Researchers, Industry, NSA meet, discuss Privacy, Artificial Intelligence
Raleigh, NC
February 2, 2017
The winter 2016 quarterly Science of Security (SoS) Lablet meeting, sponsored by NSA, was hosted at North Carolina State University on February 1 and 2, 2017. Laurie Williams and Munindar Singh, Principal Investigators at NCSU, hosted the event. In addition to speakers from the Lablets and NSA, corporate speakers provided insights into the problems of privacy and security. Presentations of current research and interim findings stimulated thought and discussion.
"Federal Privacy R&D Priorities" were discussed by Tomas Vagoun of NITRD. The modern definition of privacy expands the old definition from a right to be left alone to new concerns about large scale data collection, analysis and algorithmic decision-making. Privacy concerns are the effects of authorized PII processing. Current federal priorities for privacy research include multidisciplinary approaches to privacy research and solutions; understanding and measuring privacy desires and impacts; developing system design methods that incorporate privacy desires, requirements, and controls; increasing transparency in data collection, sharing, use, and retention; assuring that information flows and use are consistent with privacy rules; developing approaches for remediation and recovery; and reducing privacy risks of analytical algorithms. An NSF survey identified the last two topics as areas of major research gaps.
David Hoffman, Global Privacy Officer from Intel, spoke on the relationship between privacy and security. In his presentation "It Takes Data to Protect Data," he said that security and privacy are neither tradeoffs nor a zero sum game. Rather, the two should be thought of as needing to be in balance. It should be a process of adding to the other when one is increased. Risks are radically changing—new technologies have been created that allow a small group to inflict extreme harm on a large number of people using drones, germs, robots, and hackers—the threat has become asymmetric. “Good cybersecurity is good for privacy,” he concluded.
NSA’s Dave Marcos presented "Researching the Science of Privacy." In his view, the Science of Privacy is a principled and methodological approach to privacy risk addressing the following research challenge questions: Can it be considered? Can a mathematical method be developed to evaluate privacy risk? How can a privacy accountability framework be built for Big Data? Can we apply current advances in engineering such as digital rights management, differential privacy, homomorphic encryption, and secure multi-party computation? How can the effectiveness of current privacy frameworks and associated controls be evaluated?
Bill Scherlis, Lablet PI at Carnegie Mellon, described a conference CMU hosted in the summer of 2016 on "Safety and Control for AI-based Systems." Artificial Intelligence is now embedded in critical infrastructure and has a big impact on security. We need assurance judgments about AI systems, and we need those systems to become reliable and trustworthy. AI safety is multidimensional and must be addressed in the mission context.
Seven technical research presentations were offered. Giulia Fanti (UIUC) spoke on "Anonymity in the Bitcoin P2P Network". NCSU’s Dave Roberts offered "A Control-theoretic View of AI for Security" and Jessica Staddon spoke on "Privacy Incidents, Privacy News and News about Incidents." "Why Can't I Put Down My Phone? The Paradox of Computing in Modern Work Environments" by Jennifer Cowley and "Discovering a Natural Language Semantics for Privacy" by Travis Breaux were Carnegie Mellon’s contributions. "Security and Privacy in Machine Learning" by Nitin Vaidya (UIUC) and "How Good is a Security Policy against Breaches?" by Özgür Kafali (NCSU) completed the set.
Adam Tagert, Science of Security & Privacy Technical Director from NSA, provided a program update. He noted that the lablets generated 114 publications in 2016 and outlined each Lablet’s activities. NCSU has worked on a game theoretic model for IDS, how users do better against phishing with better tools but don’t trust the tool; optimized recon of SDN; using flows; new view of resilient architectures; and 6 OEM SEAndroid permissive policies and unintended privilege escalation. UIUC conducted a summer interns program and a Bitcoin networking class. UMD is looking at how to get users to use 2-factor authentication with OSTP. CMU and UTSA have collaborated on Polidroid, a website to help detect and repair potential privacy violations in mobile app source code, and UberSpark expansion.
More than a dozen excellent student poster presentations provided an opportunity to see a range of Science of Security research and discuss issues, methods and findings. These are available for viewing on the Science of Security Virtual Organization website at:
The annual national conference, HoTSoS, will be held April 4 and 5, 2017. Hosted by the University of Maryland, College Park and Vanderbilt University, it will be in Hanover, MD.