CACR Director's Update 2015
TRANSCRIPT
CACR Director’s Update Von Welch
Director, CACR
CACR Seminar Series January 22nd, 2015
Welcome 2015 Spring Seminar Series
• 02/05/2015 Cornell University's Rafael Pass
• 02/19/2015 Penn State's Christopher French
• 03/05/2015 Northeastern University's Engin Kirda
• 04/02/2015 Duke's Aswin Machanavajjhala, PhD
• 04/16/2015 Indiana University's Scott Shackelford
Latest: http://www.cacr.iu.edu/events/674
January 22, 2015 CACR Director's Report
Thank yous
• Marjorie Young
• Marion Conaty
• Dara Eckart
• Sarah Portwood
• And everyone else who makes these talks possible
Thank you to Fred H. Cate
Founding CACR Director 2003-2014
Now a CACR Senior Policy Fellow
CACR Administration and Staff
• David Delaney, Deputy Director
• Dara Eckart, Administrative Director
Associate Directors:
• Bill Barnett
• Mark Bruhn
• Scott Orr

• Leslee Cooper
• Randy Heiland
• Craig Jackson
• Ryan Kiser
• Mark Krenz
• Sarah Portwood
• Susan Sons
• Marjorie Young
Plus many fellows and students…
THE CYBERSECURITY LANDSCAPE
Software Foundation
• Heartbleed, ShellShock, NTP…
• Foundational software of the Internet isn’t as solid as we would like.
Breaches, breaches, breaches…
• Target, Home Depot, etc.
• Cybercrime is getting more organized, aiming higher and getting better.
• Our different networks are integrated.
We’re not changing behavior
• Password “123456” reigns supreme in 2014 … Again!
• Caveat – this is from “leaked passwords”
• Why not?
• Are people not directly affected?
• Consequences too distant?
Adoption of Two-Factor Auth and Password Managers
Cybersecurity as Risk Management
Growing need by cybersecurity professionals to understand cybersecurity’s role in supporting the mission of the organization by managing risk.
Transition to Practice
• Widening gap between sophistication of cybersecurity research and what is applied.
• Programs in NSF, DHS, etc. focusing on getting research into practice.
We’re still waiting for the big one…
MY WISH LIST
Learn from our mistakes
• Breach reporting is nice, but knowing what actually went wrong is much better.
• Think National Transportation Safety Board reports – not fast, but detailed.
• Mandiant APT1 is a good example.
• More sharing of intelligence, mistakes in the community – too closed right now.
Better Software/Configuration Checking Tools
• Economics are against cybersecurity
• Race to develop, deploy, reconfigure, sell trumps cybersecurity in most cases.
• Need immediate feedback - tools to check software and configuration of systems.
• Easy, integrated, real time and clear.
More funding spanning research and operations
• We need to bring together those wrestling with real-world problems and those with innovative research ideas.
• Span from brainstorming workshops, through experimentation, prototypes, and deployment.
• Culture change needed to create this sort of collaboration.
TURNING TO CACR
About CACR
• Part of Pervasive Technology Institute
• pti.iu.edu
• Supported by VPIT, NSF, DHS, DOE.
• Partnership with University Information Technology Services, School of Informatics and Computing, Maurer School of Law, Kelley School of Business.
CACR VISION
• Interweave technical and policy expertise.
• Draw on Indiana University’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, public policy, and other disciplines.
• Bridge with Indiana University’s extensive practical experience in cybersecurity of its operational units.
CACR And IU
• CACR exists to serve the Nation, State and IU.
• Per our vision, we aim to improve cybersecurity at IU and IU through cybersecurity.
• Talk to us about coordination of cybersecurity activities, or collaboration on cybersecurity policy, operational, or applied research.
Cybersecurity @ Indiana University
Impressive!
• CACR
• REN-ISAC
• SOIC -- Master’s Degree in Cybersecurity
• University Information Security Office
• University Information Policy Office
• Many researchers and practitioners in other schools and offices.
CACR ACTIVITIES
Trustworthy Science
Maintaining the trust of scientists and the public in the CI, data and science is critical.
Challenge is understanding increasing threats to computational science, culture and requirements of individual domains, large distributed science communities, unique assets such as instruments, data, etc.
Science pushes IT hard!
HPC HTC
Science Gateways
Big Data
Distributed Everything
Bleeding-edge Networks
TrustedCI.org: Center for Trustworthy Scientific Cyberinfrastructure
Providing leadership and addressing cybersecurity challenges for the NSF community.
CTSC Accomplishments
• Engaged with over a dozen NSF projects - 5 large facilities.
• Organized NSF Cybersecurity Summits for Large Facilities and CI
• Training, best practices
• Developed Cybersecurity Program Guide for NSF CI
• Authoring cybersecurity chapter for NSF Large Facilities Manual
We rely increasingly on our software stacks – both the ones we write and others.
Open nature leads to large attack surfaces.
Software integrity is critical.
A joint effort:
• Morgridge Institute for Research (lead)
• University of Illinois Urbana Champaign
• University of Wisconsin – Madison
• Indiana University
Funded by DHS
Miron Livny, MIR
Jim Basney, UIUC
Bart Miller, UW
Von Welch, IU
https://continuousassurance.org/
A Framework for Software Assurance
[Diagram for "A Framework for Software Assurance". Labels: Package, Tool, Platform, Perform Assessment, Results, Parse Results, Parsed Results, Result Viewer, View Results. Counts shown: "Current: 396 & bring your own", "Current: 8", "Current: 2", "Current: 700+ Cores", "Current: 9".]
IU’s Role in SWAMP
• CACR: Cybersecurity
• RT/High Throughput Computing (w/Global Research NOC): User Support and Monitoring
XSIM: Extreme Scale Identity Management for Science
Traditional computing with users all managed by data center.
Image credit: Ian Bird/CERN Image credit: Lawrence Livermore National Laboratory (via Wikipedia)
Modern science has large multi-site collaborations.
Science collaboratory identity management
• Based on interviews with 18 sites and projects.
• Simple model for describing collaboratory IdM.
• Identified factors that inhibit and encourage delegation from computing center to collaboration.
IU NSA Certification
• Indiana University designated as a National Center of Academic Excellence in Information Assurance/Cybersecurity through academic year 2021.
• Many thanks to Scott Orr, Drew Simshaw, and all the faculty and staff who gather needed information.
Indiana National Guard
• Participate in community-building cyber discussions with the Indiana National Guard
• Facilitate tour of ING cyber training facilities at Muscatatuck by senior homeland security officials
• Contribute to IU letter of support for ING’s efforts to expand its cyber force.
Consultation to NSA on Cyber
• In the wake of Edward Snowden’s disclosures, organized a day-long discussion between faculty and senior NSA officials at NSA headquarters in Fort Meade, Maryland.
• Guidance on privacy, whistleblowing, transparency, secrecy, and related topics.
• Maurer School of Law Prof. and CACR Senior Fellow David Fidler’s appointment as Scholar in Residence of the President’s Privacy and Civil Liberties Oversight Board (Jan-Aug 2015).
DOD Minerva Proposal
Coordinated the development of a multidisciplinary cyber research proposal through the defense department’s MINERVA social science research initiative.
Seven faculty from six IU disciplines (law, journalism, psychology, policy, linguistics, international affairs) joined the effort to propose a study of societal trust and stability.
CACR Strategic Plan
• Strategic Planning activities Oct’14-March’15
• Expect to…
  Refresh the fellows program
  Establish strong connections with more schools and other IU campuses
  Define opportunities to provide expertise to the community; etc.
  Refine and focus Security Matters
• Thoughts? Input? We’re happy to chat.
2014 CACR Cybersecurity Summit
• June 2014 Summit in Indianapolis
• Featured two senior Homeland Security officials responsible for cyber operations and R&D.
News about 2015 CACR Cybersecurity Summit coming soon!
Cyber Faculty Discussion
• Feb. 25
• Extending from the MINERVA collaboration.
• Professors Shannon Martin and Tony Fargo are featured speakers in a faculty discussion of their cyber research interests and establishing collaborative research teams at IU.
Thank you
cacr.iu.edu