Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)
Douglas Maughan,
Program Manager, DHS S&T Cyber Security R&D Program

  1. Dept. of Homeland Security Science & Technology Directorate
     DHS S&T Cyber Security RDTE&T Initiatives and Open Source
     MIL-OSS Conference, Rosslyn, VA, August 4, 2010
     Douglas Maughan, Ph.D., Branch Chief / Program Mgr.
     douglas.maughan@dhs.gov
     202-254-6145 / 202-360-3170
  2. Open Source and Government
     (Timeline figure; the milestone labels and dates are listed as they were extracted, since the layout that paired them does not survive.)
     Milestones: MITRE Bus. Case; PITAC HPC; MITRE Survey; Stenbit Memo; OMB Procurement Memo; OTD Roadmap; DONCIO Guidance; DoD NII Guidance; OTD Phase 2 (launched Oct 2009)
     Dates: July 2001; July 2001; 2001-03; Jan 2003; May 2003; July 2004; June 2006; June 2007; Oct 2009
  3. DARPA Program (2001-2003): Univ. of Pennsylvania, WireX Communications, Network Associates Labs
     President's Information Technology Advisory Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC)
     Critical Findings
     1. Federal government should encourage the development of Open Source Software.
     2. Federal government should allow Open Source development efforts to compete on a "level playing field" with proprietary solutions in government procurement.
     3. Government-sponsored Open Source projects should choose from a small set of established Open Source licenses, after analysis of each license and a determination of which may be preferable.
  4. Science and Technology (S&T) Mission
     Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
  5. Cyber Security Program Areas
     - Information Infrastructure Security
     - Cyber Security Research Infrastructure
     - Next Generation Technologies
     - Two new program areas: Cyber Forensics and Homeland Open Security Technology (HOST)
     - Research Horizon: what does it look like?
  6. Information Infrastructure Security
     DNSSEC – Domain Name System Security
     - S&T has been leading the global DNSSEC Deployment Initiative since 2004, including roadmaps, workshops, a testbed, pilots, software development, standards, outreach, and training
     - Working with OMB, OSTP, GSA and NIST to ensure the USG is leading the global deployment efforts
       http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
     - Working with the vendor community to ensure solutions are available
       http://dnssec-deployment.org/presentations/govsec2009.html
     SPRI – Secure Protocols for the Routing Infrastructure
     - S&T has been leading the global SPRI Initiative since 2008, including a roadmap, workshops, a testbed, software development, standards, and community outreach
     - Working with global registries to deploy a Public Key Infrastructure (PKI) between ICANN/IANA and registries (e.g., ARIN) and ISPs/customers
     - Working with IETF standards and industry to develop solutions for our current routing security problems and future technologies
     - Funding R&D for tools to facilitate deployment: Colorado State Univ, University of Oregon, UCLA, USC-ISI, PCH, NIST
  7. Information Infrastructure Security - 2
     LOGIIC – Linking the Oil & Gas Industry to Improve Cybersecurity
     - A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems
     - Consortium under the Automation Federation
     TCIPG – Trustworthy Cyber Infrastructure for the Power Grid
     - Partnership with DOE, funded at UIUC with several partner universities and industry participation
     - Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission and distribution of electric power, including the new, resilient "smart" power grid
     DECIDE – Distributed Environment for Critical Infrastructure Decision-making Exercises
     - Provide a dedicated exercise capability to foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
     - Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops
     - The Financial Services Sector Coordinating Council R&D Committee has organized a user group of subject matter experts, paid by their respective financial institutions, to support the project over the next two years
  8. National Research Infrastructure
     DETER – http://www.isi.edu/deter/
     - Researcher- and vendor-neutral experimental infrastructure, open to a wide community of users, to support the development and demonstration of next-generation cyber defense technologies
     - Over 170 users from 14 countries (and growing)
     PREDICT – https://www.predict.org
     - Repository of network data for use by the U.S.-based cyber security research community
     - Privacy Impact Assessment (PIA) completed
     - Over 118 datasets and growing; over 100 active users (and growing)
     End Goal: Improve the quality of defensive cyber security technologies
  9. Next Generation Technologies
     http://baa.st.dhs.gov
     R&D funding model that delivers both near-term and medium-term solutions:
     - To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure
     - To perform research and development (R&D) aimed at improving the security of existing deployed technologies and ensuring the security of new, emerging systems
     - To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency
  10. Sample Product List
     - IronKey – Secure USB: standard issue to S&T employees from the S&T CIO
     - Coverity – Open Source Hardening (SCAN): evaluates over 150 open source software packages nightly
     - USURF – Cyber Exercise Planning tool: currently in use in a WA state exercise; partnering with NCSD
     - Secure64 – DNSSEC Automation: several commercial customers; government pilots underway
     - HBGary – Memory and Malware Analysis: 12-15 pilot deployments as part of the Cyber Forensics program (later)
     - Stanford – Anti-Phishing Technologies: open source; most browsers have incorporated Stanford R&D
     - Secure Decisions – Data Visualization: pilot with DHS/NCSD/US-CERT in progress
  11. Coverity SCAN (scan.coverity.com)
     Give the open source community access to the entire toolset:
     - Open-source developers register their project.
     - Coverity automatically downloads the source and runs the tool over it.
     - Developers get back the bugs found, in Coverity's bug database.
     Big success:
     - Roughly 500 projects registered
     - 4,700+ defects actually patched
     - Some really crucial bugs found; dozens of security patches (e.g., X, Ethereal)
  12. Cyber Forensics
     - Initial requirements working group held 11/20/08
     - Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD
     - Initial list of projects:
       - Mobile device forensic tools
       - GPS forensics tools
       - LE first responder "field analysis kit"
       - High-speed data capture and deep packet inspection
       - Live stream capture for gaming systems
       - Memory analysis and malware tools
       - Information Clearing House
     - S&T initiated 6 projects in FY09 totaling $2M
  13. Vulnerability Assessment of Open Source "Wireshark"
     - Assessment: Assess a key open-source monitoring and forensics tool using the University of Wisconsin's First Principles Vulnerability Assessment (FPVA) methodology
     - Training: Develop materials and teach tutorials in vulnerability assessment and secure programming techniques
     - Vulnerability characterization and automated detection: Use the results from the assessments to formalize the description of the vulnerabilities found and develop algorithms to detect them
  14. Homeland Open Security Technology (HOST)
     Promote the development and implementation of open source solutions within US federal, state and municipal government agencies
  15. HOST Motivation
     How can we (collectively) afford IT?
     $38,500,000,000+ (BILLION!)
  16. Need: Sustainable Government IT Systems
     - US Govt spends $38 Billion on IT annually
     - Trend is not sustainable
     - Bureaucracy (easy to blame)
     - Complexity of Govt enterprise systems
     - Redundancy: re-inventing the wheel
     - Existing system of acquisition, management, updating, technical obsolescence
     - Significant hurdle
     - Cybersecurity = protection of infrastructure and data
  17. Approach: Leverage Open Systems
     GOAL: Improve systems security, enhance technical efficiency and reduce the cost of IT management within Govt IT systems.
     - Audience
       - Federal, state, local government end users; citizens
       - Share benefits with industry, development communities
     - Open Technology Solutions
       - Vendor/platform agnostic
       - Best-of-breed development, building upon success
       - Focuses on addressing the needs of end users
  18. Benefits: Open Technology Solutions
     - Open systems promote and encourage
       - Transparency, interoperability, technical agility
       - Enhanced manageability through open source licenses
     - Economic benefits
       - Lower adoption costs; promotes vendor competition
       - Broad vendor and developer support
       - Secure, stable, broadly adopted in Govt and industry
     - Existing Govt adoption/usage
       - OMB/White House, DoD, Dept of Navy adoption of OS policy
       - Growing Govt open technology adoption
  19. Competition: Who/What are the Challenges
     - Adoption resistance
       - Ingrained systems
       - Existing relationships
       - Policy updates and modifications
       - Change mentality
       - Lack of vision, leadership and continuity
     - FUD/pushback
       - Proprietary vendors
       - Technology vendors
       - Business models
       - Non-competitive solutions
  20. HOST Program Areas
     - Information Portal
       - Federal Government Open Source Census
       - GovernmentForge Open Source Software Repository
     - Documentation
       - Standards, best practices
       - Community outreach
     - "New" open source IDS/IPS
     - Work with tool developers (source, binary) on open source software quality analysis
     - Information Assurance / Security
       - US Government security evaluation processes (OpenSSL)
     S&T initiated projects in FY09/10 totaling $1.5M
  21. Progress to Date
  22. HOST: Going Forward
     - Investment
       - $10M up to $50M+
       - 5-yr (1 + 4 with options)
       - Scalable based on deliverables and program review
     - ROI
       - Value of deliverables
       - Strategic advantage
       - Accountability
     - Metrics tied to a similar IT program of record
       - Investment costs
       - Recurring fees
       - Management/admin expenses
       - Upgrade costs
       - Compatibility expenses
       - Vendor failure expense
     - Process, not product
     Can we afford NOT to invest in Open Technology?
  23. Timeline of Past Research Reports
     (Timeline figure spanning 1997-2007; reports listed in the order shown.)
     - President's Commission on CIP (PCCIP)
     - NRC CSTB Trust in Cyberspace
     - I3P R&D Agenda
     - National Strategy to Secure Cyberspace
     - Computing Research Association – 4 Challenges
     - NIAC Hardening the Internet
     - PITAC – Cyber Security: A Crisis of Prioritization
     - IRC Hard Problems List
     - NSTC Federal Plan for CSIA R&D
     - NRC CSTB Toward a Safer and More Secure Cyberspace
     All documents available at http://www.cyber.st.dhs.gov
  24. A Roadmap for Cybersecurity Research
     http://www.cyber.st.dhs.gov
     - Scalable Trustworthy Systems
     - Enterprise-Level Metrics
     - System Evaluation Lifecycle
     - Combatting Insider Threats
     - Combatting Malware and Botnets
     - Global-Scale Identity Management
     - Survivability of Time-Critical Systems
     - Situational Understanding and Attack Attribution
     - Information Provenance
     - Privacy-Aware Security
     - Usable Security
  25. DHS S&T Roadmap Content
     - What is the problem being addressed?
     - What are the potential threats?
     - Who are the potential beneficiaries? What are their respective needs?
     - What is the current state of practice?
     - What is the status of current research?
     - What are the research gaps?
     - What challenges must be addressed?
     - What resources are needed?
     - How do we test and evaluate solutions?
     - What are the measures of success?
  26. National Cyber Leap Year (NCLY)
     - RFI 1: generic, wide open
       - Received over 160 responses; created 9 research areas: Attribution, Cyber Economics, Disaster Recovery, Network Ecology, Policy-based Configuration, Randomization/Moving Target, Secure Data, Software Assurance, Virtualization
     - RFI 2: same as RFI 1, but providing IP protection
       - Received over 30 responses
     - RFI 3: requested submissions only in the 9 research areas above
       - Received over 40 responses
     - National Cyber Leap Year (NCLY) Summit, August 17-19, 2009
       - Results posted on http://www.nitrd.gov
  27. NCLY Summit Topics
     - Cyber economics
     - Digital provenance
     - Hardware-enabled trust
     - Moving target defense
     - Nature-inspired cyber defense
     Expectation: agencies will be using these topic areas in future solicitations (FY11 and beyond)
  28. Summary
     - DHS S&T continues with an aggressive cyber security research agenda
     - Working with the community to solve the cyber security problems of our current (and future) infrastructure
     - Outreach to communities outside the Federal government, i.e., building public-private partnerships, is essential
     - Working with academe and industry to improve research tools and datasets
     - Looking at future R&D agendas with the most impact for the nation, including education
     - Need to continue a strong emphasis on technology transfer and experimental deployments
  29. Douglas Maughan, Ph.D.
     Branch Chief / Program Mgr.
     douglas.maughan@dhs.gov
     202-254-6145 / 202-360-3170
     For more information, visit http://www.cyber.st.dhs.gov