigating forward
  • Develop a process by which data can be
    regularly collected and shared with the network
    security research community

28
Data Collection Activities
  • Classes of data that are interesting, people want
    collected, and seem reasonable to collect:
  • Netflow
  • Packet traces: headers and full packet (context
    dependent)
  • Critical infrastructure: BGP and DNS data
  • Topology data
  • IDS / firewall logs
  • Performance data
  • Network management data (i.e., SNMP)
  • VoIP (1400 IP-phone network)
  • Blackhole Monitor traffic

29
PREDICT Information
  • https://www.predict.org
  • Recent Workshop:
  • http://www.hsarpacyber.com/public/PREDICT/


30
Internet Infrastructure Security Motivation
  • The National Strategy to Secure Cyberspace (2003)
    recognized the DNS as a critical weakness
  • NSSC called for the Department of Homeland
    Security to coordinate public-private
    partnerships to encourage the adoption of
    improved security protocols, such as DNS
  • The security and continued functioning of the
    Internet will be greatly influenced by the
    success or failure of implementing more secure
    and more robust BGP and DNS. The Nation has a
    vital interest in ensuring that this work
    proceeds. The government should play a role when
    private efforts break down due to a need for
    coordination or a lack of proper incentives.

31
Domain Name System Security (DNSSEC) Program
  • DNSSEC Program Objective:
  • Carry forward to completion the recommendation
    from the National Strategy to Secure Cyberspace
    by engaging industry, government, and academia to
    enable all DNS-related traffic on the Internet to
    be DNSSEC compliant
  • Rationale / Background / Historical:
  • DNS is a critical component of the Internet
    infrastructure and was not designed for security
  • DNS vulnerabilities have been identified for over
    a decade and we are addressing these
    vulnerabilities

End Goal: Greatly increase the security of the
Internet (as critical infrastructure) by securing
the DNS through the use of crypto signatures
32
The Domain Name System
  • DNS database maps:
  • Name to IP address: www.dhs.gov -> 206.18.104.198
  • And many other mappings (mail servers, IPv6,
    reverse)
  • Data organized as tree structure
  • Each zone is authoritative for its own data
  • Minimal coordination between zone operators

[Diagram: DNS name tree with node labels Root, edu, mil, ru, darpa, isi, mil, usmc, nge, alpha]
33
DNS Attacks
  • Attacks via and against the DNS infrastructure
    are increasing
  • Attacks are becoming costly and difficult to
    remedy
  • Consumer confidence in Internet accuracy is
    decreasing
  • Financial/large enterprises are seeing a
    significant increase in online attacks for
    fraudulent purposes
  • Hijacking (virtual theft of domain names)
  • http://www.icann.org/announcements/hijacking-report-12jul05.pdf
  • Phishing (look-alike fraudulent emails and web
    sites)
  • Pharming (phishing combined with DNS attacks)
  • Other attacks include DNS name mismatches or
    browser tricks aimed at careless users

34
DNSSEC: What it provides
  • Provides an approach so DNS users can:
  • Validate that data they receive came from the
    correct originator, i.e., Source Authenticity
  • Validate that data they receive is the data the
    originator put into the DNS, i.e., Data Integrity
  • Approach integrates with existing server
    infrastructure and user clients
  • DNSSEC awareness by application:
  • Results of DNSSEC validation functions provided
    to applications
  • Applications can take different actions based on
    DNSSEC validation results, e.g. won't connect to
    www.bankofamerica.com without good validation but
    will connect to www.cnn.com without it.
  • Examples:
  • Web browsers
  • Email servers and clients
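The last point of this slide, an application choosing its action from the DNSSEC validation result, is worked through below as an added Python example that is not part of the original presentation: a stub-side check that reads the AD (Authentic Data) flag from a resolver's response header and applies a per-name policy like the www.bankofamerica.com / www.cnn.com contrast above. The REQUIRE_SECURE set and the constructed header-only responses are assumptions for illustration.

```python
"""DNSSEC-aware application policy driven by the resolver's AD flag.

Added illustration (not the presentation's code). A validating recursive
resolver sets the AD bit (RFC 4035, section 3.2.3) when every RRset in the
answer passed DNSSEC validation, and answers SERVFAIL (RCODE 2) when
validation failed (RFC 4035, section 5.5). An application that trusts its
resolver can use those two signals to decide whether the data is good
enough for the name at hand.
"""
import struct
from enum import Enum


class Validation(Enum):
    SECURE = "secure"      # AD=1: resolver validated the signature chain
    INSECURE = "insecure"  # AD=0 with an answer: unsigned zone or no validation
    BOGUS = "bogus"        # SERVFAIL: validation failed (or resolver trouble)


# Assumed policy for the example: names that must not be used unless the
# resolver could validate them. Everything else is accepted unsigned,
# mirroring the slide's bank-vs-news-site contrast.
REQUIRE_SECURE = {"www.bankofamerica.com"}

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def parse_header_flags(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 4.1.1, RFC 4035 3.1.6)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # Authentic Data
        "cd": bool(flags & 0x0010),  # Checking Disabled
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(msg: bytes) -> Validation:
    """Map a response to SECURE / INSECURE / BOGUS from its header alone.

    Caveat: the AD bit is only meaningful if the path between this stub and
    the validating resolver is trusted (e.g. a resolver on localhost), since
    anyone who can spoof the response can set the bit too. Trusting it over
    an open network re-introduces the spoofing problem DNSSEC addresses.
    """
    h = parse_header_flags(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return Validation.BOGUS
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        raise ValueError(f"unhandled rcode {h['rcode']}")
    return Validation.SECURE if h["ad"] else Validation.INSECURE


def should_connect(name: str, msg: bytes) -> bool:
    """The slide's policy: sensitive names need SECURE; others may be INSECURE."""
    result = classify(msg)
    if result is Validation.BOGUS:
        return False  # never act on data that failed validation
    if name.lower().rstrip(".") in REQUIRE_SECURE:
        return result is Validation.SECURE
    return True


def make_response(ad: bool, rcode: int = RCODE_NOERROR, txid: int = 0x1234) -> bytes:
    """Constructed header-only response for testing (QR=1, RD=1, RA=1, AD as given)."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0x000F)
    answers = 1 if rcode == RCODE_NOERROR else 0
    return struct.pack("!6H", txid, flags, 1, answers, 0, 0)


if __name__ == "__main__":
    for name, msg in [
        ("www.bankofamerica.com", make_response(ad=True)),
        ("www.bankofamerica.com", make_response(ad=False)),
        ("www.cnn.com", make_response(ad=False)),
        ("www.cnn.com", make_response(ad=False, rcode=RCODE_SERVFAIL)),
    ]:
        print(f"{name:24s} {classify(msg).value:9s} connect={should_connect(name, msg)}")
```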

35
DNSSEC Initiative Activities
  • Roadmap published in February 2005
  • http://www.dnssec-deployment.org/roadmap.php
  • Multiple workshops held world-wide
  • DNSSEC testbed developed by
  • http://www-x.antd.nist.gov/dnssec/
  • Involvement with numerous deployment pilots
  • Working with Civilian government (.gov) to
    develop policy and technical guidance for secure
    DNS operations and beginning deployment
    activities at all levels.
  • Working with the operators of the .us and
    .mil zones towards DNSSEC deployment and
    compliance

36
DNSSEC Design / Use
  • Secure DNS Guidance Documents
  • NIST 800 Series Documents for operators and
    policy/decision makers.
  • Define the problem space
  • Outline BCP for securing current DNS operations
  • Guidelines for deployment and use of DNSSEC
  • Series of outreach efforts
  • Announcement from
    http://csrc.nist.gov/publications/drafts.html:
    August 11, 2005, Draft NIST Special Publication
    800-81, Secure Domain Name System (DNS)
    Deployment Guide. Request for Comments closed
    Sept. 29th, 2005

37
Secure Protocols for the Routing Infrastructure
(SPRI)
  • BGP is the routing protocol that connects ISPs
    and subscriber networks together to form the
    Internet
  • BGP does not forward subscriber traffic, but it
    determines the paths subscriber traffic follows
  • The BGP architecture makes it highly vulnerable
    to human errors and malicious attacks against:
  • Links between routers
  • The routers themselves
  • Management stations that control routers
  • Work with industry to develop solutions for our
    current routing security problems and future
    technologies

38
SPRI Activities To Date
  • Formation of government and industry steering
    committee
  • DHS, DOD, DOCommerce, NIST, ICANN, IETF
  • Held first industry requirements workshop March
    15-16, 2005 in WDC
  • Held second workshop on operational security May
    18-19, 2005 in Seattle in conjunction with NANOG.
  • Held third workshop on registry operations Sept.
    13-14, 2005 in WDC. Outputs submitted at the recent
    ARIN meeting

39
Cyber Security Assessment Activities
  • Cyber Economics Study
  • Dept. of Treasury "Key Business Processes in
    the Event of a Crisis" Study

40

Economic Analysis of Cyber Security and
Private-Sector Investment Decisions
  • The objective of the study is to investigate
    Internet stakeholders' investment decisions for
    bolstering the security of their information
    technology (IT) networks.
  • To achieve the study objectives, RTI will:
  • review existing studies to assess the economics
    of cyber security,
  • conduct a series of interviews within eight
    industry sectors to assess companies' investment
    decisions related to securing their IT networks,
    and
  • identify potential areas for government
    involvement and/or support for the deployment and
    adoption of existing cyber security technologies.
  • DHS/Cyber Security IMPACT:
  • DHS is interested in economic decisions that may
    lead to inadequate investment in cyber security
    measures.
  • Better information on the costs and benefits of
    security technologies and adverse events will
    help inform private investment decisions.
  • Understanding the public-goods nature of Internet
    security may inform government's involvement in
    cyber security.

SCHEDULE
41

Prototyping of a Business Process Model (A
Computer Simulation) of the Finance Sector
  • DESCRIPTION / OBJECTIVES / METHODS
  • Proof of Concept activities are designed to
    assess initial technical and operational
    feasibility, including scoping and development of
    a concept of operations, before stakeholders
    invest substantial resources in full-scale
    development.
  • Various private and public-sector stakeholders
    have determined the immediate operational need
    for this capability; it meets several gaps
    defined by the Treasury Department and
    sector-level coordinating councils.
  • The research involves 4 phases: (1) Engage SMEs to
    help define the logical and physical extent of
    the sector at a high level; (2) Determine an
    appropriate subset of sector transactions to
    model as a proof of concept; (3) Use rapid
    prototyping to define simulation requirements;
    (4) Report on technical and operational feasibility
  • DHS/Cyber Security IMPACT
  • This project addresses the requirement for a
    man-in-the-loop simulation that emulates
    sector-wide disruptions and their operational
    (business) impact.
  • Sector-level simulation of impacts resulting from
    cyber and physical disruptions of business
    processes and transactions between critical
    entities in the Finance Sector will provide
    government and industry stakeholders and users
    with unique insight into operational risks, single
    points of failure, and mitigation strategies.
  • Potential users include risk managers responsible
    for the operational health of the sector, and
    also enterprise risk managers

BUDGET & SCHEDULE
[Schedule chart, tasks across FY05-FY07: Proof of Concept (Feasibility); Phase 1 Requirements Definition; Phase 1 Simulation Design; Phase 1 Implementation, Integration, Testing, and Roll-out]
42

Rapid Prototyping: Authoritative SSL Auditing
PROJECT DESCRIPTION / OVERVIEW
  • Goal: Enable organizations to audit secure
    communications to prove policy compliance,
    investigate attacks, and arbitrate
    disputes. Approach: Use a passive network device
    to record SSL traffic, sign it with a hardware
    security module, and open communications when
    necessary. Requires the cooperation of the
    original secure server to keep its keys secure.
    Web portal restricts access to authorized
    personnel.
  • Status: Alpha Aug 15, 2005; Beta planned for Dec
    15, 2005
  • End Users: Information technology and security
    officers in government agencies and commercial
    organizations, especially those that need to
    comply with regulations such as HIPAA, FACTA, and
    Sarbanes-Oxley.

[Diagram: client machines (client application, SSL client), server machines (server application, SSL server, key shield), network switch, auditing device (recording application, signing application), portal device (auditing portal)]
BUDGET & SCHEDULE
  • DHS/Cyber Security Impact
  • Complete, authoritative records of electronic
    transactions
  • Ensure users/organizations follow security
    policies
  • Better investigate attacks and fraud over SSL
  • All records remain confidential until
    specifically reviewed
  • Very low total cost of ownership encourages
    adoption

[Schedule chart, FY05-FY07: Reqmnts., Design, Alpha System, Beta System, Final System]
43
Emerging Threats: VME-DEP
  • Virtual Machine Environment - Detection and
    Escape Prevention
  • VME use is increasing in industry and government,
    and is starting to be used in classified networks
  • Goals of this project are to:
  • Gain a better understanding of where VMEs are
    used and for what purpose
  • Determine how an attacker might break the
    security models defined by a VME
  • Develop techniques for preventing those attacks
  • Develop a secured open source VME

44
Emerging Threats - NGCD
  • Next Generation Crimeware Defenses
  • Crimeware: Malicious software specifically
    designed to steal identity information and other
    associated financial information
  • Goals of this project are:
  • Gain an understanding of the nature of crimeware
    technologies and how to defend against their
    increasing sophistication
  • Collect and analyze crimeware samples
  • Build threat and vulnerability models based on
    the attack types and goals of stealing access
    credentials and identity information and
    correlated to popular computing environments
  • Develop a secure computing environment web
    browser (based on open-source Mozilla), secure
    keyboard and embedded co-processor to proactively
    prevent crimeware

45
The Institute for Information Infrastructure
Protection (I3P)
  • The I3P is a consortium of 24 academic and
    not-for-profit research organizations
  • The I3P embodies a concept developed in studies
    between 1998 and 2000 by PCAST, IDA, and OSTP
  • The I3P was formed in September 2001 and funded
    by congressionally appropriated funds assigned to
    Dartmouth College
  • DHS/S&T/HSARPA now oversees the I3P funding
  • $17.883M Congressional Earmark for the Institute
    for Security Technologies Studies (ISTS) at
    Dartmouth College
  • Inherited from Office of Domestic Preparedness
    (ODP) during R&D consolidation activity

46
Other Activities: Institute for Infrastructure
Protection (I3P)
  • Creation of two research plans for cyber
    security, one in Supervisory Control and Data
    Acquisition (SCADA) systems, and one in economic
    and policy issues
  • Two Independent Research Advisory Boards (RABs)
    established to review final research plans
    submitted for I3P support.
  • Two-year, $8.5 million research program to
    protect SCADA systems in the oil and gas industry
    and other critical infrastructure sectors.
  • Led by Sandia, comprises 10 research institutions
    with expertise in cyber security, risk
    management, and infrastructure systems analysis.
  • Kickoff meeting held April 14-15 at Sandia
    National Laboratories Center for SCADA Security
    in Albuquerque
  • Attended by project researchers along with oil
    and gas experts from ChevronTexaco, Ergon
    Refining, Public Utility of New Mexico, and
    Williams
  • Provided training on SCADA hardware, software,
    and typical system configurations, as well as
    common threats and vulnerabilities associated
    with these systems

47
I3P Cyber Economics Project
  • Two project goals:
  • How to quantify the cost of cyber security and
    the effects of cyber attacks?
  • How to measure the effectiveness of current
    security tools and policies?
  • Three intertwined threads:
  • National perspective
  • Views the information infrastructure as an
    element of national security, where cyber
    security incidents can disrupt, impair or destroy
    critical economic capabilities.
  • Enterprise or corporate perspective
  • Considers the effects of degraded or destroyed
    infrastructure on the degree to which an
    enterprise can maintain its bottom line by
    developing and delivering products and services.
  • Technological perspective
  • Addresses those technologies that protect the
    infrastructure, by deterring particular threats,
    preventing certain classes of attacks, or
    mitigating the consequences of attack.
  • Participants: RAND Corporation, University of
    Virginia, MIT Lincoln Laboratory, George Mason
    University, Dartmouth

48
R&D Execution Model
49
Experiments and Exercises
  • Experiments
  • U.S. / Canada Secure Blackberry Experiment
  • PSTP-agreed-upon deployment activity
  • Oil and Gas Sector
  • Working with DOE and industry
  • Finance Sector
  • CIDDAC
  • U.S. NORTHCOM
  • CWID 2005 (originally known as JWID)
  • Exercises
  • National Cyber Security Exercise (Cyber Storm)
  • National Critical Infrastructure Exercise (NCIE)
  • Exercise led by industry

50
US-CAN Secure Wireless Trial
  • Objective:
  • Test effectiveness of US/Canadian cross-border
    secure wireless architecture to cope with
    real-time communication in a variety of scenarios
  • Technologies:
  • PKI (S/MIME), Identity-based encryption,
    enforcement of policy and compliance
  • Trial Activity:
  • July: U.S.-only initial four-day test period
  • October: Four-day test period with 35 activities
    and with 40 participants acting out homeland
    security scenarios using BlackBerry devices

51
LOGI2C: Linking the Oil and Gas Industry to
Improve Cybersecurity
  • LOGI2C is a 12-month technology integration and
    demonstration project driven by industry,
    supported by DHS
  • Technical goal: Attack indications and warnings
    through event analysis and correlation across
    business and process control networks
  • Approach:
  • Identify new types of security sensors for
    process control networks
  • Adapt a best-of-breed correlation engine to this
    environment
  • Integrate in testbed and demonstrate
  • Transfer technology to industry

52
LOGI2C Partners
  • LOGI2C is a model for how DHS S&T and industry
    can work together in a public-private partnership
    to address a critical R&D need
  • Industry contributes:
  • Requirements and operational expertise
  • Project management
  • Product vendor channels
  • DHS S&T contributes:
  • Independent researchers with technical security
    expertise
  • Testing facilities

53
S&T and Cyber Storm
  • Exercise Objectives:
  • To incorporate elements of cyber defense and
    response technology into the exercise, moving it
    gradually away from the table-top format.
  • To socialize the DETER test bed with the exercise
    participants and make them aware of its
    capability and its potential value to their
    respective organizations.
  • Success criteria:
  • Recognizing the complexity of the exercise and
    its key focus, S&T would consider their objective
    met if the DETER test bed were used in the
    planning of the exercise (to lend realism to
    scenario elements) and if one or more sessions can
    be arranged during the exercise, where the
    players could see the test bed in action being
    used to test exercise-relevant problems or
    decisions. The session(s) should show the value
    of the tool and add defensive technology to the
    exercise.

54
National Critical Infrastructure Exercise (NCIE)
  • Exercise is co-managed by BearingPoint and Yoran
    Associates
  • Funded by the private sector with public/private
    technology demonstrations
  • Objectives:
  • Conduct a private sector exercise
  • Exercise threat scenarios against SCADA
    operations
  • Test and evaluate organizational plans, policies,
    and procedures
  • Capture performance data to evaluate Critical
    Infrastructure Resiliency metrics and models;
    U.S. comparison against other countries
  • Primary participants: senior operations managers
    and corporate executives from utility/energy
    sector
  • Secondary participation: industry collaboration
    groups, government agencies, first responders,
    and others identified by primary participants
    during planning

55
Commercial Outreach Strategy
  • Assist commercial companies in providing
    technology to DHS and other government agencies
  • Emerging Security Technology Forums (ESTF)
  • Assist DHS S&T-funded researchers in transferring
    technology to larger, established security
    technology companies
  • DHS Mentor / Protégé program
  • Partner with the venture capital community to
    transfer technology to existing portfolio
    companies, or to create new ventures

56
Emerging Security Technology Forum
  • ESTF held April 13-14, 2005 in Arlington, VA
  • Opportunity to introduce government
    representatives to smaller-sized information
    security technology vendors with innovative
    technology approaches
  • For this ESTF vendors presented and demonstrated
    current and emerging information security
    technologies that defend against DDOS and worm
    attacks
  • Next ESTF to be held in May 2006
  • Topic: Identity Management technologies
  • Audience will include industry and government

57
Emerging Security Technology Forum
  • IntruGuard Devices, Inc.
  • Kerio Technologies
  • netZentry, Inc.
  • Prolexic Technologies
  • Q1 Labs Inc.
  • Top Layer Networks, Inc.
  • V-Secure Technologies
  • Arbor Networks
  • CounterStorm, Inc.
  • Cs3, Inc.
  • CyberShield Networks, Inc.
  • Determina, Inc.
  • ForeScout Technologies

58
DHS Mentor/Protégé Program
  • Objective
  • Provide start-up emerging security companies
    with mentor support in sales & marketing to
    government
  • Existing Mentor/Protégé programs in government
    are procurement oriented. The new S&T Mentor/Protégé
    program will focus on rapidly transitioning cyber
    security technologies into government through
    existing relationships.
  • Mentors will be large, established government
    contractors with cyber security experience
  • Protégés will provide innovative cyber security
    technology. There are no set-aside requirements
    (e.g. disadvantaged, HubZone business)
  • Selection Process
  • The Cyber Security R&D Center will solicit
    government/industry technology requirements to
    identify gaps in the US cyber infrastructure.
  • These requirements will guide selection of
    mentors. Protégés, with technology to meet
    infrastructure gaps, will be proposed to the
    mentors by the Center.

59
ITTC: The DHS-SRI Identity Theft Technology
Council
  • ITTC is a revived and expanded Silicon Valley
    expert group originally convened by the U.S.
    Secret Service
  • Experts and leaders from:
  • Government
  • Financial and IT sectors
  • Venture capital
  • Academia and science
  • ITTC works closely with The Anti-Phishing Working
    Group (APWG)
  • Consultant and ITTC Coordinator: Robert
    Rodriguez, retired head of the Secret Service
    Field Office in San Francisco
  • The ITTC was formed in April, and has four active
    working groups:
  • Phishing Technology Report
  • Data collection and sharing
  • Future threats
  • Development and deployment

60
Tackling Cyber Security Challenges: Business Not
as Usual
  • Strong mission focus (avoid mission creep)
  • Close coordination with other Federal agencies
  • Outreach to communities outside of the Federal
    government
  • Building public-private partnerships (the
    industry-government dance is a new tango)
  • Strong emphasis on technology diffusion and
    technology transfer
  • Migration paths to a more secure infrastructure
  • Awareness of economic realities

61
Summary
  • DHS S&T is moving forward with an aggressive
    cyber security research agenda
  • Working with industry to solve the cyber security
    problems of our current infrastructure
  • DNSSEC, Secure Routing
  • Working with academe and industry to improve
    research tools and datasets
  • DHS/NSF Cyber Security Testbed, PREDICT
  • Looking at future RDT&E agendas with the most
    impact for the nation
  • SBIRs, BAA 04-17, RTAP

62
Other Areas of Interest (we're available)
  • Cyber Situational Awareness, Indications &
    Warnings
  • Insider Threat Detection & Mitigation
  • Information Privacy Technologies
  • Large-scale network survivability, rapid recovery
    and reconstitution
  • Secure operating systems (open source)
  • Network modeling and simulation: security policy
    reconfiguration impact on networks
  • Highly scalable identity management

63
Douglas Maughan, Ph.D., Program Manager,
HSARPA, douglas.maughan@dhs.gov, 202-254-6145 /
202-360-3170