Date posted: 16-Jul-2015
A Strategy for Addressing Cyber Security Challenges
Mustaque Ahamad
Professor of Computer Science, Georgia Institute of Technology
Global Professor of Engineering, New York University Abu Dhabi
Co-founder and Chief Scientist, Pindrop Security
A Couple of Observations
• Cyber security has become an extremely important problem for people, businesses and governments.
• Addressing cyber security challenges presents serious challenges.
• Cyber now reaches into critical physical systems.
• Cyber security is going to be a journey, not a destination.
Are Things Really Bad?
• Growing sophistication of the threat landscape
  – Cyber criminals, hacktivists, terrorists and nation-states
  – Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report)
  – Greatest transfer of wealth (Keith Alexander, http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/)
• Complex technology ecosystem
  – “Reflections on trusting trust”
• People, processes and coordination across multiple stakeholders
Threats + Vulnerabilities => Attacks
• Can we make threats go away?
• Attribution is extremely difficult
• Global and transnational
• How can we address vulnerabilities?
• Security errors in software (over 1700 entries in NVD in last 3 months)
• Asymmetry – attackers only need to find one bug, we need to fix all
• People are weak links
• Only higher assurance, no perfect security
  – Stronger prevention and early detection
  – Faster recovery and remediation
So, What Can We Do?
• Education
  – Developing the “security mindset”
  – Undergraduate and graduate programs
• Research
  – Rapidly evolving field
• Policy, legal and regulation
  – It is much more than technology
Educating Cyber Security Professionals
• US National Initiative for Cybersecurity Education (NICE) http://csrc.nist.gov/nice/framework/
Capacity Building for Educating Cyber Security Professionals
• What do we do?
  – Undergraduate or graduate programs?
  – Integrating security concepts in CS curriculum?
  – Vocational programs?
• How do we do it?
  – So, where do we find cyber security faculty?
  – Developing hands on projects and laboratories
• US Response
  – Centers of Excellence Program (NSA/DHS)
  – Scholarship-for-Service (SFS) Program
  – NSF SaTC Education Projects
• Curriculum development, sharing, workshops etc.
Research Capacity Building
• Evolving threat landscape and rapidly changing technologies
  – Getting ahead of emerging threats
  – “Test and verify” rather than “trust but verify”
• Diverse set of research challenges
  – Trustworthiness of technology to human dimension
• Real-world impact of research
  – Tech transfer and commercialization
Example I: Malware Analysis
• Scalable malware analysis system processes approximately 250K samples a day
• Extracting features from communication patterns
• Big data due to deep packet analysis and event volume
• Machine learning for attribution
• Visualization and actionable intelligence
Mariposa Botnet Tracking and Takedown
Example II: Data-Driven Cyber Risk
• Collect cyber risk relevant data from multiple sources
  – Vulnerabilities
  – Exploit kits and malware
  – Attack data (public and private)
• Analytics and visualization
  – Lean back and lean forward
Calendar view of reported vulnerabilities
National R&D Strategy: US Example
• National Science Foundation Secure and Trustworthy (SaTC)
  – Launched after developing a national strategy (https://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf)
  – Interdisciplinary including behavioral and economic aspects
• DHS, DARPA and NSA Initiatives
  – Critical infrastructure security (CPS)
  – Resilient and transparent computing
  – Science of security
• Networking and Information Technology Research and Development (NITRD) Program
  – Coordinated across multiple agencies
  – High level goal is to maintain US technological leadership in this field
Cyber Security Policy
• Policy development is as important as best technical safeguards
• Should companies and government agencies be required to practice a certain level of cyber hygiene?
• Information sharing and coordination
• Privacy
• Legal and enforcement issues
Lessons Learned
• Education capacity building
  – Aggressively support centers like CERC IIIT Delhi
  – CS curriculum needs to be augmented with cyber security offerings at all levels
  – “Educating the educators” – summer schools, workshops and hosted programs
  – What do we do about faculty?
    • Incentives for CS faculty members to shift/expand their research into cyber security
    • Be creative (professor of practice, global professor etc.)
Lessons Learned Contd.
• Research capacity building
  – You cannot be a major player without a strong research base
    • How many papers at security conferences from India?
  – Launch/seed a few ambitious (and high risk) research projects like NSF’s frontiers
  – Start/get security conferences to India to grow the community
  – Applied research expertise
    • Cannot only rely on security vendor professionals for crisis handling
    • CDC for cyber, CERT 2.0?
  – Coordination across National Labs, DRDO??
  – Home grown cyber security companies??
Lessons Learned Contd.
• Cyber security is much more than technology
  – Policy, regulatory and legal dimensions
  – Cyber security maturity model and best practices
  – Preparedness assessment
  – Conversations at the highest level (WEF initiative)
  – Information sharing, coordination and mutual aid
  – Informal trust networks
Conclusions
• Cyber risk ranks among the top global risks (2015 WEF Global risks report)
• National response is of critical importance
• Need to move at “network speed”
• It is all about capacity building
• Ignore research at your own peril