Cybersecurity Research Challenges Cybersecurity Summit, Crystal City, VA May 8, 2008 Jeannette M. Wing Assistant Director Computer and Information Science and Engineering Directorate National Science Foundation and Presidents Professor of Computer Science Carnegie Mellon University 2CybersecurityJeannette M. Wing Outline The Setting: Then and Now Whats Missing Long-term outlook Big picture 5 new research areas 3CybersecurityJeannette M. Wing The Setting: Then and Now We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerableto the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrows terrorist may be able to do more damage with a keyboard than with a bomb Computers at Risk, National Academies CSTB Study, p Trust in Cyberspace, CSTB Study Improving Cybersecurity for the 21 st Century, CSTB Study. ubiquity networked systems 88 everywhere, everyone, all the time, embedded, invisible, visible, mobile, wearable, handheld, remote, peta, tera, giga, mini, micro, nano, good guys, bad guys 2001 September 11 4CybersecurityJeannette M. Wing Credit: NCO/NITRD Credit: U.S. Department of Homeland Security Credit: NCO/NITRD 5CybersecurityJeannette M. Wing Whats Missing in Our Thinking Be proactive, not reactive. We are using yesterdays solutions to address todays threats. We should be ready today for tomorrows threats. We are not. Anticipate the future. Long-term outlook Big picture view Foundational research 6CybersecurityJeannette M. Wing Long-Term Outlook: Who and Why Threats Today: hackers, criminals Tomorrow: organized crime, terrorists, nation-state, enemy state Motivation Today: fame, money Tomorrow: power, control Attacks Use cyberattack as an amplifier of a physical attack Cyberspace is an enabler Attack the Internet More likely as we put more key functionality on-line Use cyberspace to hide Today (2008) 7CybersecurityJeannette M. Wing Long-Term Outlook: How Today: code-level vulnerabilities Flaws in the code Tomorrow: component-level vulnerabilities Flaws in the design module, system, application, service, aka interface mismatch, composition flaws, feature interaction, Simple examples of design-level flaws - Netscape browser and Domain Name Server spoofing attack, Princeton [DFW96] - Google Desktop Search and Java applets, Rice [NFW04] - Microsoft Outlook and IE settings, Microsoft Research and Carnegie Mellon [PW05] 8CybersecurityJeannette M. Wing Big Picture: Its not just security Trustworthy systems Security Reliability Privacy Usability High Confidence Systems Cyber Security and Information Assurance Holistic view Technical: The whole stack hardware program prog. lang. O/S compiler system arch. application service Non-Technical Psychology and human behavior - Usable security- Social engineering attacks- Privacy - Insider threat- Attackers motivation Economics, risk management, law, politics people 9CybersecurityJeannette M. Wing Credit: NCO/NITRD 10CybersecurityJeannette M. Wing Whats Missing? 1.Foundations 4. Privacy 3. Metrics 2. Software security 2. Composability 5. Usability Credit: NCO/NITRD 11CybersecurityJeannette M. Wing 1. Foundations New models, logics, and theories for analyzing and reasoning about Security Reliability Privacy Usability Crypto for quantum 12CybersecurityJeannette M. Wing Foundations: Security Models Spread of Code Red Worm 2001 Wheres the perimeter? What do you try to protect? Today: Security Without BordersYesterday: Security Perimeter - Bell-LaPadula model, Orange Book - Lampsons access rights matrix - Secure O/S kernel Egeskov Slot, Denmark (1554) drawbridge moat 13CybersecurityJeannette M. Wing Foundations: Logics for Reasoning About Privacy This privacy statement goes on for seven screenfuls! Do you read these? What are they saying? Can you trust them? Credit: Microsoft 14CybersecurityJeannette M. Wing Foundations: Cryptography Quantum/traditional cryptography immune to quantum-based attacks Traditional cryptography based on RSA is breakable by Shors quantum algorithm Credit: Oxford University 15CybersecurityJeannette M. Wing 2. Security Architectures What we have Point solutions to point problems, e.g., Code-level solutions buffer overruns Firewalls for intrusion detection What we need Integration of solutions Up and down the vertical stack, from hardware to applns. At each layer, e.g., routers and links at the network layer Compositionality of components and services 16CybersecurityJeannette M. Wing Component A Local Security Policy (SP A ) Composition of Components and of Security Policies Global Security Policy (GSP) Component B Local Security Policy (SP B ) || Consider the composition A || B: A || B GSP A || B SP A and A || B SP B ? ?? Consider more simply, SP A SP B : SP A SP B GSP SP A SP B SP A and SP A SP B SP B ?? ? 17CybersecurityJeannette M. Wing Google Desktop Search Google Desktop Search results results Credit: Google 18CybersecurityJeannette M. Wing Netscape and Domain Name Server browser DNS server Give me an IP address for user.foo.com Here is one: user.foo.com [ , , ] user.bar.com [ , ] Names to IP addresses mapping 19CybersecurityJeannette M. Wing 3. Security Metrics Computing Research Associates Grand Challenges on Trustworthy Computing, November 16-18, Challenge #3: Within 10 years, develop quantitative information-systems risk management that is at least as good as quantitative financial risk management. 20CybersecurityJeannette M. Wing Measuring the Relative Attack Surface 2. Windows w/IIS enabled is only slightly worse for Windows Server 2003, in contrast to its predecessors. 1. Windows Server 2003 is more secure than previous versions. 3. Windows in lockdown mode for NT4.0 and 2000 are each more secure than raw mode. Windows NT 4Windows 2000Windows Server 2003 RASQRASQ with IIS enabledRASQ with IIS Lockdown 21CybersecurityJeannette M. Wing Attack Surface The attack surface of a system is the ways in which an adversary can enter the system and potentially cause damage. Reduce the attack surface Increase systems security system surface 1. Methods 2. Channels 3. Data Attacks Entry/Exit Points 22CybersecurityJeannette M. Wing 4. Privacy Today: Threats to citizens privacy in many sectors of daily life Health, financial, e-commerce, social networks, e-voting Fundamental challenge: Once someone learns a secret about you, you cannot take away that knowledge Different from security (e.g., revoking access to a file, changing a lock on a door) 23CybersecurityJeannette M. Wing Privacy: A Few Questions to Ponder 1.What does privacy mean? 2.How do you state a privacy policy? How can you prove your system satisfies it? 3.How do you reason about privacy? How do you resolve conflicts among different privacy policies? 4.Are there things that are impossible to achieve wrt some definition of privacy? 5.How do you implement practical mechanisms to enforce different privacy policies? As they change over time? 6.How do you measure privacy? (Is that a meaningful question?) 24CybersecurityJeannette M. Wing Privacy and Confidentiality What other privacy policies does the database enforce? Doctor Billing bill X-ray Patient Database Only the doctor may see the X-ray privacy policy 25CybersecurityJeannette M. Wing Privacy and Software Analysis extraction tool application code policy 26CybersecurityJeannette M. Wing 5. Usability The user is the weakest link in security. Challenges Striking a balance between control and convenience Users are human. Targets of social engineering attacks Sources of insider threats 27CybersecurityJeannette M. Wing Usable Security (IE) Clicking Your Way Through Security 28CybersecurityJeannette M. Wing Usable Privacy (Firefox) Clicking Your Way Through Privacy 29CybersecurityJeannette M. Wing Summary of Research Challenges New research foci 1.Theoretical foundations: models, logics, crypto 2.Software architecture 3.Metrics 4.Privacy 5.Usability Enhanced investments in existing research foci: 1.Software security engineering 2.Networking 3.Testbeds 30CybersecurityJeannette M. Wing Summary of Whats Missing Anticipate tomorrows threat. Take a broad view. Long-term Holistic Research Basic research in new areas Enhanced investments in existing areas Education 31CybersecurityJeannette M. Wing Global Competitiveness Cyber Security Information Assurance Science and Engineering 32CybersecurityJeannette M. Wing Cyber Security: The US Leads. Asia Korea Institute of Information Security and Cryptography (KIISC), est. 1990; now 2000 members, 80 agencies and institutes Singapore in 2005 announces $24M for 3 years Taiwans annual spending is $7M Taiwan Institute Security Center (TWISC) founded August 2005; now 20 professors, 30 graduate students CyLab/Korea, CyLab/Japan (MS program), CyLab/Singapore (CERT) Europe Germany on August 18, 2006 announces Europes first Cybersecurity Plan CyLab/Greece (MS program) Middle East CyLab/Qatar (CERT), $25M 33CybersecurityJeannette M. Wing Information Assurance: Europe Leads in Some Areas Europe invests more than the US in High-Confidence Systems (see Insup Lees talk) Programming Language Theory Formal Methods 34CybersecurityJeannette M. Wing Science and Engineering: Who to Watch China China has the will, the hunger, the power, the people, the smarts They want a home-grown Nobel Prize winner, Fields Medalist, and/or Turing Award winner within 10 years C.N. Yang Shing-Tung Yau Andrew Yao US still leads in research know-how: quality, integrity, long-term view But maybe not in 10 years Cyber security: SHA-1 broken by three Chinese (two from Shandong University) 35CybersecurityJeannette M. Wing Funding 36CybersecurityJeannette M. Wing ACI Thank you! 37CybersecurityJeannette M. Wing Cyber Security NSF funds nearly 100% of the basic research in cybersecurity. DARPA: classified NSA: classified HS-ARPA: a disappointment NIST: Security metrics? 38CybersecurityJeannette M. Wing Computer Science NSF funds 86% of all university research in computer science. We need to add more diversity in funding models and funding styles to basic research in cyber security (and computer science more generally) Long-term Sustained High-risk Teams, especially interdisciplinary Large systems Old-DARPA style, NSF center-sized grants 39CybersecurityJeannette M. Wing Two Suggestions for Diversifying the Portfolio 1.Look to NIH for basic and applied research in CS Intellectual argument makes sense Medicine, healthcare, biology need fundamental advances in CS to carry their out their own visions for the future. Its not just massive data crunching, its fundamental algorithms and data structures. Applicable to cybertrust too, e.g., privacy, genomic databases 2.Look to DOE for basic, not just applied research in CS Algorithms: France (INRIA) in 1992 produced the best mesh generator TetMesh-GHS3D,Now used at Sandia, Livermore Software Technology, Software: getting the code right (PL), job scheduling (O/S), Hardware: 131,072 processors, TFLOPS, petabyte storage systems Global competitiveness 40CybersecurityJeannette M. Wing Non-Technical Issues Classified versus unclassified research Foreign students Academia-Industry relations Focus on IP More complex regulations: tax rules, export rules, conflict of interest rules, Education: Computational thinking will be a necessary skill for everyone to function in todays modern society. IA G Ecosystem 41CybersecurityJeannette M. Wing Readings and References CSTB Studies, National Academies Computers at Risk, 1991 Trust in Cyberspace, 1999 Cybersecurity Today and Tomorrow: Pay Now or Pay Later, 2002 IT for Counterterrorism: Immediate Actions and Future Possibilities, 2003 Improving Cybersecurity for the 21 st Century: Rationalizing the Agenda, 2007 (likely). Federal Plan for Cyber Security and Information Assurance Research and Development, NSTC IWG on CSIA, April Cyber Security: A Crisis of Prioritization, PITAC, February J.M. Wing, Computational Thinking, CACM, March 2006. 42CybersecurityJeannette M. Wing Security Axiom Good guys and bad guys are in a never-ending race! Trustworthy Thank you. 44CybersecurityJeannette M. Wing Academia-Industry Relations Old Model Go it alone Individual work Slow, serial Focus on ideas Basic research Less focus on specific ideas Simpler regulations Funding sufficiency Companies had money Indirect benefits New Model Partnered Joint work Fast, parallel Focus on IP Bayh-Dole (1985) Applied research More focus on specific ideas Complex regulations Tax rules, export rules, COI Funding challenges Research $ at program manager level Direct benefits 45CybersecurityJeannette M. Wing Credits Copyrighted material used under Fair Use. If you are the copyright holder and believe your material has been used unfairly, or if you have any suggestions, feedback, or support, please contact: Except where otherwise indicated, permission is granted to copy, distribute, and/or modify all images in this document under the terms of the GNU Free Documentation license, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation license (http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License)http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License