TRUST, Berkeley Site Visit, April 26 - 28, 2006

TRUST Center Activities

Stephen B. WickerCornell University

Center Activities 2TRUST, Berkeley Site Visit, April 26 – 28, 2006

Center Activities

Focus on creative, collaborative events designed to stimulate and disseminate TRUST research

– Faculty/student workshops– TRUST/AFOSR– International Collaboration– DHS collaboration – External Advisory Board

Center Activities 3TRUST, Berkeley Site Visit, April 26 – 28, 2006

Exemplary Workshops

Participation from faculty, students, industry, and government.

Sensor Networking– Technology– Privacy Issues

Electronic Medical Records– Secure/Privacy-Aware Transport– Multi-Level Access

Computer Security– Trustworthy Interfaces– Securing E-Commerce

DHS– Beyond SCADA

Center Activities 4TRUST, Berkeley Site Visit, April 26 – 28, 2006

Sensor Networking Workshops

Sensor Networking Workshop - Cornell University, October 11, 2005– Cornell CS, Information Science, ECE, Civil Engineering– New York Dept. of Health/Wadsworth Labs– Sample Talks:

Resilience in Critical Infrastructure NetworksApplication Specific Sensor NetworksCo-Interpreting Sensor NetworksTools for Enhancing Social Navigation in Public Spaces

Lipid Bilayer Sensors (Fabrication and Measurements)

SiC Based Betavoltaic radioisotope micro-batteries

Center Activities 5TRUST, Berkeley Site Visit, April 26 – 28, 2006

Sensor Networks and Privacy - Cornell University, March 28, 2006

– Cornell CS, Information Science, ECE, Civil Engineering– Berkeley Law School– Sample Talks:

The Future for Sensor Networking: Technology, Applications, and Policy Issues

Infrastructure Data and Security: Conflicting Agendas Sensor Networks and Privacy Law Sensor Networks in Public Spaces Medical Sensor Networks: State of the Art Privacy-Aware Approaches to Data Collection Visualizing Spaces and the Sharing of Sensor Data

Center Activities 6TRUST, Berkeley Site Visit, April 26 – 28, 2006

Electronic Medical Records Workshops

Design Workshop for an Integrative Project related to Patient Portals - Vanderbilt University, December 16, 2005– Vanderbilt CS, Medicine– Cornell ECE, Berkeley EECS– Sample Talks:

• Integrative Projects in Trust • Summary of Published literature on Patient Portals • MyHealth at Vanderbil t Patient Portal • Legacy Systems Issues • Users of Healthcare Data • Social and Privacy Issues in Electronic Healthcare • Community Connectivity: Trust Considerations • TRUST Security Science Research Agenda

Center Activities 7TRUST, Berkeley Site Visit, April 26 – 28, 2006

Computer Security Workshops

Trustworthy Interfaces for Passwords and Personal Information - Stanford University, June 13, 2005

– Stanford, Berkeley, MIT– Bank of America, RSA, Microsoft– Sample Talks:

Trustworthy Interfaces for Passwords and Personal Information Trusted Path in Heterogeneous Environments Trusted Interfaces for Sensitive Data Evolution of The Threat and its Impact on Requirements Securing Online Transactions with a Trusted Digital Identity Fixing the Web Trust Model Trustworthy User Interface Design: Dynamic Security Skins Delayed Password Disclosure

Center Activities 8TRUST, Berkeley Site Visit, April 26 – 28, 2006

Trustworthy Interfaces for Passwords and Personal Information II - Stanford University, June 19, 2006

Statement of Purpose– Despite tremendous advances in computer technology in

general and information security in particular, users still typically provide personal information and credentials such as passwords the same way they did 30 years ago: through a text interface that they assume they can trust.

– The purpose of the workshop is to facilitate an effective solution to these problems by bringing together the designers of the cryptographic protocols with the implementers of the user interfaces.

Center Activities 9TRUST, Berkeley Site Visit, April 26 – 28, 2006

AF-TRUST-GNC

A new spinoff TRUST-related center focused on the needs of Air Force and other military vendors as the GIG/NCES rollout occurs

Will operate as a PRET with funding of about $1M per year. Emphasis is on mid-term to long-term opportunities, collaboration

Includes about 10 TRUST researchers

Center Activities 10TRUST, Berkeley Site Visit, April 26 – 28, 2006

The Proposed NCES/GIG Architecture?

Center Activities 11TRUST, Berkeley Site Visit, April 26 – 28, 2006

Need: Information Assurance & Security Tools

Problem– Assuring that legacy applications in a GIG setting can’t disrupt the

GIG through malfunction (or malice) Solution

– Invent new containment options linking virtual private networks, virtual machine monitors, and powerful management tools to automate the administration and tracking of key material, firewall configuration information, and security policies.

Proof that this is feasible?– DETER containment for in-vitro study of viruses/worms

Center Activities 12TRUST, Berkeley Site Visit, April 26 – 28, 2006

Need: Scalability, Real-Time and Fault-Tolerance Tools

Problem– Many applications need R/T response, high availability, scalability – Web Services target operators of commercial data centers, where

such requirements are relatively uncommon. Solution

– We will develop solutions and use them to augment the NCES/GIG technology base

– Then work with the Air Force to ensure that standards bodies and vendors pick up the necessary solutions.

Proof that this is feasible?– Our team has an unparalleled track record in these areas– Web Services are a new “context” for this work and pose some

new problems, but our prior work in related settings offers a deep technology base on which we can draw.

Center Activities 13TRUST, Berkeley Site Visit, April 26 – 28, 2006

Need: Discovery, Info. Arch., Mediation

Problem:– NCES includes a discovery component; it assists info consumers

in finding providers . Existing WS standards don’t scale to large settings.

– Scenario: airborne application needs radar imaging for a region over Faluja. Client must find the right sources; sources have affinity policies, platform has security policies.

Solution:– New technology options for service discovery and policy-based

mediation– Explore vendor incentives to ensure that they will cooperate in

developing needed information standards. avoiding stovepipe solutions

Feasibility– Our team is recognized for international leadership in new

technologies for discovery, security and other policy representations and enforcement

– TRUST brings us into close dialog with the major industry players and gives us leverage to establish needed standards

Center Activities 14TRUST, Berkeley Site Visit, April 26 – 28, 2006

International Collaboration

One of TRUST’s central goals: dissemination– Thrust: international collaboration– Focus: small number leading international groups

First major collaboration Taiwan– Authorized by Taiwan legislature– Personal attention from Taiwan Minister of State

Center Activities 15TRUST, Berkeley Site Visit, April 26 – 28, 2006

International collaborations: TAIWAN

About Taiwan– Internet users14.6 million– Broadband users 10.5 million– Population 22.7 million– In top three Asian software industry and web

services industry (with Japan & South Korea)– Has a high incident of security incidents

Large fraction appear to originate from China

Center Activities 16TRUST, Berkeley Site Visit, April 26 – 28, 2006

Taiwan groups

TWISC: Taiwan Information Security Center– Modeled on TRUST

Major members– STAG: Science and Technology Advisory Group

Executive Branch group Personally directed by a Minister-level staff member

– NSC: National Science Council (Taiwan’s NSF)– III: Institute for Information Industry

Public/Private software industry coordinating group– ITRI: Industrial Technology Research Institute

Public/Private eloectronics industry coordinating group– Major infrastructure groups (telecoms)– Government groups (law enforcement, public safety, etc)

Center Activities 17TRUST, Berkeley Site Visit, April 26 – 28, 2006

Anticipated collaboration

Parliament authorized funds effective 4/1 for TRUST collaboration

Initial collaboration with Berkeley & CMU– Plans for extension throughout TRUST

Estimated level: $2 million/year Directed by Dr. D. T. Lee

– former NSF program officer

Center Activities 18TRUST, Berkeley Site Visit, April 26 – 28, 2006

DHS TRUST Activities

Phishing, Spyware and Identity Theft work started with initial seed funding from NSF (PM Maughan)

DETER testbed funded with joint NSF/DHS funding. DHS is transitioning the research testbed into an Operational Testbed to be named DECCOR starting July 2006.

DETER was used in a major national cyber attack and defense exercise called Cyberstrom in February 2006, details still need to be cleared for release by DHS.

Center Activities 19TRUST, Berkeley Site Visit, April 26 – 28, 2006

DHS/TRUST Activities

DHS has established a center of excellence at SRI which is strongly partnered with TRUST (the PI at SRI Lincoln is a former student of Mitchell’s).

DHS-Cybersecurity Center and TRUST participants have held numerous tech transfer forums for the financial sector including Schwab, Bank of America, Symmantec, Oracle, Sun, … and numerous start ups (usually every 3-4 months). Rodriguez (former USSS) has been the facilitator

TRUST will be organizing an identity theft workshop at the Oakland ACM/IEEE Security conference in May 2006 with DHS and USSS sponorship.

Center Activities 20TRUST, Berkeley Site Visit, April 26 – 28, 2006

DHS Workshop and Outreach Activities

Visits paid by Birman, Gehrke, Sastry, Reiter to US Dept of Treasury to discuss tech transfer to financial institutions. TRUST planning to hold workshop at Cornell’s Wall Street campus.

Visits paid and testimony given by Schneider, Sastry, Birman,… to House Science Committee, Senate Armed Services Committee, House Homeland Security Select Committee, House Intelligence Committee on privacy and security

NITRD/DHS “Beyond SCADA: Secure Networked Embedded Control Sysems” organized by TRUST with Wicker, Joseph, Karsai, … in March 2006.