Cybersecurity
September 26-28, 2016
Washington, D.C.

Library Selection
Animal Weapons: The Evolution of Battle (Henry Holt, 2014)
By Douglas J. Emlen
agenda


Monday, September 26
6:00 PM
First-Timers Reception — Grand Ballroom Foyer, 2nd floor
6:30 PM
Reception — Plaza Foyer, 2nd Floor
7:00 PM
Welcome Dinner — Plaza Ballroom

Tuesday, September 27
7:30 AM

Breakfast, Plaza Ballroom, 2nd floor (Buffet, Served Until 9:30 AM)

8:30 AM
Len Kleinrock, TTI/Vanguard Advisory Board
Conference Welcome
8:50 AM
Adam Ghetti, Ionic Security
Protecting Data, Not Networks  
We interact through information systems. For every human you exchange data with, there are thousands of information systems involved. It is impossible to trust each of them. Rather than trying to protect—and trust—networks, we can protect the data itself, by controlling data everywhere it travels and anywhere it resides, whether on the corporate network, in the cloud, or on mobile devices. We can enforce data security policies in applications, emails, and documents, and control who accesses applications, defending against the number one attack vector: stolen credentials.
9:35 AM
Simon Crosby, Bromium Inc.
Isolation and Endpoint Security: Lessons from Troy and Byzantium
The biggest difference between today’s corporate computing environments and those of 3000 years ago is that at least the original Trojan horse didn’t mutate 50 times per hour. Today, 99% of all malware does. Security vendors glibly promise protection, but gloss over Turing’s legacy: The “detect to protect” era is finished. There is a silver lining, though. Every device has CPU features that enable it to protect itself by design, even when unpatched, on a hostile network and in the hands of a user who clicks on everything. Hardware virtualization enhances protection via micro-segmentation and micro-virtualization. Endpoints automatically isolate all threats, self-remediate when attacked, and can safely run legacy applications. Drawing on architectural concepts from Byzantine fault tolerance enables us to track the execution of malware, eliminating false alarms and providing accurate, real-time forensic insights when an endpoint is attacked. These, in turn, enable attacked endpoints to collaboratively help protect their peers.
10:15 AM
Coffee Break, Ballroom Foyer
10:45 AM

Phil Cuff, Token One
A One-Time Pad For the Digital Age
Nowadays, trusted access depends on passwords that we all struggle to remember and use correctly. Passwords are a way of proving that you know a secret, and therefore you are who you claim to be. The ideal password would be one that no one could steal and use to impersonate you. TokenOne borrows an idea from the pre-digital era, the one-time pad, to create an authentication system in which your secret PIN is never entered, never transmitted, and never stored anywhere except in your memory. Hackers cannot determine your PIN, nor can TokenOne or the provider of the service or system you’re accessing. And it’s almost as easy as entering a PIN in the clear.

11:20 AM
Bob Flores, Cognitio, and Junaid Islam, Vidder
How to Stop Catastrophic Cyber Failure in Your Organization
There has been an absence of analysis of why currently deployed security systems aren’t working. For example, after the attack on the U.S. Office of Personnel Management, Congress and the federal agencies had hearings, but not a single recommendation came out . . . nothing! Current approaches to stopping cyberattacks are failing. One problem is that organizations are focused on compliance, but compliance is not the same as stopping cyberattacks. To use a health metaphor, compliance is like eating your vegetables, while cybersecurity is going to the hospital. Obviously being healthy is important, but if you get hit by a car, eating a plate of carrots is not going to help—you need the ER. Paradoxically, spending on security without a focus on cyberattacks will make you more vulnerable: When it comes to security, more money equals more equipment equals more overworked personnel equals less getting done. I guarantee everyone here is spending more but not sure if their cyber risk is down—well, sorry folks, it’s going up.
12:05 PM
Members’ Working Lunch, Plaza Ballroom
1:20 PM
Raluca Ada Popa, University of California, Berkeley, and PreVeil
Enabling Computation on Encrypted Data to Prevent Cyber Attacks
Traditional security solutions protect sensitive data by building walls around it (e.g., firewall, access control). However, these are bound to fail because attackers eventually break in and steal the data. End-to-end encryption combined with computation on encrypted data is a far more effective solution, addressing many attackers in one shot. The data is always encrypted at a service provider and the service provider never gets the decryption key. Hence, even if attackers break in, they get access only to encrypted data. To be sure, designing a practical system with end-to-end encryption and computation on encrypted data is challenging due to problems with key recovery and key distribution, performance, and security. The PreVeil system makes some of these advances a reality.
2:00 PM
Francesca Spidalieri, Pell Center, Salve Regina University
Assessing the Cybersecurity of States and Nations
The federal government has actively worked to develop standards, policies, and regulations to enhance cybersecurity across the nation, increase its situational awareness, fight cybercrime, lower cyber risks, improve resilience, and promote information sharing. Cybersecurity, however, cannot be tackled at the federal level alone and states cannot wait for the federal government to provide all responses and solutions before taking action. They have a responsibility to secure their critical infrastructure as well as the data that has been entrusted to them by their citizens. No state is cyber ready, but in recent years, eight have made particularly noticeable strides in addressing cybersecurity issues and have positioned themselves as leaders in cyber preparedness by crafting innovative solutions to improve resiliency and promoting cybersecurity workforce development and business opportunities. An ongoing study, “State of the States on Cybersecurity,” highlights effective mechanisms and creative solutions that those state governments and their leaders have devised to take advantage of existing assets, to better protect critical infrastructure, to promote information sharing, to grow their cybersecurity industry, and to attract qualified talent to their states.  
2:35 PM
Robert Cunningham, MIT Lincoln Labs
Designing and Developing Cyber-Resilient Systems 
Businesses and governments used to have total control over the data supporting their operations, but those days are behind us now. Today’s organizations leverage sensors, networks, storage, and analytics to achieve incredible improvements in effectiveness and efficiency in exchange for sharing some data and giving up some control. Individuals are doing this too—thermostats and mobile phones record temperatures and location, and combine this information with weather information and maps to enable services that predict when to turn on home heaters so that your house will be warm when you arrive. All this sounds wonderful, but people, businesses, and governments don’t understand exactly what they are sharing or with which organizations, and they therefore don’t know how to protect their data and ensure continuity of operations. This talk will use an analysis of cloud storage to clarify the complexity of this environment and describe some efforts that we have been pursuing to build cyber-resilient systems in this exciting but complex computing world.
3:10 PM
Coffee Break, Ballroom Foyer
3:40 PM
Yorke Rhodes, Microsoft
Does Blockchain Change How We Think About Security?
Blockchain technologies have caught the attention of the financial, supply chain, and IoT sectors because of their hyped robustness, verification and authenticity properties, and decentralized compute/storage. Do these same qualities offer better security, authentication, and penetration controls? To be sure, blockchain transactions are secure in that they are processed at every node, but does that raise new security concerns in storing all the data at every node—and transmitting all the data to and from them? What about privacy and data sovereignty? And are these things truly new: sharding, state channels, ring signatures, additively homomorphic encryption, and zero-knowledge proofs? How do they apply here? What are smart contracts, and do they enhance security? Do these qualities offer new paradigms of how we think about security, authentication, and penetration? Finally, are blockchains a net plus or minus for cybersecurity?
4:20 PM
Ingo Deutschmann, Behaviosec
Behavior Biometrics: Continuous Authentication for Mobile and Web Transactions
Great user experiences should never come with a security risk. BehavioSec has created the new model for strong, multi-layered customer security. Now you can stop fraud, prevent attacks, and verify your customers—all without slowing them down. We call it behavioral biometrics, and it uses continuous machine learning to authenticate users based not on what they do, but on how they do it.
5:00 PM
End of first day
6:30 PM
Reception, Plaza Ballroom Foyer
7:00 PM
Dinner, Plaza Ballroom


Wednesday, September 28
7:30 AM

Breakfast, Plaza Ballroom, 2nd floor (Buffet, Served Until 9:30 AM)

8:30 AM
Gen. Michael Hayden, Chertoff Group
Cybersecurity and Intelligence
The U.S. government has had trouble lately keeping secrets—Manning, Snowden, OPM, the list just keeps getting longer. Fortunately, historically, when the government doesn’t get something done, the private sector steps up and does. However, that turns things on their head: The government needs to conform to the needs of the private sector, not the other way around, when it comes to things like classification and encryption. This has consequences for how we think about the FBI/Apple case, and others to come. If there is to be an outsize role for the private sector in cybersecurity, what are its challenges? What are its limits?
9:10 AM
Scott Borg, U.S. Cyber Consequences Unit
Cybersecurity: A Quantitative, Risk-Based Approach
Corporate cybersecurity can no longer be regarded as a purely technical matter. Cybersecurity policies need to be directly addressed by senior management and treated as strategic business decisions. To make these decisions with confidence, senior managers need to base them on a quantitative, economic analysis of cyber risks. Unless this is done, corporations will continue to be blindsided by losses they could have prevented. Fortunately, the concepts and models for accomplishing this are now far more advanced than most senior managers realize. In many cases, the new models have made it possible to reduce cyber risks without even spending more on cybersecurity. Ironically, cyber attackers have often made better use of economics than their corporate targets. This economic aspect of cyberattacks allows us to make some bold predictions about the new attacks that are coming.
9:45 AM
Srdjan Capkun, 3DB Technologies and ETH Zurich
Securing Cars and IoT
Increasingly, security systems, such as key fobs for car entry and unlock systems for laptops (e.g., by Apple), depend in part on proximity. But the measurement of proximity can be spoofed. Two-factor authentication systems solve these problems but come at a high cost in terms of user involvement and inconvenience. A system that securely measures the distance between the devices, and is therefore resilient to spoofing, would enable both security and convenience of use—it would suffice that the fob is in the vicinity of the car, or the watch in the vicinity of the laptop, for them to unlock. Such a system needs to have high accuracy and range and needs to be low power. In 3DB Access we developed such a secure distance measurement system, based on ultra-wideband radio technology. Given its specifications, it is applicable to a wide variety of classical access control, as well as emerging IoT, applications and systems.
10:20 AM
Coffee Break, Ballroom Foyer
10:50 AM
J Alex Halderman, University of Michigan
Automating Website Security
HTTPS was first introduced in the late 1990s for online credit card transactions. Nowadays it can protect every page load, not just passwords and financial data. Yet adopting HTTPS has remained too complicated and expensive for the vast majority of smaller websites. The main hurdle involves certificate authorities, which vouch for the identity of a secure web server. The technical hoops are significant, there are large annual fees, and then, a year later, the certificate expires and the process has to be repeated from scratch. In 2012, researchers from academia and Mozilla joined with the Electronic Frontier Foundation to found Let's Encrypt, a non-profit certificate authority with a mission of making the switch to HTTPS vastly easier. Since its public launch in December 2015, Let's Encrypt has issued more than 7 million certificates. With funding support from over 35 industry sponsors, including Cisco, Akamai, and Facebook, the service is provided for free.
11:25 AM
Doug Emlen, University of Montana
Extreme Weapons
Every animal relies on a weapon of some kind. Cats have claws, eagles have talons, even the dogs we keep as pets have a respectable set of teeth. In rare cases, we find species whose weapons have become stunningly outsized, some with tusks or horns so massive that their bearers look like they will collapse under the weight. These animals are interesting in their own right, but as it turns out, the essential biology of animal arms races applies to our own weapons, too. A story that begins with animal weapons becomes the story of all weapons, with lessons for a world rife with conventional, nuclear, biological, and chemical weapons of mass destruction.
12:00 PM
Load buses (Box Lunch)
1:00 PM
Workshop and Lab Visit:
National Cybersecurity Center of Excellence, Rockville, Md.

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry experts, government agencies, and academia work together to address the most pressing cybersecurity issues of the business sector. The partnership enables the creation of practical cybersecurity solutions for specific industries or broad, cross-sector technology challenges. The NCCoE uses standards, best practices, and commercially available technology to develop modular end-to-end cybersecurity example solutions.

TTI/Vanguard’s visit will be twofold, entailing demos of solutions to problems in the areas of health IT, energy, financial services, and IoT/consumer products, as well as breakout roundtable sessions for the following industry sectors: health IT, energy, financial services, and transportation. The roundtable workshops, each led by an NCCoE domain expert, will provide a solutions-oriented deep dive into the issues facing that sector with a discussion on complex, technical cybersecurity challenges facing the industry. The intended outcomes will be to learn about current or emerging cybersecurity technologies that are being explored or used within the industry, and to explore how standards and best practices can be used to improve security or drive innovation.

Discussion questions to consider:

  1. Are there cybersecurity challenges within your industry that have been too complex or resource-intensive for your organization to tackle?
  2. What is hard about securing your infrastructure or network(s) today?
  3. How are standards or best practices being deployed to improve security and spur innovation?
  4. What are some of the business concerns surrounding the implementation of secure technologies?
  5. What new technology is your organization considering as a pilot to improve business operations or reduce costs?

Each conference attendee should select a first and second choice roundtable to attend. Register early to lock in your preference.

4:00 PM
End of Conference (buses to Dulles, Reagan National, and Ritz-Carlton)