Steven Aftergood, of the always excellent Secrecy News blog, notes the release of a new report by the JASON panel, an influential, independent advisory committee for the Department of Defense that focuses on issues in science and technology, on the “Science of Cyber Security.” Specifically, DOD asked the panel to examine the theory and practice of cyber security, and “evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach.”

The committee has released its report on the issue (the Federation of American Scientists managed to obtain a copy (pdf)) and has concluded that there is a science of cyber security, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.” The primary recommendation of the committee is to have the DOD sponsor “multiple cyber-security science based centers and projects within universities and other research centers.” The programs should have “a long time horizon and periodic reviews of accomplishments.”

Centers, the panel believes, have several attractive features:

  • they give the sponsors access to the best ideas and people;
  • they give the sponsor a chance to bias the work towards their versions of common problems;
  • there is an opportunity for these centers and programs to leverage a unique collection of resources internal to the DOD, including defensive data and experience from running internal networks.

The centers would be different from DARPA’s projects in that the centers “would be expected to make steady progress on a broad set of topics, rather than limit themselves to revolutionary ideas or to try to solve the latest cyber-security crisis.”

Centers would also act as connecting points for the software industry, which would accelerate the translation of new ideas into useful tools for developers. The panel believes that this would correct a long-standing deficiency wherein some very sophisticated approaches to assessing and reasoning about the security of current systems are not available in the form of developer tools, perhaps because there’s insufficient market for the private development of the tools.

A number of representatives from academia, industry and government briefed JASON on the issues, including CRA’s Government Affairs Chair Fred Schneider.

JASON reports often form the basis of action within DOD on S&T matters, and there’s no reason to suggest that the recommendations in this report won’t get consideration. Whether the investment in centers actually happens is, of course, also dependent on the DOD’s budget situation, which is in a bit of flux at the moment until Congress hammers out a final agreement on an FY 11 budget and the Administration releases its plan for FY 12. But it wouldn’t be surprising to see an effort to incorporate the report’s recommendations in future DOD budgets.

In any case, the report is well-written and well worth a read.


House Panel Examines Cyber Attack Attribution

This morning, the House Committee on Science and Technology’s subcommittee on Technology and Innovation held a hearing entitled “Planning for the Future of Cyber Attack Attribution”. The hearing contained a panel of four witnesses — Dr. David Wheeler, a Research Staff Member of the Information Technology and Systems Division at the Institute for Defense Analyses; Mr. Robert Knake, an International Affairs Fellow at the Council on Foreign Relations; Mr. Ed Giorgio, the President and Co-Founder of Ponte Technologies; and Mr. Marc Rotenberg, the President of the Electronic Privacy Information Center.

The purpose of the hearing was to “discuss attribution in cyber attacks, and how attribution technologies have the potential to affect the anonymity and privacy of internet users.” Witnesses answered questions ranging from ‘Can attack attribution play a role in deterring cyber attacks?’, to ‘If attribution is futile, what other methods can we use to prevent cyber attacks?’ Witnesses emphasized that while attribution is important, it is not a cure-all, and should only be a part of the security tool box.

They claimed that automatic attack attribution — e.g. having computers automatically determine the origin of an attack — was dangerous because of the possibility for failure and the assignment of wrong identities to attackers. They also, thankfully, mentioned that the internet should not be ‘locked down’, and that different segments should have varying degrees of security and privacy.

The panel stressed that anonymity on the internet conflicts with attribution. A common sentiment was that attribution must not come at the cost of the privacy of ordinary, law-abiding internet users. Witnesses went on to posit various methods to achieve attack attribution without a total loss of privacy.

While the hearing touched on many topics, one of personal interest was the role of the Government in limiting the amount of data that private companies, such as Google, can record on their users. The panel claimed that increased restrictions on private companies would better secure citizens in the face of company breakdown, like the Chinese hack on Google earlier this year.

Check out the hearing’s website and the webcast.


The Change at DARPA

Since about 2001, the computing community – through CRA and others, and with lots of mention on this blog – has aired concerns about policy changes at the Defense Advanced Research Projects Agency (DARPA), the Defense Department’s leading-edge research arm and arguably one of the two most important agencies in the history of computer science. In particular, we’ve been concerned with a set of policies that discouraged the participation of university-based researchers in DARPA-sponsored research – policies like the use of “go/no-go” decisions without regard to the realities of fundamental research, the use of prepublication review on basic and applied research, and an increased use of classification of research that precludes participation from most researchers in the university community.

With the change in Administration and a new DARPA Director (Dr. Regina Dugan) appointed, we have been hopeful that these problematic policies would be reviewed and reversed. We were considerably encouraged when Dugan selected CRA’s former Chair, Dr. Peter Lee, the Chair of Computer Science at Carnegie Mellon University, to head a new office at the agency chartered, in part, to reengage the agency with the university community. Both Dugan and Lee have been making the rounds to university campuses over the last year listening to the concerns and pledging to address them.

Last week, Dugan testified before the House Armed Services Committee and addressed this need to change explicitly. Here’s some of what she said:

Over the last few years, the University community has articulated concerns about DARPA’s commitment to basic research. There was much said on both sides about the veracity of these concerns. As I described previously, one of the elements of DARPA’s success is the Agency’s commitment to work at the intersection of basic science and application, so-called Pasteur’s quadrant. The tension created in Pasteur’s quadrant arguably serves as a catalyst for innovation. DARPA is not a pure science organization, but neither are we a pure application organization. We sit firmly at the intersection of the two and, to be successful, we need the minds of the basic scientist and the application engineer, those in universities, and those in industry. And we need them working together, often on a single project, in the cauldron created by the urgency and technical demands of Defense. This is almost a unique characteristic of DARPA projects, which are often multi-discipline, multi-community, and multi-stage.

University Outreach.

Upon arrival at DARPA, we were determined to understand and repair the breach with universities. We discovered the following: Between 2001 and 2008, DARPA funding to US research university performers did decrease in real terms, by about half. But, as importantly, a noble and recent focus in the Agency on solving nearer term problems for the Department had resulted in some additional, perhaps unintended, consequences. The nature of the work changed, from multi-year commitments, to those with annual “go, no-go” decisions governing continued funding, which made it difficult for universities to commit to graduate students. A later stage focus resulted in more work done by universities as subs to prime contractors responsible for integration efforts, and the resulting flow-down of restrictions on the use of foreign nationals, export control, prepublication review, among others.

We assessed that we could address many of the concerns identified. So last September I traveled to five universities – Texas A&M, Caltech, UCLA, Stanford and Berkeley – to meet faculty, deans, and presidents, graduate students and undergraduates. The goal was to speak honestly and directly with them. We laid out the concerns, as we understood them, and the changes we had made or intended to make. We asked for their feedback. And we asked for their renewed commitment as well. For researchers to renew their commitment to working on Defense problems. For university leaders to clear obstacles and encourage their best and brightest to serve in Government. This service is, of course, in our shared self-interest because the quality of Government research sponsorship goes directly as the quality of the program leadership.

We continue to work on the issues: by educating our program managers to include basic research as an element in their programs, where appropriate, and to protect the integrity of this work under the provisions afforded fundamental research. The Agency has instituted new processes to ensure the necessary elements of academic freedom in basic research are balanced with the responsibilities of national security concerns. And we have increased transparency so that researchers can quickly determine whether restrictions apply to their work.

Since September, we have visited additional campuses across the country and spoken with university representatives to include Virginia Tech, Georgia Tech, MIT, and others. Our dialogue continues with more than 100 schools. We have more work to do, on both sides, but so far, it seems as if the breach is healing.

The full testimony is online and worth reading. This change at the agency is enormously positive, not only for the computing research community – which will gain (regain?) an important funding source and a different funding model than NSF – but for DOD and the country as well. After all, one of our biggest concerns with DARPA’s disengagement from the university community over the better part of the last decade was that it meant that some of the best minds in the country – indeed, some of the best minds in the world – were no longer thinking about defense problems. DARPA’s policy changes should help reclaim some of that mindshare, and in the process, better serve our warfighters and protect our country.
