Archive for December, 2010

JASON report on the Science of Cyber-Security

Monday, December 20th, 2010

The DoD-sponsored JASON study group was asked to consider the question of whether there is a ‘science’ to cyber-security or if it is fundamentally empirical. They released an 88-page report last month, Science of Cyber-Security with the following abstract:

“JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. Our study identified several sub-?elds of computer science that are specifically relevant and also provides some recommendations on further developing the science of cyber-security.”

The report discusses to general technical approaches to putting cyber-security on a scientific foundation. The first is based on the standard collection of frameworks and tools grounded in logic and mathematics such as cryptography, game theory, model checking and software verification. The second is grounding cyber-security on a model based on an analog to immunology in biological systems.

It concludes with some observations, recommendations and responses to nine questions that were included in their charge. One interesting observation is that cyber-security, unlike the physical sciences, involves adversaries, so its foundation will use many different tools and methods. A recommendation is that the government establish cyber-security research centers in universities and other research organizations with a “long time horizon and periodic reviews of accomplishments”.

Tech Council of MD CyberMaryland Forum, Wed AM 12/08/2010

Friday, December 3rd, 2010

The Tech Council of Maryland is the state’s largest technology trade association and has more than 500 members. It is sponsoring a series of meetings on cyber security:

“Understanding that the conversation about cyber security needs to continue among all stakeholders, the Tech Council of Maryland is moving its CyberMaryland Forum throughout the state. The Forum is open to anyone with an interest in the cyber security industry.”

The next CyberMaryland Form meeting will be held this coming Wednesday morning at UMBC:

“The next meeting of the CyberMaryland Forum will be held on Wednesday December 8, 2010 from 8:30 to 11:30 am at the University of Maryland, Baltimore County. Our content will cover the latest developments in the state’s initiative to be the “Epicenter for Information Security and Innovation”, the development of the UMBC/Northrop Grumman Cyber Incubator program to help grow fledgling cyber security companies and other hot topics in the cyber security industry. To learn more about the CyberMaryland Forum, contact Mark Glazer at 240-243-4045 or

The Tech council encourages UMBC faculty, staff and students to participate and is waiving the registration fee for the UMBC community. The meeting will be held in the main conference room at UMBC’s South Campus Technology Center at 1450 South Rolling Road.

FTC proposes a do not track privacy mechanism

Wednesday, December 1st, 2010

Today the FTC released a preliminary staff report that proposes a “do not track” mechanism allowing consumers to opt out of data collection on online searching and browsing activities. The FTC report says that industry self-regulation efforts on privacy have been “too slow, and up to now have failed to provide adequate and meaningful protection.”

“To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Such protections include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. … Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. … One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. Consumers and industry both support increased transparency and choice for this largely invisible practice. The Commission recommends a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The most practical method would probably involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads.”

The full text of the 120-page report, Protecting Consumer Privacy in an Era of Rapid Change — a proposed framework ofr businesses and policymakers is available online.