The following is an exclusive Threatpost interview with Samuel Weber, Program Director for the National Science Foundation’s Trustworthy Computing Program. The interview took place on Monday, June 27, 2011 at the RFIDSec 11 Conference on the campus of the University of Massachusetts, Amherst. 

The U.S. government isn’t short on daunting challenges in the arena of information technology and, especially, IT security. Indeed, Uncle Sam has a long list of IT priorities for the coming decade, with physical and IT security at the top. The government needs to rethink its approach to cyber offense and defense in an era where cyberwarfare is already a reality. Beyond that, there is evidence everywhere of the failures of the current, sprawling government and military IT infrastructures.

Somewhere in there, Uncle Sam also needs to look in his crystal ball – predicting what kinds of issues and technologies will matter ten or twenty years hence, and using its vast resources to help encourage research in those areas. That’s where the U.S. National Science Foundation comes in. The independent government agency was founded in 1950 to advance the sciences in the U.S. and promote public health and help support national defense. Today, NSF supports a wide range of basic research in science and engineering, with a budget that was just shy of $7 billion in 2010.  In the arena of cybersecurity, the NSF is lesser known than, say, the U.S. Department of Defense and DARPA. But it still plays a critical role -especially in areas of scientific inquiry where products (and profits) are too remote to interest private investors.

So it was that Samuel Weber, Program Director for NSF’s Trustworthy Computing Program found himself in Massachusetts’ lovely Pioneer Valley attending the first ever RFIDSec conference held in North America and exorting a room containing some of the U.S.’s top researchers and students of security for mobile devices and contactless systems to keep NSF in mind when they go looking for research funding. 

Weber is a former researcher at IBM’s Watson Research Center who joined NSF in 2009 to help direct the Trustworthy Computing Program (which bears no relation to the industry sponsored Trustworthy Computing Group). Over lunch in Northampton, Massachusetts, Weber talked to Threatpost about his agency’s top funding priorities in the years ahead, and why NSF wants to know what makes spammers tick. 

 

Threatpost: Thanks for agreeing to speak with us! There are so many parts of the U.S. government working on cyber security and IT. Could you tell us a bit about the types of activities that NSF funds? 

Sam Weber: The Trustworthy Computing Program (TC) is about seven years old. We fund a total of about 600 researchers. All in the U.S. and all over the place. Our funding goes to everything from research on cryptography to operating systems to human factors, privacy and so on. We’ll look at everything from research on the effectiveness of privacy warnings to pretty theoretical issues.

Threatpost: And what’s your role in the Trustworthy Computing Program? 

Sam Weber: We really try to help out by funding risky, long term work. Part of my job, when we get proposals, is to say: ‘this is a nifty idea,’ but then to evaluate whether the nifty idea is one that’s risky, but with a big benefit if it works out, versus something that is risky, but with a relatively low reward if it works out. We want high risk-high reward projects that, if they work out, will be game changers.

Threatpost: Interesting. Can you give an example of this type of project? 

Sam Weber: If you look at homomorphic encryption, that would be one example. That’s a technology that we’ve funded research on where it may be many years from ever being practical, but we’re excited because has a lot of potential. 

Threatpost: We hear a lot about cuts to funding across federal agencies, including to cuts in funding for basic research. How are things where you are? 

Sam Weber: Well, its important to note that we don’t have a budget yet. Our funding for last year was $55 million, and has been increasing at a reasonble rate. 

Threatpost: Is funding for the Trustworthy Computing Program adequate to the need? 

Sam Weber: (Pauses.) Well…I need to be a bit careful here. But I’d say that the level of funding is reasonable. 

Threatpost: What are NSF and the Trustworthy Computing Program’s top funding priorities right now? What are technologies and areas of research that you consider to be critical to fund?

Sam Weber: We really try to be impartial and balance areas where funding is needed and where we can encourage researchers. I’d say we’re seeing more and more efforts to involve the social sciences. “Human factors” is the traditional computer science term for anything involving users. But when you’re talking about Trustworthy Computing, you immediately get into issues like economics. So we’re funding a lot of work on cybercrime. If you look at spammers, for example, you have to ask ‘what are the economics of sending spam?’ and ‘how are spammers getting paid?’ It turns out that there’s a whole ecosystem of people who we think of as ‘bad guys’ but who don’t think of themselves as bad guys. There are folks who build the (e-mail) lists or build and rent the botnets, or develop (software) exploits or manage the e-mail campaigns. These guys don’t think of themselves as bad guys. They have some rules about what kinds of business they will and won’t do. So, for example, they may say that you have to agree not to hijack computers in their home country, or not use their botnet to distribute child pornography because that crosses their ethical boundaries. So once you start asking those questions, you get to areas where you need people in economics and the social sciences.

Threatpost: Yes. We at Threatpost are writing a lot these days about the important role that social engineering – hacking humans – plays in many high profile attacks. Is that an areas that NSF is looking at also?  

Sam Weber: In general, yes. NSF is interested in all sciences.  That said, you have to look at the individual proposal. 

Threatpost: We’re here at RFIDSec and I couldn’t help but notice that the vast majority of papers being presented – 11 of 12 – were from univerisites outside the US. Is that a concern?

Sam Weber: I’m not sure its a concern. But its one reason we helped sponsor students to come to this conference. We have a limited budget, so we have to pick and choose which workshops we fund and how much. This was one of the conferences that we thought was really worthwhile. In general, NSF is interested in increasing international cooperation in security research. If you  look at the Inco-Trust workshops, what’s clear is the bad guys don’t understand country boundaries, and that researchers are international. NSF is interested in funding U.S. researchers, but they have counterparts in other countries. So we’re looking for easy ways to help our researchers cooperate with their counterparts in Europe.

Threatpost: How so?

Sam Weber: Besides sponsoring workshops, I’m going going personally to meet with counterparts in in Europe and work on setting up ways to co-fund proposals. We’re limited by government rules about what we can fund. So we can’t sponsor someone in the EU, but we can sponsor US citizens to go over there to do research. We can’t directly fund a counterpart in the EU, but where you have two people working together in different countries, we work with agencies in the other country to make sure both researchers get money to make that happen using formal and informal arrangements.

Threatpost: Does NSF find contactless technologies interesting? 
Sam Weber: Yes. Of course. This workshop, in fact, crosses a number of different programs. These researchers could be funded by the Trustworthy Computing program, but just as easily by NSF’s Cyberphysical Systems program. Those are separate programs within NSF, but we will cooperate and some research could be supported by them as well as us. I can say that we’re seeing a lot of different proposals from different places. A number of them are RFID focused. Some are more focused on infrastructure, some on security or CVSS (the Common Vulnerability Scoring System). 

Threatpost: You hear a lot about poor implementations of RFID and other technologies here. Is there a role for government around setting uniform standards for secure implmeentations of wireless and contactless technologies like RFID and NFC? 

Sam Weber: Well, speaking personally but not for NSF, I’d say that there have been efforts by the government to set standards. If you look, for example, at the Common Criteria, that’s an example of governments setting standards around technology. As for whether its in the national interest…? I don’t think, personally speaking, that U.S. researchers gave up on a field of research for reasons of economics. I think its important for a country of this size to sponsor research. An important area right now for investment is Chip and PIN cards. You have companies saying transactions from these cards are legally binding, but it turns out that criminals have been able to take advantage of that and the person who feels the pain is the customer, not the merchant or credit card company. At the very least, the U.S. doesn’t want to be in the business of backing rules that are not supported by the facts.

Categories: Compliance, Cryptography, Government, SMB Security, Social Engineering, Vulnerabilities