IU Center for Applied Cybersecurity Research - 2020 CACR annual report by Indiana University IT Communications Office

2020 CACR ANNUAL REPORT January 1–December 31, 2020

Cybersecurity leadership in a time of COVID

FROM THE DIRECTOR Dear friends of the Center for Applied Cybersecurity Research, When we think back on 2020, we will recall it as the year of COVID-19, working from home, masks and hand sanitizer, and countless Zoom meetings. We will also recall it as a year in which the cybersecurity threat to research and education escalated dramatically. In May, the Wall Street Journal quoted the FBI and the Cybersecurity and Infrastructure Security Agency—the cyber wing of the Department of Homeland Security—that Chinese state actors were targeting American universities and pharmaceutical and other health-care firms in a bid to steal intellectual property related to coronavirus treatments and vaccines, and that the intrusions may be jeopardizing progress on medical research. Ransomware attacks also stalked higher education and research with at least 30 colleges and school districts becoming victims in the first five months of 2020.

TABLE OF CONTENTS

Known ransom payments exceeded $3.1M, and in June, the University of California

4 About CACR

Against the backdrop of the global pandemic and its new rules, limitations,

5 The IU cybersecurity community

San Francisco School of Medicine paid a $1.14M ransom.

and threats, the CACR team and the organizations it leads continued to excel, progressing the work of enhancing cybersecurity for the nation, the state of Indiana, and Indiana University. Trusted CI pivoted to provide needed information on reducing the risk of ransomware attacks, held a COVID-19 issue-centric

6 2020 highlights 8 Leading the nation in cybersecurity

town hall, and offered priority support to projects supporting COVID-19-related research. The Research Security Operations Center (ResearchSOC) began onboarding three National Science Foundation (NSF) major facilities. The Principles-based Assessment for Cybersecurity Toolkit (PACT) team delivered their cybersecurity assessment in collaboration with Naval Surface Warfare

14 Leading Indiana to a more secure future

Center, Crane Division (NSWC Crane) and U.S. Coast Guard to the Virginia

16 Leading IU to help drive discovery

election cybersecurity training in advance of the 2020 elections, with officials

20 CACR leadership team, staff, and fellows

International Gateway terminal. The state of Indiana engaged CACR to provide from 32 counties participating. The newly launched SecureMyResearch team engaged over 90 IU research projects, while CACR staff led outreach efforts to IU students, faculty, and staff to combat Zoombombing.

CACR staff and UITS employees worked hard to meet this year’s challenges and provide crucial cybersecurity support for the nation, state of Indiana, and Indiana University.

CACR’s work also continued to catalyze collaborations across IU. Most notably,

IU OVPIT, an extensive list of partner universities, and IU’s researchers and

CACR facilitated IU obtaining a $2.25M CyberCorps Scholarship for Service

operational cybersecurity staff.

award, a collaboration between the Luddy School of Informatics, Computing, and Engineering; University Information Technology Services (UITS); Kelley School

I cannot speak highly enough about the members of CACR’s staff. They

of Business; and Maurer School of Law. The award will provide students with

delivered results that would be remarkable in ordinary times; during this year,

internship opportunities in CACR, UITS Information Security, and the OmniSOC.

their performance was simply extraordinary.

Other collaboration examples abound. The ResearchSOC award pulls together IU operational cybersecurity expertise with faculty from the Luddy School.

As we look to 2021 and beyond, we see a changed world with new challenges

The PACT project draws on expertise from the IU School of Education. CACR’s

and new opportunities. I am proud of CACR’s accomplishments and confident

collaboration with the Maurer School exposes law students to legal issues in

that our service and leadership will meet those challenges and take advantage

the cybersecurity domain. The new SecureMyResearch project, supported

of those opportunities, and so present our 2020 Annual Report.

jointly by the IU Office of the Vice President for Information Technology (OVPIT) and the IU Office of the Vice President for Research (OVPR), catalyzes research with cybersecurity and compliance requirements across IU. The CACR Fellows program reaches across five IU schools, IUPUI, and beyond.

Von Welch Director, CACR

In this challenging year, we relied on the collaboration and support of our

Executive Director for Cybersecurity Innovation

many partners, Fellows, and supporters for our success. These include the

Associate Vice President, Information Security

NSF, NSWC Crane, the Department of Homeland Security, IU OVPR,

Indiana University

ABOUT CACR

CACR’s mission is to provide people with the knowledge and skills they need to manage cybersecurity risks in complex, challenging environments where standard cybersecurity practices do not suffice. It does so through a combination of thought leadership, applied research, training and education, operational services, and extensive interdisciplinary collaboration.

Founded in 2003, CACR is Indiana University’s flagship center for cybersecurity, serving as an integrator for research across the university’s different schools and organizations. CACR is distinctive in addressing cybersecurity from a comprehensive, multidisciplinary perspective. CACR draws on IU’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, and public policy, as well as the extensive practical cybersecurity experience of its operational units. CACR is the only university-level center in the country that involves legal, policy, economic, and behavioral research, along with operational and technical expertise. CACR is a research center affiliated with the Pervasive Technology Institute (PTI) at Indiana University. PTI consists of seven centers and two labs and focuses on improving the quality of life in the state of Indiana and the world through novel research, innovation, and service delivery in information technology and informatics.

Exemplars of CACR work

National National

Trusted CI Leadership for the NSF cybersecurity ecosystem Trusted CI Leadership for the NSF cybersecurity ecosystem ResearchSOC Cybersecurity services for the nation’s greatest research ResearchSOC Cybersecurity services for the nation’s researchAssessment PACT The greatest Principles-based for Cybersecurity Toolkit for assessing PACTthe The Principles-based Assessment toughest cybersecurity problems for Cybersecurity Toolkit for assessing PATh Advancing the nation’s campuses the toughest cybersecurity problems and science communities by bringing the Center for High Throughput PAThtogether Advancing the nation’s campuses Computing and the Open Science Grid and science communities by bringing together the Center for High Throughput Computing and the Open Science Grid

E e f 2

S f

THE IU CYBERSECURITY COMMUNITY IU has taken a leadership role addressing difficult cybersecurity challenges through its unique operational, research, academic, and workforce development initiatives. CACR is a proud member of the university’s cybersecurity community, which includes:

State State State Election security Preparation for for Election security Preparation

Indiana University Indiana University Indiana University Executive director forfor cybersecurity innovation Executive director cybersecurity innovation

election officials in all Indiana counties election officials in 92 all 92 Indiana counties Election security Preparation forrelated for for cybersecurity incidents related to the cybersecurity incidents to the election officials inelection allelection 92 Indiana counties 2020 general andand beyond 2020 general beyond for cybersecurity incidents related to the 2020Security general election and beyond DayDay Matters cybercamps camps Security Matters cybercamps camps for for K8+ focusing on on all things cybersecurity K8+ focusing all things cybersecurity Security Matters cybercamps Day camps for K8+ focusing on all things cybersecurity

(EDCI) Leveraging IU’sIU’s cybersecurity strengths (EDCI) Leveraging cybersecurity strengths to Executive director for cybersecurity innovation to address challenges faced nation address challenges faced across across the the nation and and (EDCI) Leveraging cybersecurity strengths to expanding thethe roleIU’s of CACR expanding role of CACR address challenges faced across the nation and expanding the role of CACR SecureMyResearch Reducing thethe cybersecurity SecureMyResearch Reducing cybersecurity burden on on researchers while enhancing research burden researchers while enhancing research SecureMyResearch Reducing the cybersecurity data security at IU data security at IU burden on researchers while enhancing research HIPAA compliance Providing oversight of HIPAA data security at IU HIPAA compliance Providing oversight of HIPAA compliance for for OVPIT systems compliance OVPIT systems HIPAA compliance Providing oversight of HIPAA ASSERT: AI-enabled cybersecurity Leading a Yang/RIT) ASSERT: cybersecurity (S. Jay compliance forAI-enabled OVPIT systems team evaluating a research prototype application Leading a team evaluating a research prototype (Ahmet Okutan and S.OmniSOC Jay Yang at Rochester application for IU's security operations center ASSERT: AI-enabled cybersecurity (S. Jay Yang/RIT) Institute of Technology) IU's OmniSOC security Leading a team evaluatingfor a research prototype operations application forcenter. IU's OmniSOC security operations center

• • • • • • • • • • •

OmniSOC GlobalNOC Trusted CI ResearchSOC REN-ISAC Luddy School of Informatics, Computing, and Engineering Kelley School of Business Maurer School of Law Ostrom Workshop University Information Policy Office University Information Security Office

It is these programs, and their extensive collaborations, that have made IU an acknowledged “quiet powerhouse” in cybersecurity for higher education and research. Led by Rob Lowden, vice president for information technology and CIO, IU operates one of the most advanced cyberinfrastructures of any university in the world.

KEY NUMBERS

$93.9M in lifetime regional economic impact $44.7M in lifetime award dollars $82.5M in NSF research utilizing CACR Research Cybersecurity as a Service $31M / 90 projects in IU research engaged by SecureMyResearch 43 IU groups provided Zoombombing prevention consultation 32 Indiana county officials trained in election security 3 NSF major facilities onboarded to ResearchSOC 5

2020 HIGHLIGHTS 1

Trusted CI offered priority support to COVID-19 science projects, produced blog posts relevant to working from home and increased Zoom use, and hosted a virtual town hall to discuss the pandemic’s impact on the NSF community.

ResearchSOC onboarded three NSF facilities: the National Radio Astronomy Observatory, GAGE/UNAVCO, and the Gemini Observatory.

CACR led anti-Zoombombing outreach efforts to IU student groups and faculty.

SecureMyResearch engaged 90 research projects, providing consulting and ready-made cybersecurity solutions to accelerate research.

The PACT team completed a cybersecurity assessment with NSWC Crane and the U.S. Coast Guard of the Virginia International Gateway terminal.

8 9 8

CACR Director and IU Executive Director for Cybersecurity Innovation Von Welch was appointed acting associate vice president for Information Security (now permanent) and executive director of the OmniSOC.

CACR led an IU team of cybersecurity professionals in training Indiana county election officials to secure the 2020 election (image from December 2019). CACR supported the cybersecurity community’s virtual conference efforts by sponsoring online “booths” at key conferences. CACR was selected to provide a team to secure a $22.5M NSF initiative to advance distributed high throughput computing (dHTC) as part of the Partnership to Advance Throughput Computing (PATh). CACR launched two new initiatives: Virtual Cybersecurity Services and Executive Education Cybersecurity for Leaders (C4L).

LEADING THE NATION LEADING THE NATION IN CYBERSECURITY IN CYBERSECURITY CACR continued its ongoing leadership in protecting the cybersecurity of more than $7B in NSF-funded research. CACR is the lead organization for Trusted CI, in collaboration with the National Center for Supercomputing Applications, the Pittsburgh Supercomputing Center, Internet2, Lawrence Berkeley National Laboratory (Berkeley Lab), and the University of Wisconsin–Madison. CACR also leads the ResearchSOC, collaborating with the Pittsburgh Supercomputing Center, Duke University, and the University of California San Diego.

Trusted CI: The NSF Cybersecurity Center of Excellence Now in its eighth year of service, Trusted CI has been at the forefront of the NSF research community in building a set of technical, policy, and cultural best practices necessary to ensure the security of that infrastructure and ensure the trustworthy nature of the science it produces. Trusted CI has now impacted over 400 NSF projects through its webinars, engagements, and other activities. In 2020, CACR’s Kelli Shute accepted the role of Trusted CI executive director to ensure CACR’s broad team of experts continues to move forward in an effective and coordinated manner.

View the Trusted CI Annual Report at:

go.iu.edu/3wcH Trusted CI has impacted NSF projects across the nation.

NSF Cybersecurity Summit: Promoting collaboration to improve cybersecurity As the lead organization for Trusted CI, CACR hosted a virtual version of the annual NSF Cybersecurity Summit. Two hundred and eighty-seven individuals attended, representing 142 NSF projects and 16 of the 20 NSF Large Facilities. The total attendance includes a significant increase in student participation, with 27 students attending, up from 10 in 2019. The NSF summit promoted a platform where communities interested in supporting NSF science projects collaborated to address core cybersecurity challenges. In 2020, Kate Starbird, assistant professor of human centered design and engineering, University of Washington, presented the keynote speech, “Disinformation During Crisis Events: The Perfect Storm of COVID-19 and the 2020 Election.”

PACT: Addressing the most demanding environments The Principles-based Assessment for Cybersecurity Toolkit (PACT) is a tool for assessing the toughest cybersecurity problems. CACR chief policy analysts developed the tool in collaboration with NSWC Crane. As a naval installation, Crane uses technologies that many would consider atypical, and which require custom cybersecurity solutions. Such was the case with the Virginia International Gateway terminal, a high-throughput, high-automation facility. The PACT team delivered their final report for the engagement with the Virginia International Gateway in 2020. In collaboration with the United States Coast Guard, the team incorporated Lieutenant Commander Michael DeVolld, Coast Guard Cyber Command, into the assessment team and received report feedback from eight offices. The team also used encrypted video teleconferences, the Federal Risk and Authorization Management Program cloud environment, and on-site meetings to facilitate discovery.

ResearchSOC: Delivering cybersecurity services to the nation’s greatest research

PACT team at Virginia International Gateway (VIG) terminal before the pandemic

In 2020, ResearchSOC was fully engaged in onboarding its first clients,

Concluding the SWAMP engagement

the National Radio Astronomy Observatory (NRAO), the Geodetic

In 2020, CACR concluded its work with the Morgridge Institute for Research and

Facility for the Advancement of Geoscience (GAGE) facility, and the

the University of Wisconsin on the Software Assurance Marketplace (SWAMP).

Gemini Observatory. The developing relationship has led to agreement

Funded by the Department of Homeland Security, the SWAMP project was

for a CISO advisory for NRAO and exploration of virtual cybersecurity

built and executed on the foundation of a commitment to the goal of promoting

teams for two others.

effectiveness and adoption of software assurance. The project pioneered the concept of “continuous software assurance” and followed a multipronged approach

Launched in October 2018, ResearchSOC is unique in the world—it is the only

to create an open source, portable, continuous assurance platform that addressed

organization with the mission to provide operational cybersecurity services

the needs of an evolving ecosystem of software assurance practices. Targeting

to NSF-funded facilities and projects, while at the same time seeking to

software developers, tool developers, educators and researchers, the project created

further research in cybersecurity. Funded by a $5M award from the NSF,

an open platform that demonstrated the power of continuous software assurance.

ResearchSOC helps make scientific computing resilient to cyberattacks

The SWAMP public facility and SWAMP-in-the-Box software provided a working

and capable of supporting trustworthy, productive research. CACR leads

blueprint for the architecture and functionality of a continuous assurance capability

this collaborative effort that brings together existing cybersecurity services

with the ability to be fully integrated into the software development life cycle. The

and expertise from Indiana University, including the OmniSOC and the

SWAMP project brought the power of hands-on, continuous software assurance to

Research and Education Networks Information Sharing and Analysis

individual developers, small development groups, classrooms, and training sessions

Center (REN-ISAC); Duke University; the Pittsburgh Supercomputing

that would not have otherwise been able to access such resources without being in

Center; and the University of California San Diego.

large organizations with well-established software assurance programs.

ResearchSOC clients GAGE facility, NRAO, and Gemini Observatory

Providing research cybersecurity as a service

OSG, IRIS-HEP, and PATh

Leveraging its experience in providing virtual cybersecurity leadership,

The Open Science Grid (OSG), the Institute for Research and Innovation in

expertise, and consulting for scientific research projects, CACR expanded

Software for High Energy Physics (IRIS-HEP), and the Partnership to Advance

its portfolio of research “cybersecurity as a service” clients. CACR provided

Throughput computing (PATh) are a set of three closely related research

cybersecurity leadership and consulting services to the following projects by

computing projects that have turned to CACR to provide a single security team

serving as the projects’ chief information security officers or as cybersecurity

across the projects to protect their security while supporting the tight integration

consultants providing input on best practices.

of services. PATh brings together the Center for High Throughput Computing and the OSG to advance the nation’s campuses and science communities through

Custos

the use of distributed high throughput computing. The OSG facilitates access to

The Custos project, a collaboration within PTI and led by PTI’s

distributed high throughput computing for research in the U.S. and worldwide.

Cyberinfrastructure Integration Research Center (CIRC), provides an

IRIS-HEP serves as an active center for software R&D and transforms the

innovative integration of major security capabilities needed by science gateways.

operational services required to ensure the success of the Large Hadron Collider.

These include identity management, secrets management for third-party resource integration, and group and sharing management for securely controlling permissions and broader access to the digital object science gateways.

IRIS (RENCI) CACR continued its partnership with RENCI on the Integrity Introspection for Scientific Workflows (IRIS) project. IRIS automatically detects, diagnoses, and

ImPACT

pinpoints the source of unintentional integrity anomalies in scientific workflows

CACR is contributing its cybersecurity expertise to a three-year, $3M project

executing on distributed computing infrastructure. CACR is supporting IRIS

funded by the NSF. The Infrastructure for Privacy-assured CompuTations

through expert guidance on cybersecurity and privacy challenges. RENCI

(ImPACT) project, led by the Renaissance Computing Institute (RENCI),

is a partnership between the University of North Carolina–Chapel Hill,

will allow researchers to focus more fully on science by building a technology

Duke University, and the city of Durham, N.C. RENCI leads a project allowing

infrastructure that supports best practices in moving data, managing data,

scientists to share and analyze data across institutional boundaries. The three-

ensuring security, and preserving privacy.

year project was funded by a $3M NSF grant.

Facilitating the development of a cyberinfrastructure CoE

Piloting C4L

Building on its expertise leading the NSF Cybersecurity Center of Excellence,

Drawn from years of experience across multiple projects, the Cybersecurity

CACR is part of a team awarded a $3M grant to conduct a pilot study for

for Leadership (C4L) initiative is an executive education program designed

a potential Cyberinfrastructure Center of Excellence (CoE). The goal of

to provide senior leaders with both an executive-level understanding of

this pilot program is to develop a model for a full CoE that will serve the NSF

cybersecurity and a usable framework for evaluating and managing their

community in developing and operating the software and hardware systems

cybersecurity challenges. The program was piloted with officials from the

critical to the nation’s research.

United States Virgin Islands in late 2020 with feedback being incorporated

During 2020, the pilot team primarily worked with the National Ecological Observatory Network (NEON), an NSF major facility tracking ecological changes across North America. The pilot’s objective during this time was to make improvements to NEON’s operational cyberinfrastructure that would enable NEON to better serve the needs of the environmental research community. As a part of this broader effort, CACR staff assisted NEON in successfully developing and integrating a federated identity management solution for the portal, which is used by researchers to access the data collected by the various ground stations and sensor networks operated by NEON. Lessons learned during this effort will inform future work carried out by the pilot to help NSF projects solve cyberinfrastructure problems.

into 2021 planning.

Facilitating AI for cybersecurity research CACR led a team piloting evaluation of a research prototype application designed to highlight collections of indicators, such as alerts, which represent attacker behavior during different types of cyberattacks, including novel attacker behavior. The ASSERT application, a collaboration with Ahmet Okutan and S. Jay Yang at Rochester Institute of Technology, uses theoretical-based measures to perform unsupervised learning from intrusion alerts across platforms. Over time, the system learns to build attack models, which may prove valuable for identifying attacks, determining their potential impact, and predicting future attacker behaviors. CACR worked closely with OmniSOC to validate the methodology and test the research prototype for use at OmniSOC

Images above from left to right: Trusted CI town hall in March 2020, CI/CS workshop in August 2020, Trusted CI Fellows panel at NSF Cybersecurity Summit in September 2020, panel on cloud computing at CI/CS workshop

for applicability to SOC workflows. The project used only data OmniSOC aggregated from IU as an exploration of machine learning approaches.

Leading the national conversation CACR continued its leadership role in providing forums to further the exchange

The fourth Workshop on Trustworthy Scientific Cyberinfrastructure (TrustedCI@PEARC20)

of knowledge and ideas through hosting/co-hosting or conducting workshops

The Workshop on Trusted Scientific Cyberinfrastructure at PEARC20 provided

at key community events. Even as 2020 saw these events transition to a virtual

an opportunity for sharing experiences, recommendations, and solutions for

format, attendance and participation remained strong.

addressing cybersecurity challenges in research computing. It included a COVID19-focused presentation: “Analysis of attacks targeting remote workers and

NSF Summit on Cybersecurity and Cyberinfrastructure

scientific computing infrastructure during the COVID-19 pandemic at NCSA/

In its role as lead organization for Trusted CI, CACR hosted a virtual version of

UIUC.” Held as part of the virtual PEARC event, the workshop provided a forum

the annual NSF Cybersecurity Summit. There were 287 members in attendance

for information sharing and discussion among a broad range of attendees,

from 142 NSF projects and 16 of 20 NSF Large Facilities, including 27 students.

including cyberinfrastructure operators, developers, and users. The workshop featured six presentations with over 60 professionals attending.

The CI/CS Workshop: The Community Together ResearchSOC also co-sponsored and co-hosted the two-day “Cybersecurity and

Cybersecurity engagement in a research environment workshop

Cyberinfrastructure Workshop: The Community Together” with the Cyberinfra-

In December, ResearchSOC held a free workshop addressing the challenges

structure Center of Excellence Pilot project. Over 200 professionals attended.

of providing cybersecurity for research projects in higher education. The “Cybersecurity Engagement in a Research Environment” workshop was a

Trusted CI webinars

training and development opportunity for researcher-facing cybersecurity

In 2020, Trusted CI hosted nine talks with 245 total attendees across 51 NSF

professionals. These professionals are responsible for applying standard

projects, and over 700 total views.

security operations to the heterogeneous research ecosystem to develop research-specific cybersecurity approaches at their home institutions.

ResearchSOC webinars

Thirty-seven higher education security professionals attended the

Throughout the year, ResearchSOC sponsored six webinars addressing key

three-day virtual event.

cybersecurity operational issues, with over 400 total attendees.

LEADING INDIANA TO A MORE SECURE FUTURE In 2020, CACR continued to increase its engagement with the Hoosier state and the value it brings to it. CACR’s initiatives helped to prepare county election officials to secure the 2020 vote and educate Hoosier youth. CACR is also a driver for economic growth in south central Indiana and contributes to southeast Indiana’s job growth, both directly and indirectly. 14

Bringing resources to the Hoosier state CACR continues to be a leader in bringing financial resources to south central Indiana. Through CACR’s efforts, this year three awards were received or extended, totaling more than $441,000 of direct new grant funds. Additionally, CACR catalyzed and led IU’s successful efforts to secure the $2.25M CyberCorps student scholarship program award. Over its lifetime, CACR has brought more than $44.7M award dollars to the south central Indiana region. While methods of determining local economic impact vary, an IU Kelley School of Business estimate of the “ripple effect” is $2.10 of positive economic impact for every grant dollar spent, thus making CACR’s lifetime impact on the region more than $93.9M. Moreover, the Indiana Business Research Center at the Kelley School estimates that for every new job directly supported, an additional three jobs are created through ripple effects. With CACR’s growth to 22 employees, an estimated 66 new jobs have been created in the Bloomington and south central Indiana area to date.

Securing the Hoosier vote In collaboration with the Indiana secretary of state, CACR led an IU team that trained officials from 32 counties in developing and executing cybersecurity incident response plans and and playbooks for the 2020 general election. The team disseminated materials and held boot camps around the state for developing incident response plans. They also conducted training on media interaction. The effort included students through the IU Cybersecurity Clinic.

CACR and NSWC Crane: An ongoing partnership In 2020, CACR and NSWC Crane continued their ongoing partnership that was recognized with the re-signing of the cooperative research and development agreement (CRADA), a follow-on collaboration between NSWC Crane and CACR. The original agreement was executed in 2016. CACR and NSWC Crane continue to seek opportunities to increase collaboration and improve capabilities in the areas of software assurance and trusted artificial intelligence.

Conducting Security Matters Cybercamps In June 2020 and in partnership with the WonderLab Museum of Science, Health, and Technology in Bloomington, CACR held a virtual Security Matters Cybercamp for middle-school students. The two-day camp’s session topics included network security, cryptography, data forensics, website vulnerabilities, and more. CACR also co-hosted a virtual Security Collaboration Matters Cybercamp for college students with Indiana University’s Center of Excellence for Women & Technology.

Image at right: Security Matters Cybercamp went virtual this summer.

LEADING IU TO HELP DRIVE DISCOVERY 2020 saw CACR providing new opportunities and facilitating key projects to further the university’s research mission while serving as a key force in achieving IU’s strategic objectives.

Fulfilling IU’s strategic plan CACR continued to meet the challenge presented in IU’s Bicentennial Strategic Plan to “facilitate university-industry collaboration by identifying opportunities to work in areas such as cybersecurity with Indiana defenserelated institutions like NSWC Crane and the Indiana National Guard.” The center did so through the growth and maintenance of key partnerships and the completion of key projects, such as the PACT assessment provided to the Port of Virginia.

SecureMyResearch: Safer data, greater breakthroughs The 2020 SecureMyResearch effort provided IU researchers with consulting and resources to help them protect research data and comply with cybersecurity requirements in grants, contracts, and data use agreements. In 2020, SecureMyResearch conducted over 90 engagements, facilitating over $31 million in research projects. Securing research data, especially meeting new, stricter regulatory and other cybersecurity requirements, is becoming a challenge for both IU researchers and campus units that support research. To help them navigate this complex landscape, CACR, University Information Technology Services (UITS) Research Technologies, and Information Security within the IU Office of the Vice President for Information Technology are partnering to reduce the cybersecurity burden on researchers while enabling improved cybersecurity for IU research projects. SecureMyResearch leveraged

SecureMyResearch service website

the combined expertise of IU’s cybersecurity and compliance experts to weave data security and compliance into the institutional fabric, enhancing

Protecting the (virtual) exchange of ideas

both regulated and unregulated data security with a new, workflow-based

Student and faculty group meetings that moved online in response to the

security framework developed by CACR.

pandemic were subject to disruptive, crude, and malicious interference of their Zoom meetings—a practice known as Zoombombing. CACR led a collaborative

Enabling secure health research

outreach effort in response to multiple high-profile Zoombombing incidents at

In 2020, CACR continued to facilitate the HIPAA compliance effort

IU, providing proactive training for groups hosting publicly posted meetings.

for UITS. CACR worked with eight new UITS systems and brought seven

Work was done to publish, consolidate, and update information throughout

to completion, passing a rigorous institutional approval process that

IU on combating Zoombombing. This information was linked to in mass

CACR helped develop. The program leverages the NIST Risk Management

communications and provided directly to groups identified in outreach efforts.

Framework (RMF) and NIST 800-53 controls for comprehensivity and

Direct outreach was provided to 43 groups at IU, including student groups and

provides a single, reusable process for HIPAA and FISMA.

schools/departments.

Leading collaboration across IU CACR’s collaboration within PTI allows it to impact research computing broadly. CACR’s awards continue to build

CACR FELLOWS

collaborations across IU. The ResearchSOC award pulls together IU operational cybersecurity expertise with faculty from the Luddy School of Informatics, Computing, and Engineering. The Scientific Workflow Integrity with Pegasus (SWIP) project draws on Luddy’s cybersecurity expertise. The PACT project draws on the expertise from the School of Education. CACR’s Fellows program reaches across five IU schools, IUPUI, and beyond.

Facilitating new workforce development programs with CyberCorps CACR played a key role in supporting IU’s successful receipt of a $2.25M CyberCorps student scholarship program. CyberCorps is designed to recruit and train the next generation of cybersecurity professionals to meet the needs of federal, state, local, and tribal governments. The program provides scholarships for cybersecurity undergraduate and graduate (MS or PhD) education funded through grants awarded by the NSF. Plans for CACR CyberCorps internship opportunities in 2021 are in development.

Providing for-credit opportunities for Maurer students Initiated in 2018 as a collaboration between CACR and the IU Maurer School of Law, the CACR-Maurer Student Affiliates program provides law students pursuing the Maurer Cybersecurity Certificate opportunities to work with CACR’s legal experts for a semester, receiving one credit. The students’ research topics impact cybersecurity and/or privacy law, and develop deliverables (e.g., memos, whitepapers, presentations). Topics have included: the California Consumer Privacy Act (CCPA); export control law as applied to research science; and privacy concerns relating to artificial intelligence.

TOP: CACR Fellows represent a wide range of perspectives across IU and beyond. BOTTOM: Students at Luddy School of Informatics, Computing, and Engineering during the 2020-21 school year.

2020 CACR SPEAKER SERIES

cacr.iu.edu/events/speaker_series

The CACR Speaker Series brings cybersecurity experts from across the nation to present their current research and real-world experiences to IU faculty, staff, and students. This year’s series continued virtually. These presentations can yield some exciting collaborations that bring together faculty researchers, students, and even professionals from the private sector.

January 30 Bruce Schneier Securing a world of physically capable computers

February 13 Eva Galperin About the Electronic Frontier Foundation

March 5 Rachana Ananthakrishhnan Delivering secure and usable products for the research enterprise

August 27 Kristen Eichensehr The law and politics of cyberattack attribution

September 4 Barbara Simons Voting in the age of COVID-19

October 15 Jens David Ohlin Election interference: International law and the future of democracy

November 5 Duncan Hollis Defending democracies with cybernorms

CACR thanks its partners and co-hosts: Center of Excellence for Women & Technology; Kelley School of Business; Luddy School of Informatics, Computing, and Engineering; Maurer School of Law; and Ostrom Workshop.

AVERAGE ATTENDANCE (live/online)

110 19

CACR LEADERSHIP TEAM, STAFF, AND FELLOWS CACR’s chief asset is its knowledgeable and dedicated administration, staff, fellows, and students. CACR prides itself on the professional diversity of its staff, each with unique skills and experiences that

contribute to its expertise. CACR staff is made up of people from all disciplines, including computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, and public policy.

CACR LEADERSHIP TEAM CACR Director, IU Executive Director for Cybersecurity Innovation, and Associate Vice President for Information Security Von Welch has more than a decade of experience developing, deploying, and providing cybersecurity for private and public sector high-performance computing and distributed computing systems. Senior Project Manager Kelli Shute serves as executive director of Trusted CI and supports ResearchSOC and CACR’s election security engagement with the state of Indiana. She has more than 15 years of experience leading project teams, primarily in the private sector.

Program Director Craig Jackson focuses on information security program development and governance, cybersecurity assessment design and conduct, legal and regulatory impact on information security and cyber resilience, evidence-based security, and innovative defenses. Administrative Director Leslee Bohland has more than two decades of experience in management and accounting. Chief Security Analyst Susan Sons focuses on secure software engineering, ICS/SCADA security, operational security practice for research and development organizations, and security for legacy technologies in high-stakes applications. She serves as information security officer for Open Science Grid and deputy director of the ResearchSOC. Chief Security Analyst Mark Krenz focuses on cybersecurity operations, research, and education. He has more than two decades of experience in system and network administration and serves as the CISO for the ResearchSOC and deputy CISO of Trusted CI. Senior Security Analyst Anurag Shankar provides leadership in regulatory compliance (HIPAA, FISMA, and DFATS) and cybersecurity risk management. He has over two decades of experience in providing research computing services and building HIPAA-compliant solutions for biomedical researchers.

Images at left: Von Welch (1), Kelli Shute (2), Craig Jackson (3), Leslee Bohland (4), Susan Sons (5), Mark Krenz (6), Anurag Shankar (7)

CACR STAFF

Ishan Abhinit | Senior Security Analyst

CACR staff help manage the daily

Emily K. Adams | Principal Security Analyst | CACR CISO

operations of the center. CACR

Diana Cimmer | Events & Communications Manager

staff includes administrative,

Adrian Crenshaw | Senior Security Analyst

management, and external

Austin Cushenberry | IT Support Specialist

relations support, as well as

Josh Drake | Senior Security Analyst

security and policy analysts.

TRUSTED CI FELLOWS 2019 –20 Trusted CI Fellows empower members of the scientific community with basic knowledge of cybersecurity and the understanding of Trusted CI’s services, and then have them serve as cybersecurity liaisons to their respective communities.

Smriti Bhatt | Texas A&M University-San Antonio Shafaq Chaudhry | University of Central Florida Laura Christopherson | RENCI Tonya Davis | Alabama A&M University Luanzheng “Lenny” Guo | Pacific Northwest National Laboratory Matias Carrsco Kind | National Center for Supercomputing Applications Gabriella Perez | University of Iowa Jerry Perez | University of Texas at Dallas Aunshul Rege | Department of Criminal Justice at Temple University Chrysafis Vogiatzis | North Carolina A&T State University Songjie Wang | University of Missouri S. Jay Yang | Rochester Institute of Technology

FELLOWS AND KEY LIAISONS

Mark Bruhn | IU Assurance and Public Safety (retired)

CACR has more than a dozen

Fred H. Cate | IU Maurer School of Law

Fellows. Each one brings unique

Damir Cavar | IU College of Arts and Sciences, Department of Linguistics

insights and connections to the

Robert Cowles | Brightlite Information Security

center, allowing it to capitalize on

Rachel Dockery | IU Maurer School of Law

the interdisciplinary strengths of

Arjan Durressi | IUPUI Department of Computer and Information Science

IU and the broader community.

David P. Fidler | IU Maurer School of Law

Fellows represent a wide range of

Grayson Harbour | Faegre Baker Daniels LLP, Indianapolis

perspectives, including law, policy,

Daniel Hickey | IU School of Education

ethics, and informatics.

Apu Kapadia | IU Luddy School of Informatics, Computing, and Engineering

L. Jean Camp | IU Luddy School of Informatics, Computing, and Engineering

Asaf Lubin | IU Maurer School of Law Nicholas Multari | Pacific Northwest National Lab, Washington Steven Myers | Formerly of IU Luddy School of Informatics, Computing, and Engineering Scott Orr | IUPUI School of Engineering and Technology Sagar Samtani | IU Kelley School of Business Scott J. Shackelford | IU Kelley School of Business Robert Templeman | Naval Surface Warfare Center, Crane Division Joseph Tomain | IU Maurer School of Law XiaoFeng Wang | IU Luddy School of Informatics, Computing, and Engineering Xukai Zou | IUPUI Department of Computer and Information Science

OTHER IU CYBERSECURITY COMMUNITY MEMBERS

IU Office of the Associate Vice President for Information Security | informationsecurity.iu.edu GlobalNOC | globalnoc.iu.edu Hamilton Lugar School of Global and International Studies | hls.indiana.edu IU Cybersecurity Risk Management Program | cyberrisk.iu.edu Kelley School of Business | kelley.iu.edu Luddy School of Informatics, Computing, and Engineering | luddy.indiana.edu Maurer School of Law | law.indiana.edu OmniSOC | omnisoc.iu.edu Ostrom Workshop | ostromworkshop.indiana.edu REN-ISAC | ren-isac.net

2719 E. Tenth Street, Suite 231, Bloomington, IN 47408 (812) 856-0458 | cacr@iu.edu

cacr.iu.edu CACR is supported at Indiana University by the Office of the Vice President for Information Technology and the Office of the Vice President for Research. CACR is affiliated with the IU Pervasive Technology Institute. Additional support is provided by the National Science Foundation, Department of Defense, Department of Homeland Security, and the Indiana Secretary of State. This report, and all of CACR’s work, is supported by numerous units at Indiana University including the IT Communications Office, the Office of Research Administration, and UITS Finance and Human Resources.