HotSOS might sound like something in the condiments aisle. But it’s actually an annual event held by the National Security Agency. Hot Topics on Science of Security, its formal name, will be held online next week. For what happens at the event and some of the science challenges in security, Federal Drive with Tom Temin checked in with NSA science researcher Adam Tagert.
Tom Temin: Mr. Tagert, good to have you on.
Adam Tagert: It’s great to be here.
Tom Temin: And when you say the science of security, what areas of security are we talking about? Is it mainly cyber?
Adam Tagert: We’re talking cybersecurity, everything dealing with computers, mobile devices, things like that.
Tom Temin: Okay, that’s enough to keep any conference occupied. And when you mentioned the science of security, that’s an unusual term because most people talk about the technology of security. What do you mean by science?
Adam Tagert: Well, with science, we’re talking about what are the reasons we’re doing things with technology, we want to understand the concepts, the theories and the models of how both technology and humans behave in the cyber world. So that way, when we develop a defense, we actually have real confidence that it does what we think it intends to do.
Tom Temin: And what are some of the scientific disciplines? I mean, what are the kinds of people and professions that look at these questions?
Adam Tagert: Okay, so you obviously will think of computer science and electrical engineering. But we also have projects dealing with philosophers who are looking at the what does it mean to be resilient? We also have human behavior, people in psychology trying to understand the human aspects of people’s behavior with cyber. So it’s a very broad discipline across disciplines.
Tom Temin: I was wondering if it also includes the behavior science of people that might be the recipients of cyber attacks, especially phishing attacks? Which, golly, they are really some sophisticated emails coming out these days?
Adam Tagert: Absolutely. That is a key component of dealing with cybersecurity was looking at phishing. We had a project once looking at how different countries’ peoples responded to phishing, it’s different depending if you’re looking in the United States or say India.
Tom Temin: Got it. And I guess it probably varies by age group to some given population.
Adam Tagert: Yeah. The different motivations between older people, there’s definitely lots of senior attacks versus how young people are maybe more cynical when it comes to receiving an email.
Tom Temin: Alright, and tell us a little bit about the conference. Who attends and how does it all work?
Adam Tagert: That’s us, we get attendees from all three — government, academia and industry, which is a great environment for collaboration. We have government people talking about the problems and some of our approaches. And then we have academics that are working on the same problems. And we’re trying to bring everything together. And industry is saying, hey this is how we operate. And these are our challenges, because it’s all different flavors of the same challenge. And one of the great things about HotSOS is we really talk about ongoing research instead of a lot of traditional conferences, where we talk about research that is done, and we’re just publishing it for everyone to look at. HotSOS is about the ongoing, so we actually read draft papers, and we have 45-minute in-depth discussions led by discussants, who in some cases they’re NSA’s own researchers who are leading discussions on these important topics. Let me give you one really interesting example. We have a work-in-progress paper from Towson University, which is in Baltimore. And they’re looking at how election workers, the poll workers deal with cybersecurity. They’ve been working with the state of Maryland on training. And in this study, they’ve done a survey of 2,000 workers in 13 states just to see how they respond to cyber threats and what their perceptions are. And really, hopefully, we can get some better security there.
Tom Temin: And what about some of the hard sciences. I know that quantum computing is a topic in cybersecurity, also dealing with data and processing it in encrypted form, which is very difficult for processors and so on. Are those types of questions also part of this?
Adam Tagert: Absolutely. Dealing with computing in the cloud where you want to keep everything encrypted just for your own privacy. You don’t want people to see what data is, is in fact, one of the topics of our keynote from NSA. So our keynote from NSA, Nick Felts, will be talking about the effort to keep as much as possible encrypted when you’re computing in the cloud. So it’s going to be an interesting talk there.
Tom Temin: Now, when this conference was in person, where did it take place?
Adam Tagert: So it rotated around the country. So NSA funds a series of Lablets, which are small virtual labs at universities in the United States, and HotSOS would rotate around them. So sometimes we were in Raleigh, North Carolina with North Carolina State. Other times we’d be in Carnegie Mellon in Pittsburgh. So we would move around the country.
Tom Temin: And now that it has been, I guess this must be your second time in a row virtual, correct?
Adam Tagert: It has. This is the second virtual. Last year we were supposed to be in Lawrence, Kansas, but we ended up being in virtual Lawrence, Kansas.
Tom Temin: Yeah, I don’t know which is better in Lawrence, Kansas. But with respect to attendance, do you find what other conferences find that instead of getting scores or hundreds, you get tens of thousands because anyone can go?
Adam Tagert: Well, one of the benefits is our sponsorship has allowed us to waive registration fees, so anyone can participate for free. Traditional attendance was about 150 people. Last year, we had 430 attendees in the virtual setting. And so far this year, we’re over 550 registered attendees.
Tom Temin: Yeah. So it’s almost tempting to never go back to in person because there’s no lunch to be served, no airplane to be ticketed. But another question I had too, with respect to the topics, again, is the security clearance process. And there’s a RAND study just out on maybe ways to update the criteria for security clearance, given the millennial age and the younger people coming in potentially to the federal and contractor workforce. Does the science of security include how do we evaluate people in a way that gives some higher degree of confidence that they can be trusted?
Adam Tagert: So for the science for security program, we don’t actually look at the security aspect of how people are evaluated for clearances, we’re really looking at the cyber aspect. So an expert in those areas would probably have a better idea of how to evaluate somebody.
Tom Temin: Okay, well we’ll just hope the people that get these secrets in their hands can keep them, but that’s a conference of another sort, I guess. And looking to the conference, which is taking place next week, what are the grand challenges? Does it look in those terms at what are the big challenges for cybersecurity in the science realm? What’s the next big frontier?
Adam Tagert: So we’re actually having a discussion on what are the next challenges for the science security for the 2020s. We opened an open call for ideas and we have 45 topics to discuss during the conference on it. Obviously, human behavior aspects of it are going to be a key component of the challenges. How to have resilient computers so that they can continue to operate even after we compromised. Because saying, I received the compromise, I’m going to turn off all my systems and build it over is not a realistic solution. Metrics, how to value of what device or software is more secure than others. And those are just some of the ideas that we have been working on and probably will continue to be working on for the hard challenges.
Tom Temin: And what is involved with attending if someone would like to? Can you just do it online?
Adam Tagert: You can do it online. There are no apps or anything to install, you just go to the NSA website to find the article on HotSOS. Or you can visit the HotSOS website at sos-vo.org.
Tom Temin: Adam Tagert is a security science researcher at the National Security Agency. Thanks so much for joining me.
Adam Tagert: Thank you.