|
||
|
7 September 2013 NSA SATC Top Secret or Not
A sends: This email was sent to G. Greenwald a few days ago: I have tried to read and understand the O Globo article & slides under [Cryptome English mirror: http://cryptome.org/2013-info/09/nsa-br-mx-2/nsa-br-mx-2.htm ] where about SATC is mentioned: "A sigla SATC, que aparece na capa, quer dizer "Secure and Trustworthy Cyberspace", o departamento da NSA responsável por fazer da internet um ambiente seguro e confiável." [Google translation: "The acronym SATC, which appears on the cover, means 'Secure and Trustworthy Cyberspace', the department of the NSA responsible for making the Internet safe and reliable."] But isn't SATC a NSF program, where different agencies are involved?: http://www.nsf.gov/pubs/2013/nsf13578/nsf13578.htm [Cited URL contents follow.]
http://www.nsf.gov/pubs/2013/nsf13578/nsf13578.htm [Excerpt on SaTC] Program Title: Secure and Trustworthy Cyberspace (SaTC) Synopsis of Program: Cyberspace has transformed the daily lives of people for the better. The rush to adopt cyberspace, however, has exposed its fragility and vulnerabilities: corporations, agencies, national infrastructure and individuals have been victims of cyber-attacks. In December 2011, the National Science and Technology Council (NSTC) with the cooperation of NSF issued a broad, coordinated federal strategic plan for cybersecurity research and development to "change the game," minimize the misuses of cyber technology, bolster education and training in cybersecurity, establish a science of cybersecurity, and transition promising cybersecurity research into practice. This challenge requires a dedicated approach to research, development, and education that leverages the disciplines of mathematics and statistics, the social sciences, and engineering together with the computing, communications and information sciences. The Secure and Trustworthy Cyberspace (SaTC) program welcomes proposals that address Cybersecurity from a Trustworthy Computing Systems (TWC) perspective and/or a Social, Behavioral and Economic Sciences (SBE) perspective (see "Perspectives"). In addition, we welcome proposals that integrate research addressing both of these perspectives as well as proposals focusing entirely on Cybersecurity Education (see below). Proposals may be submitted in one of the following three categories: Small projects: up to $500,000 in total budget, with durations of up to three years Projects with Trustworthy Computing Systems and/or Social, Behavioral and Economic Sciences perspectives may include a Transition to Practice (TTP) option, described in a supplemental document of no more than five pages. This document should describe how successful research results are to be further developed, matured, and experimentally deployed in organizations or industries, including in networks and end systems used by members of the NSF science and engineering communities. Proposals with a TTP option may exceed the above-stated maxima by up to $167,000 for Small projects, $400,000 for Medium projects and $750,000 for Frontier projects. In addition, the SaTC program seeks proposals addressing Cybersecurity Education with total budgets limited to $300,000 and durations of up to two years. Cybersecurity education projects may not include any of the three perspectives named above.
2012 Secure and Trustworthy Cyberspace Principal Investigators' Meeting The Secure and Trustworthy Cyberspace (SaTC) program of the National Science Foundation will be holding a two-and-a-half-day conference of its principal investigators' from Tuesday morning, November 27, to Thursday noon, November 29, 2012 at the Gaylord National Hotel and Convention Center in National Harbor, MD (in the Washington, DC area). SaTC is an interdisciplinary program including technologists, social scientists, and educators from programs sponsored by the NSF CISE, SBE, and EHR directorates. This PI meeting will encompass all of these perspectives on cybersecurity through plenary talks, breakout sessions, posters, and informal Birds of a Feather gatherings. The technology portion of SaTC replaced the Trustworthy Computing (TC) and Cyber Trust (CT) programs, so former TC and CT PIs are now SaTC PIs. We are pleased to announce the addition of the Science of Security (SoS) Community Meeting that will immediately follow the SaTC PI meeting after lunch on Thursday, November 29 and continue to the close of business on Friday, November 30 at the Gaylord. Government, industry, and academic members of the community will come together to discuss foundations for security science and ways individual elements can contribute to a general framework that supports the principled design of trustworthy systems, which may include multi-disciplinary contributions from mathematics, computer science, behavioral science, economics, physics, etc. Please mark the date on your calendar. It will be a great opportunity to build our community, highlight our accomplishments in the context of national initiatives, and discuss the future of cyber security research with government, industry, and academia.
Future of Federal Cybersecurity R&D Strategies Webcast Join a webcast of the Federal government's cybersecurity research and development strategies, a session of the NSF SaTC PI Meeting. Senior Federal representatives will review Government activities in implementing the Federal cybersecurity R&D strategic plan and discuss emerging areas in cybersecurity research that may warrant further focus.
Report on the NSF “Secure and Trustworthy Cyberspace” PI meeting January 3, 2013 By Jeremy Epstein The National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting (whew!) took place Nov. 27-29, 2012, at the Gaylord Hotel just outside Washington, DC. The SaTC program is NSF’s flagship for cybersecurity research, although it certainly isn’t the only NSF funding in this area. The purpose of this blog posting is to tell a bit about the event. While I’m one of the NSF program officers for SaTC, the following reflects my opinions, and does not necessarily speak for NSF. The program for the event was organized by Carl Landwehr and Lance Hoffman from George Washington University (with help from other people mentioned below), and logistics were handled by the Annapolis, MD, office of Vanderbilt University. I was the cat herder, but all the credit goes to the GWU, Vanderbilt, and other organizers. The agenda and slides for the event can be found at http://cps-vo.org/group/satc/program. In addition to the knowledge gained and colleagues met, attendees also went home with copies of Control Alt Hack, a new game designed to teach cybersecurity concepts. The purpose of the PI meeting was to build the community of PIs, encouraging them to interact and find new areas for research and collaboration, as well as to identify new areas for future NSF investment. It was explicitly not designed for each PI (or even a substantial fraction) to give a technical talk; with over 750 current grants in place (and more than 800 current PIs and co-PIs), that would have been impossible. Towards that end, there were several events designed for specific purposes, which I’ll describe below. (I hope speakers whom I don’t mention won’t be too offended!) The event opened with welcoming remarks from Dr. Subra Suresh (director of NSF) and Dr. Farnam Jahanian (assistant director of NSF for Computer and Information Science and Engineering), who spoke about the NSF mission and the importance of SaTC. Dr. Eric Grosse (VP of security engineering at Google) spoke about what keeps him up at night, and where he would like to see more research. He noted that Google’s goal is to get security for home users to the same (imperfect) level as corporate users. He also sees protecting individuals from government snooping as a key requirement. His key worries are malware (mostly on client machines), authentication (users lose their credentials and use common passwords), network security (including certificate authority issues), product vulnerabilities (which are getting better but still have a long way to go), and economic crimes. He noted hardware and software supply chain risks and issues with systems being constantly updated, noting that fuzz testing is (unfortunately) still a very effective way to find problems. [NSF funds research in all of these areas, and is co-sponsoring an upcoming workshop on hardware supply chain issues.] Five years ago, XSS was the most common vulnerability, and today it still is. A browser rollback feature – i.e., after you visit a bad site and realize it, you can click a button to undo the damage – is still a wish. (Of course, undo isn’t possible if information is stolen, since it can’t be “un-stolen.”) In response to a question, he said that collaboration with Google is possible on smaller products, but not likely with Chrome or Gmail, at least to start. To encourage interdisciplinary thinking, next was a panel (“Crossing the Line: Recent Research Results that Cross Disciplines”) with four of the coolest recent research projects I’ve seen: Mike Byrne (Rice University) talked about surprising results from human factors testing of voting machines, which grew from a partnership between psychology and computer science; While many of the attendees had seen one or more of these talks before, the condensed 15-minute versions gave a hint of this research – and I encourage anyone to look at the slides and read the corresponding papers for more details. Later that morning, Angela Sasse (University College London) spoke about the value of multidisciplinary work, as well as barriers to that work. As an example, much of the work in usable security has shown that efforts to replace passwords are too slow and unreliable. Instead, we need to be making the system accommodate people, instead of having people accommodate the system. Security isn’t anybody’s goal; it’s what we have to do to accomplish our tasks. Security designers don’t spend enough effort looking at the human implications of their designs – CAPTCHAs are an anti-usability feature, and they have a negative impact on organizations that use them. Only by looking at security from a multi-disciplinary perspective will we come up with solutions that are both secure and usable. The next section of the event was a discussion of the Federal Cybersecurity R&D Strategic Plan, in three parts (What is it; What Gets Funded; and What’s the Future – An Open Discussion). This was the only recorded portion of the PI meeting, so I’ll just point you to it, and thank the speakers – Bill Newhouse (NIST), Tomas Vagoun (NITRD), Doug Maughan (DHS), Keith Marzullo (NSF), Brad Martin (ODNI), and Steve King (OSD). If you know the acronyms, you must be a Washingtonian! What I found surprising about this panel is that the audience (both in the room and online) asked relatively few questions about the strategy itself, and made few suggestions for changes. I hope that the call for comments published in the Federal Register allowed enough time for thoughtful suggestions. Towards the mission of encouraging interdisciplinary work was Cross Disciplinary Conversations –one-on-one discussions between researchers from different disciplines, set up by matching skills and interests selected on a registration form. Attendees reported that this was a highly valuable part of the meeting. The software for interest matching was developed by Apu Kapadia and Zahid Rahman from Indiana University, and Elaine Shi from the University of Maryland also helped organize this event. They undoubtedly have an interdisciplinary future – one of the matches was between a husband and wife! Finally, we wrapped up a long day with poster sessions organized by Micah Sherr (Georgetown University) – most of the posters are available here. Birds of a Feather sessions ran in parallel, including a discussion of trust (involving social scientists and computer scientists, and how their views differ), cyber physical systems security, issues with interdisciplinary research, and community diversity (increasing numbers of women and underrepresented minorities in the cybersecurity research community). The second day started with welcomes from NSF leadership (Myron Gutmann, assistant director of NSF for Social, Behavioral & Economic Sciences and Alan Blatecky, director for the NSF Office of Cyberinfrastructure). The first panel approached Transition to Practice from perspectives of academics transitioning their technology (Paul Barford (University of Wisconsin) and Vern Paxson (ICSI)), government program managers encouraging transition (Doug Maughan (DHS)), venture capitalists investing in technology (Becky Bace (University of South Alabama)), and the needs of the commercial industry (Ron Perez (CSRA)). Transition is complicated, and requires skill sets well beyond just technical expertise. There are many different transition paths, including not only the obvious commercialization, but also open sourcing, licensing, use by operational government agencies, etc. Government programs like SBIR and STTR can help, as can NSF-specific programs like iCorps, and the Transition to Practice perspective and option within the SaTC program. Some of the chatter in the hall after this panel was about the balance between NSF’s primary mission of basic research and its efforts to encourage transitional work. It’s noteworthy that >90% of SaTC funding goes into basic research and less than 10% into transition. The “Teaching and Learning: Competitions and Cybersecurity” panel included three viewpoints on how to get students involved in cybersecurity through competitions. Nick Weaver (ICSI) talked about the tradeoffs between built-it competitions and skills competitions (a.k.a. “break it”). Built-it requires more effort by participants, and doesn’t have the “cool” factor of winning that break-it competitions have. Ben Cook (Sandia) described a hybrid competition where teams built a simplified voting system, and then attacked each others’ systems. [Ob disclosure: I helped with the design of their project.] Ron Dodge (US Military Academy) talked about some of the pros & cons of different approaches to competitions. One factor that I believe should get more attention is that break-it competitions bring out the worst in macho behavior, and by doing so chase away many women – thus denying our field many of the brightest contributors. I hope that hybrid efforts like Sandia’s will help reduce that negative. John Mitchell (Stanford University) spoke about security and privacy issues with Massively Open Online Courses. Unfortunately I missed most of his talk. The afternoon was given to 19 (!) parallel breakout sessions, covering a wide variety of topics. Attendees were assigned to groups based on interests expressed when they registered, and each group of 10-20 people was given a set of questions to address. The day wrapped up with more posters and Birds of a Feather sessions. The third day began with reports out from the working groups. Daniel Weitzner (MIT) and Michael Reiter (University of North Carolina Chapel Hill) organized brief presentations from the previous day’s groups – see the slides for a summary of their recommendations. I hope to have a report to share before long with more detail. The goal of this exercise was (in part) to identify areas for future NSF solicitations, so it’s worth looking at the outcomes to get ideas. The PI meeting concluded with Stuart Firestein (Columbia University) speaking about the topic of his recent book “Ignorance: How it Drives Science”. I wish I could summarize his talk, but it’s hard. I encourage you to look at his slides, read his book, and – if you ever have a chance – see him! While the talk has nothing to do with security, it has everything to do with how we think about science, and it’s entertaining too! The post-event survey (and informal comments made to me in the halls) showed that the Cross Disciplinary Conversations was the most popular event, and that most attendees found the agenda useful and would return whether or not it was required by the terms of their grants. The next SaTC PI meeting will be in 2014 (date and time not yet determined). The best way to get an invitation is to become a SaTC PI, so think up great ideas, write proposals, and come join us!
|