Report on Fall 2018 Quarterly Science of Security and Privacy (SoS) Lablet Meeting

NSA and Lablet researchers meet to discuss 2019 SoS Lablet research projects

The fall 2018 quarterly Science of Security and Privacy (SoS) Lablet meeting was held at Carnegie Mellon University (CMU) on October 29-30, 2018, and was hosted by Bill Scherlis, Co-Principal Investigator (PI) for CMU.  Adam Tagert, NSA SoS Technical Director, welcomed the attendees and said that the focus of the quarterly was to introduce new Lablet research projects funded for 2019 and to enable better engagement between NSA and the Lablets.  The quarterly also addressed the history and future of the five Hard Problems, specifically with respect to how the Hard Problems will be covered in future quarterlies.  A panel discussion addressed Hard Problems coverage, relevance, the role of privacy, and completeness.

NSA representatives described Agency’s Information Assurance Research challenges for Cybersecurity at Scale.  The goal is to create resilient and scalable solutions for cybersecuity and cyberoperations focused on trust systems.  They noted that “Science of Security” has expanded to include privacy and Cyber-Physical Systems (CPS).  NSA also briefed on cybersecurity challenges from the operations perspective.  This overview of NSA academic programs included Industry and Academic Engagement office initiatives, including the Codebreaker Challenge, Senior Executive Academic Liaisons (SEALs), and other outreach programs that are expected to grow.

The Lablets presented overviews of research initiatives for 2019:

• University of Kansas’ Prasad Kulkarni looks to build tools and techniques that will allow users to know how secure their packaged software is and enable them to add security to it in his project titled “Customizable Run-Time Client-Side Security for COTS Binary Software.”  
• University of Illinois at Urbana-Champaign (UIUC) and University of Texas at Austin will collaborate on a study of “Resilient Control of Cyber-Physical Systems with Distributed Learning”. Presenter Sayan Mitra said this work will address complex interactions of dynamics and decision making with integration of hundreds of CPS components exposed to I/O attacks.   
• The goal of “Development of Methodology Guidelines for Security Research” is to aid the security research community in conducting and reporting methodologically sound science through implementation of community guidelines, according to NCSU’s Laurie Williams. 
• Vanderbilt University’s Claire Tomlin presented “Mixed Initiative and Collaborative Learning in Adversarial Environments,” a game theoretic approach to learning dynamic behavior safely.   
• Will Enck, North Carolina State University (NCSU) explained his research into “Reasoning about Accidental and Malicious Misuse via Formal Methods,” an analysis of mobile apps.   
• Hana Habib, CMU, discussed CMU’s Security Behavior Observatory (SBO) which will be looking at private browsing and users’ misconceptions about private browsing.  
•  Serge Egelman, International Computer Science Institute (ICSI), talked about research on “Dynamic Privacy Analysis at Scale,” and the difference between what software developers believe to be safety features in their programming and the preliminarily analysis which suggests they are not complying with law and regulation.  

Bill Sanders, Co-PI at UIUC, discussed the Discovery Partners Institute (DPI), “a physical brick and mortar institute in downtown Chicago,” that will support purpose-driven, public-private research focused on creating societally beneficial solutions to grand challenges.  Supported by the both state government and the private sector, the DPI is centered on four focus areas: computing and data; environment and water; food and agriculture; and health and wellness. These areas serve as the backbone of the collaborative efforts within the DPI and give them a unique identity as a national research and innovation leader.  The University campuses at Chicago, Springfield, and Urbana-Champaign will participate, along with Northwestern University. Dr. Sanders has been named Interim Director of the Institute.

Bill Scherlis offered a personal perspective on the seven-year history of the Science of Security project and the five Hard Problems.  The selection criteria for the Hard Problems were a high level of technical challenge, significant operational value, the likelihood of benefitting from emphasis on scientific research methods and improved measurement capabilities, and potential to identify synergetic common features.  The focus on methods is reflected in the “science” of security and privacy, particularly with respect to metrics and human behavior. He said that he believes the framework has been useful, and the emphasis on models has given us a way to assess our research.  Less successful aspects have been a failure to successfully connect with other research and operational communities, including the larger cybersecurity community, and initially not enough connection with mission needs.   He suggested potential new Hard Problems relating to AI engineering and Machine Learning, CPS and IoT, and the Cloud.  Following Dr. Scherlis’ presentation, Adam Tagert moderated a Lablet panel discussion on the “History and Future of the 5 Hard Problems”.

The next Quarterly Lablet Meeting will be held January 10 and 11, 2019, hosted by ICSI.