The CISA Future Forward Series: Analysis and Findings of Recent Technology Assessments

good afternoon everyone well welcome to febru February's edition of CIS Future 4 Series which is being hosted by CIS office of Chief acquisition executive OA my name is Monique Park CIS industry engagement coordinator before we get started I would like to provide some guidance uh guidelines and information to make uh the event run smoothly for everyone please note that all information shared inist of future forward events regarding posessive future capability needs or requirements requirements is solely for informational purposes the presentations and discussions in any way expressed or implied obligate do not obligate the government to purchase or otherwise acquire this items or Services discussed the government is not bound or obligated in any way to give any special consideration to any organization on future contracts resulting from the communication today's future forward event is being recorded the use of the Microsoft teams webinar recording is approved for information sharing only misuse of the recording and transcription without the approval of sisa is prohibited by participating in today's future forward you consent to the recording and sub subsequent rebroadcast of an interaction please check out Sis's YouTube channel to watch our future forward and other engagement video event videos as well as many informative videos on is Mission note if you disagree with our recording disclaimer statement you may upt out a viewing or participate in today's event also uh before signing off from today's event please take a minute to complete our short survey the survey link will be provided throughout and again at the end of this presentation on the screen now is our agenda for the day um for this afternoon we have opening remarks from Christian van Ginder deputy chief acquisition executive of business Operations Division we are joined by today's presenter Dr Garfield Jones associate chief of strategic technology office at the office of strategy policy and plans Dr 
Jones will provide an introduction to the research and devel development compendium investigations led by his team uh we have a lot of information to cover this afternoon so in order to maximize our time together we will not be taking any questions from the audience at the end of presentations if you miss miss any part of today's presentation please check out uh s YouTube channel at our later time for um this video recording also today's presentation slides will be provided via email from our industry engagement uh program mailbox as well as by posting on sam.gov announcement Amendment uh now that we have gone through all the housekeeping for the day on to the good part I am pleased to introduce Mr Christian van Ginder this is Deputy Chief acquisition executive for his opening remarks thank you moonique and welcome everybody thank you for taking the time out of your day to attend our event uh we deeply appreciate it and hope you lean quite a bit of information from our speaker today before I hand it off to our our speaker I would like to tell you just a little bit about the office of the chief acquisition executive and our role here so um we are comprised of three subdivisions one of them is our chief of Contracting Office another being our acquisition governance office and then of course uh business operations which is the the subdivision I am over so uh given our POS position here at sis sisa we have been tasked with also spearheading sisa's engagement efforts as you can see on the slide here there's a number of things that we've done to further push forward our efforts in engaging with industry in in our our technology communities um we've introduced a host of one-on-one meetings that we hold weekly where a vendor or an industry um representative can come in and speak directly to us uh in a Clos setting for approximately 30 minutes we hold about four of those every week we also have Industry Group events that we attend uh we will send representatives there to 
speak on panels or just be there in attendance to answer questions uh we have our Contracting Office or excuse me chief of Contracting Office industry days where they talk about pre-award and contract specific in information for those who are uh looking to engage with us on that front and then of course today the future forward series uh you will see what that's like if you haven't attended our previous um and then various con conferences and events and we are looking into reverse industry days at some point in the future so that's just a Lowdown on who we are and what we do and what we're how we are attempting to expand our Outreach to Industry so we can get the best information from you uh which will ultimately help us execute our mission with that I'd like to now introduce our speaker uh Dr Garfield S Jones uh Dr Jones is the associate chief of technology for the cyber security and infrastructure Security Agency Dr Jones is responsible for developing the strategy and providing guidance on the use of innovative and Leading Edge technology across CA this includes articulating and documenting the future technology Vision to achieve the organization's missions objectives and goals Dr Jones holds a doctor of Engineering in industrial and systems engineering with a concentration in machine learning and artificial intelligence he serves as a professor at two universities teaching computer science and systems engineering Dr Jones has also filed a patent regarding the use of probabilistic neural network for vulnerabilities risk calculation of a text document so please join me in welcoming Dr Jones Dr Jones the floor is yours thank you thank you uh appreciate that uh that long introduction hopefully we didn't put anyone to sleep and uh you guys are wide awake for uh this this presentation so uh thank you uh all for for coming um this is the introduction to uh the research and development compendium investigations which uh as part of the Strategic technology team um we 
looked at various technologies that could help uh the uh divisions that are within sisa so we looked at their research gaps we looked at the emerging Technologies we looked at what what areas of cyber could really um help out here so uh that's kind of the the the purpose and the the background of of the compendia we we really um tried to make sure that we uh touched on every technology that has um you know cyber involved but so that we don't uh go for four hours we uh we cut it down to to some selected topics that we thought were um high value to to siza and it and its Partners so um next slide please yeah so as as I was saying the purpose of this compendium is to basically research the topics that are are relevant to sza programs uh we have some strong current uh some strong Focus areas that we we look at we're going to go over those that that tie into our goals and our strategic alignment with um with siza and and the agencies that we we support so uh we're also going to this this compendium is also here to inform form and suggest possible courses of action so you will see uh in in each of the topic areas basically a call to action and then we will at towards the end we will reach out to to we hope that you and and uh siza can can work together to um kind of uh you know get these topics under control and and get some and get these gaps filled next slide please so let's talk about these uh these areas so we have about 19 uh technology assessments that we went through those were uh those we went pretty in depth the actual compendium is about 100 pages so it's it's pretty in depth and uh what you're what you're going to see is is a snapshot of things that that we looked at and here you'll see where we basically set out the the importance and the urgency uh as as our as our metrics to to see how these Technologies relate to to us and and the the agencies around um as you can see the high uh import ones are you know of course pqc artificial intelligence you can't do a 
briefing without mentioning artificial intelligence and we actually married it up with zero trust uh zero trust has been a big technology uh well it's been a big kind of buzzword I don't even want to say it's a technology because it's more like a concept in in our estimation and but you'll have various Technologies that's that support it uh another technology here is so software understanding which uh most of you may not be as familiar familiar with but we'll we'll definitely uh dive into it a bit and and give you a bit of understanding pun intended uh large large language models of course you know we're going to talk about that that's probably going to be one of our first slides that we we jump jump into those llms have been have really taken hold uh you know in the last couple years uh they they've been around um you know but I think they've really jumped into the mainstream with with of course Advantage chat GPT and and the various other llms that that we've uh we've seen come come online uh so we'll talk a little bit about that and and how we we intend to address some of the those areas uh The Prompt engineering that's become a big part of how these things are designed uh for for us in on on the government side it's so that we don't let any you know sensitive data out so we'll we'll discuss a little bit about that and of course uh cyberphysical systems uh these are you know they're part of our Our Lives now everything is has got a little bit of cyber in it but uh you know we we have to marry it up with the the physical systems that we're we're we're dealing with um we'll we'll go through actual bit of a case study in in that and and see how it it's related to um what we are doing on the siza side and trying to implement um proper resilience for critical infrastructure and to to tie into that the sacom portion of it satcom and uh cyber security uh that's a you know it's an interesting um topic area one is because I don't think people realize how much goes into 
how many components are part of satcom and uh satellite Communications and cyber security is such an important part and it's becoming bigger and bigger uh as as we uh as we do more investigations into into this and we see how many areas uh possibly have weaknesses or vulnerabilities that that um that we need to look at and the last two are synthetic data and web 3 uh synthetic data um we'll we'll talk a little bit more about as as we go into the slides and web 3 and blockchains uh you know I think it was it it it is of of high importance um well we have it scored as medium importance but High urgency because these technologies that are associated with web 3 and blockchains are really starting to come online and we really need to make sure that we're we're getting hold of them all right next slide please so the relevance of these topics that we're talking about in the compendium as I said we had 19 but we we cut it down um tried to relate uh all the all the topics to uh as you see the relevance to S of cyber security strategic plan goals so we have a strategic plan that was released to the public um and it's it's basically uh you know it it align it has goals written to it so we see goal one address immediate threats so we we looked at it and we saw that five of our 19 Technologies actually tie in with goal one goal two we have the majority of our Technologies hardened the terrain everything that we just about everything that we talk about in in the compendium is related to hardening the terrain uh the Cyber landscape so that we don't have um you know adversaries uh taking over our our pipelines or you know attacking us and making sure that that it's it's difficult for them to to gain entry within our our systems and the last last goal that we have goal three Drive security at scale uh that security is is what we're all about it's is a you know we're we're trying to um secure the critical infrastructure reduce the risk of of adversarial adversarial attacks so just 
about every technology that we we uh we investigate um relates to these um relates to this last and final goal and as you look across the the Strategic Focus areas where esom where software billing materials and uh software uh supply chain or risk management the scrm we had a couple Technologies aligned with that um the vulnerability management of course uh that's that's one of our um Sor divisions uh subdivisions Within Sia that uh does so much great work in um trying to get ahead of all the vulnerabilities that are that are out there we're we're trying to help them out as well of course ZTA as you all know um zero trust uh architecture uh s has released their updated uh model for zero trust uh I think that was released sometime last year uh maybe middle of last year if I'm if I'm correct but don't quote me on that uh but it's it's definitely one of those techn one of those areas and and like I said it's not necessarily technology is the concept so uh we we saw that about five of our Technologies aligned AI security is another area that we're looking at right um so artificial intelligence and you know this is really to support the um AEO that recently came out uh in in late 20 23 uh that that really talked about you know privacy securing Ai and and various other trustworthy AI things like that so we of course we we had to look at technologies that really support that uh we thread analysis um our thread hunting team and and Analysis team that's that's where uh you there there are sub division with that that um that we look at and and try to assist with these these various Technologies and unless you've been under a rock or live in the Shell you've heard about it if you've heard about siza you've heard about secure by Design and secure by default uh secure by Design is is is probably uh one of I I would say one of the most important programs that we we are looking at U you know developing that that um software or any anything that you you design you should design 
with security and uh in mind so I think this is one of those where uh a a fair amount of our Technologies um really point to so this is these are our main focus areas if you're if you're interested those are the areas that that the compendium as a whole really pointed to next slide please again the research highlights um here so our first um topic area I would say is is probably one of the more important areas and again um this uh you know looking at large language models uh you with the advented chat GPT I mean they've been around for a while as you can see on the chart here um the the llms they they've been around since before chat GPT came online I mean if you look at basically an llm but it's it's not as um robust of course as as chat gbt but it does have its its um its its issues as well uh you know I don't I the hallucination problem is probably not as prevalent in um chat in Sur as it is in the other llms that that came online because of the models that that are being used uh so in in terms of how this relates to the government and what the government is trying to do with this the the government at at some point maybe we need to embrace this and and know that it's coming it's a storm it's here we've got to we've got to um embrace it we've got to be able to to use it and and control it they are fairly useful they they have um they have their their issues and and they're they're pretty prevalent pretty public about uh what their issues are uh those those hallucinations are are one the other part that really concerns the government side of it is the uh as as the statement says there on the the Privacy the bias and the ethical concerns that go along with it right we have to be careful of um the bias that that are within the model so when when these models are developed again TI tying back to our secure body design um you know we have to make sure that they don't have um they don't let Privacy Information out uh about you know users or they don't have um bias 
built in where they they can only uh give answers regarding uh certain um uh you know ethnic groups and and so on so we we have to really be careful of that the other part of it is how do we use it how do we how do we how can the government really use this um you know we we deal in sensitive data we deal with trust of of of other agencies and and and we're trusted we're a trusted agent of of of data so we have to be careful when we ask you know um large language models or or share large language models any kind of information that we have within our data set that becomes part of that large language model and now can be actually used against us so you know I always say that um it it's it's one of those that uh that you can you can you can use and um yeah as as far as the the the large language models and um getting some some uh some some messages so I I want to make sure I lost my train of thought there for a second but um we want to make sure that we can use these these uh these models in in the right way and and make sure that we don't have any kind of uh leakage of of information so yeah so uh I and and some folks are pointing out that that Suri is um is is a program yes but in in terms of How It's in terms of how it's built there there there is some modeling to to to it as well and and how uh you you ask it and and how it responds so it is you could say it's not a large language model that is similar to what we have today but you can you can also say that it might have been as as this points out in it um part of of that as part of the uh releases in um the announced by by year here so I think there's there's some you know there there's some some uh fine-tuning that we can do to to our our uh our definition of this but we can um we we definitely know that large language models should be use they can be a problem and we need to control them next slide please prompt engineering so as I kind of touched on this a little bit The Prompt engineering part of this is when 
when we ask a when we ask a large language model for information one we have to ask it in the correct way uh you have to ask the because if you don't ask the the right question or you don't ask it in the right way you might get and you might get a different answer and and you might get the wrong answer so depending on your prompts and designing the prompts so that's that's one way that we have to look at at prompt engineering the other way is is the security of it right you we've got to be careful as on on the government side so we need to learn how to design our props so that we can have better um a better idea if we're letting out too much sensitive information this is why on the the first the key findings on there prompt engineering can have an impact on AI security we are making sure that when we design a prompt um that we don't uh let too much information out so uh as as you as you see even on the second bullet poorly engineered prompts uh return bad information and reduce the value of llms so you ask the wrong question you get the wrong answer uh we may think it's a right question but again you've got to you've got to design that prompt um so that that we know and and this comes with training and this comes with use uh so we need to to get good training we need to get adequate training to our users so that they understand not to um to to design prompts that that are necessarily um let out too much information with that so again here we're looking at at at the real full design of of prompt engineering to to make sure that we we get the right information and the right security behind it next slide please so cyberphysical systems I we we talked about this and and again if you haven't if you if you've been around for a little bit you you know about the colonial pipeline um so this was a was a big issue I couldn't even mow my long because the gas was was was uh we couldn't get gas and you know I had I had I'm telling you HOA was after me it was you know it was 
after everyone cuz we were we were on we all had some long grass and everything else because we weren't trying to to to go to the gas station so it it was I know it's a it's a little bit of an exaggeration but I'm just I this is how important um you know our cyber physical systems are right uh my lawn's important to me I gotta you know it's got to look good you know I like I like it nice and cut you know making sure it's know not like my hair but um pretty close um so the colonial pipeline it it is it it one of those reminders that we need to have resiliency built into our our critical infrastructure if and this is more of a policy this is more of help with that we need with developing policy to enable resilience um we we saw in our investigation that there wasn't a very coordinated effort I mean the as since a compendium has been published well I since we've written a compendium we've seen uh different uh you know joint bodies start to come together and and work on this but we still need um very you know very pointed policy requirements for this we need standards set in federal policy Federal standards we need some R&D investment as far as how uh a a cyber physical system will be resilient and this this may be uh when we're looking at digital twins you know things like that simulation so they're they're uh you know tangential technologies that can help you know enable this this more uh resilient cyber um physical uh system you know realm so we got to really be it it's policy standards um R&D uh of course the R&D tools that can really and and you know developing a a a joint and collaborative body so that everybody is on the same sheet of music when it comes to to cyberphysical systems this is a really important I I don't want to understate this at all which I don't think I'm I'm doing but we we have to understand how important this is to to our environment and this is one of the the core goals with uh s is that we protect and reduce the risk to critical 
infrastructure and um to include cyber physical systems next slide satcom so satcom is is is an interesting Beast right so I didn't really realize I the I I guess I knew for a while but I didn't when once we started doing this investigation we started getting uh invites to certain groups uh you know I E and everything else um there is a lot behind this and it is a massive undertaking uh as you can see where we we look at the the traditional satcom architecture it's it and and the majority of of uh systems run on that is we have a lot of uh you know the the end users have a a a a a lot of um devices already we have to protect our satellites we have to protect the ground we have to protect the the satellites we have to protect any vehicles that that may be associated with that any of the messages that we we look at and as the as the satellite system ages we we're we're starting to see um you know it's it's it's a lot with our our our IC as well you know um there there may be some agent that that's in there and these are these are old programming um issues that that may lead to vulnerability so we see that there's a lot of of uh issues that that come from the the satcom architecture uh you we really need to improve the cyber security that operate and control these Services um you know especially in in in in the spaces that that when we're talking about the different assets that belong to the the actual satellite system um so siza is currently working with satcom operators and and and we encourage that we we work with with more satcom operators and to understand not only the the cyber security aspect of it um but the the physical security aspect of it as well so there's because that is part of our our um our our mission saving as well as is is looking at physical and and um cyber security and trying to reduce our risk so this is a very important piece that that we're looking at we have um you know the the the integration of of of several different um I guess you could 
say uh you know operators or or um manufacturers and we're we're we're looking at that and and there's integration points where there could be vulnerabilities there and how things are are talking to each other and and opportunities for attack so we we are looking to make sure that we don't um forget about these areas that that we use all the time I know I lost my my um my uh my cellular phone service my mobile service uh the last week and you know I was stuck trying to get a Uber in the morning I and and that could have been a problem it was a little cold even though I was in North Carolina it was a little cold and so those are things that we we look at and we say oh wow you know these are how although it wasn't an attack it was still an area that that I thought oh wow if this ever happens you know people are really stuck and people are really uh it could really affect um the the nation as a whole next slide pqc so this is uh this is I I could I guess you could say this is my baby I I I love this topic um I love talking about it I could probably go on and on but I know um you Mo'Nique and and the rest of the crew would would probably um yank me off but uh pqc so if you're not aware um there is some real danger coming out in in the next few years um just what it is is you know quantum computers they're they're a different they're different than the classical computers they run on cubits right and and quantum computers because they run on cubits um they're they're it's more of a probabilistic uh uh you know um than than deterministic so with with classical you can have one or zero right uh we all know about that right the the bit is one or zero in in Quantum Computing it could be one and zero right so and it could be any anywhere in between so there's lots of opportunity to actually find it you know the the one and zero it's a it's an endgate it's not it's not necessarily or gate right so it's it's the the and gate it means you know that that superposition that where 
you can EXA can have that um that one and zero at the same time so it's called superposition what Quantum Compu what that enables quantum computers to do with the um is to be able to search or um Factor uh you know numbers very quickly as we all know the P pki the um public key encryption right or public key infrastructure is is built on on on factoring right so if you're able to design a machine which is a cryptographically relevant quantum computer a CR QC to um to be able to uh break the the pki I mean you can basically get all the information that you want that's going over the the public infrastructure that's an issue Peter Shore who uh developed uh this this algorithm called Shore's algorithm in in about 1990 1994 uh Circa 1994 this algorithm if if you put the shores algorithm on a quantum computer right you're going to be able to get an exponential speed up on on a CQC you're going to get an exponential speed up which which this is showing to to be able to to break the the factoring on a on a um on a regarding pki so that's where we have to now design things that uh we have to design technology we have to design um algorithms n is working on these algorithms to to um these Quantum resistant algorithms to put them in place so that we don't have this this issue of you know once a quantum computer is it comes online that we uh that they're able to to break our our encryption we have the problem now of harvest now and decrypt later so Harvest now and decrypt later is we're harvesting all this information uh you know our adversaries are harvesting the information now but once a quantum computer comes online they're able to to decrypt it and and and and you know get all our information so it it's a real issue that we have to embrace and and and start worrying about how we're going to approach the not only the you know the the inventory of our systems of our of our of our critical systems the the information that we're we're sending out um all the data that that's 
behind it so all the data we need to make sure that we we we know how long the data is going to how long that the data needs to be around and we we have to make sure that we we're we're developing tools to help us with with system inventory data life cycle and education I mean those are like the three that I can I can pull from the um the uh memo that that was the OM memo that was sent out outlining all the the uh the the areas that we need to cover but those are the three main issues that we're looking at to to to Really um to really address this problem because we we need an automated inventory we need um you know automated data life cycle uh you know tool and then we need education on this piece of uh technology to to um really help us we're we're working with standards uh internationally because once you have a a a Quantum um computer right it may not always be able to because we're going to still have some classical computers around so there may be some kind of uh hybrid environment where we have the the the classical and the quantum all right and if you have the classical and Quantum they may not be able to talk to each other so we're going to have that time when the algorithms are released from this and and some of the vendors uh you know Implement those and they're able to to to work on on one side but they're not able to talk to the classical computers which some of the areas like like IC may still have it but we need to be able to talk to to to our IC um and and you know other devices that that may still be on the classical side because we don't know how how many resources are going to be needed to support those those Quantum algorithms so um just I'm going to turn it over to uh Pat Manley just to kind of talk a little bit about um the standards some of the standards bodies that we're working with uh right now thanks Gary um I'll make a quick plug here for some of the work that we're doing in standards um obviously very important uh just so everybody 
knows I'm Pat Manley I'm one of Gary's Branch Chiefs in the Strategic Tech subdivision of uh office of strategy policy and plans and within the last four to six months or so I've been tasked to figure out the standards coordination and development efforts for sisa uh we'll make a plug for for those on the line today that there is a national strategy for standards around critical and emerging Tech the White House released that uh about last May June and so we've been working very closely with nist pqc being one of the areas but um really trying to formulate a standard strategy where we're focusing internally where our technical priorities are Gary's walking through quite a few different technology areas here today we're trying to identify ways in which we can build and bake in resilience in those technologies that underpin all of critical infrastructure across the country and you know Gary highlighted a few with the colonial pipeline you know those things that can make a real impact on our day-to-day life and so leveraging the standards ecosystem we believe is a good uh opportunity for us to partner with like-minded countries and partners and like-minded agencies to really Advance Security through standards development uh ensuring that there's interoperability at the core as as um Gary just mentioned with pqc uh we're really starting to think through where we need to focus where we need to align our efforts uh not only with the inter agency but also with our International partners and key to standards and I'll make a kind of an early call to action before Gary does at the end is working with industry as as many of you know standards it's an industry-driven process here in the US and so we want to ensure that you know these technology areas uh we're really trying to leverage the standards ecosystem to ensure security to ensure interoperability and to ensure that we are addressing some of those more strategic risks from nation state adversaries and the uh that are 
really trying to influence those bodies, whether it be the ITU, IEEE, 3GPP, or the IETF. We're trying to really focus in on having a unified approach to standards development as a USG and with industry. So that's my plug. I don't want to take too much of Gary's airtime here, but just know that this is something that we're really thinking about across the board with NIST, and we really would welcome participation and inputs from industry as we're laying out and focusing on the implementation of that national strategy. So I'll stop there, Gary. Hopefully that's helpful; happy to follow up with questions as you guys send them in at the end of this.

Yeah, thanks, Pat. And just so that I answer one of the questions, since Pat mentioned the questions: I know with PQC, "When are we going to get a quantum computer?" I have no idea, okay? So let's just put that out there right now. Our planning as an agency, and what we recommend to other agencies, is based off of 2030. That's where our planning is, and we're looking at that. And just one more thing on PQC: there is another algorithm that's not really talked about. I feel like folks kind of forget it, but Grover's algorithm is the other algorithm that is of not immediate danger, because it's not something that can be run yet; it needs a lot more resources to be run than Shor's algorithm on a quantum computer. But that is a search algorithm, which basically can search through information and can be a real problem area as well. So that's more the search algorithm, and Shor's is more the factoring algorithm that can basically destroy PKI, with issues with digital signatures and all the above. So I just want to make sure that everyone understands that. All right, next slide, please. All right, getting
towards the end here. So, artificial intelligence for zero trust. Zero trust is one of the areas that CISA is heavily pushing. As you know, we had the zero trust model pushed out recently, well, an update to the zero trust model pushed out recently; Sean Connelly and John Simms are always doing a great job with that. But here it has about five pillars; I think the CISA ZTMM model has six but NIST 800-207 has five, and I'm pretty sure I might have that switched around. But we really looked in on three key pillars here: the identity, the network, and the data inventory management piece, and that's where we really feel like artificial intelligence and machine learning can really assist. As you see, we have kind of the logical components that are in AI/ML functions; as you can see, the IAMs over there, that's where we would have some AI functions. And then the PDP, which is the policy decision point, where we look at where to put the AI/machine learning to really see the user behavior and look at pattern recognition there, because that's basically what AI/machine learning can look at; it really began with that whole pattern recognition part of it. So I think that's one of the areas that we saw could really benefit from artificial intelligence and machine learning. Then of course the network monitoring and network filtering, that's another pillar that we saw would be effective for artificial intelligence and machine learning, and it's very much pattern recognition and things like that, where it could look at anomalies. On the data side, there are classification algorithms in machine learning
that can help with classifying, again looking at patterns, and of course the tagging, being able to put the data where it should be so that we can get it tied up with the right users, getting them the right access. So that's kind of where we saw artificial intelligence and zero trust really starting to bond. Next slide, please. So the zero trust architecture, as I was talking about: if you look at it here, our research question was, what is the availability of the technology to implement the various facets of zero trust architecture? I don't think one technology is going to do every single thing; it's going to have to be a marriage of several technologies, and I'm not talking one of those marriages and then divorce, but a marriage that can last for a while and work out its issues. You have the data and the device part of it here, and to talk about where we're looking at zero trust, I've seen it implemented in various pillars, but I haven't seen the whole thing, and I think that's one of those areas that we really need to look at: how to concentrate on certain pillars and kind of move it up all at the same time. Because we have expertise in one pillar and expertise in another pillar, and everybody's trying to push their wares, but we've got to make sure that we can talk to each other. That's what zero trust is: just being able to have that collaboration of technologies and being able to keep those adversaries out. Well, I guess zero trust assumes the adversary is already in, but we're saying making sure the adversary does not get to the data that's important to us. So being
able to implement those identity issues, the right identity structure, the right data structure, and so on, so that we don't have the attacks or the exfiltration of data going on. So this has really been a big push for CISA, especially when considering zero trust. Next slide, please. Software understanding. So software understanding is one of those areas you're probably not as familiar with. I wasn't as familiar with it as I probably should have been, but when it was explained to me, it didn't make sense at first, but then I started to investigate it a little bit more. What it is, is that a lot of times we install software: we push a button and we install the software, and we trust that the software is good. We've been installing software, as you can see on the graph, for quite a while, and at first we understood exactly what we were installing. But as the software got more and more complex, it became less and less where we were actually understanding the software, where we were actually saying, well, this software may have a back door to this and it might have all these other issues, and we knew exactly what the software did and doesn't do. Those are the things, and that's why we're talking about software understanding. There's a gap between what is considered complex software that is running on government systems and the folks that actually understand that software. So that's where we're looking at this gap here: how can we close that gap to where we understand exactly what we're running, we understand what its capabilities truly are, and we understand what can be tied back to any adversarial issues that we may have. So we're trying to get a deeper understanding of that
software for every aspect of what we're doing, and that's going to take some time. You see the gap widened over time significantly; now we've got to kind of turn that on its head and close that gap slowly but surely. This really ties into our Secure by Design initiative as well, where we're looking at how we can make sure that there aren't vulnerabilities in the software that we're installing, and making sure that industry is putting the right guardrails in so that we don't install things that could be harmful to critical infrastructure or CISA's ability to actually perform any kind of mission. Next slide, please. All right, synthetic data. So we kicked off an actual SVIP, Silicon Valley Innovation Program, for synthetic data. We're trying to use this: we have a whole lot of data. I would say something, but it's an open audience. We've got a lot of data, right, and we can't really share it; we can't get all the analysis in there. So synthetic data is a good privacy-enhancing technology that we're looking at to be able to try to enhance our information sharing and be able to send this out to various analysis and industry and academic groups so that we can get better insight into what's going on. I mean, we can only do so much, and then we have this platform that we're standing up, the cyber analytic platform for machine learning, CAP-M, where we have a GovCloud side and a commercial cloud side. The GovCloud is called Aid and the commercial cloud is Maple, and we can't necessarily share the data between the two, but there are so many tools that we can look at for analysis that sometimes can't be put on the government side but can be done on the commercial side. But the use
of synthetic data to help with that privacy and security of the data may help to facilitate more analysis from different parts of industry and academia, and various agencies as well. Next slide, please. The last one here is Web3. Web3, I guess there is a Web 3.0 and a Web3; I didn't know that there was a difference until I did this, but our Web3 is the blockchain. So I think Web3 is one of those areas where we're seeing a lot of technologies coming out, and again this is one of those areas of how can we make sure that these critical infrastructure operators and the federal, state, local, tribal, and territorial governments better understand how to use these blockchains, because blockchains can actually be helpful. I wasn't a big endorser of blockchains, but I feel like if there's a certain amount of trust between certain agencies, it might facilitate information sharing and things like that. But there are cyber risks with this: what new cyber risks do these technologies introduce to unsuspecting new users? That's our research question for this one. So we are looking at these technologies and making sure that, although they do bring advantages, they are going to bring some issues that we need to look at, because of the information sharing and the trust, especially in the blockchain. You've got to make sure you're letting the right people in. It's like the circle of trust, or circle of love, or whatever you want to call it, or a family: you've always got that family member that's got a little issue or something like that, so you've got to be careful when that family member kind of goes a little rogue or wants to... I
see some people have one of those family members too. But you have to be careful with that and make sure that you're monitoring those people within the blockchain, and that you establish that trust. And of course this kind of ties back into zero trust, where you might be able to use trust algorithms to look at these blockchains as we go through them. So the new technologies that are coming out, the trust between them, the trust in establishing the blockchains, can really be part of this. As you see, there are various aspects of that blockchain, and there are various aspects that can actually end up being a risk. So I just really want to call on everyone out there, all the industry folks, any academics that are on the line, to make sure that you try to work with us on this. I think I'm going to hand it over to Monique to let you know exactly who to contact. I think I have one more slide after this, but like I said, exactly who to contact is on there: CISA Industry Engagement at cisa.dhs.gov. We are constantly adding to the compendium, so please let us know if there are any other technologies or anything like that you want us to investigate and you think that we should be aware of, because this is a marriage, and as I said, we don't want one of those that ends; we want one of those that lasts forever, right? But we need to work together and make sure that we get hold of these technologies and protect the infrastructure and the nation as a whole. So thank you, and I'm going to hand it over to Monique.

Thank you, Dr. Jones and Pat, for the informative presentation. And yes, please, if you have any additional technology information that you would like to share with us, please email us at CISA Industry Engagement at cisa.
dhs.gov. And please continue to check out Doing Business with CISA on the cisa.gov website for information regarding additional upcoming Future Forward Series events. As always, vendors are encouraged to check and monitor the DHS Acquisition Planning Forecast System, which provides high-level information regarding CISA's upcoming competitive requirements, and to send APFS inquiries via email to APFS-Inquiries at cisa.dhs.gov. Before signing off, we would very much like your opinion on how we did; please click on the survey link for a short survey. It takes less than a minute, so your feedback is very welcome and appreciated to ensure that we continue to provide high-quality and valuable events. We hope you found today's session informative. Please join us next month as we continue to dive into what CISA is working on. Thank you, and have a nice day.

2024-04-10 10:47
