April 16, 2014


Report on the NSF “Secure and Trustworthy Cyberspace” PI meeting

The National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting (whew!) took place Nov. 27-29, 2012, at the Gaylord Hotel just outside Washington, DC.  The SaTC program is NSF’s flagship for cybersecurity research, although it certainly isn’t the only NSF funding in this area.  The purpose of this blog posting is to tell a bit about the event.  While I’m one of the NSF program officers for SaTC, the following reflects my opinions, and does not necessarily speak for NSF.  The program for the event was organized by Carl Landwehr and Lance Hoffman from George Washington University (with help from other people mentioned below), and logistics were handled by the Annapolis, MD, office of Vanderbilt University.  I was the cat herder, but all the credit goes to the GWU, Vanderbilt, and other organizers.

The agenda and slides for the event can be found at http://cps-vo.org/group/satc/program. In addition to the knowledge gained and colleagues met, attendees also went home with copies of Control Alt Hack, a new game designed to teach cybersecurity concepts.

The purpose of the PI meeting was to build the community of PIs, encouraging them to interact and find new areas for research and collaboration, as well as to identify new areas for future NSF investment.  It was explicitly not designed for each PI (or even a substantial fraction) to give a technical talk; with over 750 current grants in place (and more than 800 current PIs and co-PIs), that would have been impossible.  Towards that end, there were several events designed for specific purposes, which I’ll describe below.  (I hope speakers whom I don’t mention won’t be too offended!)

The event opened with welcoming remarks from Dr. Subra Suresh (director of NSF) and Dr. Farnam Jahanian (assistant director of NSF for Computer and Information Science and Engineering), who spoke about the NSF mission and the importance of SaTC.

Dr. Eric Grosse (VP of security engineering at Google) spoke about what keeps him up at night, and where he would like to see more research.  He noted that Google’s goal is to get security for home users to the same (imperfect) level as corporate users.  He also sees protecting individuals from government snooping as a key requirement.  His key worries are malware (mostly on client machines), authentication (users lose their credentials and use common passwords), network security (including certificate authority issues), product vulnerabilities (which are getting better but still have a long way to go), and economic crimes.  He noted hardware and software supply chain risks and issues with systems being constantly updated, noting that fuzz testing is (unfortunately) still a very effective way to find problems.  [NSF funds research in all of these areas, and is co-sponsoring an upcoming workshop on hardware supply chain issues.] Five years ago, XSS was the most common vulnerability, and today it still is.  A browser rollback feature – i.e., after you visit a bad site and realize it, you can click a button to undo the damage – is still a wish.  (Of course, undo isn’t possible if information is stolen, since it can’t be “un-stolen.”)  In response to a question, he said that collaboration with Google is possible on smaller products, but not likely with Chrome or Gmail, at least to start.

To encourage interdisciplinary thinking, next was a panel (“Crossing the Line: Recent Research Results that Cross Disciplines”) with four of the coolest recent research projects I’ve seen:

  • Mike Byrne (Rice University) talked about surprising results from human factors testing of voting machines, which grew from a partnership between psychology and computer science;
  • Fabian Monrose (University of North Carolina Chapel Hill) explained how to recover the content of encrypted VoIP speech by analyzing packet sizes, which was a partnership with the linguistics department at his school;
  • Vern Paxson (ICSI) described his team's analysis of the economics of spam networks, and how they were able to reduce spam by choking off its financial blood supply, which led them to collaborate with a host of US and international government agencies; and
  • Dan Boneh (Stanford University) explained how using concepts similar to those in learning music, users can learn a password that they’re not aware of knowing (a psychology/computer science collaboration).

While many of the attendees had seen one or more of these talks before, the condensed 15-minute versions gave a hint of this research – and I encourage anyone to look at the slides and read the corresponding papers for more details.

Later that morning, Angela Sasse (University College London) spoke about the value of multidisciplinary work, as well as barriers to that work.  As an example, much of the work in usable security has shown that the proposed replacements for passwords are too slow and unreliable to displace them.  Instead, we need to make the system accommodate people, rather than having people accommodate the system.  Security isn’t anybody’s goal; it’s what we have to do to accomplish our tasks.  Security designers don’t spend enough effort looking at the human implications of their designs: CAPTCHAs are an anti-usability feature, and they have a negative impact on the organizations that use them.  Only by looking at security from a multidisciplinary perspective will we come up with solutions that are both secure and usable.

The next section of the event was a discussion of the Federal Cybersecurity R&D Strategic Plan, in three parts (What is it; What Gets Funded; and What’s the Future – An Open Discussion).  This was the only recorded portion of the PI meeting, so I’ll just point you to it, and thank the speakers – Bill Newhouse (NIST), Tomas Vagoun (NITRD), Doug Maughan (DHS), Keith Marzullo (NSF), Brad Martin (ODNI), and Steve King (OSD).  If you know the acronyms, you must be a Washingtonian!  What I found surprising about this panel is that the audience (both in the room and online) asked relatively few questions about the strategy itself, and made few suggestions for changes.  I hope that the call for comments published in the Federal Register allowed enough time for thoughtful suggestions.

Also in service of encouraging interdisciplinary work were the Cross Disciplinary Conversations: one-on-one discussions between researchers from different disciplines, set up by matching skills and interests selected on a registration form.  Attendees reported that this was a highly valuable part of the meeting.  The software for interest matching was developed by Apu Kapadia and Zahid Rahman from Indiana University, and Elaine Shi from the University of Maryland also helped organize this event.  They undoubtedly have an interdisciplinary future: one of the matches was between a husband and wife!

Finally, we wrapped up a long day with poster sessions organized by Micah Sherr (Georgetown University) – most of the posters are available here. Birds of a Feather sessions ran in parallel, including a discussion of trust (involving social scientists and computer scientists, and how their views differ), cyber physical systems security, issues with interdisciplinary research, and community diversity (increasing numbers of women and underrepresented minorities in the cybersecurity research community).

The second day started with welcomes from NSF leadership (Myron Gutmann, assistant director of NSF for Social, Behavioral & Economic Sciences and Alan Blatecky, director for the NSF Office of Cyberinfrastructure).

The first panel approached Transition to Practice from perspectives of academics transitioning their technology (Paul Barford (University of Wisconsin) and Vern Paxson (ICSI)), government program managers encouraging transition (Doug Maughan (DHS)), venture capitalists investing in technology (Becky Bace (University of South Alabama)), and the needs of the commercial industry (Ron Perez (CSRA)).  Transition is complicated, and requires skill sets well beyond just technical expertise.  There are many different transition paths, including not only the obvious commercialization, but also open sourcing, licensing, use by operational government agencies, etc.  Government programs like SBIR and STTR can help, as can NSF-specific programs like iCorps, and the Transition to Practice perspective and option within the SaTC program.  Some of the chatter in the hall after this panel was about the balance between NSF’s primary mission of basic research and its efforts to encourage transitional work.  It’s noteworthy that >90% of SaTC funding goes into basic research and less than 10% into transition.

The “Teaching and Learning: Competitions and Cybersecurity” panel included three viewpoints on how to get students involved in cybersecurity through competitions.  Nick Weaver (ICSI) talked about the tradeoffs between build-it competitions and skills competitions (a.k.a. “break-it”).  Build-it requires more effort by participants, and doesn’t have the “cool” factor of winning that break-it competitions have.  Ben Cook (Sandia) described a hybrid competition where teams built a simplified voting system, and then attacked each other’s systems.  [Obligatory disclosure: I helped with the design of their project.]  Ron Dodge (US Military Academy) talked about some of the pros and cons of different approaches to competitions.  One factor that I believe should get more attention is that break-it competitions bring out the worst in macho behavior, and by doing so chase away many women, thus denying our field many of the brightest contributors.  I hope that hybrid efforts like Sandia’s will help reduce that negative.

John Mitchell (Stanford University) spoke about security and privacy issues with Massive Open Online Courses (MOOCs).  Unfortunately I missed most of his talk.

The afternoon was given to 19 (!) parallel breakout sessions, covering a wide variety of topics.  Attendees were assigned to groups based on interests expressed when they registered, and each group of 10-20 people was given a set of questions to address.

The day wrapped up with more posters and Birds of a Feather sessions.

The third day began with reports out from the working groups.  Daniel Weitzner (MIT) and Michael Reiter (University of North Carolina Chapel Hill) organized brief presentations from the previous day’s groups – see the slides for a summary of their recommendations.  I hope to have a report to share before long with more detail.  The goal of this exercise was (in part) to identify areas for future NSF solicitations, so it’s worth looking at the outcomes to get ideas.

The PI meeting concluded with Stuart Firestein (Columbia University) speaking about the topic of his recent book “Ignorance: How it Drives Science”.  I wish I could summarize his talk, but it’s hard.  I encourage you to look at his slides, read his book, and – if you ever have a chance – see him!  While the talk has nothing to do with security, it has everything to do with how we think about science, and it’s entertaining too!

The post-event survey (and informal comments made to me in the halls) showed that the Cross Disciplinary Conversations were the most popular event, and that most attendees found the agenda useful and would return whether or not it was required by the terms of their grants.

The next SaTC PI meeting will be in 2014 (date and time not yet determined).  The best way to get an invitation is to become a SaTC PI, so think up great ideas, write proposals, and come join us!