Cybersecurity is a huge global issue. And no one organization can solve these problems by itself. We need collaborative approaches. We need to partner. We need ecosystems. We need to bring together our very best. And it's going to take time.
Science Advisor, Communications Security Establishment
The TIM Lecture Series is hosted by the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. The lectures provide a forum to promote the transfer of knowledge between university research to technology company executives and entrepreneurs as well as research and development personnel. Readers are encouraged to share related insights or provide feedback on the presentation or the TIM Lecture Series, including recommendations of future speakers.
The third TIM lecture of 2015 was held at Carleton University on May 14th, and was presented by several speakers, each representing different collaborations to enable cybersecurity. In the keynote presentation, Deborah Frincke, Director of Research for the National Security Agency/Central Security Service in the United States, described the NSA's Research Directorate and its efforts to create breakthroughs in mathematics, science, and engineering that support and enable the wider organization's activities.
Next, Dan Craigen, Science Advisor at the Communications Security Establishment in Canada and a Visiting Scholar at the Technology Innovation Management program of Carleton University in Ottawa, Canada, launched the newest title in the "Best of TIM Review" book series, which he co-edited along with Ibrahim Gedeon, Chief Technology Officer at TELUS. The book features 15 of the best articles on cybersecurity published in the TIM Review, selected and introduced by the co-editors, and with a foreword from Eros Spadotto, Executive Vice President of Technology Strategy at TELUS. Cybersecurity: Best of TIM Review is available for purchase from Amazon in ebook format for Kindle. All proceeds support the ongoing operation of the TIM Review.
Finally, representatives from three companies – Denilson, Crack Semiconductor, and Bedarra Research Labs – described their approaches to collaboration and challenging cybersecurity problems.
Part I: An introduction to the Research Directorate of the National Security Agency
As Director of Research for the NSA, Frincke leads the only full-spectrum in-house research organization in the United States intelligence community, although its research activities extend beyond the organization through collaborations, linkages, and partnerships with industry, academia, and other government agencies, both within and beyond the United States. The NSA's overall objectives are to:
- defend the vital networks of the United States
- advance the goals of the United States and its alliances
- provide guidance to national decision makers
The Research Directorate engages with leading industries, universities, and national laboratories to both advance core competencies and to leverage work in overlapping disciplines. Through the NSA’s Technology Transfer Program, the Directorate licenses and shares internally developed technologies with industry, academia, and other government agencies. As examples of such work, Frincke provided an overview of some of the NSA's laboratories and research centres, including:
- Laboratory for Physical Sciences (College Park, Maryland)
- Laboratory for Telecommunication Sciences (College Park, Maryland)
- Center for Advanced Study of Language (College Park, Maryland)
- Research & Engineering (Emmerson III, Lavel, Maryland)
- Laboratory for Analytic Science (Raleigh, NC). For details, see the summary of the July 2014 TIM Lecture by David J. Harris.
- The Science of Security online community and network of "lablets"
Finally, Frincke shared some key lessons learned through the activities of the Research Directorate:
- It is important for a research organization to look ahead, but it must also assess the past and present. A key challenge is to plan for a future where there is an ever-more capable adversary. However, we must also assess technologies that are mature or perhaps past their primes, make decisions about whether or not to continue investing in those technologies, and determine what past activities can be drawn upon for further research.
- Research must consider the transition paths for new technologies, including research, training, and assistance with culture change. When facing the challenge of managing transitions from the Research Directorate to other directorates, one approach is to embed researchers in missions, which enables learning for new research and transitioning new technology, processes, culture, etc.
- There is a tendency to always want to "add"; however, doing "new" work means dropping something "old". We try to move on from research that is not coming along fast enough or identify technology that is sufficiently mature that it can be brought out of the NSA for further development.
- The diversity of classified and unclassified information, research, and devices within the NSA creates a balancing act this is all at once a physical problem (e.g., buildings), a people problem (e.g., access), a technology problem (e.g., security), and a culture problem (e.g., people).
- We try to invest two-thirds of our efforts into what "the customer" says they want and one-third into what they do not yet know they need or say they do not want, including new, radical innovations.
- We use strategic forecasting to understand "the outside world", the capacities and capabilities of the adversary, what is happening globally, technology, and investment trends/patterns. We need to make investment decisions along each of these dimensions: how much to invest and when.
Part II: Book launch
Dan Craigen introduced the fourth book in the Best of TIM Review series, which was launched at this event. The book stems from five issues on Cybersecurity published in the TIM Review:
These issues represent various research efforts and collaborations led by the Technology Innovation Management (TIM) program at Carleton University. In outlining the approach used in the TIM program and illustrated in the articles in the book, Craigen emphasized that technology is only a component of the overall solution to the cybersecurity challenges we are facing today. He stressed that we are as much facing a human behaviour problem as a technology problem. And, he called for multiple disciplines to come together (e.g., sociology, psychology, economics, entrepreneurship) to better understand the developing criminal markets and related mechanisms. The key messages were that cybersecurity is a global issue and that we need to partner and collaborate, using an ecosystem approach, because no one organization can solve these problems by themselves.
Craigen highlighted that we lack a science of cybersecurity, although this book highlights several steps being taken in that direction. Developing the science will take time, but it will allow us to develop a holistic, proactive approach to replace our current paradigm, which involves simply reacting to new events as though they are independent and do not share any underlying mechanisms or patterns. As evidenced by the articles in this book, efforts are going on to contribute to the science of security, by adding intellectual capacity through courses and research, and through the application of theory to practical problems in the real world.
The book presents different ways of thinking about cybersecurity problems. The hope is that these articles will contribute to theory and provide practical solutions, but also that they will sow the seeds of future research and discussion in different areas. Based on the five special issues published in the TIM Review from 2013 to 2015, the co-editors selected 15 that they feel provide particularly relevant insights into cybersecurity and, in general, contribute to a theory (or science) of cybersecurity. These articles have been divided into three categories:
- Understand: developing and applying models to examine what is happening today to see if it can enhance our understanding
- Technical: trying to advance our approaches on a technical level
- Future: looking out to where we might be in 10 to 20 years and how we might get there
Craigen then illustrated the diversity of thought in the selected articles and put them into context, as he and Ibrahim Gedeon did in the Preface to the book. Cybersecurity: Best of TIM Review is available for purchase from Amazon in ebook format for Kindle. All proceeds support the ongoing operation of the TIM Review.
Part III: Company presentations
In the third and final part of the lecture, representatives of three companies shared their current work and collaborations in cybersecurity:
- Ned Nadina, CEO of Denilson, introduced his company's secure mobile point-of-sale solution for retail enterprises, stressing that a financial technology company needs cybersecurity from day one. Denilson's solution enables credit card payments through the user's mobile hardware, thereby replacing the need for payment terminals.
- Arthur Low, CEO of Crack Semiconductor, described a lead project through which his company is collaborating. The project, titled Nebular Trusted Provisioning, seeks to develop high-end protection and authentication for intellectual property relating to microchip design software and tools.
- Michael Thomas, VP of Engineering at Bedarra Research Labs, described Ivy, which is Bedarra's interactive analytics research environment. It is "an open, interoperable, and extensible platform that combines powerful server-side analytic processing with modern web-based user interfaces for query and visualization". It enables specialists to build customized test suites to allow domain experts to easily and collaboratively explore, analyze, and visualize large datasets using commodity hardware.
This report was written by Chris McPhee