A Strategy for Addressing Cyber Security Challenges
1 like1,433 views
The document discusses the growing challenges of cybersecurity faced by individuals, businesses, and governments, emphasizing the complexity of the threat landscape, including cyber crimes costing significant financial losses. It outlines strategies to address these challenges through education, research, policy development, and collaboration among various stakeholders to enhance cybersecurity readiness. The importance of building capacity, supporting cybersecurity education and research, and integrating security into existing curricula is highlighted as essential for a robust national response to cyber threats.
A Strategy for Addressing Cyber Security Challenges
- 1. A Strategy for Addressing Cyber Security Challenges Mustaque Ahamad Professor of Computer Science, Georgia Ins>tute of Technology Global Professor of Engineering, New York University Abu Dhabi Co-‐founder and Chief Scien>st, Pindrop Security
- 2. A Couple of Observa>ons • Cyber security has become an extremely important problem for people, businesses and governments. • Addressing cyber security challenges presents serious challenges. • Cyber now reaches into cri>cal physical systems. • Cyber security is going to be a journey, not a des>na>on.
- 3. Are Things Really Bad? • Growing sophis>ca>on of the threat landscape – Cyber criminals, hack>vits, terrorists and na>on-‐states – Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report) – Greatest transfer of wealth (Keith Alexander, hXp://foreignpolicy.com/2012/07/09/nsa-‐chief-‐cybercrime-‐cons>tutes-‐the-‐greatest-‐transfer-‐of-‐wealth-‐in-‐history/ ) • Complex technology ecosystem – “Reflec>ons on trus>ng trust” • People, processes and coordina>on across mul>ple stakeholders
- 4. Threats + Vulnerabili>es => AXacks • Can we make threats go away? • AXribu>on is extremely difficult • Global and transna>onal • How can we address vulnerabili>es? • Security errors in sofware (over 1700 entries in NVD in last 3 months) • Asymmetry – aXackers only need to find one bug, we need to fix all • People are weak links • Only higher assurance, no perfect security – Stronger preven>on and early detec>on – Faster recovery and remedia>on
- 5. So, What Can We Do? • Educa>on – Developing the “security mindset” – Undergraduate and graduate programs • Research – Rapidly evolving field • Policy, legal and regula>on – It is much more than technology
- 6. Educa>ng Cyber Security Professionals • US Na>onal Ini>a>ve for Cybersecurity Educa>on (NICE) hXp://csrc.nist.gov/nice/framework/
- 7. Capacity Building for Educa>ng Cyber Security Professionals • What do we do? – Undergraduate or graduate programs? – Integra>ng security concepts in CS curriculum? – Voca>onal programs? • How do we do it? – So, where do we find cyber security faculty? – Developing hands on projects and laboratories • US Response – Centers of Excellence Program (NSA/DHS) – Scholarship-‐for-‐Service (SFS) Program) – NSF SaTC Educa>on Projects • Curriculum development, sharing, workshops etc.
- 8. Research Capacity Building • Evolving threat landscape and rapidly changing technologies – Gelng ahead of emerging threats – “Test and verify” rather than “trust but verify” • Diverse set of research challenges – Trustworthiness of technology to human dimension • Real-‐world impact of research – Tech transfer and commercializa>on
- 9. Example I: Malware Analysis • Scalable malware analysis system processes approximately 250K samples a day • Extrac>ng features from communica>on paXerns • Big data due to deep packet analysis and event volume • Machine learning for aXribu>on • Visualiza>on and ac>onable intelligence Mariposa Botnet Tracking and Takedown
- 10. Example II: Data-‐Driven Cyber Risk • Collect cyber risk relevant data from mul>ple sources – Vulnerabili>es – Exploit kits and malware – AXack data (public and private) • Analy>cs and visualiza>on – Lean back and lean forward Calendar view of reported vulnerabili>es
- 11. Na>onal R&D Strategy: US Example • Na>onal Science Founda>on Secure and Trustworthy (SaTC) – Launched afer developing a na>onal strategy ( hXps://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf) – Interdisciplinary including behavioral and economic aspects • DHS, DARPA and NSA Ini>a>ves – Cri>cal infrastructure security (CPS) – Resilient and transparent compu>ng – Science of security • Networking and Informa>on Technology Research and Development (NITRD) Program – Coordinated across mul>ple agencies – High level goal is to maintain US technological leadership in this field
- 12. Cyber Security Policy • Policy development is as important as best technical safeguards • Should companies and government agencies required to prac>ce certain level of cyber hygiene? • Informa>on sharing and coordina>on • Privacy • Legal and enforcement issues
- 13. Lessons Learned • Educa>on capacity building – Aggressively support centers like CERC IIIT Delhi – CS curriculum needs to be augmented with cyber security offerings at all levels – “Educa>ng the educators” – summer schools, workshops and hosted programs – What do we do about faculty? • Incen>ves for CS faculty members to shif/expand their research into cyber security • Be crea>ve (professor of prac>ce, global professor etc.)
- 14. Lessons Learned Contd. • Research capacity building – You cannot be a major player without a strong research base • How many papers at security conferences from India? – Launch/seed a few ambi>ous (and high risk) research projects like NSF’s fron>ers – Start/get security conferences to India to grow the community – Applied research exper>se • Cannot only rely on security vendor professionals for crisis handling • CDC for cyber, CERT 2.0? – Coordina>on across Na>onal Labs, DRDO?? – Home grown cyber security companies??
- 15. Lessons Learned Contd. • Cyber security is much more than technology – Policy, regulatory and legal dimensions – Cyber security maturity model and best prac>ces – Preparedness assessment – Conversa>ons at the highest level (WEF ini>a>ve) – Informa>on sharing, coordina>on and mutual aid – Informal trust networks
- 16. Conclusions • Cyber risk ranks among the top global risks (2015 WEF Global risks report) • Na>onal response is of cri>cal importance • Need to move at “network speed” • It is all about capacity building • Ignore research at your own peril