2009 Cybersecurity Summit Report
Arlington, Virginia
September 14–15, 2009
This workshop is supported by the National Science Foundation
under Grant No. 0821879.
Table of Contents
2009 Cybersecurity Summit Program Committee
Executive Summary
Observations from Summit Chair James A. Marsteller
Overview
Program Committee and Program
Attendee Participation
Plenary Sessions
Thinking Outside the Box
FBI Update
Community Updates
Cybersecurity Policy Directions: Implications for Education and Research
Cybersecurity Research Challenges
Driving Security Improvements Through Research and Development
Technical Track Sessions
Server Virtualization and Security: Dos and Don’ts
Getting to Know Bro
Domain Name System Security (DNSSEC): Lessons Learned and Deployment for Research Facilities
Operations and Management Track Sessions
Report from the NIST 800-53 Trenches
Federated Identity Management: Challenges and Solutions
Developing an Information Security Program: Addressing the NSF Cooperative Agreement
Emerging Trends Track
Losing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure Planning
Participant Evaluation Summary
Conference Program
Conference Attendees
2009 Cybersecurity Summit Program Committee
James A. Marsteller, Chair, Pittsburgh Supercomputing Center
Mine Altunay, Fermi National Accelerator Laboratory
Thomas F. Carruthers, National Science Foundation
John W. Cobb, Oak Ridge National Laboratory
Michael Corn, University of Illinois at Urbana-Champaign
David Halstead, National Radio Astronomy Observatory
Ardoth A. Hassler, National Science Foundation
Albert Lazzarini, California Institute of Technology
Margaret Murray, University of Texas at Austin
Rodney J. Petersen, EDUCAUSE (Staff Liaison)
Valerie Vogel, EDUCAUSE (Staff Liaison)
Executive Summary
Observations from Summit Chair James A. Marsteller
I have been involved with each Cybersecurity Summit in the role of a program committee chair and member, breakout session leader, or speaker. This participation has allowed me to develop a deep understanding of the relationship between the Summit, the community it serves, and the sponsor (NSF). I have benefited from the knowledge and relationships gained at each summit over the past five years. Based on my experience, I have made some observations that I believe could be used to improve future summits:
First, let me state that the research and education community greatly appreciates and benefits from the Cybersecurity Summit. Feedback from summit attendees shows a strong desire that the NSF continues to sponsor future summits. With the budget cuts many facilities are experiencing, the summit offers a low-cost opportunity to collaborate on improving security locally and at the community level: 96.7% of attendees gave the summit a high satisfaction rating, and 86% plan to attend next year (this is a significant increase from the previous summit figure of 51% planning to attend a future summit).
The educational session on intrusion detection systems that was added this year was very well received. Many technical attendees have sought training or educational content in the summit for some time. I would strongly suggest a similar training session in future summits.
Feedback from this year’s attendees suggests that the summit be extended to two full days, thus allowing for more topics to be covered and to make the summit more attractive for those who must travel long distances.
I would suggest that the NSF consider a greater commitment to supporting the Cybersecurity Summit experience by extending funding for a multiyear period. The prior award was for a two-year period, which helped greatly in planning and continuity. I also believe that, given the right set of tools and leadership, there is great potential for the summit to act as the catalyst for empowering the community to strengthen and advance information security practices.
Overview
The 2009 Cybersecurity Summit was held September 14 and 15 in Arlington, Virginia. The purpose was the same as in the previous three meetings: to bring together stakeholders from the university and government research communities to establish and maintain collaborative efforts advancing cybersecurity. The event drew 92 attendees from universities, research facilities, and federal agencies (NSF, DOD, DOE, NIST, DHS, and others), including two international participants (from Chile and Switzerland).
Based on attendee comments from past years, the program committee made a few changes to the 2009 summit. The breakout sessions were replaced with tracks in three subject areas: Technical, Operational and Management, and Emerging Trends. Rather than using previous years’ report-based format, sessions were informational. Another change came earlier in the year, when the program committee surveyed past attendees for the most relevant topics to include in the upcoming summit. This marked the first time the community had direct input into the content of the summit, and the response was very positive.
The average session length was shortened to a maximum of one and a half hours to accommodate the topics selected by the community. More panel discussions, which were very popular in the past year, were added. Another popular offering was an introductory training session on a leading intrusion detection system. The program covered a diverse list of timely subjects ranging from technical discussions, to policy and security programs, to strategic planning discussions on the rapidly changing security environment.
Finally, the summit ended with a town hall meeting, where attendees provided feedback on the summit changes and contemplated how the summit should evolve. Many comments expressed the value of the summit and its continued development. There were a number of suggestions and comments for moving forward:
- “Featured facility”: Select a facility/community member for each summit to present their security program, how it was developed, changes made over the past year (based on previous Cybersecurity Summits/security conferences/security events), etc.
- Organize as a community to have greater influence with vendors (developing patches for zero-day vulnerabilities, better customer service/servicing of needs, etc.).
- Suggested topics for future summits: revisiting the use of one-time passwords; developing a security training and awareness program for staff; protecting data in the cloud; NIST 800-53 toolkit; incident response.
All of the summits have had similar goals:
- Share information and ideas. By sharing information and ideas, participants can understand the common issues and problems that affect security in the research and education communities. They can learn how others have solved these problems and/or identify problems in securing the research cyberinfrastructure that need further discussion and attention.
- Develop understanding of our communities’ diverse perspectives. While balancing security and usability in the research environment, workshop attendees discuss and analyze the similarities and differences between small and large computing/research facilities.
- Discuss our communities’ strengths and weaknesses. The academic and research communities have specific, unique requirements for providing open, collaborative environments. Participants discuss and analyze the strengths and weaknesses related to security of these environments.
- Identify our communities’ security needs. Attendees explore the competing needs of providing an open, collaborative research environment and protecting the security and integrity of the nation’s research computing and data assets. They strive to describe a secure computing environment that minimizes negative impact, either on (1) researchers and their productivity or (2) computer and network performance.
Program Committee and Program
In an effort to strengthen continuity between summits, James Marsteller of the Pittsburgh Supercomputing Center filled the role of program chair again this year. The program committee included members who came from many different research and educational institutions and federal agencies, as well as Rodney Petersen from EDUCAUSE. The first program committee meeting took place March 20, 2009, and continued biweekly up to the summit. The program committee received generous support from EDUCAUSE in planning the workshop, recording meeting minutes, communicating meeting times, and coordinating the program schedule.
For a list of the program committee members, see page 1 of this report. A copy of the conference program can be found on pages 9–10 of this report.
Attendee Participation
This invitation-only event included individuals recommended to the program committee, some previous years’ attendees, program committee members, and others. A diverse group of participants was sought, including those from both large and small research facilities and universities as well as federal agencies.
The 92 attendees from universities, research facilities, and federal agencies included two international attendees (from Chile and Switzerland). The counts of attendees by selected organization were as follows:
Organization / Number of Attendees
UCAR/NCAR / 2
National Radio Astronomy Observatory / 2
National Astronomy and Ionosphere Center / 1
National High Magnetic Field Laboratory / 2
National Optical Astronomy Observatory / 2
Gemini Observatory / 2
Indiana University / 2
LBNL / 3
ORNL / 4
NSF / 18
The National Ecological Observatory (NEON) / 3
University of Illinois / 4
Other federal agencies / 4
EDUCAUSE / 3
Other organizations were represented by one or two attendees.
These figures are based on summit registrations. Note that some individuals may have registered under their parent institution instead of their department/center, which will affect overall totals.
Counts by State
Participants from 20 states, the District of Columbia, and Puerto Rico attended the workshop:
State or District / Number of Attendees / Percentage of Attendees
Virginia / 24 / 26.7%
District of Columbia / 8 / 8.9%
Illinois / 8 / 8.9%
Indiana / 7 / 7.8%
California / 7 / 7.8%
Colorado / 6 / 6.7%
Pennsylvania / 4 / 4.4%
Tennessee / 4 / 4.4%
Arizona / 4 / 4.4%
Texas / 3 / 3.3%
Florida / 3 / 3.3%
Maryland / 2 / 2.2%
Hawaii, Louisiana, Massachusetts, Michigan, New Jersey, North Carolina, Ohio, Puerto Rico, Washington, Wisconsin / 1 each / 11.1%
Counts by Institutional Size
Of the attendees, 40% came from large (18,000-plus) institutions, 6% from large-medium institutions (8,000–17,999), 4% from medium institutions (2,000–7,999), and 0% from small institutions (under 2,000); 49% did not give their institution size.
Counts by Functional Title
By title, 36% of attendees identified themselves as support IT, 20% as senior IT, 5% as CIOs, 8% as other executive level, 1% as faculty, 4% as sales, and 24% as “other.”
The data in the following tables regarding summit attendees come from the participant evaluations completed at the end of the summit by 30 respondents. Note that some respondents checked more than one category for each of the three questions.
- Which area of science does your job or interest most closely relate to? Check all that apply.
OD/OCI: Office of Cyberinfrastructure (DTF, ETF, PACI) / 20.0%
ENG/CMS: Engineering—Civil Mechanical Systems (NEES) / 3.3%
ENG/EEC: Engineering—Engineering Education Centers (NNIN) / 3.3%
GEO/ATM: Geosciences—Atmospheric Sciences (AMISR, JRO, NAIC, UARF, MHO, Sondrestrom, NCAR, UNIDATA) / 13.3%
GEO/EAR: Geosciences—Earth Sciences (IRIS, GSEC, UNAVCO, Earthscope) / 6.7%
GEO/OCE: Geosciences—Ocean Sciences (ODP, NOSAMS, IODP, SODV) / 10.0%
MPS/AST: Math Physical Sciences—Astronomical Sciences (ALMA, Gemini, NAIC, EVLA, NRAO, NSO, NOAO) / 46.7%
MPS/DMR: Math Physical Sciences—Materials Research (CHESS, NHMFL, SRC, CHRNS, LENS) / 16.7%
MPS/PHY: Math Physical Sciences—Physics (IceCube, LHC, LIGO, NSC) / 20.0%
BIO/DBI: Biological Infrastructure (NEON) / 10.0%
No direct science area / 6.7%
Other science area / 3.3%
- Which function does your job or position most closely relate to? Check all that apply.
Facilities Operation and Management / 35.5%
Facility User / 6.4%
Government Project/Program Manager / 16.1%
IT Security Management / 38.7%
IT Security Policy / 32.3%
Network or Computer Security Engineering / 19.3%
Other / 6.4%
- Which category fits your organization best? Check one. (Note: Some respondents checked more than one category.)
Academic Institution or Organization / 19.3%
Commercial Industry / 0.0%
DOD / 3.2%
DOE / 12.9%
DOE Facility / 9.8%
NASA / 0.0%
NSF / 19.3%
NSF Large Facility / 32.3%
Other Government Facility / 0.0%
Other / 3.2%
Plenary Sessions
Thinking Outside the Box
Speaker: Eugene H. Spafford, Professor and Executive Director, CERIAS, Purdue University
Over the past six decades, computing technology has undergone a series of revolutions that have changed the world. Computing touches everyone’s life, yet few stop to think about the incredible rate of change of the underlying technology. The World Wide Web is just 20 years old, and Internet commerce is even younger. With the expansion of the reach of computing, networks, and all that we do with computers, we have also seen new threats emerge to security, privacy, and even (to some extent) our social interactions, yet we continue to pursue solutions using outmoded models and paradigms that sometimes worsen the problems. This talk will discuss some of the major changes we have seen in computing and their implications for security and privacy. Moreover, it will address how some of our basic concepts in computing technology have failed to adapt with the computing hardware, and how that ultimately shapes what we do (and do not do) in research to address urgent problems. We must challenge some of our fundamental views of how we use computing, and the nature of privacy, if we wish to see improvement.
FBI Update
Speaker: Shawn Henry, Assistant Director, Cyber Division, Federal Bureau of Investigation
Shawn Henry, Assistant Director of the Cyber Division, Federal Bureau of Investigation (FBI), briefed the community on current FBI information security activities. He provided an overview of past investigations, current trends in cybercrime/threats, and the bureau’s response to current conditions. Assistant Director Henry also shared timely information and intelligence with the community in order to raise awareness and prevent future hostile acts.
Community Updates
Speakers: Mine Altunay, Head, Open Science Grid (OSG) Security, Fermi National Accelerator Laboratory; Ken Klingenstein, Director, Internet2 Middleware and Security, University of Colorado at Boulder; James A. Marsteller, Information Security Officer, Pittsburgh Supercomputing Center; Doug Pearson, REN-ISAC Technical Director, Indiana University; David G. Swartz, Assistant VP and CIO, American University
Community updates from EDUCAUSE/Internet2 Higher Education Information Security Council (formerly the Security Task Force), InCommon, the Open Science Grid, REN-ISAC, and TeraGrid.
Cybersecurity Policy Directions: Implications for Education and Research
Panelists: Robert B. Dix Jr., Vice President, Government Affairs and Critical Infrastructure Protection, Juniper Networks, Karl Levitt, Program Officer, CISE, Lenore Zuck, Program Officer, CISE, and Paul Markovitz, Branch Chief, Security, Architecture, Policy and Plans, National Science Foundation
Session moderator: Rodney J. Petersen, Government Relations Officer and Director of Cybersecurity Initiative, EDUCAUSE
The White House 60-day cyberspace review is the latest in a series of government efforts to raise visibility of the seriousness of cybersecurity to our nation’s economic and national security. The final report called on the federal government to “expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.” The Federal Trade Commission’s report, “Security in Numbers: SSNs and ID Theft,” and congressional proposals to update the Federal Information Security Management Act are among the many information security reforms under consideration for both the public and private sectors. This panel explored the public policy dimensions of cybersecurity and their implications for research facilities.
Cybersecurity Research Challenges
Strategic Discussion on Cybersecurity Planning
Panelists: Michael A. Corn, Chief Privacy and Security Officer, University of Illinois at Urbana-Champaign; Walter Dykas, Cyber Security Program Manager, Office of Science, United States Department of Energy; Kathleen R. Kimball, Senior Director, ITS Security Operations and Services, The Pennsylvania State University; Stefan Lueders, Deputy Computer Security Officer, CERN
Session moderator: George O. Strawn, CIO, National Science Foundation
The foment of activity surrounding security operations tends to drown out the time and resources for strategic planning with regard to security. All security managers have a mental portfolio of things they should be doing if only they had the human and fund resources: however, it’s difficult to design your next house when you can’t afford a deadbolt for your front door. Nevertheless, security professionals and campus executives need to look at the strategic dimension to the evolution of security operations. Are there architectural principles or metrics we should be examining that will guide the next five years of planning? Is there a looming paradigm shift we should try to anticipate? This session presented a broad-ranging discussion of these questions, from the operational to the executive perspective.
Driving Security Improvements Through Research and Development
Speaker: Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, United States Department of Homeland Security
The Directorate for Science and Technology (S&T) is the primary research and development arm of the U.S. Department of Homeland Security. S&T uses the Homeland Security Advanced Research Project Agency to engage industry, academia, government, and other sectors in innovative research and development, rapid prototyping, and technology transfer to meet operational needs. Academic organizations such as the Computing Research Association and industry groups have called for increased funding for cybersecurity R&D. This keynote will describe what the S&T directorate is doing to drive, discover, and deliver new solutions to address cyber vulnerabilities as well as what research areas it considers near-term priorities.
Technical Track Sessions
Server Virtualization and Security: Dos and Don’ts
Speaker: Kevin Sullivan, Coordinator for Special Projects, Pittsburgh Supercomputing Center
With shrinking budgets and the pressure to reduce costs, many organizations are turning to server virtualization as a technique to do more with less. This session reviewed the basics of virtualization and best practices that you can use to benefit from server virtualization today. Of course, adding multiple services to a single piece of hardware also increases risk; therefore, the session also addressed how to avoid mistakes that could affect the security, availability, and performance of mission-critical IT services.
Getting to Know Bro
Speakers: Seth Hall, Network Security Engineer, The Ohio State University; Robin Sommer, Research Scientist, International Computer Science Institute (ICSI)
An introductory training session was conducted on a popular intrusion detection system. The open-source Bro network intrusion detection system provides a flexible framework for high-performance traffic inspection. Bro’s extensive application-layer analysis provides deep insight into each session’s actual activity, and its custom scripting language enables experienced analysts to customize the system’s operation to their needs. In addition, Bro also supports standard signature-based analysis to bridge the gap between traditional IDS analysis and its more powerful script-based approach.
Domain Name System Security (DNSSEC): Lessons Learned and Deployment for Research Facilities
Speakers: James M. Galvin, Director Strategic Relationships and Technical Standards, Afilias; Matt Larson, Vice President, DNS Research, VeriSign; Scott Rose, DNSSEC Project Lead, National Institute of Standards and Technology
Session moderator: Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, United States Department of Homeland Security
The Domain Name System Security Extensions, known as DNSSEC, is a suite of IETF specifications for securing certain kinds of information provided by the DNS as used on IP networks. It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of devising a backward-compatible standard that can scale to the size of the Internet and of deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients). This session will focus on the technical aspects and trends of implementing DNSSEC for industry and academia, as well as how .edu can signal to the rest of the Internet community that it will lead the way with deployment of DNS security extensions. Lessons that can be learned from the DNSSEC initiative in the .gov and .org domains will also be highlighted.
Operations and Management Track Sessions
Report from the NIST 800-53 Trenches
Speaker: Dan Peterson, ESnet Security Officer, Lawrence Berkeley National Laboratory
NIST 800-53 presents an integrated yet potentially overwhelming methodology for mapping adequate security controls to security requirements. Integration is achieved by considering technical, operational, and management aspects of security requirements as a whole. Yet difficulties result from site- or enterprise-specific combinations of factors, including evolving technologies and hardware and software infrastructures, limited time and resources, differences in perception by and impact prioritization between management and technical staff, and the necessity of dealing with a massive set of forms. This session will address ESnet’s wiki-based approach to motivating and implementing a maintainable security audit process.
Federated Identity Management: Challenges and Solutions
Speakers: Clair W. Goldsmith, Senior Advisor for Information Technology, University of Texas at Austin; Ardoth A. Hassler, NSF Senior IT Advisor/Associate VP, University Information Services, Georgetown University; Kenneth J. Klingenstein, Director, Internet2 Middleware and Security, Internet2; Renee Shuey, Principal Lead of Identity and Access Management Initiative, The Pennsylvania State University
NSF and NIH have joined the InCommon Federation and are enabling their applications to use federated identity for members of the InCommon Federation, an organization that provides a federated trust framework for research and education institutions and their partners. This session reviewed the management and operational opportunities and challenges associated with implementing federated IdM, including: what federated IdM does and doesn’t do; level of assurance issues (Identity Assurance Framework); and how large facilities can leverage these technologies.
Developing an Information Security Program: Addressing the NSF Cooperative Agreement
Speaker: Abe Singer, Chief Security Officer, LIGO Lab, California Institute of Technology
Session moderator: Ardoth A. Hassler, NSF Senior IT Advisor/Associate VP, University Information Services, Georgetown University
NSF cooperative agreements require the awardee to develop a security program and present it to the NSF, but they do not mandate specific security requirements. This talk addressed what this means, how to approach putting together a security program, and what the elements of the program might contain, as well as how to present a security program to the NSF.
Emerging Trends Track
Losing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure Planning
Speakers: Michael A. Corn, Chief Privacy and Security Officer, and Anthony S. Rimovsky, Associate Director, University of Illinois at Urbana-Champaign; Steven Worona, Director of Policy and Networking Programs, EDUCAUSE
Whether it’s the iPhone, Dropbox, or Amazon’s S3, infrastructure architects and designers are now under pressure to address “the cloud” in their operational plans. Cloud-based services, together with powerful portable devices, have fundamentally altered user expectations for data access and infrastructure transparency. This panel engaged the audience in a discussion of the actual and anticipated effects this is having on operations and security managers from both the technical and policy dimensions.
Participant Evaluation Summary
This section summarizes key results from the participation evaluations. Answers to the first question came from 30 respondents; 29 attendees responded to the second. Results are based on a Likert scale, where 1 = not satisfied and 5 = very satisfied.
Overall, how satisfied were you with your summit experience? / 56.7% / 40.0% / 0.0% / 3.3% / 0.0%
How satisfied were you with the overall logistics of the summit? / 75.9% / 20.7% / 3.4% / 0.0% / 0.0%
We received 29 responses to a third question gauging interest in future summits, with a majority indicating they would attend:
Question / Yes / No / Not Sure
Would you attend a future summit? / 86.2% / 0% / 13.8%
Conference Program
Monday, September 14, 2009
Session Time / Session Details
7:30–8:30 a.m. / Breakfast
7:30 a.m.–5:30 p.m. / Registration Desk
8:30–8:45 a.m. / Welcome and Introductions
8:45–9:45 a.m. / Thinking Outside the Box
9:45–10:00 a.m. / Refreshment Break
10:00–11:00 a.m. / FBI Update
11:00 a.m.–12:00 noon / Community Updates
12:00 noon–1:00 p.m. / Lunch
1:00–2:00 p.m. / Cybersecurity Policy Directions: Implications for Education and Research
2:00–3:00 p.m. / Strategic Discussion on Cybersecurity Planning
3:00–3:15 p.m. / Refreshment Break
3:15–4:15 p.m. / Technical Track: Server Virtualization and Security: Dos and Don’ts
3:15–4:15 p.m. / Operations/Management Track: Report from the NIST 800-53 Trenches
3:15–5:30 p.m. / Emerging Topics Track: Losing Control? The Impact of Cloud Storage, Services, and Mobile Computing on Infrastructure Planning
4:15–5:30 p.m. / Technical Track: Intrusion Detection: Getting to Know Bro
4:15–5:30 p.m. / Operations/Management Track: Federated Identity Management: Challenges and Solutions
5:30–6:30 p.m. / Reception
7:30–9:00 p.m. / Birds-of-a-Feather Sessions
Tuesday, September 15, 2009
Session Time / Session Details
7:30–8:30 a.m. / Breakfast
7:30 a.m.–12:30 p.m. / Registration Desk
8:30–9:30 a.m. / Driving Security Improvements Through Research and Development
9:30–9:45 a.m. / Refreshment Break
9:45–11:15 a.m. / Technical Track: Domain Name System Security (DNSSEC): Lessons Learned and Deployment for Research Facilities
9:45–11:15 a.m. / Operations/Management Track: Developing an Information Security Program: Addressing the NSF Cooperative Agreement
11:15–11:30 a.m. / Break
11:30 a.m.–12:00 noon / Town Hall: Future Summit—What’s Next?
12:00 noon–12:30 p.m. / Closing Remarks
Conference Attendees
James F. Allan
Program Director
National Science Foundation
Arlington, VA USA
(703) 292-8581

William Altmire
Telecommunications Branch Chief
National Science Foundation
Arlington, VA USA
(703) 292-4201

Mine Altunay
OSG Security Officer
Fermi National Accelerator Laboratory
Batavia, IL USA
(630) 840-6490

Warren G. Anderson
Scientist
University of Wisconsin–Milwaukee
Milwaukee, WI USA
(414) 559-5366

Matthew Arrott
eScience Program Manager, Calit2
University of California, San Diego
La Jolla, CA
(858) 822-5281

Bill Baker
Research Programmer
University of Illinois at Urbana-Champaign
Urbana, IL USA

James J. Barlow
Head of Security Ops/Incident Response
National Center for Supercomputing Applications
Urbana, IL USA
(217) 244-6403

Darren Bennett
Chief Security Officer
San Diego Supercomputer Center
La Jolla, CA USA
(858) 822-5479

Benjamin Bergersen
USAP Information Security Manager
National Science Foundation
Arlington, VA
(703) 292-8051

Karan Bhatia
Computer Scientist
NEES Consortium, Inc.
Summit, NJ USA
(858) 964-0653

Richard Braman
Senior Systems Administrator
IRIS
Seattle, WA USA
(206) 547-0393

Thomas F. Carruthers
Program Officer
National Science Foundation
Arlington, VA USA
(703) 292-7373

John W. Cobb
R&D Staff Member
Oak Ridge National Laboratory
Oak Ridge, TN USA
(865) 576-5439

Michael A. Corn
Chief Privacy and Security Officer
University of Illinois at Urbana-Champaign
Urbana, IL USA
(217) 265-0588

Robert B. Dix Jr.
Vice President, Government Affairs and Critical Infrastructure Protection
Juniper Networks, Inc.
Herndon, VA USA
(571) 203-2687

Walter Dykas
Cyber Security Program Manager, Office of Science
U.S. Department of Energy
Germantown, MD USA
(301) 903-8226

David Escalante
Director of Computer Policy Security
Boston College
Chestnut Hill, MA USA
(617) 552-6909

Brian P. Fairhurst
Associate Director, Management and Administration
National High Magnetic Field Laboratory (NHMFL)
Tallahassee, FL USA
(850) 645-4864

Michael Fleming
Network Sec Admin
National Optical Astronomy Observatory
Tucson, AZ USA
(520) 318-8496

Cesar Flores
Computer Group Manager
Texas A&M University
College Station, TX USA
(979) 845-8948

Craig Foltz
Program Manager, Division of Astronomical Sciences
National Science Foundation
Arlington, VA USA
(703) 292-4909

Timothy Fredrick
System Administrator
University Corporation for Atmospheric Research (UCAR)/NCAR
Boulder, CO
(303) 497-1498

James M. Galvin
Director, Strategic Relationships and Technical Standards
Afilias
Horsham, PA USA
(416) 619-3045

Clair W. Goldsmith
Senior Advisor for Information Technology
University of Texas System
Austin, TX USA
(512) 499-4334

Steven Grandi
Manager, Computer Infrastructure Svcs/CIO
National Optical Astronomy Observatory
Tucson, AZ USA
(520) 318-8228

Seth Hall
Network Security Engineer
The Ohio State University
Columbus, OH USA
(614) 292-9721

David Halstead
Assistant Director, CIO
National Radio Astronomy Observatory
Charlottesville, VA USA
(434) 296-0292

Nakita Harris
Grant Agreement Specialist
National Science Foundation
Arlington, VA USA
(703) 292-2182

Ardoth A. Hassler
NSF Sr IT Advisor/Assoc VP Univ Info Services
Georgetown University
Washington, DC USA
(202) 687-1973

Victor Hazlewood
Senior HPC Cyber Security Analyst
Oak Ridge National Laboratory
Oak Ridge, TN USA
(865) 574-8312

Shawn Henry
Assistant Director, Cyber Division
Federal Bureau of Investigation
Washington, DC USA
(202) 324-3000

James Babcock Hughes
Senior Scientific Programmer
Cerro Tololo Interamerican Observatory
Tucson, AZ USA
(520) 318-8277

Julio E. Ibarra
Assistant Vice President
Florida International University
Miami, FL USA
(305) 348-4105

Kathleen R. Kimball
Senior Director, ITS Security Operations and Services
The Pennsylvania State University
State College, PA USA
(814) 863-9533

Kenneth J. Klingenstein
Director, Internet2 Middleware and Security
Internet2
Longmont, CO
(303) 570-6098

Scott L. Ksander
CISO/Exec. Director IT Networks and Security
Purdue University
West Lafayette, IN USA
(765) 496-8289

Jay Kusler
NSCL Computer Department Head
Michigan State University
East Lansing, MI USA
(517) 324-8118

Ronald R. Lambert
Manager
Cerro Tololo Interamerican Observatory
Tucson, AZ USA
(520) 318-8277

Matt Larson
Vice President, DNS Research
VeriSign, Inc.
Dulles, VA USA
(703) 948-3239

Jeff S. Leithead
Contracts and Agreements Officer
National Science Foundation
Arlington, VA USA
(703) 292-4594

Nick Lock
IS Manager
Gemini Observatory
La Serena CHILE
5651205623

Stefan Lueders
Deputy Computer Security Officer
CERN
Geneva SWITZERLAND
41227674841

Ruth Marinshaw
Assistant Vice Chancellor for Research Computing
University of North Carolina at Chapel Hill
Chapel Hill, NC USA
(919) 962-4314

Paul Markovitz
Branch Chief, Security, Architecture, Policy and Plans
National Science Foundation
Arlington, VA USA
(703) 292-8150

Cora B. Marrett
Acting Deputy Director
National Science Foundation
Arlington, VA USA
(703) 292-8001

Douglas Maughan
Program Manager, Cyber Security R&D, Science and Technology Directorate
United States Department of Homeland Security
Washington, DC USA
(202) 254-6145

Ann F. Miller
Grant Agreement Specialist
National Science Foundation
Arlington, VA USA
(703) 292-8709

Paul Morris
Program Officer
National Science Foundation
Arlington, VA
(703) 292-4229

Patrick Murphy
Computing Security Manager
National Radio Astronomy Observatory
Charlottesville, VA USA
(434) 296-0372
pmurphy+

Margaret Murray
Net/Sec Research Associate
University of Texas at Austin
Austin, TX
(512) 232-7124

Doug Pearson
Technical Director, REN-ISAC
Indiana University
Bloomington, IN USA
(812) 855-3846
dodpears@renisac.net

Rodney J. Petersen
Government Relations Officer and Director of Cybersecurity Initiative
EDUCAUSE
Washington, DC USA
(202) 331-5368

Dan Peterson
ESnet Security Officer
Lawrence Berkeley National Laboratory
Berkeley, CA USA
(510) 486-7275

Gene Rackow
Cyber Security Engineer
Argonne National Laboratory
Argonne, IL USA
(630) 252-7126

Anthony S. Rimovsky
Associate Director
University of Illinois at Urbana-Champaign
Urbana, IL USA
(217) 493-4551

Joseph Rinkovsky
Unix Systems Specialist
IUPUI
Indianapolis, IN USA
(317) 278-6092

Shannon Roddy
Security/Systems Admin
California Institute of Technology
Livingston, LA USA
(225) 686-3106
sroddy@ligola.caltech.edu

James A. Rome
Security Consultant
Oak Ridge National Laboratory
Oak Ridge, TN USA
(865) 482-5643

Scott Rose
DNSSEC Project Lead
National Institute of Standards and Technology
Gaithersburg, MD USA
(301) 975-8439

Pauline Roth
Associate Director of Administration
Gemini Observatory
Hilo, HI USA
(808) 974-2508

Jean Rene Roy
Program Director NSF Large Facilities Projects Group
National Science Foundation
Arlington, VA USA
(703) 292-4432

Nigel Sharp
Program Director
National Science Foundation
Arlington, VA USA
(703) 292-4905

Abe Singer
Chief Security Officer, LIGO Lab
California Institute of Technology
Pasadena, CA USA
(626) 395-3065

Patrick D. Smith
Manager, Technology Development, Polar Research Support
National Science Foundation
Arlington, VA USA
(703) 292-7455

Robin Sommer
Research Scientist
International Computer Science Institute (ICSI)
Berkeley, CA USA
(510) 666-2886

Eugene H. Spafford
Professor and Executive Director, CERIAS
Purdue University
West Lafayette, IN USA
(765) 494-7805

Kristin Spencer
Contracting/Agreements Officer
National Science Foundation
Arlington, VA USA
(703) 292-4585

Jacqueline G. Steele
Senior Engineer High Performance Computing Security Assessments
High Performance Computing Modernization Program Office
Lorton, VA USA
(256) 541-3705

Adam D. Stone
Policy, Assurance, and Risk Management, OCIO
Lawrence Berkeley National Laboratory
Berkeley, CA USA
(510) 486-4650

George O. Strawn
CIO
National Science Foundation
Arlington, VA USA
(703) 292-8102

Kevin Sullivan
Coordinator for Special Projects
Pittsburgh Supercomputing Center
Pittsburgh, PA USA
(412) 268-1555

Denise Sumikawa
Computer Protection Program Manager
Lawrence Berkeley National Laboratory
Berkeley, CA USA
(510) 486-5519

David G. Swartz
Assistant VP and CIO
American University
NW Washington, DC USA
(202) 885-2612

Robert Tawa
Director of Computing
The National Ecological Observatory (NEON)
Boulder, CO USA
(720) 746-4844

Jon Truan
Information Systems Security Specialist
Oak Ridge National Laboratory
Oak Ridge, TN USA
(865) 574-9623

William Turnbull
Associate CIO for Advanced Technology
U.S. Department of Energy
Washington, DC USA
(202) 586-0166

Angel M. Vazquez
SysAdmin/Consultant
National Astronomy and Ionosphere Center
Arecibo, PR USA
(787) 878-2612 x304

Alan Verlo
Network Engineer
University of Illinois at Chicago
Chicago, IL USA
(312) 996-3002

Brian Wee
Chief of External Affairs
The National Ecological Observatory (NEON)
Washington, DC USA
(202) 552-4707

Von Welch
Director, Cyber Security
National Center for Supercomputing Applications
Urbana, IL USA
(217) 265-7139

Scott Wiant
Senior Data Engineer
The National Ecological Observatory (NEON)
Boulder, CO USA
(720) 746-4851

Steven Worona
Director of Policy and Networking Programs
EDUCAUSE
Washington, DC USA
(202) 331-5358