The Homeland Security Department is putting up almost $100 million to fund the next generation of cybersecurity technologies.
DHS issued a Broad Agency Announcement (BAA), along with the first four specific cyber areas it wants industry, academia and others to tell them what is the art of the possible.
Doug Maughan, the director of the Science and Technology Directorate’s cybersecurity division, said the BAA is his office’s primary vehicle to fund research and development over the next three to five years.
DHS S&T put out its last BAA in 2011, with the plan to issue calls for technologies until it reaches its $95 million funding cap.
The first call for R&D focuses on four areas:
Data privacy: Maughan said this is looking for technologies to support DHS and its components for federated search, secure messaging, compliance with federal directives and mobile integration.
“Privacy and security go hand-in-hand. In this case, we are specifically focused on privacy,” he said. “Some of the requirements included the recent President’s Council of Advisors on Science and Technology report on privacy and suggesting that more privacy research should be done across government, and there have been certain documents and things that have been released recently, and there’s a lot more activity around privacy coming up, as well.”
Denial of Service: This solicitation focused on looking at the measurement of Denial of Service technologies. Maughan said a best practice or standard called Best Common Practice (BCP) 38 has been out for more than 15 years, but it’s not being widely used. Under the BAA, the goal is to develop metrics for how the government is implementing BCP 38.
“We know why it hasn’t happened. Tt’s an economics issue. It costs Internet Service Providers money, because they have to put in new technology. They have to manage and monitor this,” he said. “We are moving through a process where we are going to have policy coming out to push the government to deploy it and buy services from ISPs who deploy it. It will be similar to what we did previously with the Domain Name System Security model, where industry followed the government’s lead for adoption and deployment. We are trying to get ahead of that by funding technologies to help us measure that as we push it forward.”
Additionally, DHS S&T is looking for new technologies to help those under a cyber attack and their Internet provider to more easily collaborate to mitigate, stop and recover from the DoS.
The third area is about developing new technologies to stop DoS attacks.
“There hasn’t been much funded in the last 15 years in new technologies for defenses against Denial of Service,” Maughan said. “One can argue, people have been fixing the DoS problem by adding more bandwidth and servers, but not really trying to address some of the core technology problems. We like to use the number that five years ago, an average DoS was 40 gigabytes a second. Today, it’s 400GB a second. In five years from now, if it’s 4 terabytes a second, we are not sure you can just continue to add bandwidth and add more machines. Let’s go back — we haven’t done this in 15 years — and look at some core innovations that might be helpful in building new technologies.”
Mobile security: Maughan said the goal of this solicitation is to add new capabilities on top of commercial devices and other technologies, in order to improve their security. He said the goal also is to develop tools to improve the government’s understanding of the security of mobile apps.
“We can talk about hardware and firmware, more secure capabilities there, add-ons to existing operating systems on these mobile platforms Android and iOS, as well as the application space,” he said. “It really is trying to add more functionality so the government can more easily and more securely jump into the mobile space.”
Cyber and physical system security integration: This solicitation brings in the latest buzz word, “The Internet of Things,” where more and more devices are interconnected through the Web. Maughan said the manufacturers of many of these devices are not building security on the front end, making them susceptible to cyber attacks.
“What we are really trying to do here is trying to get ahead of the curve and work with the community that’s building these standards and devices and build new security capabilities in, as part of the design process,” he said. “Our focus primarily is in the emergency responder space, transportation and health care — all of which are issues that DHS has a significant concern with.”
Maughan said DHS S&T held industry days earlier this week for all four solicitations, and the response has been good. He said DHS is starting out with $40 million to $45 million to spread across these four solicitations.
Over the next nine months, S&T will review white papers based on the solicitations, which are due July 22. Then full proposals are due in late September/October, and then DHS S&T plans to make awards by the end of March.
“I’d tell them to think about the areas, think about technical solutions. We are looking for things that are new, that will add security into existing capabilities,” he said. “In the end, it’s all about transition and making sure we are not funding research that ends up on the shelf. We want things that can be transitioned, commercialized and made available, and they have to think about that as they put their proposals together.”
Building on previous success
When S&T set up its previous BAA in 2011, it received 1,000 white papers and 220 proposals, and it awarded 36 contracts across 14 cybersecurity focus areas.
“In the cybersecurity world today, it’s more and more important to see results in the more and more near term. Gone are the days of large five-year research programs. We need some deliverables in six to 12 months. We need to demonstrate that we are headed toward capability that can be used,” he said. “At the same time, we do realize there is still some research that needs to be done. So we still have the model for two and three year efforts, such as by the time we do the three years, we hope to have a product at the end.”