NSA Funds 'Lablets' for Security Research

• By Dian Schaffhauser
• 05/19/14

The National Security Agency (NSA) is funding the creation of four small laboratories on just as many campuses as part of a new initiative to support the development of programs for security research. Recently, the NSA invited nearly 300 institutions to go after funding to develop "lablets," little labs with the express purpose of conducting basic research, building a community and talking up the need for a "science for security" (SoS). Four universities — Carnegie Mellon, North Carolina State, U Illinois at Urbana-Champaign and U Maryland — jumped at the opportunity. Each of the first three schools will receive $2.5 million; U Maryland will receive $4.5 million over three years.

A major goal of the initiative is to create a unified body of knowledge and analytics methods and tools that can serve as the basis of an engineering discipline, curriculum and rigorous design methodologies. The results that come out of the lablets will be documented and distributed via a wiki.

The research to be performed at the lablets will be directed in five areas:

• Scalability and composability;
• Policy-governed secure collaboration;
• Security metrics;
• Resilient architectures; and
• Understanding and accounting for human behavior

Carnegie Mellon's lablet will be directed by William Scherlis, professor and director of the Institute for Software Research. "The point of all this is to build a network of SoS thinking," he said. His group, consisting of 15 faculty members and about 20 post-doctoral researchers, technical staff members and graduate students, will focus on two of the study areas: scalability and composability, and human behavior and usability.

The former will examine large, complex software systems made possible by assembling many separate components. He explained that the "challenge" is to "develop methods to enable the construction of secure systems with known security properties by assembling components, each of which has known quality and security properties," but without having to reanalyze the security properties for the entire system once it's composed.

In the area of human behavior and usability, the researchers will work to develop models of human behavior that enable the design, modeling and analysis of systems with specified security properties to address potential insider threats. Another interest here is to improve support for the people who develop systems and evaluate their security.

North Carolina State will explore analytics with a drilldown into data encryption. That work will be housed at the school's Institute for Next Generation IT Systems.

U Illinois researchers will delve into resiliency, and specifically a system's "demonstrable ability to maintain security properties even during ongoing cyber attacks."

U Maryland will bring together five departments on campus — computer science, electrical and computer engineering, information studies, criminology and mechanical engineering — to study the verification and composition of security properties; conduct experiments on vulnerability exploits; and, like Carnegie Mellon, dive into the topic of human behavior and its impact on security.

"The university's designation as a science of security lablet is a testament to the breadth of our expertise in cybersecurity," said Patrick O'Shea, vice president and chief research officer at U Maryland. "It also speaks to our broader mission of addressing grand scientific and societal challenges by forming innovative transdisciplinary partnerships across multiple departments on campus."

The lablets are expected to draw research help from other institutions and will involve research work already being undertaken by the universities that were awarded contracts.