
Homeland Security: Cyber Security R&D Initiatives

Dept. of Homeland Security Science & Technology Directorate. Homeland Security: Cyber Security R&D Initiatives. ACM CCS Alexandria, VA November 8, 2005. Douglas Maughan, Ph.D. Program Manager, HSARPA douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170.


Presentation Transcript


  1. Dept. of Homeland Security Science & Technology Directorate Homeland Security: Cyber Security R&D Initiatives ACM CCS Alexandria, VA November 8, 2005 Douglas Maughan, Ph.D. Program Manager, HSARPA douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170

  2. General DHS Organization (prior to 7/13/05) Coast Guard Secret Service Citizenship & Immigration & Ombuds Civil Rights and Civil Liberties Legislative Affairs General Counsel Inspector General State & Local Coordination Private Sector Coordination International Affairs National Capital Region Coordination Counter-narcotics Small and Disadvantaged Business Privacy Officer Chief of Staff Secretary (Chertoff) & Deputy Secretary (Jackson) Management (Hale) Science & Technology (McQueary) Border & Transportation Security (Beardsworth, act.) Emergency Preparedness & Emergency Response (Paulison, act.) Information Analysis & Infrastructure Protection (Stephan, act.)

  3. Department of Homeland Security Organization Chart (proposed end state) SECRETARY DEPUTY SECRETARY EXECUTIVE SECRETARY CHIEF OF STAFF MILITARY LIAISON INSPECTOR GENERAL ASSISTANT SECRETARY PUBLIC AFFAIRS UNDER SECRETARY FOR SCIENCE & TECHNOLOGY UNDER SECRETARY FOR POLICY GENERAL COUNSEL A/S CONGRESSIONAL & INTERGOVERNMENTAL AFFAIRS UNDER SECRETARY FOR MANAGEMENT UNDER SECRETARY FOR PREPAREDNESS DIRECTOR OF OPERATIONS COORDINATION ASSISTANT SECRETARY OFFICE OF INTELLIGENCE & ANALYSIS DIRECTOR OF COUNTER NARCOTICS OMBUDSMAN CITIZENSHIP & IMMIGRATION SERVICES CHIEF PRIVACY OFFICER DIRECTOR CIVIL RIGHTS/CIVIL LIBERTIES FEDERAL LAW ENFORCEMENT TRAINING CENTER SCREENING COORDINATION OFFICE LABOR RELATIONS BOARD DOMESTIC NUCLEAR DETECTION OFFICE COMMISSIONER IMMIGRATION & CUSTOMS ENFORCEMENT DIRECTOR FEMA DIRECTOR CITIZENSHIP & IMMIGRATION SERVICES DIRECTOR TRANSPORTATION SECURITY ADMINISTRATION COMMANDANT US COAST GUARD COMMISSIONER CUSTOMS & BORDER PROTECTION DIRECTOR US SECRET SERVICE

  4. Department of Homeland Security Organization Chart: Preparedness (proposed end state) UNDER SECRETARY FOR PREPAREDNESS NATIONAL CAPITAL REGION DIRECTOR CHIEF MEDICAL OFFICER FIRE ADMINISTRATION ASSISTANT SECRETARY FOR GRANTS AND TRAINING ASSISTANT SECRETARY FOR INFRASTRUCTURE PROTECTION ASSISTANT SECRETARY FOR CYBER & TELECOMMUNICATIONS

  5. Science and Technology (S&T) Mission Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.

  6. S&T Organization Chart Under Secretary for Science & Technology (McQueary) Office of Plans Programs and Requirements (Evans, act.) Homeland Security Advanced Research Projects Agency (Kubricky, act.) Office of Systems Engineering & Development (Kubricky) Office of Research and Development (McCarthy)

  7. Science and Technology Directorate Office of Research and Development Homeland Security Advanced Research Projects Agency Systems Engineering & Development GFE GFI Execution Industry Laboratories Industry Universities Universities Laboratories Centers Fellowships Scholarships Stewardship of an enduring capability Innovation, Adaptation, & Revolution Development Engineering, Production, & Deployment

  8. Crosscutting Portfolio Areas • Chemical • Biological • Radiological • Nuclear • High Explosives • Cyber Security • Critical Infrastructure Protection (CIP) • USSS

  9. Legacy of HSARPA Name: How is it different from DARPA? • Differences • 85-90% of funds for identified DHS requirements • 10-15% of funds for revolutionary research • Breakthroughs • New technologies and systems • These percentages likely to change over time, but we need to meet today’s requirements

  10. HSARPA Funding HSARPA funding is allocated from Appropriated line items

  11. Cyber Security R&D Portfolio: Scope We focus on threats and issues that warrant national-level concern • Asymmetric capabilities make cyberspace an appealing battleground for our adversaries • Cyberspace presents an avenue to exploit weaknesses in our critical infrastructures • The most significant cyber threats are very different from “script-kiddies” or virus writers • Terrorism • Organized crime • Economic espionage

  12. R&D Execution Model (diagram). Labels: Pre R&D; R&D; Post R&D; Prioritized Requirements; Customers * NCSD * NCS * USSS * National Documents; Critical Infrastructure Providers; Other Sectors, e.g., Banking & Finance; R&D Coordination – Government & Industry; Cyber Security Assessment; Emerging Threats; Workshops; External (e.g., I3P); Rapid Prototyping; Solicitation Preparation; Experiments and Exercises; CIP Sector Roadmaps; BAAs; Outreach – Venture Community & Industry; SBIRs; Supporting Programs; DETER; PREDICT; DNSSEC; SPRI

  13. R&D Execution Model (diagram repeated from slide 12)

  14. Rapid Technology Application Program (RTAP) • Similar to the existing Technical Support Working Group (TSWG) approach • Requirements Generation Panel • Identify general technology needs • Reduce collection of general needs • Explore issues and draft Statement of Requirements (SoR) • Write an SoR for each technology need in detail suitable for prototype procurement

  15. Cyber Security RTAP Topics • #1 BOTNET Detection and Mitigation Tool • Customer: IAIP/NCSD • #2 Exercise Scenario Modeling Tool • Customer: IAIP/NCSD • #3 DHS Secure Wireless Access Prototype • Customer: S&T OCIO • Pre-solicitation at http://www.hsarpabaa.com

  16. HSARPA Cyber Security Broad Agency Announcement (BAA 04-17) • A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are: • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems; • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure. • To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency. • http://www.hsarpabaa.com

  17. BAA Technical Topic Areas (TTAs) • System Security Engineering • Vulnerability Prevention • Tools and techniques for better software development • Vulnerability Discovery and Remediation • Tools and techniques for analyzing software to detect security vulnerabilities • Cyber Security Assessment • Develop methods and tools for assessing the cyber security of information systems • Security of Operational Systems • Security and Trustworthiness for Critical Infrastructure Protection • 1) Automated security vulnerability assessments for CI systems • 2) Improvements in system robustness of critical infrastructure systems • 3) Configuration and security policy management tools • 4) Cross-platform and/or cross network attack correlation and aggregation

  18. BAA TTAs (continued) • Security of Operational Systems • Wireless Security • Security tools/products for today’s networks • Solutions and standards for next generation networks • Investigative and Prevention Technologies • Network Attack Forensics • Tools and techniques for attack traceback • Technologies to Defend against Identity Theft • R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing

  19. BAA Program / Proposal Structure • NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS “customer” environments • Type I (New Technologies) – Funding NTE 36 months • New technologies with an applied research phase, a development phase, and a deployment phase (optional) • Type II (Prototype Technologies) – Funding NTE 24 months • More mature prototype technologies with a development phase and a deployment phase (optional) • Type III (Mature Technologies) – Funding NTE 12 months • Mature technology with a deployment phase only.

  20. BAA 04-17 Proposal Summary http://www.hsarpabaa.com/; Solicitation Awards; BAA04-17 Awards

  21. Small Business Innovative Research (SBIRs) • http://www.hsarpasbir.com • CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES (SB04.2-001) • Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about “stealthy” sources and targets of attacks in a distributed fashion across multiple environments. • REAL-TIME MALICIOUS CODE IDENTIFICATION (SB04.2-002) • Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting “zero day attacks”, the first appearance of malicious code for which no known defense has been constructed.

  22. SBIR FY05.2 Submission • Hardware-assisted System Security Monitoring OBJECTIVE: This topic seeks technologies that provide a hardware-assist for the monitoring of system security. It is expected that the resulting solutions would be some type of inexpensive coprocessor board that would work with existing hardware and software, resulting in a system with much higher assurance than currently available. By putting the monitoring capability in hardware it is much more difficult for an attacker to disable this part of the system because the board is isolated from potential remote attackers and would require physical access to compromise the hardware-assist board, thus, providing the owner/user technology that can monitor the security health of the system in near real-time. This will ensure that even when the machine is on, but the user is not using the machine, the system will be monitored and can even be "shut down" so unknown communications is not sent while the user's away. The hardware-assist system should have the capability to collect and store information for forensic purposes and the system should also have capability to report security related events to a central monitoring station. • Solicitation at http://www.hsarpasbir.com

  23. R&D Execution Model (diagram repeated from slide 12)

  24. DHS / NSF Cyber Security Testbed • “Justification and Requirements for a National DDOS Defense Technology Evaluation Facility”, July 2002 • We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures • Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry. • One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology • The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users and produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies

  25. DETER Testbed Architecture • Cyber Defense Experiments run on Virtual Internet • 3 major sites; over 200 nodes • GOAL: By end of FY07 to have 1000 nodes distributed at possibly up to 6 sites • (Diagram labels: UCB, Internet, Sparta, USC-ISI)

  26. A Protected REpository for Defense of Infrastructure against Cyber Threats • PREDICT Program Objective “To advance the state of the research and commercial development (of network security ‘products’) we need to produce datasets for information security testing and evaluation of maturing networking technologies.” • Rationale / Background / Historical: • Researchers with insufficient access to data unable to adequately test their research prototypes • Government technology decision-makers with no data to evaluate competing “products” End Goal: Improve the quality of defensive cyber security technologies

  27. Industry Workshop 2004 • Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda • Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program • Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward • Develop a process by which “data” can be “regularly” collected and shared with the network security research community • ATTENDEES AOL UUNET Verio PREDICT participant XO Comms Akamai Arbor Networks System Detection Cisco PCH PREDICT participant Symantec USC-ISI PREDICT participant Univ. of WA PREDICT participant CERT/CC LBNL PREDICT participant Internet2 PREDICT participant CAIDA PREDICT participant Merit Networks PREDICT participant Citigroup

  28. Data Collection Activities • Classes of data that are interesting, people want collected, and seem reasonable to collect • Netflow • Packet traces – headers and full packet (context dependent) • Critical infrastructure – BGP and DNS data • Topology data • IDS / firewall logs • Performance data • Network management data (i.e., SNMP) • VoIP (1400 IP-phone network) • Blackhole Monitor traffic

  29. PREDICT Information • https://www.predict.org • Recent Workshop • http://www.hsarpacyber.com/public/PREDICT/

  30. Internet Infrastructure Security Motivation • The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness • NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS • The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.

  31. Domain Name System Security (DNSSEC) Program • DNSSEC Program Objective “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant” • Rationale / Background / Historical: • DNS is a critical component of the Internet infrastructure and was not designed for security • DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures

  32. The Domain Name System Root • DNS database maps: • Name to IP address: www.dhs.gov = 206.18.104.198 • And many other mappings (mail servers, IPv6, reverse…) • Data organized as tree structure: • Each zone is authoritative for its own data • Minimal coordination between zone operators • (Tree diagram labels: edu, mil, ru, isi, darpa, usmc, mil, nge, alpha)

  33. DNS Attacks • Attacks via and against the DNS infrastructure are increasing • Attacks are becoming costly and difficult to remedy • Consumer confidence in Internet accuracy is decreasing • Financial/large enterprises are seeing a significant increase in online attacks for fraudulent purposes • Hijacking (virtual theft of domain names) • http://www.icann.org/announcements/hijacking-report-12jul05.pdf • Phishing (look-alike fraudulent emails and web sites) • Pharming (phishing combined with DNS attacks) • Other attacks include DNS name mismatches or browser tricks aimed at careless users

  34. DNSSEC – What it provides • Provides an approach so DNS users can: • Validate that data they receive came from the correct originator, i.e., Source Authenticity • Validate that data they receive is the data the originator put into the DNS, i.e., Data Integrity • Approach integrates with existing server infrastructure and user clients • DNSSEC awareness by application • Results of DNSSEC validation functions provided to applications • Applications can take different actions based on DNSSEC validation results, e.g. won’t connect to www.bankofamerica.com without good validation but will connect to www.cnn.com without it. • Examples: • Web browsers • Email servers and clients

  35. DNSSEC Initiative Activities • Roadmap published in February 2005 • http://www.dnssec-deployment.org/roadmap.php • Multiple workshops held world-wide • DNSSEC testbed developed by • http://www-x.antd.nist.gov/dnssec/ • Involvement with numerous deployment pilots • Working with Civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels. • Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance

  36. DNSSEC Design / Use • Secure DNS Guidance Documents • NIST 800 Series Documents for operators and policy/decision makers. • Define the problem space • Outline BCP for securing current DNS operations • Guidelines for deployment and use of DNSSEC • Series of outreach efforts • Announcement from: http://csrc.nist.gov/publications/drafts.html • August 11, 2005: Draft NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide • Request for Comments closed Sept. 29th, 2005

  37. Secure Protocols for the Routing Infrastructure (SPRI) • BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet • BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows • The BGP architecture makes it highly vulnerable to human errors and malicious attacks against • Links between routers • The routers themselves • Management stations that control routers • Work with industry to develop solutions for our current routing security problems and future technologies

  38. SPRI Activities To Date • Formation of government and industry “steering committee” • DHS, DOD, DOCommerce, NIST, ICANN, IETF • Held first industry requirements workshop; March 15-16, 2005 in WDC • Held second workshop on operational security; May 18-19, 2005 in Seattle in conjunction with NANOG. • Held third workshop on registry operations; Sept. 13-14, 2005 in WDC; Outputs submitted at recent ARIN mtg

  39. Cyber Security Assessment Activities • Cyber Economics Study • Dept. of Treasury – “Key Business Processes in the event of a Crisis” Study

  40. Economic Analysis of Cyber Security and Private-Sector Investment Decisions The objective of the study is to investigate Internet stakeholders’ investment decisions for bolstering the security of their information technology (IT) networks. To achieve the study objectives, RTI will • review existing studies to assess the economics of cyber security, • conduct a series of interviews within eight industry sectors to assess companies’ investment decisions related to securing their IT networks, and • identify potential areas for government involvement and/or support for the deployment and adoption of existing cyber security technologies. DHS/Cyber Security IMPACT • DHS is interested in economic decisions that may lead to inadequate investment in cyber security measures. • Better information on the costs and benefits of security technologies and adverse events will help inform private investment decisions. • Understanding the public goods nature of Internet security may inform government’s involvement in cyber security. SCHEDULE

  41. Prototyping of a Business Process Model (A Computer Simulation) of the Finance Sector DESCRIPTION / OBJECTIVES / METHODS • “Proof of Concept” activities are designed to assess initial technical and operational feasibility, including scoping and development of a concept of operations, before stakeholders invest substantial resources in full-scale development. • Various private and public-sector stakeholders have determined the immediate operational need for this capability; it meets several gaps defined by the Treasury Department and sector-level coordinating councils. • The research involves 4 phases: Engage SMEs to help define the logical and physical extent of the sector at a high level; Determine an appropriate subset of sector transactions to model as a proof of concept; Use rapid prototyping to define simulation requirements; Report on technical and operational feasibility DHS/Cyber Security IMPACT • This project addresses the requirement for a man-in-the-loop simulation that emulates sector-wide disruptions and their operational (business) impact. • Sector-level simulation of impacts resulting from cyber and physical disruptions of business processes and transactions between critical entities in the Finance Sector will provide government and industry stakeholders and users with unique insight of operational risks, single points of failure, and mitigation strategies. • Potential users include risk managers responsible for the operational health of the sector; also enterprise risk managers BUDGET & SCHEDULE (FY05, FY06, FY07) • Tasks: Proof of Concept (Feasibility); Phase 1 Requirements Definition; Phase 1 Simulation Design; Phase 1 Implementation, Integration, Testing, and Roll-out

  42. Rapid Prototyping – Authoritative SSL Auditing PROJECT DESCRIPTION / OVERVIEW • Goal: Enable organizations to audit secure communications to prove policy compliance, investigate attacks, and arbitrate disputes. • Approach: Use a passive network device to record SSL traffic, sign it with a hardware security module, and open communications when necessary. Requires the cooperation of the original secure server to keep its keys secure. Web portal restricts access to authorized personnel. • Status: Alpha Aug 15, 2005; Beta planned for Dec 15, 2005 • End Users: Information technology and security officers in government agencies and commercial organizations, especially those that need to comply with regulations such as HIPAA, FACTA, and Sarbanes-Oxley. DHS/Cyber Security Impact • Complete, authoritative records of electronic transactions • Ensure users/organizations follow security policies • Better investigate attacks and fraud over SSL • All records remain confidential until specifically reviewed • Very low total cost of ownership encourages adoption BUDGET & SCHEDULE (FY05, FY06, FY07) • Tasks: Reqmnts. & Design; Alpha System; Beta System; Final System • (Diagram labels: Client Machine, Server Machine, Client Application, Server Application, Network Switch, SSL Client, SSL Server, Key Shield, Portal Device, Auditing Device, Auditing Portal, Recording Application, Signing Application)

  43. Emerging Threats – VME-DEP • Virtual Machine Environment - Detection and Escape Prevention • VME use is increasing in industry and government, and is starting to be used in classified networks • Goals of this project are to • Gain a better understanding of where VMEs are used and for what purpose • Determine how an attacker might break the security models defined by a VME • Develop techniques for preventing those attacks • Develop a “secured” open source VME

  44. Emerging Threats - NGCD • Next Generation Crimeware Defenses • Crimeware: Malicious software specifically designed to steal identity information and other associated financial information • Goals of this project are: • Gain an understanding of the nature of crimeware technologies and how to defend against their increasing sophistication • Collect and analyze crimeware samples • Build threat and vulnerability models based on the attack types and goals of stealing access credentials and identity information and correlated to popular computing environments • Develop a “secure computing environment”: web browser (based on open-source Mozilla), secure keyboard and embedded co-processor to proactively prevent crimeware

  45. The Institute for Information Infrastructure Protection (I3P) • The I3P is a consortium of 24 academic and not-for-profit research organizations • The I3P embodies a concept developed in studies between 1998 and 2000 by PCAST, IDA, and OSTP • The I3P was formed in September 2001 and funded by congressionally appropriated funds assigned to Dartmouth College • DHS/S&T/HSARPA now oversees the I3P funding • $17.883 M Congressional Earmark for the Institute for Security Technologies Studies (ISTS) at Dartmouth College • Inherited from Office of Domestic Preparedness (ODP) during R&D consolidation activity

  46. Other Activities – Institute for Infrastructure Protection (I3P) • Creation of two research plans for cyber security, one in Supervisory Control and Data Acquisition (SCADA) systems, and one in economic and policy issues • Two Independent Research Advisory Boards (RABs) established to review final research plans submitted for I3P support. • Two-year, $8.5 million research program to protect SCADA systems in the oil and gas industry and other critical infrastructure sectors. • Led by Sandia, comprises 10 research institutions with expertise in cyber security, risk management, and infrastructure systems analysis. • Kickoff meeting held April 14-15 at Sandia National Laboratories’ Center for SCADA Security in Albuquerque • Attended by project researchers along with oil and gas experts from ChevronTexaco, Ergon Refining, Public Utility of New Mexico, and Williams • Provided training on SCADA hardware, software, and typical system configurations, as well as common threats and vulnerabilities associated with these systems

  47. I3P Cyber Economics Project • Two project goals: • How to quantify the cost of cyber security and the effects of cyber attacks? • How to measure the effectiveness of current security tools and policies? • Three intertwined threads • National perspective: • Views the information infrastructure as an element of national security, where cyber security incidents can disrupt, impair or destroy critical economic capabilities. • Enterprise or corporate perspective: • Considers the effects of degraded or destroyed infrastructure on the degree to which an enterprise can maintain its bottom line by developing and delivering products and services. • Technological perspective: • Addresses those technologies that protect the infrastructure, by deterring particular threats, preventing certain classes of attacks, or mitigating the consequences of attack. • Participants: RAND Corporation, University of Virginia, MIT Lincoln Laboratory, George Mason University, Dartmouth

  48. R&D Execution Model (diagram repeated from slide 12)

  49. Experiments and Exercises • Experiments • U.S. / Canada Secure Blackberry Experiment • PSTP-agreed upon deployment activity • Oil and Gas Sector • Working with DOE and industry • Finance Sector • CIDDAC • U.S. NORTHCOM • CWID 2005 (originally known as JWID) • Exercises • National Cyber Security Exercise (Cyber Storm) • National Critical Infrastructure Exercise (NCIE) • Exercise led by industry

  50. US-CAN Secure Wireless Trial • Objective • Test effectiveness of US/Canadian cross-border secure wireless architecture to cope with real-time communication in variety of scenarios • Technologies • PKI (S/MIME), Identity-based encryption, enforcement of policy and compliance • Trial Activity • July: U.S.-only initial four-day test period • October: Four-day test period with 35 activities and with 40+ participants acting out homeland security scenarios using BlackBerry devices
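
Slide 34 says applications can take different actions depending on DNSSEC validation results. The sketch below is an added example, not code from the presentation: it reads the AD (Authenticated Data) bit and RCODE that a validating resolver returns and applies a per-name policy using the two host names the slide mentions. The `REQUIRE_VALIDATED` set, the function names and the sample replies are assumptions constructed for illustration, and the AD bit is only meaningful when the resolver and the path to it are trusted.

```python
import struct
from dataclasses import dataclass

# Bits of the 16-bit DNS header flags field (RFC 1035, RFC 4035).
QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
AD = 0x0020          # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2

# Assumption for this example: names the application will not contact
# unless the answer was DNSSEC-validated (the slide's banking example).
REQUIRE_VALIDATED = {"www.bankofamerica.com"}


@dataclass
class Reply:
    txid: int
    qname: str
    rcode: int
    authenticated: bool


def parse_reply(msg: bytes) -> Reply:
    """Parse the header and the single question of a DNS response."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & QR:
        raise ValueError("not a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label in question name")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    return Reply(txid, ".".join(labels), flags & RCODE_MASK, bool(flags & AD))


def decide(reply: Reply, asked_name: str, asked_txid: int) -> str:
    """Return 'connect-validated', 'connect-unvalidated' or 'refuse'."""
    if reply.txid != asked_txid or reply.qname != asked_name.lower():
        return "refuse"              # reply does not match our query
    if reply.rcode != NOERROR:
        return "refuse"              # validating resolvers answer SERVFAIL for bogus data
    if reply.authenticated:
        return "connect-validated"
    if reply.qname in REQUIRE_VALIDATED:
        return "refuse"              # sensitive name, no proof of authenticity
    return "connect-unvalidated"     # tolerated for names outside the policy


def build_reply(txid: int, name: str, ad: bool, rcode: int = NOERROR) -> bytes:
    """Constructed sample: response header plus one A/IN question, no answers."""
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    cases = [
        ("www.bankofamerica.com", True, NOERROR),
        ("www.bankofamerica.com", False, NOERROR),
        ("www.cnn.com", False, NOERROR),
        ("www.cnn.com", False, SERVFAIL),
    ]
    for name, ad, rcode in cases:
        reply = parse_reply(build_reply(0x1234, name, ad, rcode))
        print(name, "AD" if ad else "no-AD", rcode, "->", decide(reply, name, 0x1234))
```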
