Friday, June 11, 2010

NITRD: "You're going the wrong way!"

If you remember the great 1980's movie "Planes, Trains, and Automobiles" the title of this post will make sense. When Steve Martin and John Candy are driving down the wrong side of the highway, another motorist yells "You're going the wrong way!" The deluded pair reply "How do they know where we're going?"

I am starting to feel like the motorist yelling "You're going the wrong way!" and I'm telling it to Federal research efforts like the Federal Networking and Information Technology Research and Development (NITRD) Program. This program describes itself thusly:

The NITRD Program is the primary forum by which the US Government coordinates its unclassified networking and information technology (IT) research and development (R&D). Fourteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2010 networking and IT R&D budgets totaled more than $4 billion.

This program proposes three Federal Cybersecurity Game-change R&D Themes:

  1. Tailored Trustworthy Spaces: Tailored Trustworthy Spaces (TTS) provide flexible, adaptive, distributed trust environments that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats. A TTS recognizes the user’s context and evolves as the context evolves. The user chooses to accept the protections and risks of a tailored space, and the attributes of the space must be expressible in an understandable way to support informed choice and must be readily customized, negotiated and adapted.

    The scientific challenge of tailored spaces is to provide the separation, isolation, policy articulation, negotiation, and requisite assurances to support specific cyber sub-spaces.

  2. Moving Target: Research into Moving Target (MT) technologies will enable us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency. The characteristics of a MT system are dynamically altered in ways that are manageable by the defender yet make the attack space appear unpredictable to the attacker.

    MT strategies aim to substantially increase the cost of attacks by deploying and operating networks and systems in a manner that makes them less deterministic, less homogeneous, and less static.

  3. Cyber Economic Incentives: Cybersecurity practices lag behind technology. Solutions exist for many of the threats introduced by casual adversaries, but these solutions are not widely used because incentives are not aligned with objectives and resources are not correctly allocated. Secure practices must be incentivized if cybersecurity is to become ubiquitous, and sound economic incentives need to be based on sound metrics, processes that enable assured development, sensible and enforceable notions of liability and mature cost/risk analysis methods.


This is lovely. Great. However, if you're going to spend $4 billion, why not focus on better operations? The problem with this endeavor is that it is driven by researchers. This is my personal opinion, but researchers do not know what is happening inside real enterprises. Researchers reply "How do they know where we're going?" I know where they are going because I see these sorts of R&D efforts and I don't see them addressing the real problems in the enterprise.

Harlan Carvey always makes this point, and he is right: many enterprises are not conducting counter-intrusion operations at the level that is required for modern defense. We don't need output from a research project to be yet another aspect of digital security that is not designed, built, or run properly in the IT environment.

9 comments:

Keydet89 said...

Richard,

Ugh. You can't say that something doesn't work if you don't use it, and that's one of the biggest issues with CSIRPs and any type of security in the enterprise...too often, it's deemed a failure even when it's never employed, or employed properly.

John said...

I've often thought that one of the weaknesses of this blog was the lack of references to old Steve Martin and John Candy movies. Thank you, Richard, for addressing that gap. I hope you can work in more in the near future.

Anonymous said...

"What's that smell?"

"That's the vomit a researcher just deposited on my desk. Awful, isn't it?"

#1: blah blah blah. Fine, it sounds fun, but good luck managing even a small *one* of those in the real world.

#2: blah blah blah. Again, sounds fun, but I'd deem this impossible in the real world. Or possible, but grossly simplified like having VMs recreate themselves every 10 minutes. It doesn't fix vulns, but makes the attacker work more, I guess. Sounds like a lot of cost for little in return other than operational headache. We can't even keep up with and manage static environments that *are* homogeneous!

#3: Well, at least this point opens with a few widely-held assumptions everyone can agree about. A big "duh" about becoming more incentivized. However, this either means flat-out fines/punishments or accepting the reality of the gamble that risk management is. Better metrics probably won't magically find this hidden value we've been missing all these years.

-LonerVamp

webjedi said...

and of course the great one from that film... 'those aren't pillows!'

I have the unenviable role of being a former (well, still in my head, active) Ops person residing in a policy shop... trying to get people to focus less on the reporting and paperwork and realize we need some real tactical addressing of what's missing in situational awareness of our enterprise. As at the Federal Computer Security Forum last week, folks chimed up that 40 even 60% of their security budget is spent doing C&A activities... and that remaining 40% is left for ops, training, supplies, O&M, and so forth... tell me something isn't backwards here.

The big discussion from Ron Ross at NIST (Mr. SP 800 himself) was that the government turned this into a paperwork and audit exercise... and my view is "well of course... this is how the government copes with something they don't grasp... make paperwork out of it rather than solve the problem".

Of course, where I'm at, I'll reference the Native American adage of "it's like yelling into the wind" ... and nobody seems to hear. I'm not sure, really, when USG will adopt private industry's tack to focus on looking and responding rather than just documenting and letting it sit.

Oh, and to address the metrics above... how can you have metrics when nobody has defined how and what to measure... the community needs to at LEAST come to some sort of agreement and standards on that.

The Ubiquitous Mr. Lovegroove said...

If any major progress is to be made in cybersecurity, then #3 should be promoted to #1.
It is and always will be about economic (or socio-political-economic) incentives

webjedi said...

Lest I remind anybody here... the government isn't incentivized. If that was the case, things would get done quickly, cheaply and correctly. There are no real ramifications for most employees (outside of personal morals, self-interest for the good of the nation, and the desire not to be bored) if things aren't accomplished. Mind you... this reflects employees who have gone beyond the probationary period... otherwise they'd keep their head out of sight.

Government leadership, at least upper leadership, suffers from two things... in the DoD, it's the constant rotating of posts and commands... on the civilian side, the folks with "power", such as a cabinet secretary, are only there as long as the administration or they see fit. Their deputies are in the same boat, and one step lower are the SES's which get plugged in regardless of skills and expertise... often the fourth and fifth layers down are not empowered (or lack the power) to institute wholesale change that is prescribed above.

Actually, what the USG could learn a bit from even the non-profit sector that surrounds them, such as a membership society like AAS, ACS, AFL-CIO, etc., is as their president, single member elected (in the USG form, appointed), but everybody else, such as the COO/CAO, are permanent career individuals who have power and actually run the organization. The presidents are usually the "face" but the decisions and work are done by folks who will be there after those terms are up.

IMHO, THAT'S what's broken... we've got talented people here in the USG... but they leave, become frustrated, or burn-out because of the constant changing of directions and goals/plans.

Michael Cloppert said...

Academics have been almost completely disconnected from reality for the past 5-7 years.

I'm going to begin calling out useless solutions from researchers as such by name in the future. I suggest thought leaders in this space, such as yourself, do the same. The time for politeness has long since passed. Industry needs to begin flatly and overtly rejecting solutions to problems that are either largely solved, or no longer need solving.

Mike

(sorry for the shameless plug but this was spot on blog alignment between us, RB)

Richard Bejtlich said...

No problem Mike -- your post is great.

Russell Thomas said...

1. Yes, security operations deserves more attention, focus, and much better management and governance. But it's not an R&D problem (lack of fundamental knowledge or solutions).

2. You misread the NITRD R&D spending number. $4.5 billion is for all IT and networking R&D, not cybersecurity R&D. Instead, the federal R&D spending on cybersecurity is about $368 million, of which $243 million is spent by DoD (incl. DARPA and NSA). http://www.gao.gov/new.items/d10466.pdf Of this total, I would estimate that no more than $9 million is being spent on R&D for cybersecurity economics, usability, privacy, organization behavior, management science, and policy research. Furthermore, 100% of that spending is on small scale, near term research, and 0% on long term, large scale, solution-oriented research. (see p. 17-18 of the GAO report)

R&D spending in private industry in these areas is paltry, too. I bet that there are no more than 15 people worldwide employed by private industry (including consultants) who are engaging in privately funded R&D on cyber security economics and related topics. At $300K fully loaded per person, that is $4.5 million.