The Center for Applied Cybersecurity Research (CACR) at Indiana University was founded in 2003 to conduct interdisciplinary cybersecurity research and provide expertise in risk management, policy, and compliance. CACR has over $16 million in external funding and partnerships with organizations such as CMU, U of Illinois, and U of Wisconsin. It works on key projects like the Cybersecurity for Trustworthy Scientific Cyberinfrastructure to help scientific collaborations and the Software Assurance Marketplace to improve software integrity. CACR also runs education and outreach programs including internships, a seminar series, and an annual cybersecurity summit.

1. Von Welch, Director
Craig Jackson, Senior Policy Analyst
Susan Sons, Senior Systems Analyst
Naval Surface Warfare Center Crane Division
28 August 2015

2. Outline
1. Overview and History of CACR
2. CACR Expertise: Risk Management, Policy,
Compliance
3. CACR Activities: CTSC, SWAMP, XSIM,
Education/Internships
4. CACR Events: Seminar Series, Summits
2

3. CACR
Founded by then CIO Michael McRobbie
in 2003
“...university-wide research center that would
bridge our operational strengths and practical
experience with our academic units [and]
bridge technical specialties in cybersecurity
with business, law and the behavior
disciplines.”
3

4. Cybersecurity @ IU
CACR’s IU Partner Organizations
•REN-ISAC
•SOIC (Master’s Degree in Cybersecurity)
•University Information Security Office
•University Information Policy Office
•Maurer School of Law
•Kelley School of Business
•IUPUI School of Science
•Pervasive Technology Institute Research Center
4

5. IU’s NSA/DHS Designations
Indiana University designated as a National Center of
Academic Excellence in Information Assurance / Cyber
Defense through academic year 2021.
5

6. CACR is External Facing
Base funding from OVPIT, President’s Office, but primarily grant-
funded applied research.
Since its origination in 2003, over $16 million in external funding
from: Lilly Endowment, Inc., the National Science Foundation,
the Department of Energy, the Department of Homeland
Security, the National Institutes of Health, and others.
External partners: CMU/PSC, U. of Illinois/NCSA, U. of Wisconsin,
U. of Wisconsin-Milwaukee, Morgridge Institute for Research.
6

7. Applied Research
CACR’s mission is to advance the state of cybersecurity practice, interdisciplinary
research, and understanding in order to serve Indiana University, the state of Indiana,
and our national and global communities.
Some guiding principles:
● Stay grounded: CACR takes on operational cybersecurity responsibilities.
● Real-world problem-oriented research in collaboration with funding partners.
● Tackle all aspects of problem: technical, policy, legal, social.
● Draw on Indiana University’s wide range of scholarly expertise in computer
science, informatics, accounting and information systems, criminal justice, law,
organizational behavior, public policy, and other disciplines.
7

8. Cybersecurity Historically
Firewalls, IDS,
encryption, logs,
passwords,...
8

9. Cybersecurity is an Interdisciplinary
Challenge today
9
http://www.bankinfosecurity.com/

10. Cybersecurity as a Risk Management Tool
Cybersecurity supports the organization by
managing risks to its business mission.
Must understand what is critical to business
mission and apply resources appropriately.
Must balance resources between prevention,
detection, and response to risks.
10

11. CACR Expertise: Risk Management,
Policy, Compliance
11

12. Risk Management & Resilience
● Familiarity w/ many frameworks: FISMA / NIST RMF, NIST
Framework for Improving Critical Infrastructure
Cybersecurity, HIPAA, ISO, MITRE’s resilience work
● Assist organizations in navigating and applying these
frameworks, conducting risk assessments, balancing
prevention, detection, response, fight thru, and recovery;
evaluating their information security programs
● Experience applying risk management to novel environments
and particular missions where one-size-fits-all doesn’t cut it
● We know the pitfalls: effort / resources; failure of orgs and
auditors to understand risk acceptance 12

13. Policy & Law
Policy: provide leadership, guidance, and a
convening function on national and international
levels; often bringing people together who
otherwise would never talk
policy: assist organizations
in creating, navigating, enforcing,
and educating personnel on
the detailed policies and laws
that both limit and enable our missions
13
Image credit: Bob Cowles

14. Compliance
• FISMA and HIPAA
• Establish NIST-based Risk Management Framework (RMF) at IU
• Use it to align IU’s central systems with HIPAA & FISMA
• Assist IU biomedical researchers to tackle HIPAA
• Develop compliance resources for IU
• Education
• Provide HIPAA and FISMA training locally and nationally
• Outreach
• Provide cyber compliance assistance to other academic and research
institutions
• Provide national leadership on compliance issues in research and academia
14

15. Key CACR Projects
15

16. 16
Image credit: NSF/K. Thompson

17. 17
TrustedCI.org:
Center for Trustworthy Scientific
Cyberinfrastructure
Providing leadership and addressing
cybersecurity challenges for the NSF community.

18. CTSC’s Accomplishments
● Engaged with >20 NSF science projects to provide
cybersecurity leadership.
● Organized 2013-15 NSF Cybersecurity Summits for
Large Facilities and CI
● Developed and provided training & best practices.
● Developed Cybersecurity Program Guide for NSF CI
● Authoring cybersecurity chapter for NSF Large
Facilities Manual
18

19. Software Assurance Marketplace
(SWAMP)
We rely increasingly on our
software stacks – both the
ones we write and others.
Open nature leads to large
attack surfaces.
Software integrity is critical.
19
Funded by DHS:
Morgridge Institute for
Research (lead)
University of Illinois Urbana
Champaign
University of Wisconsin –
Madison
Indiana University

20. 20
Explosion of Software
Plus cars, medical devices, Internet of Things….

21. And where are all those programmers?
21

22. A Framework for Software Assurance
22
Results
Packa
ge
Packa
gePackage
Tool
Tool
Tool
Platfor
m
Platfor
mPlatform
Current: 396 &
bring your own
Current: 8
Perform
Assess-
ment
Result
Viewe
r
Result
Viewe
r
Result
Viewer
Current: 2
Current: 700+ Cores
View
Results
Parse
Results
Parsed
Results
Current: 9

23. eXtreme Scale Identity Management
for Science (XSIM)
Traditional computing with
users all managed by data
center.
Modern science has large multi-
site collaborations.
Funded by DOE/ASCR
23
Image credit: Ian
Bird/CERN

24. Science collaboratory identity management
• Based on interviews with 18 sites and projects.
• Simple model for describing collaboratory IdM.
• Identified factors that inhibit and encourage
delegation from computing center to collaboration.
24

25. Security Matters
A trusted voice for the
general public.
Real world practice
cybersecurity
guidance videos.
http://www.securitymatters.iu.edu/
25

26. Internships
● Working with students from multiple disciplines: law/policy,
computer science, engineering
● Students work alongside CACR Senior Analysts on policy
issues, selecting and implementing security controls,
providing training, and assessing the security needs of novel
technologies and implementations.
● Big attractants: exposure to unusual technologies and
environments, opportunities for professional development
rather than getting penned in on rote tasks.
26

27. CACR 2015-16 Seminar Series
Every other Thursday at
noon in Law 335.
Free and open to the
public. Lunch provided.
27
9/3/15 Stacy Prowell, ORNL
10/1/15 Sadia Afroz, U. Berkeley
10/15/15 Bart Miller, U. Wisconsin
11/5/15 Abhi Shelat, U. Virginia
12/10/15 Kathryn Seigfried-Spellar,
Purdue U.
1/21/16 Lujo Bauer, CMU
2/4/16 Serge Egelman, U. Berkeley
2/18/16 Matt Bishop, U. Cal-Davis
3/24/16 LeAnn Miller, Sandia
4/7/16 Yang Wang, Syracuse U.
4/21/16 Adam Slagell, U.
Illinois/NCSA

28. CACR Cybersecurity Summit
2014 Summit
● Featured two senior Homeland Security officials
responsible for cyber operations and R&D.
2015 Summit Coming Soon!
● September 15, 2015
● Hine Hall, IUPUI, Indianapolis
● Featuring Ron Ross, NIST
28

29. 2015 CACR Summit Agenda
• Morning Keynote Address:
• Ron Ross, NIST
• Morning Panel:
• Enterprise Risk Management
• Merri Beth Lavagnino, Indiana University
• Ron Ross, NIST
• Hans Vargas, Indiana Office of Technology and IN-ISAC
• Lunch Keynote Address:
• Harvey Rishikof, Crowell & Moring
• Afternoon Panel:
• Privacy, Promises and Shortcomings of Technology
29

30. 2015 CACR Summit Agenda
Cybercrime and Fraud Track
• Speaker/Topic: Stephen Reynolds, Stephen Reynolds & Nick Merker - Ice Miller
• “Preventing, Insuring and Surviving Fund Transfer Fraud”
• Speaker/Topic: Mark Villinski, Kaspersky Lab North America
• “The Explosion of Cybercrime - The 5 Ways IT May be an Accomplice”
Privacy Track
• Speaker/Topic: Nate Anderson, Sears Holding Company
• “Privacy Lessons from the Field”
Governance, Risk Management & Compliance Track
• Speaker/Topic: Jeff Foresman, Rook Security
• “Compliance vs. Security – How to Build a Secure Compliance Program”
• Speaker/Topic: Scot Ganow, Esq., CIPP/US, Faruki, Ireland & Cox P.L.L.
• “Getting in Shape for Breach Season”
30

31. 2015 CACR Summit
• Registration: https://uits.iu.edu/cybersecurity-summit
• Additional Information: Contact CACR at cacr@indiana.edu
31

32. Thank you.
Von Welch vwelch@iu.edu
Craig Jackson scjackso@indiana.edu
Susan Sons susstewa@iu.edu
cacr.iu.edu
32