Broadening international engagement, more usable cyber security products, and secure mobile computing are among some of the hardest areas that the research and development branch of the Department of Homeland Security (DHS) is addressing, the head of the cyber division within the branch said on Wednesday.
In addition to these challenging focus areas, a number of other difficult areas of focus for the Cyber Security Division of the Science and Technology (S&T) Directorate are also “trying to execute” include secure software, support for law enforcement, critical infrastructure security, measurement and metrics, data privacy, education, and technology transition, Douglas Maughan, director of the CSD Division, said at his group’s annual R&D Showcase and Technical Workshop.
Cyber security is “not a U.S. only problem” but is a “global sport,” Maughan said, adding that his division currently has arrangements at various levels with 14 countries. This provides opportunities to leverage investments in other countries, he said, mentioning that this year S&T and an international partner will issue a joint bilateral call with more in 2017 that will “require a U.S. and a foreign research team to put in a joint proposal and it will be jointly funded and managed between us and our international partners.”
The division is also working to create a Global Governance Cybersecurity R&D Consortium that will collaborate on requirements and on funding technologies that “will benefit all countries involved,” Maughan said.
Measurement and metrics is a problem that is outlined in the federal cyber security R&D strategic plan released by the White House last week, Maughan said.
“We still have not made significant progress in the measurement and metrics world that we need to,” Maughan said. “We’ve got to spend more time and energy and money on metrics and how to measure security.”
Measuring the effectiveness of R&D investments is also important, he said.
In the areas of secure software, Maughan said many of the top vulnerabilities today are the same as five years ago. “Don’t be surprised when you see something from us that says, ‘any software you deliver is going to have to be tested and evaluated in our software assurance marketplace,” adding later that “we won’t accept it if it doesn’t pass.”
With mobile computing devices, Maughan said that S&T has a number of projects underway that ultimately are trying to “improve the security of mobile devices from the government perspective. We’re buying commercial devices; we have to improve the security of those devices.”
As for “human-centric” cyber security, there have been too many computer scientists working the issue and not enough business people, psychologists and sociologists, Maughan said. “It’s time we start thinking more about the human as part of the cyber security equation,” he said, adding that there is a lack of usability when it comes to many of the cyber security products on the market.
There is a growing amount of cyber criminal activity in part because it is safer for cyber criminals to operate online than to physically expose themselves, Maughan said. Traditional law enforcement on the other hand is struggling in the “digital world” even though there is a growing amount of digital evidence to exploit, he said. That’s because the markets for these capabilities that law enforcement needs are so small that the business community isn’t interested, he said.
DHS’ Immigration and Customs Enforcement division that targets cyber crime is using Google [GOOG] and Excel, which aren’t scalable, Maughan said. Automated tools are needed for law enforcers to do their jobs, he said. Education is part of the answer here, which means getting people interested, he added.