ODNI/NSA-Sponsored Cybersecurity Meeting in the Rockies

Hi All!

I attended the third annual by-invitation-only Computational Cybersecurity in Compromised Environments (C3E) workshop, held in Keystone, Colorado this year from 9/25-28. The workshop is sponsored by the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI), which bring together experts in cyber-security and other areas to discuss current challenges and formulate clever countermeasures to cyber-crime and, increasingly, covert cyber-warfare by nation-states. This year's topics were "Big Data and Intersecting Anomalies" and "Emergence."

Interestingly, the workshop location is not generally announced until after the meeting because ODNI/NSA events are targets for various sophisticated cyber-malefactors worldwide. In fact, I was personally introduced to "dangerous neighborhoods" at C3E'09 when I noticed my moderately well-protected laptop behaving strangely. I immediately severed all internet connections (as in literally pulling a cable and flipping the WiFi off switch). Upon closer inspection I noticed the master boot record had been changed. While it is certainly possible that a stray cosmic ray damaged the disk (the 2009 meeting, like the 2011 meeting, was in the Rockies), reports of other conferee electronics (phones, laptops) having gone oddly haywire suggested otherwise.

In any case, earlier this week I joined astrophysicists, biologists, psychologists and other scientists/engineers, along with those intimately involved in protecting our cyber-infrastructure and nation, to help formulate novel approaches to rapidly identifying malicious intent amidst the blizzard of information available from myriad sources (Big Data and Intersecting Anomalies). In addition, the group explored how something like an immune system might be developed based on distributed semi-autonomous mobile agents whose job would be to collaboratively measure their environments. In conjunction with higher-level, more centralized Big Data analytic controllers, such agents would not only identify known anomaly types but discover new ones through emergent behavior. Such semi-autonomous emergence seems especially important to combat ever-evolving attack profiles.

The overall paradigm proposed at C3E'11 seems promising. However, as a systems theorist, I pestered the group at large (and then anyone who would listen over various meals) that active measures to "close the loop" could prove especially efficient since, as one speaker noted, "given enough data, one can find proof for any hypothesis, right or wrong." Subtle active engagement with potential anomalies would move detection from tea-leaf reading to a verifiable science that enabled identification of malicious behavior in the same way physicists uncover new physics -- by experiment as opposed to by observation only.

Furthermore, subsequent vigorous active engagement tied to effective attribution (physically locating the attack source(s), and perhaps even the human/state malefactor) might prove a game changer by raising the cost of malicious behavior. In addition, although the data is big, the actual number of sophisticated malefactors is small, so developing signatures (software and otherwise) is almost certainly possible, as noted by an ex-CIA employee turned cyber-security provider during his plenary talk. The NSA has a long and storied experience with signature collection and analysis. Thus, I am hopeful that the next C3E meeting will explicitly consider closing the loop through active engagement, attribution, localization and neutralization of various threats.

However, the bad news, as presented by an SRI researcher, is that the number of "holes" in computer software is growing geometrically, so that the "catch and patch" technique employed today is an exponentially losing battle. If (provably) true, the scenario has interesting implications. Accepting an inability to avoid cyber-infection might completely change the landscape of cyber-security, which, at least commercially, is almost invariably defensive. That is, since the sides in any conflict would be able to easily infiltrate each other's computer networks, the game may become one of mutually assured destruction -- which may or may not be a bad thing.

Chris Rose
September 29, 2011