On November 27-29, 2012, the National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting was held. The SaTC program is NSF’s flagship for cybersecurity research. NSF program officers for SaTC wrote a blog post on the event, found here.
The purpose of the NSF SaTC meeting was to build the community of PIs, encouraging them to interact and find new areas for research and collaboration, as well as to identify new areas for future NSF investment. It was not intended for PIs to give technical talks, but there were several events designed to encourage multidisciplinary collaboration and exploration of new research areas. Attendees also received copies of Control Alt Hack, a new game designed to teach cybersecurity concepts.
“The event opened with welcoming remarks from Dr. Subra Suresh (director of NSF) and Dr. Farnam Jahanian (assistant director of NSF for Computer and Information Science and Engineering), who spoke about the NSF mission and the importance of SaTC.
Dr. Eric Grosse (VP of security engineering at Google) spoke about what keeps him up at night, and where he would like to see more research. He noted that Google’s goal is to get security for home users to the same (imperfect) level as corporate users. He also sees protecting individuals from government snooping as a key requirement. His key worries are malware (mostly on client machines), authentication (users lose their credentials and use common passwords), network security (including certificate authority issues), product vulnerabilities (which are getting better but still have a long way to go), and economic crimes. He noted hardware and software supply chain risks and issues with systems being constantly updated, noting that fuzz testing is (unfortunately) still a very effective way to find problems. [NSF funds research in all of these areas, and is co-sponsoring an upcoming workshop on hardware supply chain issues.] Five years ago, XSS was the most common vulnerability, and today it still is. A browser rollback feature – i.e., after you visit a bad site and realize it, you can click a button to undo the damage – is still a wish. (Of course, undo isn’t possible if information is stolen, since it can’t be “un-stolen.”) In response to a question, he said that collaboration with Google is possible on smaller products, but not likely with Chrome or Gmail, at least to start.”
Click here to view the agenda and slides for the NSF event: http://cps-vo.org/group/satc/program.