Tuesday, March 30, 2010
Panel Members:
Summary by Ryan Poyar
The first panel of the 2010 annual security symposium kicked things off to a great start and an interesting discussion. The topic was the Visualization of Security. The focus of the panel was to address the issue of how to use the vast amounts of data that is available in a way that can help predict and protect systems from future threats. Alok Chaturvedi, a professor at Purdue, initiated the discussion by describing how using visualization could potentially make it possible to display large amounts of data in a meaningful way. Donald Robinson from Northrop Grumman rationalized the use of using visualization with his argument that as humans we are naturally very good at recognizing patterns and making sense of visualizations as opposed to dealing with raw data. Currently, this technique is being researched through the project VACCINE (Visual Analytics for Command, Control, and Interoperability Environments) which is primarily focused on helping the mission of the Department of Homeland Security. As one of the researchers working on VACCINE, Ross Maciejewski described that the goal of the project was to be able to determine potential threats from an abundance of streaming real-time data sources and then further to provide real-time targeted counter measures against each threat. While all of this sounds very good in theory, getting it to work in practice requires many hurdles to be overcome. The discussion for the remainder of the panel was a debate on who should be responsible for making the threat determination from the data and then who should determine the correct response. Even in a non-real-time environment with only humans this is a very tricky endeavor. It seems that it is necessary for a specific expert in each field to analyze the data from their perspective and look for threats based on their expertise only. If a threat is found, it is then very difficult to determine who has the right background and is the best choice to mitigate it. Further, who has the ability to foresee threats that cross multiple disciplines? If we have a difficult time answering these questions in a detailed, comprehensive, non-real-time environment how will we be able to design a system a priori that can answer future questions in real-time?
Tuesday, March 30, 2010
Summary by Jason Ortiz
Mike McConnell, retired Admiral of the Navy, former Director of NSA and former Director of National Intelligence delivered the opening keynote speech for the eleventh annual CERIAS Security Symposium. The majority of this keynote was devoted to recounting his experiences and efforts to move forward national cyber capabilities. The following is a summary of those efforts.
Admiral McConnell opened the address with a simple statement: “The nation is at significant risk.” He pointed out that the United States’ economy and livelihood is in information streams. If those streams are interrupted or tampered with, the United States could lose trillions of dollars almost instantly.
McConnell continued the keynote by making three predictions. The first of those was the idea that the United States will continue to talk about cyber defenses but not really do anything until after a catastrophic cyber event. The Admiral supported this idea by pointing out that if extremist groups were to focus their efforts on cyber attacks, they could disrupt transportation and the economy. As evidenced by attacks last spring in California (criminals cut fiber optic cables), they could also disrupt services such as 9-11 service, internet connectivity, and cellular phone service.
McConnell’s second prediction was that after a catastrophic event, the government of the United States would suddenly lurch into action. They will pass laws, appropriate money and work to prevent the same sort of catastrophe from reoccurring. After all, Washington D.C. responds to four things: crisis, the ballot box, money and law. A catastrophic cyber attack would generate changes or problems in all four of these areas.
McConnell then proceeded to explain the most important aspects of cyber security as he learned as Director of the NSA. The first most important aspect is authentication. The second most important aspect is data integrity. The third aspect is non-repudiation. The fourth is availability, and the least important aspect is the ciphertext itself (encryption).
Finally, the third prediction made by Admiral McConnell was that the United States would reengineer the internet. He explained how the military uses the internet and predicts that the entire national network will be implemented in a similar manner in the future. Concerning the government, it is McConnell’s belief that the government can help to implement the redesigned and more secure network.
Yes, I have been quiet (here) over the last few months, and have a number of things to comment on. This hiatus is partly because of schedule, partly because I had my laptop stolen, and partly health reasons. However, I'm going to try to start back into adding some items here that might be of interest.
To start, here is one item that I found while cleaning out some old disks: a briefing I gave at the NSA Research division in 1994. I then gave it, with minor updates, to the DOD CIO Council (or whatever their name was/is -- the CNSS group?), the Federal Infosec Research Council, and the Criticial Infrastructure Commission in 1998. In it, I spoke to what I saw as the biggest challenges in protecting government systems, and what were major research challenges of the time.
I have no software to read the 1994 version of the talk any more, but the 1998 version was successfully imported into Powerpoint. I cleaned up the fonts and gave it a different background (the old version was fugly) and that prettier version is available for download. (Interesting that back then it was "state of the art"
I won't editorialize on the content slide by slide, other than to note that I could give this same talk today and it would still be current. You will note that many of the research agenda items have been echoed in other reports over the succeeding years. I won't claim credit for that, but there may have been some influences from my work.
Nearly 16 years have passed by, largely wasted, because the attitude within government is still largely one of "with enough funding we can successfully patch the problems." But as I've quoted in other places, insanity is doing the same thing over and over again and expecting different results. So long as we believe that simple incremental changes to the existing infrastructure, and simply adding more funding for individual projects, is going to solve the problems then the problems will not get addressed -- they will get worse. It is insane to think that pouring ever more funding into attempts to "fix" current systems is going to succeed. Some of it may help, and much of it may produce some good research, but overall it will not make our infrastructure as safe as it should be.
Yesterday, Admiral (ret) Mike McConnell, the former Director of National Intelligence in the US, said in a Senate committee hearing that if there were a cyberwar today, the US would lose. That may not be quite the correct way of putting it, but we certainly would not come out of it unharmed and able to claim victory. What's more, any significant attack on the cyberinfrastructure of the US would have global repercussions because of the effects on the world's economy, communications, trade, and technology that are connected by the cyber infrastructure in the US.
As I have noted elsewhere, we need to do things differently. I have prepared and circulated a white paper among a few people in DC about one approach to changing the way we fund some of the research and education in the US in cybersecurity. I have had some of them tell me it is too radical, or too different, or doesn't fit in current funding programs. Exactly! And that is why I think we should try those things -- because doing more of the same in the current funding programs simply is not working.
But 15 years from now, I expect to run across these slides and my white paper, and sadly reflect on over three decades where we did not step up to really deal with the challenges. Of course, by then, there may be no working computers on which to read these!