Center for Applied Cybersecurity Research Annual Report FY2021 by Indiana University IT Communications Office

CENTER FOR APPLIED CYBERSECURITY RESEARCH

ANNUAL REPORT FY2021

TABLE OF CONTENTS

FROM THE DIRECTOR

About CACR

Dear friends of the Center for Applied Cybersecurity Research,

The IU cybersecurity community

We will recall 2021 as yet another year with the challenges of COVID-19, hybrid meetings, virtual events, and increasing cybersecurity threats. With these challenges in mind, the CACR team continued to excel, enhancing the practice of cybersecurity for the nation,

2021 highlights

the state of Indiana, and Indiana University. I am happy to present CACR’s 2021 Annual

Leading the nation in cybersecurity

Trusted CI, the Cybersecurity Center of Excellence for the National Science Foundation

Leading Indiana to a more secure future

Report. I include here some examples of CACR’s highlights in this report.

(NSF) led by CACR, has now impacted 547 NSF projects through its webinars, engagements, and other activities. Trusted CI published the Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators. Since its publication, the document has been downloaded more than 1,000 times and is being put into practice at

Leading IU to help drive discovery

some of the nation’s largest research organizations. The CACR-led Research Security Operations Center (ResearchSOC), which builds on the

CACR leadership team, staff, and fellows

IU-led OmniSOC, continued increasing the security of the research community with four NSF major facilities as customers. CACR performed security assessments using the Principles-based Assessment for Cybersecurity Toolkit (PACT) for the HathiTrust Research Center at IU and the NOIRLab NSF major facility. The CACR-led IU team completed its Indiana election security project in early 2021–an effort that trained more than 30 county officials across the state in developing and executing cybersecurity incident response plans and playbooks to provide election cybersecurity training in advance of the 2020 elections, with officials from 32 counties participating. The SecureMyResearch service, helping IU researchers with their cybersecurity

Click here for a fully accessible version of this report.

challenges, achieved rapid service adoption, and is providing support for a quarter of all IU faculty.

CACR organized the Security Speaker Series, with talks co-hosted with the Ostrom Workshop, the Kelley School of Business, the Center of Excellence for Women & Technology, the Maurer School of Law, and the Luddy School of Informatics, Computing, and Engineering. In partnership with WonderLab and IU’s Center for Excellence for Women & Technology respectively, CACR held two virtual Security Matters Cybercamps. One for middle and high school students was attended by 20 students from across five states, and one for non-STEM undergrads was attended by 16 students. This report contains details on these accomplishments and others by CACR’s staff. I am very proud of the professional diversity of our staff, each with unique skills and experiences that contribute to its expertise. I also recognize that collaboration with and support of our many partners, Fellows, and supporters are essential for our success. These include the NSF, NSWC Crane, the Department of Homeland Security, IU OVPR, IU OVPIT, an extensive list of IU schools and partner universities, and IU’s researchers and operational cybersecurity staff. As we look to 2022, we see new challenges and opportunities. I am proud of CACR’s accomplishments and confident that our service and leadership will continue to expand to meet those challenges and take advantage of those opportunities.

CACR Senior Project Manager Kelli Shute, CACR Director Von Welch, Indiana Secretary of State Holli Sullivan, and IU VP for IT and CIO Rob Lowden pose in front of Big Red 200

Von Welch Director, CACR Executive Director for Cybersecurity Innovation Associate Vice President, Information Security Indiana University

ABOUT CACR CACR’s mission is to provide people with the knowledge and skills they need to manage cybersecurity risks in complex, challenging environments where standard cybersecurity practices do not suffice. It does so through a combination of thought leadership, applied research, training and education, operational services, and extensive interdisciplinary collaboration. CACR is Indiana University’s flagship center for cybersecurity, serving as

assessing and negotiating data usage terms. To date, SecureMyResearch has

an integrator for research across the university’s different schools and

reached a resounding 460 researcher engagements in 100 departments.

organizations. CACR is distinctive in addressing cybersecurity from a comprehensive, multidisciplinary perspective. CACR draws on IU’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, and public policy, as well as the extensive practical cybersecurity experience of its operational units. CACR is the only university-level holistic cybersecurity center in the country, integrating legal, policy, economic, and behavioral research, along with operational and technical expertise. Recently CACR has played a larger role in the success of the IU research mission and the OmniSOC endeavor. With the support of the Vice President for Research, CACR launched the SecureMyResearch service in 2020. SecureMyResearch builds on CACR’s expertise in leading the NSF Cybersecurity Center of Excellence to provide bespoke consulting to IU’s research community in addressing the cybersecurity challenges of their research. It also serves as a resource to the Office of Research Administration during the pre-award phase of grants and contracts in

In 2020, CACR Director Von Welch assumed the role of executive director of the OmniSOC. Since then, OmniSOC’s clientele has expanded beyond its founding Big Ten members to include a number of NSF research institutions and small schools across the United States. This expansion was enabled by the addition of CACR’s virtual cybersecurity services to OmniSOC’s intrusion detection capabilities—key capabilities to make for a holistic cybersecurity service for small organizations. CACR continued to be affiliated with the Pervasive Technology Institute (PTI) at Indiana University and welcomed Dr. Beth Plale as its new executive director in the past year. PTI consists of six centers and two labs and focuses on improving the quality of life in the state of Indiana and the world through novel research, innovation, and service delivery in information technology and informatics. CACR collaborates with PTI to bring its operational cybersecurity expertise and broad community connections as competitive advantages to PTI proposals.

Exemplars of CACR work

About the Indiana University cybersecurity community

National

Trusted CI Leadership for the NSF cybersecurity ecosystem ResearchSOC Cybersecurity services for the nation’s greatest research PACT The Principles-based Assessment for Cybersecurity Toolkit for assessing the toughest cybersecurity problems

Indiana University has taken a leadership position addressing difficult cybersecurity challenges through its unique operational, research, academic, and workforce development initiatives. CACR is a proud member of the university’s cybersecurity community, which includes the OmniSOC security operations center for higher education

PATh Advancing the nation’s campuses and science

and research, the CACR-led NSF Cybersecurity Center of

communities by bringing together the Center for High

Excellence (Trusted CI), and Research Security Operations

Throughput Computing and the Open Science Grid

Center (ResearchSOC). These organizations’ information security activities alone deliver about $7.3 million in annual

State

Election security Preparation for e lection officials in all 92 Indiana counties for cybersecurity incidents related to the 2020 general election and beyond Security Matters cybercamps Day camps for K8+ focusing on all things cybersecurity

income—$4.4 million in the form of grant income and $2.9 million from OmniSOC and ResearchSOC services. The impact does not stop there, as the cybersecurity community is also home to invaluable organizations such as the Global Research Network Operations Center (GlobalNOC), Maurer School of Law, Kelley School of Business, Research and Education Networks Information

Indiana University

Executive director for cybersecurity innovation (EDCI)

and Analysis Center (REN-ISAC), the IU University

Leveraging IU’s cybersecurity strengths to address challenges

Information Policy Office, the IU University Information

faced across the nation and expanding the role of CACR

Security Office, the Ostrom Workshop, and the Luddy

SecureMyResearch Reducing the cybersecurity burden on researchers while enhancing research data security at IU

School of Informatics, Computing, and Engineering. It is these programs, and their extensive collaborations, that have made IU an acknowledged “quiet powerhouse”

HIPAA compliance Providing oversight of HIPAA compliance for

in cybersecurity for higher education and research.

OVPIT systems

Led by Rob Lowden, vice president for information

ASSERT: AI-enabled cybersecurity Leading a team evaluating a

technology and CIO, IU operates one of the most advanced

research prototype application (Ahmet Okutan and S. Jay Yang

cyberinfrastructures of any university in the world.

at Rochester Institute of Technology) for IU’s OmniSOC security operations center

leading.iu.edu 5

2021 HIGHLIGHTS

CACR’s SecureMyResearch achieved rapid service adoption and is providing support for a quarter of all IU faculty and counting.

CACR staff provided consulting to researchers in the Office of Research Administration on Department of Defense contracts that involve Controlled Unclassified Information (CUI).

CACR partnered with OmniSOC to introduce virtual cybersecurity services to OmniSOC member institutions.

Along with CyberCorps, CACR awarded an NSF supplement grant that will help IU train the next generation of AI and cybersecurity professionals via the Scholarship for Service program.

Along with Trusted CI, CACR hosted the first public annual NSF Cybersecurity Summit with more than 325 registrants.

The CACR Speaker Series hosted nine sessions with an average attendance of 45.

CACR conducted Principles-based Assessment for Cybersecurity Toolkit assessments for HathiTrust Research Center and NOIRLab.

In partnership with other universities, CACR led a workshop that aimed to produce a multicampus data collection and sharing infrastructure.

KEY NUMBERS

NSF major facilities served by ResearchSOC

in lifetime regional economic impact

researchers in IU research departments

served by SecureMyResearch

in lifetime award dollars

MORE THAN

1,000

downloads of the Trusted CI Framework Implementation Guide 7

LEADING THE NATION IN CYBERSECURITY CACR continued its ongoing leadership in protecting the cybersecurity of more than $8 billion in NSF-funded research. CACR is the lead organization for Trusted CI, in collaboration with the National Center for Supercomputing Applications, the Pittsburgh Supercomputing Center, Lawrence Berkeley National Laboratory (Berkeley Lab), the University of South Alabama, and the University of Wisconsin–Madison. CACR also leads the ResearchSOC, collaborating with the Pittsburgh Supercomputing Center, Duke University, and the University of California San Diego, and has a strong partnership with the OmniSOC, the shared security operations center for higher education and research.

The Vera C. Rubin Observatory, a program of NSF’s NOIRLab, under the lights of the Milky Way. NOIRLab is an early adopter of the Trusted CI Framework. Photo: Rubin Observatory/NSF/AURA/B. Quint

Now in its tenth year of service and third award, Trusted CI has been at the forefront of the NSF research community in building a set of technical, policy, and cultural best practices necessary to ensure the security of that infrastructure and the trustworthy nature of the science it produces. Trusted CI has now impacted 547 NSF projects through its webinars, engagements, and other activities. The Trusted CI Framework is one of the center’s flagship products and is the focus of several initiatives. The Framework sets out a reasonable minimum standard for cybersecurity programs. It consists of 16 “Musts” that represent the baseline for programmatic competency in cybersecurity and focuses on supporting organizational missions, governance, and resources, complementing existing frameworks that have a heavier focus on controls and the technological side of cybersecurity. 2021 was a big year for the Trusted CI Framework.

Framework Implementation Guide Trusted CI published the Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators. The FIG is an audience-specific deep dive for implementing the Framework’s 16 Musts. Since its publication, the document has been downloaded more than 1,000 times. In December, NSF

The TrustedCI Framework is built on four

updated its Research Infrastructure Guide to align with the Framework and directly references the FIG

pillars: Mission alignment, Governance,

as a cybersecurity resource for research infrastructure operators.

Resources, and Controls.

Adopting the Framework Trusted CI published updated tools and templates to help adopters align to the Framework, including a new template for a cybersecurity program strategic plan. Additionally, the center conducted an engagement with NSF’s NOIRLab, an early Framework adopter, focused on aligning to the Framework. Based on the success of this engagement, the center developed a new “cohort” engagement approach, allowing the team to scale Framework adoption and implementation among multiple NSF organizations simultaneously. The Framework and FIG have successfully reached institutions both within and beyond the NSF community, including institutions such as the National Defense University, the U.S. Coast Guard, the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC), the Cybersecurity and Infrastructure Security Agency, and the government of the U.S. Virgin Islands.

View the Trusted CI Annual Report go.iu.edu/4gYx 9

“Based on [CACR’s] recommendations, we have decided to revisit our cybersecurity strategy from the top down. . . . Thanks for all your efforts and in helping us take a different perspective.” Rich Ceci, senior vice president for technology and projects, Port of Virginia

OmniSOC: higher education’s only collaborative multi-state institution security operations center The OmniSOC is the shared security operations center for higher education and research. OmniSOC rapidly delivers only critical, actionable, high-quality alerts 24/7, allowing cybersecurity staff to focus on what’s important, at substantial cost savings, from a trusted leader in the higher education cybersecurity community. As the increasingly challenging demands of the cybersecurity landscape and the shortage of trained personnel have increased, CACR has responded to the community’s needs. In partnership with OmniSOC, CACR has provided virtual cybersecurity teams, ranging from a part-time security engineer to a full cybersecurity staff. OmniSOC member clients range from R1 universities to regional research and education networks to NSF facilities.

PACT: Addressing the toughest cybersecurity problems Principles-based Assessment for Cybersecurity Toolkit (PACT) cybersecurity assessments focus on mission success, not checklist compliance. When conducting a PACT assessment for a partner organization, CACR analyzes the organization as a whole, understanding that cybersecurity can be a burden or an enabler. The team delivers actionable recommendations for operational personnel and lays out strategic priorities for leadership. CACR partners use the assessment reports to guide their cybersecurity activities for years. In 2021, CACR conducted two PACT assessments: an in-depth assessment of cybersecurity programmatics at NOIRLab as well as a programmatic and The Port of Virginia on the Elizabeth River, Norfolk, Virginia

technical assessment of the HathiTrust Research Center.

2021 PACT ASSESSMENTS “Trusted CI has given us a framework, appropriate to our environment, with which to An in-depth assessment of cybersecurity programmatics at the

build our cybersecurity program. It allows us

National Optical-Infrared Astronomy Research Laboratory (NOIRLab), the preeminent U.S. national center for ground-based, nighttime optical and

to do this in a manner that balances scientific

infrared astronomy, using the Trusted CI Framework as the standard.

productivity against organizational risk in a cost effective manner.” John Maclean, NOIRLab director of Center Operations Services

A programmatic and technical assessment of the HathiTrust Research Center (HTRC), a collaborative research center launched jointly by Indiana University and the University of Illinois, along with HathiTrust, to help researchers solve technical challenges face when dealing with massive amounts of digital text.

Methodology The PACT methodology is collaborative and non-invasive. It was developed by CACR subject matter experts for the United States Navy and has been successfully applied in diverse operational environments. The methodology is based heavily on assessments conducted in 13 prior engagements through the NSF Cybersecurity Center of Excellence and the Navy. It has been proven by two congressionally funded, DoD-sponsored pilots, most recently at the Port of Virginia in collaboration with the United States Coast Guard. This latter assessment led to continued engagement with the Coast Guard, including an engagement with Rear Admiral Lower Half John Mauger and

“Kudos to whole CACR team for such a wellorganized report with many thorough analysis and insightful recommendations. HTRC leadership team is totally impressed and deeply grateful. Thank you!” Dr. Yu (Marie) Ma, associate director of Cyberinfrastructure and Operations for HTRC, Indiana University

a presentation to the membership of the MTS-ISAC. CACR has introduced assessment and programmatics work to Cybersecurity and Infrastructure Security Agency personnel and congressional staffers, Senator Braun’s staffers, and numerous DoD and Defense Industrial Base stakeholders.

Inside the Large Hadron Collider, Geneva, Switzerland

ResearchSOC: Delivering cybersecurity services to the nation’s greatest research In 2021, ResearchSOC grew to serve four NSF major

OSG, IRIS-HEP, and PATh

facilities, two of which have

The Open Science Grid (OSG), the Institute for

moved from grant-funded

Research and Innovation in Software for High

service to self-funded service. ResearchSOC has built upon its 24/7 monitoring

Energy Physics (IRIS-HEP), and the Partnership

and threat hunting, managed honeypot, and vulnerability scanning services

to Advance Throughput Computing (PATh) are a

with new capabilities, including incident response support, virtual CISOs,

projects that have turned to CACR to provide a single security team across

Research and development continue for new ways to serve NSF major facilities

the projects while supporting the tight integration of services. PATh brings

and other science organizations throughout 2022 and beyond.

together the Center for High Throughput Computing and the OSG to

Launched in October 2018, ResearchSOC is unique in the world: it is the only organization with the mission to provide operational cybersecurity services to NSFfunded facilities and projects, while at the same time seeking to further research in cybersecurity. Funded by a $5 million award from the NSF, ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. CACR leads this collaborative effort that brings together existing cybersecurity services and expertise from Indiana University, including the OmniSOC and REN-ISAC; Duke University; the Pittsburgh Supercomputing Center; and the University of California San Diego.

set of three closely related research computing

virtual cybersecurity teams, engineering support, and CISO advisory services.

advance the nation’s campuses and science communities through the use of distributed high throughput computing. The OSG facilitates access to distributed high throughput computing for research in the United States and worldwide. IRIS-H EP serves as an active center for software R&D and transforms the operational services required to ensure the success of the Large Hadron Collider.

Custos

Providing research cybersecurity as a service

The Custos project, a collaboration within PTI and led by PTI’s Cyberinfrastructure

Leveraging its experience in providing virtual cybersecurity leadership, expertise,

Integration Research Center (CIRC), provides an innovative integration of

and consulting for scientific research projects, CACR expanded its portfolio

major security capabilities needed by science gateways. These include identity

of research “cybersecurity as a service” clients, providing cybersecurity

management, secrets management for third-party resource integration, and

leadership and consulting services to these projects, with CACR team members

group and sharing management for securely controlling permissions and

serving as the projects’ chief information security officers or as cybersecurity

broader access to the digital object science gateways.

consultants providing input on best practices.

IRIS

Cybersecurity for Leadership (C4L) CACR continued its partnership with Renaissance

Targeted to both non-cybersecurity and cybersecurity leaders, the

Computing Institute (RENCI) on the Integrity

Cybersecurity for Leadership (C4L) curriculum begins with a half-day

Introspection for Scientific Workflows (IRIS)

bootcamp that provides practical tools to help organizational leaders play

project. IRIS automatically detects, diagnoses,

an effective role in cybersecurity oversight.

and pinpoints the source of unintentional integrity anomalies in scientific workflows executing on distributed computing infrastructure. CACR is supporting IRIS through expert guidance on cybersecurity and privacy challenges. RENCI is a partnership between the University of North Carolina–Chapel Hill, Duke University, and the city of Durham, North Carolina. RENCI leads a project allowing scientists to share and analyze data across institutional boundaries. The three-year project was funded by a $3 million NSF grant.

ImPACT CACR is contributing its cybersecurity expertise to a three-year, $3 million project funded by the NSF. The Infrastructure for Privacy-assured CompuTations (ImPACT) project, led by RENCI, will allow researchers to focus more fully on science by building a technology infrastructure that supports best practices in moving data, managing data ensuring security, and preserving privacy.

Drawn from years of experience across multiple projects, the C4L Bootcamp focuses on key cybersecurity program enablers of mission alignment, governance, resourcing, and controls based on the Trusted CI Framework. The training includes explicit detail on what leaders must do (and avoid) to evolve the cybersecurity program and organization’s culture. Additionally, the training introduces organizations to CACR’s Information Security Practice Principles as a tool to assist leaders with decision making, communication, and strategy. In 2020, CACR piloted C4L with the U.S. Virgin Islands. In early 2021, the team conducted a second and final pilot with Look Listen, a marketing firm. Additionally, CACR advertised C4L to a broad range of stakeholders through presentations, briefings, and announcements coordinated with IU’s AVP for Business Partnerships. In November—through the Indiana Economic Development Corp (IEDC) and Chief Executive Group—Craig Jackson and Scott Russell presented a portion of the C4L Bootcamp as a masterclass for smart manufacturing executives.

Facilitating AI for cybersecurity research CACR led a team piloting evaluation of a research prototype application designed to highlight collections of indicators, such as alerts, which represent attacker behavior during different types of cyberattacks, including novel attacker behavior. The ASSERT application, a collaboration with Ahmet Okutan and S. Jay Yang at Rochester Institute of Technology, uses theoretical-based measures to perform unsupervised learning from intrusion alerts across platforms. Over time, the system learns to build attack models, which may prove valuable for identifying attacks, determining their potential impact, and predicting future attacker behaviors. CACR worked closely with OmniSOC to validate the methodology and test the research prototype for use at OmniSOC for applicability to SOC workflows. The project used only data OmniSOC aggregated from IU as an exploration of machine learning approaches.

Leading the national conversation CACR continued its leadership role in providing forums to further the exchange of knowledge and ideas through hosting/co-hosting or conducting workshops at key community events. Even though 2021 continued with a strong virtual emphasis due to the pandemic, attendance and participation remained strong.

NSF Summit on Cybersecurity and Cyberinfrastructure In its role as the lead organization for Trusted CI, CACR hosted a virtual version of the annual NSF Cybersecurity Summit. Opened up to the public for the first time, the summit drew more than 325 registrants.

OmniSOC Lead Security Engineer Han Thazin Tun and CACR Principal Security Analyst Emily Adams represent IU at Women in Cybersecurity 2021 in Denver, Colorado

Engaging with Women in Cybersecurity (WiCyS) Led by CACR, Indiana University became a strategic partner of Women in Cybersecurity (WiCyS) in 2021 as part of its efforts to drive inclusion and diversity in the cybersecurity workforce. The strategic partnership augments IU’s ongoing support of the WiCyS annual conference, activities collectively supported by CACR, OVPIT, the Luddy School of Informatics, Computing, and Engineering, OmniSOC, the REN-ISAC, and the local IU WiCyS Student Chapter.

CISE Community Research Infrastructure Workshop In collaboration with colleagues at University of Virginia and George Washington University and with funding from the National Science Foundation, CACR co-led a workshop exploring how multi-campus data collection and sharing infrastructure could enable research by machinelearning cybersecurity and privacy researchers. This workshop explored use cases, sustainability and privacy, and operational cybersecurity concerns.

Trusted CI at PEARC21 participation Members of Trusted CI virtually presented a workshop on trustworthy scientific cyberinfrastructure and led a tutorial on security log analysis at the Practice and Experience in Advanced Research Computing (PEARC) conference.

Cybersecurity engagement in a research environment workshop In December, ResearchSOC held a free workshop addressing the challenges of providing cybersecurity for research projects in higher education. The “Cybersecurity Engagement in a Research Environment” workshop was led by CACR’s partners at the University of California San Diego. It was a training and development opportunity for researcher-facing cybersecurity professionals who are responsible for applying standard security operations to the heterogeneous research ecosystem to develop research-specific cybersecurity approaches at their home institutions. Forty higher education security professionals attended the three-day virtual event.

Trusted CI webinars In 2021, Trusted CI hosted 11 talks with 449 total attendees and more than 777 total views. In May, Trusted CI announced a podcast version of its webinar series that is now available on most podcast applications.

ResearchSOC webinars Throughout the year, ResearchSOC sponsored five webinars addressing key cybersecurity operational issues such as Framework implementation, vulnerability management, STINGAR and threat intelligence, Google Drive security, and ransomware.

Top: Michelle Mazurek participates in a Trusted CI webinar, “Investigating Secure Development In Practice: A Human-Centered Perspective.” Bottom: Ken Goodwin discusses vulnerability management during a ResearchSOC webinar.

LEADING INDIANA TO A MORE SECURE FUTURE In 2021, CACR continued to increase engagement and bring value to the Hoosier state. Introduced in Indiana’s Executive Council on Cybersecurity’s State of Cyber Report, CACR initiatives proved to be an integral piece in advancing the state’s leadership in cybersecurity. CACR is also a driver for economic growth in South Central Indiana and contributes to southeast Indiana’s job growth, both directly and indirectly.

Downtown Indianapolis along the White River

Securing the Hoosier vote The CACR-led IU team completed its election security project in early 2021–an effort that trained more than 30 county officials in developing and executing cybersecurity incident response plans and playbooks. Over the course of this initiative, the team disseminated materials and held bootcamps around the state for developing incident response plans. They also conducted training on media interaction. The effort was in collaboration with the Indiana Secretary of State and included students through the IU Cybersecurity Clinic.

Partnering with Indiana Economic Development Corp (IEDC) Indiana businesses are struggling with cybersecurity, and business leaders need sufficient cybersecurity knowledge to make sound decisions regarding cybersecurity priorities and investment. Through the IEDC and Chief Executive Group, CACR presented masterclasses for business leaders in 2021 and will continue to provide training specifically aimed at helping senior executives understand fundamental cybersecurity concepts, so that they can communicate, strategize, and make decisions.

CACR and NSWC Crane: An ongoing partnership CACR and NSWC Crane continue to work to improve capabilities in areas such as software assurance and trusted artificial intelligence. CACR established a working relationship with Crane’s new liaison to Indiana University, Alison Smith. In October, Program Director Craig Jackson presented a well-received session titled “Practical Cybersecurity” to the Department of Defense and Defense Industrial Base stakeholders. This presentation introduced CACR’s PACT assessments and C4L training.

Conducting Security Matters Cybercamps In June 2021 and in partnership with Wonderlab in Bloomington, Indiana, CACR held a virtual Security Matters Cybercamp for middle and high school students. The five-day camp session topics included network security, cryptography, data forensics, website vulnerabilities, and more and was attended

Top: The CACR-led IU team completed its election security project in early 2021 Bottom: An in-person Security Matters Cybercamp from a previous year

by 20 students from across 5 states. CACR also co-hosted a one-day in-person and virtual Security Collaboration Matters Cybercamp for college students with Indiana University’s Center of Excellence for Women & Technology.

LEADING IU TO HELP DRIVE DISCOVERY 2021 saw CACR providing new opportunities and facilitating key projects to further the university’s research mission while serving as a key force in achieving IU’s strategic objectives. SecureMyResearch’s rapid impact Securing research data has grown to be a major challenge for IU researchers and departments, especially meeting new and stricter regulatory cybersecurity requirements in grants, contracts, and data use agreements. To help researchers and other stakeholders who support research, in August 2020 IU launched SecureMyResearch, a service co-sponsored by the Offices of the Vice President for Information Technology (OVPIT) and the Vice President for Research (OVPR). SecureMyResearch marks the culmination of a decade-long effort that began with aligning IU’s research systems with HIPAA for biomedical research and leveraging them to create solutions for researchers. The service now plays a vital role in securing IU’s creative and research data. SecureMyResearch began with a vision to accelerate research at IU by reducing the cybersecurity and compliance burden on researchers. Metrics and testimonials from numerous engagements in 2021 show that this vision is now a reality. Securing research data is critical for IU researchers

2021 HIGHLIGHTS

Handled 211 service tickets covering nearly every research scenario.

Facilitated more than $130 million in sponsored research.

Invited to join the Social Sciences Research Commons (SSRC).

Achieved rapid service adoption. Assisted 460 researchers (equivalent to roughly 25% of all IU faculty) in 100 departments (70% of all IU academic departments and centers).

Became an integral resource for the Neurosurgery Clinical Research Services (NCRS).

Invited to be a key component in research software risk assessment for IRB submissions.

Became a critical resource for the Office of the Vice President for Research in resolving cybersecurity terms in grants, contracts, and data use agreements.

Helped researchers negotiate highly challenging Dept. of Defense (DOD) contract terms and conditions.

Expanded coverage beyond traditional, compliance-driven cybersecurity to areas such as physics, computer science, earth and atmospheric sciences, and social sciences. Performed outreach by preemptively reaching out to faculty and staff and giving presentations at faculty meetings and in departments. Provided holistic support by securing entire research workflows.

Established long-term relationships with more than 20 IU stakeholders that support research:

The Impact of SecureMyResearch “Reaching a landmark 460 researcher engagements in 100 departments in 2021 far exceeded our initial expectations, but it was just the tip of the iceberg. We ended up not only resolving individual issues but also establishing long-term relationships. Once researchers worked with us, they came back repeatedly when they encountered issues. We also became integrated into their research workflows, fulfilling another service hope. Our goal for 2022 is to continue the growth trend and serve even more researchers and increase collaborations with research support centers on campus.” Anurag Shankar, manager of the SecureMyResearch service at CACR

Anurag Shankar

“Thank you very much for helping us to navigate the challenges from the cybersecurity requirements presented in a site agreement between IU and two partners. I honestly don’t know how we would have resolved this matter without the service you offered.”

“I want to thank you again for your time and expertise with providing us with information about how best to ensure security for clinical and teaching encounters during the continued challenges of COVID. The suggestions and clarifications you provided were really helpful.”

Carolyn York, administrator, Neurosurgery Clinical Research Services, IU School of Medicine (IUSM)

Emily Delbridge, professor, Dept. of Family Medicine, IUSM

“Your help in relation to [our] study will have a cascading effect of making it possible to enable enterprise-level backups for our secure server, which hosts other research projects as well.” Emily Meanwell, clinical associate professor, Dept. of Sociology, and director, Social Science Research

“I would have been hopelessly lost without the assistance from you and your colleagues; and this comes from a reasonably tech savvy hard-core computer programmer.” Nicholas Port, associate professor, School of Optometry, IU Bloomington

Commons, IU Bloomington

“SecureMyResearch has been an invaluable resource for Research Contracting in ORA. We have utilized their expertise on a regular basis. We are receiving more and more contracts–both funded projects and data use agreements–that incorporate various third-party cybersecurity requirements, and the team is always available and willing to help us to think through the projects and find a way to comply.”

“The HIPAA office at IU would like it known that over the last year, SecureMyResearch has been pivotal in increasing the security posture of research at IU. The HIPAA office frequently refers researchers to the SecureMyResearch consulting services.” Jason Bozarth, university HIPAA security officer

Katie Morris, director of research contracting, IU Office of Research Administration (ORA) 21

2021 CACR SPEAKER SERIES Enabling secure health and defense research CACR provided consulting to researchers and the Office of Research Administration on Department of Defense contracts that involve Controlled Unclassified Information (CUI) and DFARS 252.204-7012 and CMMC regulatory requirements. Additionally, CACR oversees HIPAA compliance for IU’s central research and enterprise systems. CACR continued working and improving numerous UITS systems, using a rigorous institutional approval process CACR helped to develop. The process leverages the NIST Risk Management Framework (RMF) and NIST 800-53 controls for comprehensivness and provides a single, reusable process for HIPAA and FISMA. CACR continued to facilitate the HIPAA compliance effort for UITS.

Continuing to meet the challenges of the pandemic Challenges continue to persist with the pandemic, and university group meetings that are conducted online are still subject to Zoombombing (a crude practice that disrupts and maliciously interferes with a Zoom meeting). CACR led a collaborative outreach effort in response to multiple high-profile Zoombombing incidents at IU, providing proactive training for groups hosting publicly posted meetings. Direct outreach was provided to 21 groups at IU, including student groups and schools/departments. Efforts this year focused on providing consultation, training, and resources to Student Affairs offices and departmental Zoom support personnel at all IU campuses. This allowed for training and resources to be directly supplied at points-of-origin to student groups which are common targets of Zoombombing attacks.

Providing for-credit opportunities for Maurer students Initiated in 2018 as a collaboration between CACR and the IU Maurer School of Law, the CACRMaurer Student Affiliates program provides law students pursuing the Maurer Cybersecurity Certificate opportunities to work with CACR’s legal experts for a semester, receiving one credit. The students’ research topics impact cybersecurity and/or privacy law and develop deliverables (e.g., memos, whitepapers, presentations). Topics have included the California Consumer Privacy Act (CCPA); export control law as applied to research science; and privacy concerns relating to artificial intelligence.

The Speaker Series brings cybersecurity experts from across the nation to present their current research and real-world experiences to IU faculty, staff, and students. This year’s series continued virtually, and average attendance held firm at 45 attendees. These presentations can yield some exciting collaborations that bring together faculty researchers, students, and even professionals from the private sector. The Speaker Series exposes IU faculty and students to a variety of applied cybersecurity challenges and collaboration opportunities.

Co-hosts for the 2021 Speaker Series included: Hamilton Lugar School of Global and International Studies: Feb. 25, Sept. 2; Luddy School of Informatics, Computing, and Engineering: Feb. 25, April 8, Sept. 2; Kelley School of Business: March 25; Maurer School of Law: Oct. 21; Ostrom Workshop: Nov. 11

CACR LEADERSHIP TEAM, STAFF, AND FELLOWS CACR’s chief asset is its knowledgeable and dedicated

Administrative Director

administration, staff, fellows, and students. CACR prides

more than two decades of

itself on the professional diversity of its staff, each

Leslee Bohland has experience in management and accounting.

with unique skills and experiences that contribute to its expertise. CACR staff is made up of people from all disciplines, including computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, and public policy.

CACR Director, IU Executive

Program Director Craig

Director for Cybersecurity

Jackson focuses on

Innovation, and Associate

information security program

Vice President for Information

development and governance,

Security Von Welch has more

cybersecurity assessment

than a decade of experience

design and conduct, legal

developing, deploying, and

and regulatory impact on

providing cybersecurity for

information security and

private and public sector

cyber resilience, evidence-

high performance computing

based security, and innovative

and distributed computing

defenses.

systems.

Chief Security Analyst

Senior Security Analyst

Mark Krenz focuses on

Anurag Shankar provides

cybersecurity operations,

leadership in regulatory

research, and education. He

compliance (HIPAA, FISMA,

has more than two decades

and DFARS) and cybersecurity

of experience in system and

risk management. He has over

network administration and

two decades of experience in

serves as the CISO for the

providing research computing

ResearchSOC and deputy

services and building HIPAA-

CISO of Trusted CI.

compliant solutions for biomedical researchers.

Senior Project Manager Kelli

Chief Security Analyst Susan

Shute serves as executive

Sons focuses on secure

director of Trusted CI and

software engineering, ICS/

supports ResearchSOC and

SCADA security, operational

CACR’s election security

security practice for

engagement with the state of

research and development

Indiana. She has more than 15

organizations, and security

years of experience leading

for legacy technologies in

project teams, primarily in the

high-stakes applications. She

private sector.

serves as deputy director of the ResearchSOC.

CACR staff

Trusted CI Fellows 2021

CACR staff help manage the daily operations of the center. CACR staff

The Trusted CI Fellows program empowers members of the scientific

includes administrative, management, and external relations support, as well

community with basic knowledge of cybersecurity and the understanding of

as security and policy analysts.

Trusted CI’s services, and then has them serve as cybersecurity liaisons to their respective communities.

Ishan Abhinit

Asst. Deputy-CISO & Senior Security Analyst

Emily K. Adams

Principal Security Analyst

Dr. Elie Alhajjar

Army Cyber Institute

Brian Chase

Security Analyst

Michael Kyle

University of Delaware

Diana Cimmer

Events & Communications Manager

Deb McCaffrey

Michigan Medicine

Adrian Crenshaw

Senior Security Analyst

Amiya Maji

Purdue University

Austin Cushenberry

IT Support Specialist

Shuyuan Metcalf

Florida State University

Josh Drake

Senior Security Analyst

Matthew Peterson

Oregon State University

Will Drake

Senior Security Analyst (CACR CISO)

Mauricio Tavares

FABRIC and FAB

Tom Edelberg

Research Associate

Richard Wagner

University of California San Diego

Aditya Kanuparthi

IT Support Specialist

Ryan Kiser

Senior Security Analyst

Tori Richardson

Senior Administrative Assistant

Ranson Ricks

Senior Project Manager

Scott Russell

Senior Policy Analyst

Mike Simpson

Principal Security Analyst

Todd Stone

Business Development Director

Fellows and key liaisons

Explore the IU Cybersecurity Community

CACR has more than a dozen Fellows. Each one brings unique insights and

IU Office of the Associate Vice President for Information Security

connections to the center, allowing it to capitalize on the interdisciplinary strengths of IU and the broader community. Fellows represent a wide range of perspectives that include law, policy, ethics, and informatics. Mark Bruhn

IU former Associate Vice President for Assurance and Public Safety

L. Jean Camp

IU Luddy School of Informatics, Computing, and Engineering

Fred H. Cate

IU Maurer School of Law

Damir Cavar

IU College of Arts and Sciences, Department of Linguistics

Robert Cowles

Brightlite Information Security

Rachel Dockery

IU Maurer School of Law

Arjan Durressi

Department of Computer and Information Science, IUPUI

David P. Fidler

IU Maurer School of Law

Grayson Harbour

Faegre Baker Daniels LLP, Indianapolis

Daniel Hickey

IU School of Education

Apu Kapadia

IU Luddy School of Informatics, Computing, and Engineering

Asaf Lubin

IU Maurer School of Law

Nicholas Multari

Pacific Northwest National Lab, Washington

Steven Myers

Formerly of IU Luddy School of Informatics, Computing, and Engineering

Scott Orr

School of Engineering and Technology, IUPUI

Sagar Samtani

IU Kelley School of Business

Scott J. Shackelford

IU Kelley School of Business

Robert Templeman

Naval Surface Warfare Center Crane

Joseph Tomain

IU Maurer School of Law

XiaoFeng Wang

IU Luddy School of Informatics, Computing, and Engineering

Xukai Zou

Department of Computer and Information Science, IUPUI

informationsecurity.iu.edu GlobalNOC globalnoc.iu.edu Hamilton Lugar School of Global and International Studies hls.indiana.edu IU Cybersecurity Risk Management Program cyberrisk.iu.edu Kelley School of Business kelley.iu.edu Luddy School of Informatics, Computing, and Engineering luddy.indiana.edu Maurer School of Law law.indiana.edu OmniSOC omnisoc.iu.edu Ostrom Workshop ostromworkshop.indiana.edu REN-ISAC ren-isac.net

leading.iu.edu 27

2719 E. Tenth Street, Suite 231, Bloomington, IN 47408 (812) 856-0458 | cacr@iu.edu

cacr.iu.edu Primary support for CACR comes from the IU Office of the Vice President for Information Technology, the IU Office of the Vice President for Research, and the National Science Foundation. Additional support for activities in this report was provided by the Indiana Secretary of State, the Regenstrief Institute, and HathiTrust Research Center. We also acknowledge and thank the many organizations who support CACR through contracts and sub-awards.