October 19, 2012

U-M Rackham Auditorium

Video and Materials


8:40–9:30 a.m.

Prepping the Battlefield
U.S. Representative Mike Rogers (MI-08)

9:30–10:20 a.m.

What Remains To Be Done in Cyber Security
Joe St. Sauver

10:20–10:30 a.m.


10:30–11:20 a.m.

Governing Cyber Crime, Cyber Terrorism and Cyber Conflict
Catherine Lotrionte

11:20 a.m.–12:10 p.m.

The Michigan Cyber Range
William J. (Joe) Adams

12:10–1:30 p.m.

Lunch on your own
There are numerous restaurants within walking distance of Rackham Auditorium

1:30–2:20 p.m.

Chasing APT
Joe Stewart

2:20–3:30 p.m.

Reputation Based Detection of Socially Engineered Malware
Niels Provos
This presentation will not be part of the SUMIT_2012 webcast

3:30–4:20 p.m.

Can you hear me now? Law enforcement surveillance of Internet and mobile communications
Christopher Soghoian


U.S. Representative Mike Rogers

U.S. Congress (MI-08)

Prepping the Battlefield

Mike's leadership positions, experience and legislative record enable him to effectively advocate for the citizens of Michigan's Eighth Congressional District and work to make America a better place.

In 2011, Mike was appointed as Chairman of the House Intelligence Committee and is a national leader on national security policy. In the 112th Congress, he authored three bipartisan intelligence authorization bills which were signed into law, and wrote the leading cyber security bill to protect American innovation and the jobs that come with it from cyber predators. Mike believes that national security issues should be bipartisan or even nonpartisan. Washington Post columnist David Ignatius wrote that the Intelligence Committee Mike chairs was "a rare example of bipartisanship."

As a member of the powerful Energy and Commerce panel, Mike works to strengthen Michigan's economy. He has been a leader in efforts to adopt an "all of the above" energy policy to end America's dangerous dependence on foreign oil, create jobs, crack down on wasteful spending and repeal the new health care law, including sponsoring a bill that would allow everyone who wants to opt out of the law to do so.

During his time in Congress, Mike has written several bipartisan measures which were signed into law, including legislation to: make education savings accounts tax free at the federal level; support families of law enforcement officers killed in the line of duty; protect America from biological or chemical attacks; expand research into chronic pain; combat counterfeit prescription drugs; protect military funerals; improve the efficiency of computer servers; and hire more "trade enforcement cops" to crack down on the illegal trading practices of countries like China. In the 112th Congress, Mike has also authored bipartisan measures to strengthen pediatric drug research and make medical devices safer for children.

A 1985 graduate of Adrian College, Mike was a commissioned officer in the U.S. Army through the Reserve Officers' Training Corps at the University of Michigan, then served as an FBI special agent before being elected to the Michigan Senate in 1995. Mike has served Michigan's Eighth Congressional District in Congress since 2001.

Mike is married, has a daughter and a son and is a regular face on national television and in print.

Joe St. Sauver


What Remains To Be Done in Cyber Security

Marie Curie, the first woman to be awarded a Nobel Prize, is said to have written (in an 1894 letter to her brother), "One never notices what has been done; one can only see what remains to be done." In this talk, we'll go through a bit of what has already been done in cyber security, and outline some of what still remains to be done.

For example, if cyber security is to be considered a scientific discipline, and bots are core to threats such as distributed denial of service attacks and spam, isn't it a bit surprising that we really have no solid measurements when it comes to the percentage of hosts that are botted, either here in the United States or in other countries abroad?

And just by way of one more example, why is it, after all these years, that we're still relying on plain old passwords for authentication, even though they're painfully inadequate and multiple superior alternatives exist?

For a field that some might like to call mature, a surprising amount of very fundamental practical security work remains to be done. We'll outline some of the successes we can collectively build on, and then highlight some of the work that remains to be tackled—perhaps with your help!  

Joe St Sauver, Ph.D., serves as manager for Internet2 Security Programs and the InCommon SSL/TLS and PKI Certificate Programs under contract through the University of Oregon. He is also a senior technical advisor to MAAWG, the Messaging Anti-Abuse Working Group, among other industry roles.

He routinely presents on cyber security and abuse-related issues at national and international events, including recent topics on cloud security strategies; DNS filtering and blocking; SSL/TLS and PKI-related security considerations; malware analysis; IPv6 and security; securing DNS and DNSSEC; fastflux web hosting; cyber war, cyber terrorism and cyber espionage; the insider threat; psychological decision-making heuristics and their impact on anti-spam activities; the compatibility of security and privacy; cyberinfrastructure architectures, security and advanced applications; and spam, domain names and registrars. Some of St Sauver's publicly available talks are linked from his university web page.

Catherine Lotrionte

Georgetown University

Governing cyber crime, cyber terrorism and cyber conflict

  • Governing cyber crime, cyber terrorism and cyber conflict
    • The primary means through which states have attempted to resolve the dilemma of cyber crime is through criminal laws. The most uncooperative states, however, have been unwilling to enact domestic criminal laws outlawing cyber attacks or have failed to prosecute those who have violated the laws.
      • Scott Shackelford and Richard Andres found that "some nations are weary of developing advanced transparent tracing techniques since this would hamper the activities of militias and intelligence agencies."
    • As with international terrorism, states that fail to take the initiative to prevent cybercrime and cyber-attacks can be held responsible for any breach to international peace and security caused by resulting cyber operations. It may not be realistic, however, to expect states to be able to completely prevent cyber attacks by non-state actors within their territory from ever occurring.
    • The state responsibility norm has developed since 9/11 such that a state may be found to have breached its duties not only through affirmative efforts, but also through what it failed to do to prevent the threat from materializing.
  • Update the direction of current government and legal community efforts
    • NATO has taken the first step toward making cyber conflict an international effort by opening the Cooperative Cyber Defence Center of Excellence in 2008 in Estonia.
    • On March 28, 2012, the European Commission proposed to establish a European Cybercrime Centre.
    • There are informal agreements to classify certain civilian targets as off-limits, but no hard treaties exist as yet. Russia, China, and the United States have begun to sit down and discuss target applicability in limited ways.
  • Forecast the development of these critical issues
    • While the United States has begun the process of articulating and promulgating the norm of state responsibility, these steps are not sufficient to ensure changed behavior by states. Nevertheless, if the United States champions the norm, its status as a major stakeholder in cybersecurity will increase the likelihood of its dissemination and internalization by other states.
      • If states like the United States offer technical, investigative or financial assistance to other states that lack the domestic resources to undertake investigations, it will be easier for some states to comply with the norm. This in turn will further the chances for the norm's cultivation. As states like Russia and China engage diplomatically on the topic of state responsibility in the cyber domain, it may be possible to generate enough traction for other states to buy into the norm.
  • How to apply traditional notions of the law of war in the cyber realm
    • Proportionality, a key issue in defining a state's right to self-defense, is very difficult to judge in cyber operations. At what level does a cyber operation, such as a covert action, transcend from merely an unlawful use of force into a use of force that legitimates Article 51 self-defense?
    • Cyber espionage and cyber-attacks are completely distinct operations in both policy and international law.
      • Cyber espionage operations, embodied by intelligence gathering activities such as the newly reported Flame malware, are not generally considered to violate Article 2(4) or to prompt Article 51 retaliation rights. Cyber attacks, however, can in some cases be considered to do both.
  • International law has to treat the emergence of technological advances
    • In light of recent attributions of Stuxnet and Flame to the United States, the issue of self-defense to cyber operations, and how Article 2(4) and Article 51 apply to cyber operations, is becoming increasingly pertinent.
    • By building up normative frameworks, for example the state responsibility norm, it will be easier to develop substantive international law with which states actually comply.
  • Important treaties and legal plans of action—What will be most influential?
    • Creating a legal regime in cyberspace will be a challenge given the limited capabilities for attribution, the lack of ability to have significant oversight, and the material power of those that are actively harboring and supporting hacker activity. Beginning with the norm of state responsibility and endorsing a standard for attribution to the state for private actors based upon the actions of the state, however, offers hope for a normative framework to diplomatically engage states harboring hackers.

Professor Catherine Lotrionte is the Executive Director of the Institute for Law, Science and Global Security and Visiting Assistant Professor of Government and Foreign Service at Georgetown University. Professor Lotrionte teaches courses on national security law, U.S. intelligence law, and international law. In addition to teaching, Professor Lotrionte coordinates research projects and events for the Institute for Law, Science and Global Security at Georgetown. She is the Institute Liaison for the Program on Nonproliferation Policy and Law, funded by the Defense Threat Reduction Agency, in cooperation with the Monterey Institute for International Studies' James Martin Center for Nonproliferation Studies. Professor Lotrionte is also the Director of the Cybersecurity Project in partnership with Lawrence Livermore National Laboratory. Professor Lotrionte and the Institute focus on the role of international and domestic law in recent and upcoming developments in cyber technology and cyber threats.

In 2002 she was appointed by General Brent Scowcroft to be Counsel to the President's Foreign Intelligence Advisory Board at the White House, a position she held until 2006. In 2002 she served as a legal counsel for the Joint Inquiry Committee of the Senate Select Committee on Intelligence. Prior to that, Professor Lotrionte was Assistant General Counsel with the Office of General Counsel at the Central Intelligence Agency, where she provided legal advice relating to foreign intelligence and counterintelligence activities, international terrorism, narcotics trafficking, organized crime, money laundering, espionage, and security matters. Before working in the Office of General Counsel at the Central Intelligence Agency, Professor Lotrionte served in the U.S. Department of Justice. Professor Lotrionte earned her Ph.D. from Georgetown University and her J.D. from New York University and is the author of numerous publications, including a forthcoming book concerning U.S. national security law in the post-Cold War era. She is a life member of the Council on Foreign Relations. 

William J. (Joe) Adams

Merit Network, Inc.

The Michigan Cyber Range

In July 2012, the Director of the National Security Agency said that there had been a 17-fold increase in cyber incidents at American Infrastructure companies between 2009 and 2011. While media reporting of these incidents has made their occurrence and impact well known, what is rarely highlighted is that the people responding to these events are America's civilian workforce—not the Federal Government, not the Department of Defense. Just like in the days of colonial America, our first line of defense is our citizenry.

Training users across the broad spectrum of technical interests and skills requires a Crawl, Walk, Run approach. Merit Network, Inc. has initiated a program to develop the Michigan Cyber Range, an unclassified shared resource that will decrease the cost and increase the accessibility of cybersecurity training. The Michigan Cyber Range is a state-of-the-art facility that provides a secure, "live fire" cybersecurity training environment for IT staffs, researchers, and students. Connected to Merit's robust infrastructure, the Cyber Range enables courses, exercises, and research to be conducted throughout the US and Canada using thinking, adaptive adversaries.

Dr. Adams recently joined Merit Network, Inc. after a 26-year career in the US Army. During his time as a Signal Corps officer, he served as an Associate Professor and Senior Research Scientist at the US Military Academy and, most recently, as the Chief Information Officer of the National Defense University. He retired as a Colonel and came to work for Merit as the Executive Director of Research and Cyber Security, focusing on developing the Michigan Cyber Range and expanding Merit's network research program. He has a Ph.D. in computer engineering from Virginia Polytechnic Institute and State University (Virginia Tech), MSc degrees from the Army War College and University of Arkansas, as well as a BSc in computer engineering from Syracuse University.

Joe Stewart

Dell SecureWorks

Chasing APT

APT (Advanced Persistent Threat) is a common buzzword in the media and at security conferences, but it isn't just hype—cyber-espionage activity is widespread and growing. In this presentation, I will highlight some recent investigations by the Dell SecureWorks Counter Threat Unit into cyber-espionage attacks coming out of China, targeting government and industry of multiple countries. Additionally, I will provide insight into some of the ways the Dell SecureWorks Counter Threat Unit discovers, tracks and attributes cyber-espionage activity. 

Joe Stewart is the Director of Malware Research for Dell SecureWorks Counter Threat Unit℠ research team. As a leading expert on malware and Internet threats, he is a frequent commentator on security issues for leading media outlets such as The New York Times, MSNBC, Washington Post, USA Today and others. Stewart has presented his security research at many conferences such as RSA, Black Hat, DEFCON, ShmooCon, RECON, Netsec, Hacker Halted USA, Air Force Cyber Space Symposium, AGORA, the Anti-Phishing Working Group, and many international ones, including CERT-EE Conference (Estonia), DeepSec 2008 (Austria), KAIST International Workshop on DDoS Attacks and Defenses (Korea), CFI-CIRT 7th annual IT Security Professional Development Day (Canada), and AusCERT2010 (Australia).

Niels Provos


Reputation Based Detection of Socially Engineered Malware

Despite recent progress in browser security, the web is still a prevalent source of malware. As the increased security of browsers has made it more challenging to deliver malware by exploiting vulnerabilities, adversaries have turned their attention to social engineering as another vector of distributing malware. Instead of employing exploits, adversaries attempt to deceive users into downloading malware. Social engineering poses different detection challenges as the lack of exploits makes it harder to detect. Other detection approaches such as blacklisting are made less effective by the adversary's ability to quickly change hosting domains.

In this talk, we present a reputation-based approach to protect users from socially engineered malware. Instead of relying solely on blacklists or whitelists, we bridge the gap by making use of a server-based reputation system that predicts the likelihood that a binary is going to be malicious without requiring access to the binary content. This service currently protects millions of Google Chrome users against malware downloads. We present some interesting insights from our production deployment.

Niels Provos is a Principal Engineer in Google's Infrastructure Security group. His areas of interest include malware and web security as well as computer and network security. In 2003 he received a Ph.D. from the University of Michigan, where he studied experimental and theoretical aspects of computer and network security at the Center of Information Technology Integration. When not working with computers, he forges steel into swords. 

Christopher Soghoian

American Civil Liberties Union (ACLU)

Can you hear me now? Law enforcement surveillance of Internet and mobile communications

Telecommunications carriers and service providers now play an essential role in facilitating modern surveillance by law enforcement agencies. The police merely select the individuals to be monitored, while the actual surveillance is performed by third parties: often the same email providers, search engines and telephone companies to whom consumers have entrusted their private data.

Although assisting Big Brother has become a routine part of business, the true scale of law enforcement surveillance has long been shielded from the general public, Congress, and the courts. However, recent disclosures by wireless communications carriers reveal that the companies now receive approximately one and a half million requests from U.S. law enforcement agencies per year.

When automated, industrial-scale surveillance is increasingly the norm, is communications privacy a thing of the past? For those of us who'd like to keep our private information out of government databases, what options exist, and which tools and services are the best? 

Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy.

He is a Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union in Washington, D.C. He is also a Visiting Fellow at Yale Law School's Information Society Project and a Fellow at the Center for Applied Cybersecurity Research at Indiana University.

Soghoian completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers. In order to gather data, he has made extensive use of the Freedom of Information Act, sued the Department of Justice pro se, and used several other investigative research methods. His research has appeared in publications including the Berkeley Technology Law Journal and been cited by several federal courts, including the 9th Circuit Court of Appeals.

Between 2009 and 2010, he was the first ever in-house technologist at the Federal Trade Commission's Division of Privacy and Identity Protection, where he worked on investigations of Facebook, Twitter, MySpace, and Netflix. Prior to joining the FTC, he co-created the Do Not Track privacy anti-tracking mechanism now adopted by all of the major web browsers.

He is a TEDGlobal 2012 Fellow, was an Open Society Foundations Fellow between 2011 and 2012, and was a Student Fellow at the Berkman Center for Internet & Society at Harvard University between 2008 and 2009.