Thursday, December 19, 2019

NSF releases JASON report on research security with CUI finding

NSF recently released the JASON report on research security. Quoting Wikipedia, “JASON is an independent group of elite scientists which advises the United States government on matters of science and technology, mostly of a sensitive nature.”

Much of this report focuses on research integrity, that is the “objectivity, honesty, openness, fairness, accountability, and stewardship” of research. For research with confidentiality needs, cybersecurity has a role to play in research integrity, by protecting research such as intellectual property from being unfairly accessed. For open research, cybersecurity still has a large role in assuring data integrity: “the assurance of the accuracy and consistency of data over its entire life-cycle,” which is a small, but critical, part of research integrity and reproducibility.

In that context, this report contains a finding and discussion on CUI and research security:
8. Universities have mechanisms to handle Controlled Unclassified Information (CUI) under existing categories, such as HIPAA, FERPA, Export control, and Title XIII. CUI protection is difficult, but suited to these tasks, however it is ill-suited to the protection of fundamental research areas.

This finding is further discussed in Section 4.2, which concludes with the following statement:
Given the current state of affairs, JASON cannot recommend adoption of a CUI mechanism to secure additional categories of information generated by U.S. universities, beyond those currently covered by applicable laws designed to protect personal information (e.g., HIPAA, GINA, FERPA, Title 13, etc.). Rather, the general principle of creating high walls, i.e., classification, around narrowly defined areas should be adhered to, minimizing conflicts that might adversely affect U.S. open science practices.

A challenge we know many in the community face is internal pressure for all of research cybersecurity to shift to CUI. Trusted CI believes careful consideration is needed to select appropriate cybersecurity based on science mission, and agrees with the JASON report that CUI is not suitable for all research, including a fair amount of NSF-funded research. Trusted CI suggests approaches such as Trusted CI’s Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and the emerging Trusted CI Framework are better suited.  We hope this report provides valuable input for ongoing discussions some of you may be having.

Wednesday, December 18, 2019

Trusted CI Webinar Series: Planning for 2020, review of 2019

The 2019 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics and speakers have been booked in 2020 so far:
(Webinars are scheduled the 4th Monday of the month at 11am Eastern time.)
  • February 24: FABRIC: Adaptive programmaBle networked Research Infrastructure for Computer science
  • March 23: End-to-End Performance and Security Driven Federated Data-Intensive Workflow Management
  • April 27: Secure Data Architecture: Assured Mission Delivery Network Framework for Secure Scientific Collaboration
  • May 18: The Tommie Science Network
  • June 22: The Engagement and Performance Operations Center (EPOC)
  • August 24:  Researcher Passport
  • October 26: RDP: Enforcing Security and Privacy Policies to Protect Research Data
  • December: Data Integrity, with Trusted CI
We are in the process of booking the remaining spots.  See our call for presentations for more information.

In case you missed them, here are the webinars from 2019:
  • January: The Research Security Operations Center (ResearchSOC) with Von Welch and RSOC leadership team (Video)(Slides)
  • February: Anticipatory Cyber Defense via Predictive Analytics, Machine Learning and Simulation by Shanchieh (Jay) Yang (Video)(Slides)
  • March: The NSF CC-DNI SecureCloud Project: Autonomic Cybersecurity for Zero Trust Cloud Computing with Casimer DeCusatis (Video)(Slides)
  • April: REED+: A cybersecurity framework for research data at Purdue University with Preston Smith (Video)(Slides)
  • May: Deployable Internet Routing Security with Amir Herzberg (Video)(Slides)
  • June: The Trusted CI Framework: Toward Practical, Comprehensive Cybersecurity Programs with the Trusted CI team (Video)(Slides)
  • July: Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Policy with Jason Waterman (Video)(Slides)
  • August: Integrity Protection for Scientific Workflow Data: Motivation and Initial Experiences with Anirban Mandal and Mats Rynge (Video)(Slides)
  • September: Jupyter Security at LLNL with Thomas Mendoza (Video)(Slides)
  • October: Trends in Global Privacy: GDPR One Year Later with Scott Russell (Video)(Slides)
  • December: DDoS Defense in Depth for DNS: Project Overview and Early Results with John Heidemann and colleagues (Video)(Slides)
Join CTSC's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations is available on our YouTube channel.

Monday, December 16, 2019

Trusted CI visits US ARF vessels

The United States Academic Research Fleet (ARF) consists of 18 research vessels organized by the University-National Oceanographic Laboratory System (UNOLS). These ships belong to different classes of vessels, from large Global Class vessels to smaller Coastal Class vessels, and are owned variously by NSF, the US Navy, and the operating institutions themselves. As part of the Trusted CI engagement with ARF, the five-member Trusted CI engagement team traveled to the ports where the ships were docked to better understand and observe issues that affect the security of their cyberinfrastructure. Since it was not possible for Trusted CI to visit all 18 ships, the team decided to see one ship from each vessel class and also took advantage of opportunities that coincided with other travel in order to reduce costs. The observations captured by the team during these trips will be used in the final report to ARF and its stakeholders.

R/V Sikuliaq
Date of Visit: 8 October 2019
Class: Global Class
Owner: NSF
Operating Institution: University of Alaska Fairbanks

R/V Robert Gordon Sproul
Date of Visit: 14 October 2019
Class: Coastal Class
Owner: University of California
Operating Institution: Scripps Institution of Oceanography

R/V Neil Armstrong
Date of Visit: 7 November 2019
Class: Ocean Class
Owner: Navy
Operating Institution: Woods Hole Oceanographic Institution

R/V Endeavor
Date of Visit: 8 November 2019
Class: Ocean Class
Owner: NSF
Operating Institution: University of Rhode Island

The team would like to thank all of the vessels’ captains, crews, operating institutions and ARF staff for facilitating our visit to the ships. These visits have played a major role in helping us to make recommendations to improve the cybersecurity of the fleet.

Monday, December 9, 2019

Trusted CI Incident Response Report 2019-10-02_01

As I discussed during my presentation at the NSF Cybersecurity Summit in October, Trusted CI inadvertently exposed an embargoed engagee report earlier this year. Our first time doing incident response as a project also revealed some weaknesses in our response planning that could have been problematic for a more serious incident.

With the approval of the impacted engagee, we are now making public our internal report on the incident and our plans to improve. Please find the URL to the report at the bottom of this blog post.

The community’s trust in us is paramount and we hope this transparency helps you maintain that trust in us. We welcome questions and suggestions.

Von Welch, Trusted CI Director

Trusted CI Incident Response Report 2019-10-02_01
Available at

Report Summary
A Trusted CI engagement report with the Singularity team at Sylabs was inadvertently published prematurely due to miscommunication within the Trusted CI team. A secondary leak was discovered in the resume of a Trusted CI team member and weaknesses were discovered in the incident response process of Trusted CI. This report describes these events and the steps Trusted CI took in responding. An analysis of those events follows along with a set of planned remediations by Trusted CI to avoid a future incident and strengthen Trusted CI’s incident response processes.