“With all the new technologies, strategies and artificial intelligence being employed by both security pros and threat actors, one thing remains constant: us. We are the Human Element within cybersecurity. That’s what joins us together. For some of us, it’s a higher calling that brought us to this profession. For others, it’s a gradual realization that the actions we take can affect every aspect of humanity. We’re the ones on the front lines, protecting not just data, but our most vulnerable people and every aspect of our lives—from election hacking to the weaponization of social media. We’re the ones making the hard decisions about privacy…ethics…usability…responsibility. And how to ensure doors remain open for everyone. The goal of RSA Conference is to help the industry mature while preparing individuals to grow into their roles as defenders of the world. When we recognize that cybersecurity is, fundamentally, about people protecting people, the world becomes a better, more secure place.” RSA 2020 San Francisco
A Conversation with the Cryptomathic: Whitfield Diffie
The Superintendent’s Journal met with Whitfield Diffie, a co-inventor of public-key cryptography and widely called the father of modern cryptography, who opened the Cryptographers’ Panel at RSA Conference 2020, one of the industry’s most senior security conferences. Joining him on the panel were Arvind Narayanan (Princeton University), Tal Rabin (Algorand Foundation), Zulfikar Ramzan (RSA), Ronald Rivest (Massachusetts Institute of Technology) and Adi Shamir (The Weizmann Institute, Israel). The Journal has consulted Diffie over the years on the future of school security and safety. The takeaway for superintendents is that cyberspace in schools is a complex ecosystem of computer hardware, software, networks, data and people, integrated with the physical world. School districts’ overwhelming reliance on this ecosystem has exposed its fragility: vulnerabilities that defy existing cyber-defense measures mean that schools, corporations, agencies, national infrastructure and individuals continue to suffer cyber-attacks. To secure a school while protecting the privacy of individuals, administrators must understand not only the technical weaknesses of a system’s components and how they can be addressed, but also the human-centric aspects of secure cyber systems. Examining the fundamentals of security and privacy from many different perspectives can, in turn, lead to fundamentally new ways to design, build and operate cyber systems, protect existing infrastructure, and motivate and educate school districts about security and privacy.
The goals of the Superintendent’s Journal and the Gratus Labs program are aligned with the National Science and Technology Council’s (NSTC) Federal Cybersecurity Research and Development Strategic Plan (RDSP) and National Privacy Research Strategy (NPRS): to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy. Gratus Labs has identified six areas critical to successful cybersecurity research and development in schools: (1) scientific foundations; (2) risk management; (3) human aspects; (4) transitioning successful research into practice; (5) workforce development; and (6) enhancing the research infrastructure. Gratus Labs Inc., which provides training and development for corporations and school districts, frames its privacy research around characterizing privacy expectations, understanding privacy violations, engineering privacy-protecting systems, and recovering from privacy violations. In alignment with the objectives of both strategic plans, the program takes an interdisciplinary, comprehensive and holistic approach to cybersecurity research, development and education, and encourages the transition of promising research ideas into practice.
At the RSA Conference in San Francisco, the Journal identified new and established corporations that will partner with Gratus Labs to provide the following support and training.
- Authentication and Biometrics: Topics of interest include continuous authentication, remote authentication, multi-factor authentication, geolocation-based authentication, password-based methods, device technology, mobile authentication, identity and credential management, verifiers, robustness of authentication, and reverse engineering of electronic authentication credentials. Biometric authentication is also of interest; however, methods based on characteristics of the human body (physiological, neurological or behavioral) must exhibit enough entropy to support strong security guarantees and must be evaluated against properly defined attack models, since, unlike a password, a biometric cannot be revoked or replaced once an attacker has captured it.
- Cryptography, Applied and Theory: Topics of interest include all applications of cryptography, especially in networks, cloud computing, electronic commerce, or any other real-world setting. Symmetric and asymmetric encryption, including attribute-based, functional and fully homomorphic encryption, are of interest, as are program obfuscation, information-theoretic security, steganography, cryptanalysis and post-quantum cryptography. Research on side channels and leakage resilience, memory-hard functions, verifiable computation, non-malleable codes, computer-aided cryptographic proofs, and digital currencies is also in scope, as is secure multiparty computation (including querying and machine learning over distributed datasets), particularly when there are clear contributions to the cryptographic aspects of the problem.
- Cyber-Physical Systems (CPS): Topics of interest include research on security and privacy of cyber-physical systems that integrate sensing, computation, control, and networking into physical objects and infrastructure, connecting them to other systems, to users, and to each other. Systems of interest may or may not include humans in the loop. Also of interest are techniques for leveraging fundamental physical properties to improve security or privacy; system vulnerabilities and mitigations; system models; measuring and assessing security or privacy characteristics of systems; as well as human usability of system protection mechanisms.
- Data Science, Machine Learning (ML), and Artificial Intelligence (AI): Topics of interest include advances in techniques and tools for modeling, analysis and visualization of data and metadata to predict, detect, and mitigate security and privacy risks. This includes advances in secure and/or privacy-aware infrastructure for data science, including dataset management, provenance, validation, and linking; secure and privacy-preserving methods for publishing actual or synthetic datasets, including but not limited to differential privacy; and methods for retrieval, querying, and text and network analysis over datasets that effectively trade off security, privacy, and utility. It also includes the robustness and risks of the methods themselves, including adversarial ML threats in model training (e.g., data poisoning), deployment (e.g., adversarial examples), and reuse; privacy risks including model inversion and model extraction (recovering the training data and the model itself) and risks to individuals such as attribute inference, re-identification, and de-anonymization; and forensic and formal methods for analyzing, auditing, and verifying security- and privacy-related aspects of individual classification decisions, datasets, models, and algorithms with AI components. Also of interest is the intersection of data science, ML, and AI with human users in SaTC (Secure and Trustworthy Cyberspace) contexts, including privacy and security considerations around human-in-the-loop modeling; risks and exploitability that come with increasing transparency and explainability of models and AI-based algorithms; and aspects of fairness, bias, and related concepts around trustworthy algorithms that lead to unequal or exploitable security and privacy protection among users.
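One concrete instance of the privacy/utility trade-off named above is a published count protected with the Laplace mechanism. The Python below is an added example, not code from the page or from Gratus Labs: the student records are constructed, and the field names, helper names, epsilon values, 0.5 decision threshold and random seed are my own assumptions. It first shows a differencing attack, in which two permitted aggregate counts reveal one student’s sensitive flag exactly, and then shows how noise calibrated to the query’s sensitivity pushes the same attack toward a coin flip at small epsilon while leaving the count usable at large epsilon.

```python
import random

# Constructed sample records (not from the page): each student carries a
# sensitive boolean attribute that a published statistic must not reveal.
RECORDS = [
    {"id": 1, "grade": 9,  "needs_counseling": False},
    {"id": 2, "grade": 9,  "needs_counseling": True},
    {"id": 3, "grade": 10, "needs_counseling": True},
    {"id": 4, "grade": 10, "needs_counseling": False},
    {"id": 5, "grade": 11, "needs_counseling": False},
    {"id": 6, "grade": 11, "needs_counseling": True},
    {"id": 7, "grade": 12, "needs_counseling": False},
    {"id": 8, "grade": 12, "needs_counseling": True},
]


def sensitive(r):
    return r["needs_counseling"]


def count_query(records, predicate):
    """Exact aggregate count. Looks harmless on its own; see differencing_attack."""
    return sum(1 for r in records if predicate(r))


def differencing_attack(records, target_id):
    """Two exact counts, one over everyone and one over everyone except the
    target, differ by exactly the target's sensitive bit."""
    everyone = count_query(records, sensitive)
    others = count_query([r for r in records if r["id"] != target_id], sensitive)
    return (everyone - others) == 1  # True iff the target's flag is True


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, drawn as the difference of two exponentials
    with mean `scale` (an exact construction, no inverse-CDF edge cases)."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count_query(records, predicate, epsilon, rng):
    """epsilon-differentially-private count: a counting query changes by at
    most 1 when one record is added or removed (global sensitivity 1), so
    Laplace noise with scale 1/epsilon suffices."""
    return count_query(records, predicate) + laplace_noise(1.0 / epsilon, rng)


def noisy_differencing_attack(records, target_id, epsilon, rng):
    """The same attack against the DP interface. The attacker guesses the bit
    by thresholding the noisy difference at 0.5 (threshold is an assumption)."""
    everyone = dp_count_query(records, sensitive, epsilon, rng)
    others = dp_count_query([r for r in records if r["id"] != target_id],
                            sensitive, epsilon, rng)
    return (everyone - others) > 0.5


def attack_success_rate(records, target_id, epsilon, trials=2000, seed=0):
    """Fraction of trials in which the noisy attack guesses the bit correctly.
    Each trial answers two epsilon-DP queries, so by basic composition it
    spends 2*epsilon of privacy budget; a real deployment must track that."""
    rng = random.Random(seed)
    truth = next(r for r in records if r["id"] == target_id)["needs_counseling"]
    hits = sum(noisy_differencing_attack(records, target_id, epsilon, rng) == truth
               for _ in range(trials))
    return hits / trials


def mean_abs_error(records, epsilon, trials=2000, seed=0):
    """Utility cost of the same noise: mean absolute error of the published
    count relative to the exact value (expected value is 1/epsilon)."""
    rng = random.Random(seed)
    exact = count_query(records, sensitive)
    return sum(abs(dp_count_query(records, sensitive, epsilon, rng) - exact)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    print("exact counts leak student 3's flag:", differencing_attack(RECORDS, 3))
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps}: attack success {attack_success_rate(RECORDS, 3, eps):.2f}, "
              f"mean count error {mean_abs_error(RECORDS, eps):.2f}")
```

The two numbers printed per epsilon are the trade-off in miniature: at epsilon 0.1 the attacker is barely better than guessing but the count is off by about ten on an eight-student roster, while at epsilon 10 the count is accurate to a fraction of a student and the attacker recovers the bit almost every time. Choosing epsilon, and accounting for how many queries consume the budget, is the policy decision the paragraph above leaves to the deploying institution.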
Corporations and School Districts can get more information by completing the contact form at https://www.gratuslabs.com/