Learn about the expansive portfolio of cyber security research going on at DHS HSARPA as Dr. Doug Maughan lays out the many cyber research programs planned and underway to tackle cyber’s tough problems in this interview with ActiveCyber.

I attended the DHS HSARPA Cyber R&D Showcase held in Washington, D.C. a little while back and was deeply impressed with the breadth and depth of the current cyber research but, even more, enticed by some hints of what was to come. So I was very excited when Dr. Doug Maughan, the Director of Cyber Research at DHS HSARPA, agreed to an interview so I could share what I learned with my ActiveCyber audience. Recently, we were able to sync up for this exchange, which I believe you will find quite informative. And hopefully the interview will motivate you to sign up for at least one of the coming events sponsored by Dr. Maughan’s group.

Spotlight on Dr. Doug Maughan

» Title: Cyber Director, Department of Homeland Security Advanced Research Projects Agency (HSARPA) within the Science and Technology Directorate
» Email: SandT-Cyber-Liaison@HQ.DHS.GOV
» Website: scitech.dhs.gov/cyber-research

Read his bio below.

April 12, 2016

Chris Daly, ActiveCyber: DHS recently announced the closure of the Cyber and Resilience National Dialogues. What did you learn from these collaborative interactions and what can we expect to come out of these initiatives?

Dr. Doug Maughan, DHS HSARPA Cyber Director: On May 18, 2015 the Department of Homeland Security (DHS) Science & Technology Directorate (S&T) launched the National Conversation Campaign: A Trusted Cyber Future to discuss a variety of topics relevant to protecting our cyber ecosystem. To accomplish this goal, DHS S&T’s Cyber Security Division (CSD) held online discussions and 12 in-person discussions around the country to engage a wide range of stakeholders to share new ideas, tools, and recommendations. This conversation brought together highly-engaged cybersecurity participants whose insights have been invaluable as S&T looks at future research and development (R&D) investments and priorities in these areas. Additionally, this cybersecurity conversation facilitated feedback for the development of the White House Federal Cybersecurity R&D Strategic Plan released in February 2016. The community can expect future R&D programs from the various agencies to address many of the topics identified in the Federal R&D Plan.

ActiveCyber: What are the major cyber issues emerging from the growing deployment of the Internet of Things? What is your approach to dealing with these issues from a DHS Cyber S&T perspective?

Dr. Maughan: There are numerous cybersecurity issues emerging from the growth of IoT, including software vulnerabilities abounding in many devices, an inability to identify rogue devices inserted into networks, devices that are not designed to provide authentication, and a lack of capability to securely update the software on remote devices. To answer some of these problems, we have initiated a solicitation looking for innovative technologies that can be deployed into both the government and private sectors.

ActiveCyber: Quantum computing poses major impacts to securing critical infrastructure due to dependencies on PKI and other cryptographic technologies that are not quantum resistant today. What are your thoughts about this issue and what is the Cyber S&T Directorate doing in this area?

Dr. Maughan: The areas of quantum computing and quantum cryptography are still in the basic research arena. Because S&T’s Cyber Security Division is more focused on applied research and transition activities, we are not currently funding many of these basic research activities. We have, however, as part of our Transition To Practice (TTP) program, been working with some of the National Labs to help them commercialize solutions.

ActiveCyber: The PREDICT data repository and DETER test bed have been active for a few years now. Please describe the purposes of these tools and what types of results have been achieved through these initiatives? How are these tools positioned to support dynamic defenses?

Dr. Maughan: The Protected Repository for the Defense of Infrastructure Against Cyber Threats (PREDICT) data repository – recently re-branded as the Information Marketplace for Policy and Analysis of Cyber-risk & Trust (IMPACT) program – provides data to researchers. There have been many researchers, both academic and industry, who have used the data from the PREDICT repository to test new solutions. Other agencies have been requiring their researchers to use the data in the PREDICT repository.

The Defense Technology Experimental Research (DETER) testbed is an open, globally available testing facility. It, too, has been used by thousands of researchers to test their ideas. One area of significance is the number of college classes, now over 50, that are using the DETER testbed to teach the next generation about networking and security.

Both of these research infrastructures are well positioned to support dynamic defenses. The PREDICT datasets can help those developing new solutions to test using these datasets. The DETER testbed provides an environment to test these new solutions in a non-destructive environment.

ActiveCyber: DHS Cyber S&T has provided investments towards development and understanding of cyber economic investment incentives and models. What is the motivation behind this investment, what has DHS achieved to date, and what plans do you have in moving forward in this area?

Dr. Maughan: At the end of the day much of what happens in cyberspace is motivated by economics. Criminals have moved online to get money from those using online capabilities. Decisions are made daily by CISOs and others who have to defend networks and systems, and these decisions are largely based on economic factors. We’ve funded several research efforts to date and will continue to fund small efforts in this area looking at disincentives for criminals and the role of insurance as it applies to cyber economics. This area was also called out in the 2016 Federal R&D Plan.

ActiveCyber: Cyber analytics is a hot area for investment and innovation by all media accounts. What is Cyber S&T doing to invest in this area? What role does machine learning play in the investment portfolio for this area? How do you see dynamic defenses improving as a result of improvements in cyber analytics?

Dr. Maughan: Many of the areas we are funding include an aspect of cyber analytics. There’s an aspect of analysis that happens in all R&D. What is changing is the use of analytics in operational environments to better integrate data inputs and to make better decisions about situational awareness and how to react. Machine learning is just one method for doing analytics and is getting more usage because the algorithms are getting better and processing capability is much faster. Dynamic defenses require swift movement, which requires the ability for faster and better decision making that is driven by cyber analytics.

ActiveCyber: Cloud security continues to be a major concern for agencies as they move more and more sensitive applications and data to the cloud. What types of innovation do you see emerging to assist cloud providers and cloud stakeholders in securing their resources? What role do you foresee cloud access security brokers playing in this area? Do you believe that micro-segmentation of workloads and network function virtualization could provide possible panaceas to cloud security problems?

Dr. Maughan: Cloud by its nature is dynamic, resilient, and scalable, which are all necessary qualities for security. Capabilities currently used by the cloud for load balancing and availability can be extended to provide for confidentiality and integrity, and can enable a response to events in relevant time frames. The dynamic nature of cloud also offers increased opportunity to enable Moving Target Defense (MTD) protections for cyber security. By extending the capabilities of the cloud to techniques such as dynamic platforms, dynamic networks, and dynamic runtime environments, cloud architectures and those that provide cloud services can adapt to evolving threats. While there is no “panacea” for cloud security problems (and there never will be), having systems and architectures that are dynamic and able to adapt to threats, either autonomously or through manual control, will shift the advantage away from attackers and back to those responsible for defense.

ActiveCyber: Could you explain the background, stakeholders, and purpose of the Apex NGCI Program and its collaboration with the Financial Sector? What types of issues will be researched through this program and what is the timeline for the rollout and execution of the program? What are your hopes and expectations regarding the outcomes from this program?

Dr. Maughan: Cyber attacks threaten national security by undermining information-dependent critical infrastructure. DHS identified 16 critical infrastructure sectors designated in the Presidential Policy Directive (PPD-21) – Critical Infrastructure Security and Resilience. DHS S&T and the Financial Services Sector (FSS) have focused on three major challenges:

  • Adversaries are infiltrating our systems and networks without our knowledge,
  • The sectors’ understanding of the cyber situation is inaccurate, incomplete, or only achieved forensically and after the infiltration has occurred, and
  • Network owners/operators lack strong methods to respond and mitigate the impact of adversaries on our systems, while still allowing for the sector to maintain adequate operating capacity.

The Next Generation Cyber Infrastructure (NGCI) Apex Program addresses these challenges by providing technologies and tools to confront advanced adversaries when they attack U.S. cyber systems and networks. The first three years of the NGCI Apex program will focus on deployment and transition of cutting edge technologies to the financial services sector. In later phases, the tools and technologies developed for the financial sector will be adapted to address a broader set of sectors, including the government, energy, and communications sectors. It uses a flexible, repeatable development, testing and evaluation approach to accelerate the transition of mature, relevant research results into the FSS critical infrastructure. This is achieved through direct pilot integration or via managed security services partners, venture capital entities, or open source programs.

Working with sector CISOs, NGCI has established the Cyber Apex Review Team (CART) to define prioritized requirements, plan and execute test and evaluation activities, and carry out the most appropriate methods of technology deployment and transition.

The NGCI will concentrate on delivering capabilities identified by the financial sector to address five primary areas:

  • Dynamic Defense: Present changing external and internal network layouts that are harder for adversaries to probe, breach and exploit, significantly increasing the economic costs for a potential attacker.
  • Network Characterization: Provide improved, real-time understanding of a network, including the internal communication patterns of connected assets, to enable immediate anomaly detection and rapid response to cyber incidents.
  • Malware Detection: Deliver improved ability to detect and prevent the execution of malware in all formats and to predict the likely evolution of malware code.
  • Software Assurance: Decrease false positive rates and accelerate the analytic timeline to increase the likelihood of finding software defects in complex software code.
  • Insider Threat: Deliver the capability to detect data exfiltration below the network level, as well as predict and model potential insider threats.

ActiveCyber: What types of initiatives do you have underway or planned to encourage innovation in the cyber task area? How is industry and academia responding to these initiatives? How has your Technology Transfer Program helped transition emerging technology out of the lab into the hands of cyber practitioners? What types of changes do you envision in the TTP over the next year?

Dr. Maughan: Earlier this year the DHS Homeland Security Innovation Program (HSIP) released the Innovation Other Transaction Solicitation (OTS) with the goal of engaging start-ups, incubators, and those who historically have been atypical partners for government, to consider the Department as a viable customer and transition partner. The first call, Internet of Things, is seeking novel ideas and technologies to improve situational awareness and security for protecting IoT domains, including the 16 critical infrastructure sectors monitored by DHS. Just this past February S&T awarded its first OTA IoT award to Pulzze Systems, Inc., a small business based in Santa Clara, California, to advance detection capability and security monitoring of networked systems.

The Transition To Practice (TTP) program focuses on moving mature cybersecurity technologies that were developed in Federal laboratories into the private sector for further development into commercially viable products with potential for widespread distribution in the marketplace. Much of the research community is insular, and really only focused on making connections to other researchers. TTP has served as a connecting point – bringing the research community together with the business community – to match technologies with partners to transition technology into the marketplace. Without commercialization, the government funded technologies would not reach a state that makes them widely deployable and supportable. To enable this we’ve introduced pitch training, business education, and provided opportunities to meet with end-users and commercialization partners through our TTP Technology Demonstration events and our booth presence at the RSA conference, as well as the relationships S&T has built.

Now in its fourth year, TTP has added program aspects yearly. For example, education was added in the second year and market research and the RSA booth presence were added in the third year. At this point, we do the following items with each class of technologies in the TTP program, but we are continuously working on outreach engagements and streamlining the transition path to be more efficient.

  1. Pitch training
  2. Publish a Technology Guide
  3. Business education
  4. Test and Evaluation
  5. Pilots
  6. Market Research studies
  7. Demo Day Events in DC, NYC, Houston and Silicon Valley
  8. RSA Booth and attendance by our researchers (Note: Most of the researchers have never been to this event before and it’s eye opening for them)

ActiveCyber: What upcoming events are planned to engage cyber researchers and technology developers and where can these folks learn more about DHS Cyber S&T?

Dr. Maughan: S&T CSD is actively engaging the cybersecurity industry to help introduce our R&D projects and mature technologies to our stakeholders. In the next few months CSD’s TTP program will be hosting several technology demonstrations around the country to engage the energy, financial services, and government sectors, integrators, investors and IT professionals. On May 18 we will engage the energy sector in Houston, Texas. On June 14 we will demo for the financial services sector in New York City and on June 20 we will be engaging government and industry in Washington, DC. All of the events are open to cybersecurity professionals looking to learn more about the program and/or to transition, pilot, deploy, or commercialize a technology.

Additionally, this fall we will be hosting a Government Cyber Security Small Business Innovation Research (SBIR) Workshop in partnership with Department of Defense and National Science Foundation, to allow our phase II and III SBIR performers the opportunity to collaborate and present their research to government and private sector cybersecurity leaders. We are still firming up dates, but as soon as we have information we will post it on our events page. To provide readers background on this event, I suggest referring to the 2015 workshop registration website.

Yearly we also launch an R&D Showcase, which features the division’s entire portfolio. We held the 2016 Cyber Security Division R&D Showcase and Technical Workshop in February and will be looking to hold the 2017 conference in Spring 2017.

For more information on DHS S&T CSD, visit scitech.dhs.gov/cyber-research, follow us on Twitter @dhsscitech or Facebook, view our project videos on YouTube, or connect with us via email at SandT-Cyber-Liaison@HQ.DHS.GOV.

Thanks, Dr. Maughan, for informing me and the ActiveCyber followers on the many exciting efforts related to cyber security research at DHS. I know I will be signing up for at least one of the upcoming outreach events you mentioned. I also plan to follow up on your invitation for another interview with you to drill down on one of these topics in the near future.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.

About Dr. Doug Maughan

Dr. Douglas Maughan is the Cyber Security Division Director in the Homeland Security Advanced Research Projects Agency (HSARPA) within the Science and Technology Directorate of the Department of Homeland Security. Dr. Maughan has been at DHS since October 2003. His research interests and related programs are in the areas of networking and information assurance.

Prior to his appointment at DHS, Dr. Maughan was a Program Manager at the Defense Advanced Research Projects Agency (DARPA) in Arlington, Virginia. He also worked for the National Security Agency as a senior computer scientist and led several research teams performing network security research. Dr. Maughan received Bachelor’s Degrees in Computer Science and Applied Statistics from Utah State University, a Master’s Degree in Computer Science from Johns Hopkins University, and a doctorate in Computer Science from the University of Maryland, Baltimore County.