Show 116: Doug Maughan Discusses the Current State Of Cyber Security In the U.S. Department Of Homeland Security

November 30, 2015

Gary talks to Dr. Doug Maughan about scientific research in computer security and its relationship to wider government efforts in security.  Maughan is currently the Cyber Security Division (CSD) Director for the Homeland Security Advanced Research Projects Agency. With a Ph.D. in Computer Science and over 10 years of experience working with the Department of Homeland Security (DHS), Maughan focuses his expertise on advancing the state of security technology through the research “valley of death.” Listen as Gary and Doug discuss tech transfer, the relationship between scientific research and government funding, and the widening gap between scientific computer security results and the insufficient computer security measures attempted by the government today.


Transcript


Gary McGraw: This is a Silver Bullet Security podcast with Gary McGraw. I’m your host, Gary McGraw, CTO of Cigital and author of Software Security. This podcast series is co-sponsored by Cigital and IEEE Security and Privacy Magazine. This is the 116th in a series of interviews with security gurus, and I’m super pleased to have today with me Doug Maughan. Hey Doug.

Doug Maughan: Hey Gary. How’re you doing?

McGraw: I’m good. Thanks for joining us from Utah. Doug Maughan is CSD Division Director in HSARPA within the Science and Technology Directorate of the Department of Homeland Security. Doug directs cyber research and development at HSARPA. Prior to his work at DHS, Doug was at DARPA as Program Manager in the Advanced Technology Office. (I think I first met Doug when he was at DARPA.) Doug also worked for the NSA as a Senior Computer Scientist. Doug did his undergrad work at Utah State, earned a Master’s in CS from Johns Hopkins and a PhD from UMBC (University of Maryland, Baltimore County). Doug lives in Maryland with his family and is currently calling in from Southern Utah. Thanks for joining us, Doug.

Maughan: Thanks again, Gary.

McGraw: Let’s talk about science and the important role that government funding plays in supporting academia and hard-edge science. You spent time at DARPA and now you’re at HSARPA funding mostly early-stage science, and some tech transfer activities. Which projects that you funded do you think were the most important over your career of doing this sort of thing?

Maughan: I think a lot of them have been significant. I think for starters, probably the more impactful ones that people don’t actually see involve some of the work we’ve funded at DARPA. We’re doing some work in distributed denial of service defense technology, for example, with a company like Arbor Networks which is still one of the staple companies for DDoS defense. Based on some of the work I funded 15-16 years ago, even though DDoS hasn’t gone away, we’ve still made a pretty significant dent in the problem. Now it’s kind of getting worse again, so, we’ve started to fund some additional work in this area. Looking at solutions to defend against DDoS to a 911 center or other critical infrastructure. I think that’s a key area that has impact on everyone.

McGraw: Yeah. That’s great. That’s a perfect example. Anything else come to mind?

Maughan: As you know, Gary, we’ve been behind the Domain Name System security and the DNSSEC initiative for the last decade. I think we’re still waiting for the killer app from DNSSEC, but we’ve got almost global understanding and a lot of deployments of DNS security. We’re now doing very similar things with routing security with the routing public key infrastructure and security for the Border Gateway Protocol. Again, all of which is a global piece of cyber security which, while everybody doesn’t have to implement it, it does have global impact.

McGraw: Yeah, “invisible” is a cool way of putting it.

Maughan: Yeah. It’s just like the air and water, we need security of cyberspace and don’t want people to even notice it.

McGraw: So, one of the biggest challenges that everybody in technology faces—who has even a pinky in science land—is this notion of tech transfer. How, in your view, does tech transfer really work? How long does it really take?

Maughan: You know, I’ve learned a lot of lessons about tech transfer. I think what people don’t understand is we often spend 80% of the money on the science and leave 10-20% to try and transition. And in fact, the work factor is the exact opposite. It takes about 20% of the work to do the science and the research, and it takes 80% of the work to actually transition it and commercialize it. It’s a lot harder than people ever think because there are so many aspects to transitioning and commercializing. One of the things I learned at DARPA and then brought over to DHS was this issue of transition and most researchers don’t think about transition until well down the timeline of their research. And so what we did at DHS, and have been doing for 12 years now. When we do solicitations we require—again at DHS, we’re not really doing basic science, it’s applied through transition—but when we do solicitations, we require a significant part of that proposal to be about the transition and what the commercial opportunities are. And that’s a significant evaluation criterion because if it doesn’t have commercial potential and the ability to make it into the market, we’re less likely to fund that research. Gone are the days of just funding research and having it sit on a shelf.

McGraw: Yeah. That’s interesting, but the real question is if you have a good scientist, can they actually do tech transfer? I know a lot of really excellent academics who publish great papers and they do great work but I don’t think they could build a product to save their life or even pitch something to a VC. So what do you do about that?

Maughan: So, we’ve seen plenty of scientists who don’t want to be entrepreneurs. That’s fine. There’s a separate program we’ve initiated. It came out of the White House Comprehensive National Cybersecurity Initiative called Transition to Practice where we have engaged with VCs, with angel funders, with incubators, and worked to bring technology out of the labs, out of the hands of the scientists if they’re not going to be an entrepreneur, and being able to license those technologies or make those technologies available for open source such that we’ve been able to get those technologies out of the labs and into the market.

McGraw: Is that sort of an In-Q-Tel model?

Maughan: It’s a little different from In-Q-Tel in the sense that we’re still earlier stage when we’re doing that compared to the In-Q-Tel model which is a later-stage approach.

McGraw: Right. Let’s talk about what some people call the “research valley of death.” Do you think that the research valley of death is real? We’ve sort of been addressing it so I think the answer is yes, but what’s your experience with that?

Maughan: It certainly is. In fact, as I said, we often times put way more money in for the research piece than we do in for the transition piece. And, in fact, the harder part is that timeframe between when you’ve done the research and you’ve done some development but you’ve been unsuccessful in getting the technology more mature, getting the technology into pilots or red teamed or customer deployments and people don’t understand that that takes time. That takes a lot of work and that’s not research. They’re not quite product yet either. There’s a fair amount of effort that needs to go in there and that all takes a little bit of money too. So, that’s another thing we actively fund is those kinds of activities to try to help the entrepreneur or researcher along the commercialization path.

McGraw: That makes sense. I think you sat on the jury once or twice when we did Department of Commerce Advanced Technology Program stuff a million years ago at Cigital. That was one way to get across the research valley of death, but it was politically difficult. In fact, some people called that ‘corporate welfare,’ I remember. And the whole idea of transitioning stuff from the lab to VCs came as a foreign thought because people figure VCs will just pick up any shiny object and fund it. But, that’s just not the case.

Maughan: Yeah, that is not the case. And they’re not actually going to invest in those technologies that are in the valley of death. VCs are only going to invest in the technology that is just across the valley of death and starting down the commercialization path where they can see a big return on investment. It’s getting it to a point where it’s actually in front of them that they will make that investment and that’s a long path from where the research was.

McGraw: One of the disturbing things that’s happened lately, I guess since the recession really, is that the amount of money being poured into basic science by the government has actually gone down about 3% across the board and this is if you count even the medical research and NIH stuff and everything.

Maughan: I think those numbers might even be low. If you look at the trend from the 70s and 80s, it used to be 70% government funded on the research and 30% private sector. That’s all almost completely flipped now. The government is 20-30% of funding of research and on a downward trend which I think is a little bit disturbing.

McGraw: I think that’s incredibly disturbing as a member of an advanced society, building the best tech, we need to do more of that. My opinion is that the government should be doing way more basic research and not less. And shouldn’t be leaving it to the private sector. You share that opinion?

Maughan: I do share that opinion and I think certainly in the case in the higher tech fields and in this case the cyber security realm because of the rapid pace of change in the technology and the innovation that’s happening. I think it’s even more important that we are putting more money into this to spur the innovation that needs to happen.

McGraw: OK. So, we’ll establish that more basic research should happen at the government. But then we’ve got that valley of death thing, and the question is whether the corporate world should be reaching back through the valley of death and pushing things along to the kind of VC-ready level. Should the private sector be doing that or is that a government job too?

Maughan: I think every technology is going to be a little bit different. I think there are numerous models you can use. In some cases, the government can help push that along depending on the technologies, where there might not be a big market. For example, in technologies to support law enforcement, which we worry about at DHS, that’s not a big market. There’s not going to be a lot of investors because there is not a generic IT solution, a solution will be specific to law enforcement. So the government has to put a little bit more money in there to make that more successful. But if it’s generic IT kind of thing, then certainly the private sector should be reaching back and co-investing or even making some investments. I think you’re starting to see some of the critical infrastructure sectors and more and more larger companies taking advantage of the government funded R&D at an earlier stage than they have in the past.

McGraw: That’s good. We’ll be right back after this message.

This is Gary McGraw, your host for the Silver Bullet Security podcast. If you like what you’re hearing here, you should check out my monthly security column published by SearchSecurity and Information Security Magazine. You can find the most recent column at www.SearchSecurity.com/McGraw. All of my writings are collected on my web page at https://www.garymcgraw.com/technology/writings/. Thanks for listening.

McGraw: So let’s switch gears a little bit. This is a slightly difficult subject. Academic computer security efforts kind of like Fred Schneider’s Science of Security stuff are almost wholly disconnected with the kind of security operations center, network operations center, operational security mostly practiced in the government. There’s a world of difference between those things. Why?

Maughan: You can blame anyone you want—but I think in large measure it tends to be back to our conversation earlier about transition. Many of the academic researchers who are doing that basic science, that’s what they want to do and they’re not worried about the transition. In large measure, it’s up to the government to determine what things coming out of there have significant relevance and continue to fund them past the basic science and into the applied and the development and transition activities.

McGraw: Well, let’s talk about something slightly different. So, I’m not thinking mostly about tech transfer. Instead, I’m thinking ‘why is the government sometimes missing the boat when technology has been transferred out that the government invented?’ But it’s not being picked up by maybe the contractors or the sub-contractors who are doing operational security and so that sort of leaves the government behind, say, in security engineering or software security or any of the stuff I’ve been focused on for the last 20 years.

Maughan: The government will often times be an early adopter of some technologies from a tech and evaluation perspective, but they seem to be a slower buyer from an acquisition perspective. That’s an acquisition piece. I think that there’s also this awareness piece that the government’s not even aware of—those technologies that are coming out of the academic space but they still may not be mature enough to be into the commercial space. That’s where I think the government has a role. Here’s one of the roles that DHS tries to play. I count on the National Science Foundation, the Department of Energy, and other agencies who fund basic research to produce the outputs that I can use as inputs into the programs that we run. We’re not worried about basic science; we’re worried about where someone’s already done two or three years of research. We know what the cool ideas are. We’re taking the next step with carrying down the field another 10 or 20 or 30 yards towards commercialization and transition, and I just don’t think we, the government, do enough about it.

McGraw: No. It’s kind of funny. It’s kind of like the government makes some really nice, nutritious dog food and fails to eat it.

Maughan: Well, and sometimes, there’s danger in doing that too. And we’re seeing, I think, more and more COTS products, from the DHS perspective. We buy COTS. We’re very rarely doing GOTS (government off the shelf) because it’s not sustainable. You pay a lot more for something that’s GOTS than you do for something you can get in the commercial marketplace.

McGraw: That makes total sense, but then you end up with some contractors putting in ridiculous cross-site scripting bugs that we could have found in our sleep automatically. In the 90s in fact, you funded research to make that stuff go away automatically and yet the same department…I guess the government’s just so darn big, it’s difficult.

Maughan: It is, and again, some of the technologies that the government is buying are five to 10 years old.

McGraw: Right. And that’s an eternity.

Maughan: That’s right. And, in this area, we don’t always put the bleeding edge technology into operation.

McGraw: Let’s talk about open source for a minute. You’ve been a huge proponent of open source in security. You’ve funded a lot of open sourced stuff and caused a lot of people to build things that were then open source which is pretty cool. But, in light of the Heartbleed stuff and other spectacular failures in open source, are you still a big open source proponent? And, what do you think we can do to ascertain the security of a piece of open source stuff?

Maughan: So, yep, I’m still a huge believer in open source. I think it’s just another model, another avenue for getting the technology out there and commercialized. I’m one of those that believes that open source doesn’t necessarily mean that it’s more or less secure than proprietary solutions. I still believe that there are places where open source is a good solution or a better solution. As you know, we’ve had a number of successes. I think our most successful activity in open source was the Suricata work with the open IDS / IPS system that we funded back in 2007 to 2010 and it’s still out. And the key there was getting the vendors to take their code and put it into their product. And, the licensing was favorable. So, I think there’s a number of avenues we need to think about to continue to make open source more useful. One is the licensing issue always trips people up. We need to make sure that’s clear. I think there’s other things you can do. You may be familiar with our software assurance marketplace which is an open and available software testing facility that includes a lot of tools for software testing. Heartbleed was a resource issue. It wasn’t an intentional problem. What I’ve discovered is that more and more of the researchers just don’t have the resources available to them to test their software. They don’t want to take time. You know, so tools to help make things better so we don’t have the Heartbleeds in the future is another piece where DHS is spending a fair amount of resources.

McGraw: And tools are important, but I always like to say “a fool with a tool is still a fool.” [both laugh]

Maughan: That is true. And, maybe a fool with a whole bunch of tools isn’t quite as big a fool. [both laugh]

McGraw: You’re always such an optimist, Doug. You know, I think it’s the optimism you grew up with out there in the vowel state areas. [both laugh] So you have a cyber PhD and many years of academic training. What are your thoughts about professional certifications? Have you ever thought about that?

Maughan: Yeah. I think about it all the time. That’s all part of the educational piece. I think we’re woefully behind in our education and our training. We’re seeing it now. It’s not just the U.S. Every country I’ve been to in the last three years—every government is worried about their education and their training and their next generation of cyber professionals. Do we have to have certifications? I think certifications are good. I think they prove that people have some amount of knowledge. Are they the silver bullet to solve all of our problems? No. But, I think it has to be part of the equation. We have to make sure people have some basic skills, can work in the field, and continue to get better. This is not a field where you can just get your degree or get your certification and stop. Technology is advancing so rapidly, you really have to stay buried in the area in order to even keep up. I think the professional certifications are just one piece of the puzzle and I think they’re good, and hands-on experience is another great way. Not everybody likes to get those certifications or thinks they’re useful, but I still think there are plenty of things we have to show education and training going forward.

McGraw: I sort of think about it like the medical domain. You know, we need some brain surgeons, we need some regular surgeons, we need some general practitioner medical doctors, we need some nurses, we need a whole bunch of EMTs—way more. And, those people have different levels of training, degrees, certifications, and so on. And in some sense, I think computer security is in the same boat.

Maughan: Yeah, I would agree with that. I think that’s a very good analogy because we have people who need to be hardware specialists and network specialists and malware analysts. Same kind of model. The question is how important are those certifications and I suspect the medical field has probably 100 years on us from where cyber security is. And maybe in 100 years, we’ll be as mature as the medical field.

McGraw: I think we’re still sawing off limbs with a saw, basically.

Maughan: Yeah, I think you’re probably right.

McGraw: That kind of hurts. [both laugh]

Maughan: Yes it does.

McGraw: Civil War surgeon level: Achieved. So, quickly discuss two or three of the programs you’re currently funding now at HSARPA. I think your budget’s now something like $70 million a year. Is that right?

Maughan: It’s a little higher than that, but yeah. Pretty close. It’s in the $80-90 million range.

McGraw: That’s great. That’s a far cry from—I remember being on your advisory board maybe 15 years ago when you just got started. (2003 was it?) And the budget was seven million. So, that’s a big change.

Maughan: We’ve grown the program and we think we’re doing some cutting edge stuff and we’re having an impact not only locally, but globally—doing a lot of work internationally. I think I would probably highlight three or four programs for you, Gary, that I think are key. One as you know is at the core of everything is software. And the software vulnerabilities continue to plague us. We have a suite of programs that are being run in the software assurance area. You may have seen a couple of our solicitations that just came out last week on software static tool modernization project where we’re trying to up our game on the static tools. Another one in application security testing. So, at the core of everything is software. We still don’t have good software development tools—as good as they should be. It all ties into our model to use the software assurance marketplace. That’s a key piece for us. Software is at the core of everything and we need to try and do a better job of building better software.

McGraw: All I have to say about that is: ‘hallelujah.’

Maughan: Yeah, and you know, Gary, it’s still not enough. I mean, we could spend another order of magnitude in funding and we still won’t fix all the software bugs. But we really need more people paying attention to this. More importantly, back to the education piece, we actually need to fix our educational system to be teaching this software security much earlier in the pipeline than we are today. I think there’s all kinds of things we can do to fix software.

McGraw: I agree with all of those things.

Maughan: I knew you would. The second area I think is key for us is that everything online is about identity. We don’t have good systems and solutions for identity management to be able to tell who you are online. You know, the old cartoon of the 70s that says ‘nobody knows you’re a dog on the internet’? Well it’s still valid. It’s still true. And part of that identity is what would help us in the attribution piece for those people doing bad things online. There have been several analogies of internet driver’s licenses and those kinds of things. At the core of it, it’s still an identity problem and our ability to do identity management. So we’ve got some new work going on there—on the identity side. Hopefully we’ll be able to make some impact there. A third area that I would like to focus on is this whole area of cyber physical systems and the security of those—the Internet of Things. You know, more and more connected devices. We’re looking at everything from automotive security, medical devices, building systems, aircraft, etc. All of these things that didn’t used to be connected but now are. How do we build security into some of the future designs of these systems? We’re working with auto manufacturers and their suppliers. So, I think that’s a key area for us as we look at the security of the future of all these devices that are going to be out there. How do you make sure they can be protected and not compromised? That’s another key area that we’ve just initiated a new program in last year and are doing some interesting work. And our fourth one that I’d just like to touch on is mobile security. We’re leading the department in trying to put mobile solutions into government. We’re not starting fresh. We’re using commercial products. The commercial market is so large, but the question is how do we add some additional capability to make it more usable by government, and more secure? So, DHS is in a very leading position. S&T is leading the Department in this space and trying to push it out across the entire federal government. I think mobile is here to stay and we’ve got to make sure we’ve got security solutions that are acceptable to government that might be a little higher security than your commercial market would worry about. We need to be thinking about that from a government perspective.

McGraw: Very nice. Listen, this has been a great conversation. And I have got to say that your persistence doing this stuff over many years is greatly appreciated. Thanks for sticking with it, Doug.

Maughan: Thank you very much, Gary. It’s good to talk to you.

McGraw: So I’ve got one last question for you which is a doozy. Who is the best all-around baseball player—not pitcher—in the history of the game?

Maughan: You know, that’s a tough question. I’m going to have to go with—because I’m an Orioles fan—I think it’s got to be Cal Ripken.

McGraw: There you go. That was quick. You’re quick on the draw. I know you’re a baseball guy.

Maughan: Well, I was debating between Cal Ripken and Derek Jeter. I’m not a Yankees fan, but Derek was a great player. But, I’ve got to go with Cal.

McGraw: There you go. Well, thanks for your time. You did great.

Maughan: Thanks so much, Gary. Take care.

McGraw: This has been a Silver Bullet Security podcast with Gary McGraw. Silver Bullet is co-sponsored by Cigital and IEEE Security and Privacy Magazine and syndicated by SearchSecurity. The September/October 2015 issue of IEEE S&P is devoted to the economics of cybersecurity. The issue features our interview with European cryptographer Bart Preneel. 
