Slashdot Mirror


Can NASA's Gryphon-X Project Save America? (thestack.com)

An anonymous reader writes: The Institute for Critical Infrastructure Technology, which advises both government and industry, has released an unusually fervent paper calling for NASA to push harder for funding for a massive cybersecurity project called Gryphon-X, which it claims has been lost in congressional confusion and administrative bureaucracy. Details are scarce as to how Gryphon-X could prevent cyber-incursions such as AnonSec's attempted drone sabotage in February, or even what new technologies might be on the table, but the paper mentions that a significant new site would be built in Silicon Valley, and would include academic facilities. Extending Gryphon-X's scope far beyond NASA's security to a global role, the authors write that it would contain 'the fusion center, virtualization environment, and cyber-physical capabilities needed to analyze, prepare, and prevent threats like these from harming the nation, its organizations, or its people.'

44 comments

  1. Answer by Kohath · · Score: 1

    Without knowing anything at all about the project, we can all confidently say the answer is "No".

    1. Re:Answer by Anonymous Coward · · Score: 0

      No but Donald Trump says he can.

  2. NASA or NSA? by Anonymous Coward · · Score: 0

    It seems odd that NASA would be this deep into security. NSA, otoh...

    1. Re:NASA or NSA? by TomR+teh+Pirate · · Score: 1

      I thought the same thing. Why is this down-voted?

  3. Sounds a lot like Elon Musk technology by OpinOnion · · Score: 2

    They use virtualization platforms due to lots of paranoia about Chinese hackers infiltrating their network supposedly, particularly for Space-X technology.

  4. Bingo ... by gstoddart · · Score: 2

    'the fusion center, virtualization environment, and cyber-physical capabilities needed to analyze, prepare, and prevent threats like these from harming the nation, its organizations, or its people.'

    Buzzword bingo, bitches!!

    This just needs a mission statement generator and a set of PowerPoint slides, and it'll be ready for vast sums of money to pay for travel junkets and hookers for years.

    --
    Lost at C:>. Found at C.
    1. Re: Bingo ... by Anonymous Coward · · Score: 0

      Don't get me started on how much it'll improve your ROI and TCO. And something something about minorities...

    2. Re:Bingo ... by Anonymous Coward · · Score: 0

      The stories I could tell about NASA junkets...

  5. I think I see a typo in the headline by Chris+Mattern · · Score: 2

    Shouldn't it be: "Can NASA's Gryphon-X Project Have Anything To Do With What NASA is Supposed To Be Doing?"

    1. Re:I think I see a typo in the headline by Anonymous Coward · · Score: 0

      Considering NASA is supposed to be somewhat of a PR agency, and the NSA isn't even supposed to exist, I think the duty falls very much to NASA to release the consequences of advanced technology to the populace in an unclassified and non-military way.

    2. Re:I think I see a typo in the headline by pr0fessor · · Score: 1

      If Gryphon-X is based on research they did after getting hacked on how to secure their systems and networks... isn't part of their mission to advance technology.

      Not that they should be overseeing a project to secure the US's networks but if research they did will help then sure.

    3. Re:I think I see a typo in the headline by SecurityGuy · · Score: 1

      NSA isn't even supposed to exist

      That ended decades ago.

      I think the duty falls very much to NASA to release the consequences of advanced technology to the populace in an unclassified and non-military way.

      I'd say DARPA, if there had to be one such place. As for NASA, if it's not aeronautics or space related, it's not what they're supposed to be doing.

    4. Re:I think I see a typo in the headline by Anonymous Coward · · Score: 0

      As for NASA, if it's not aeronautics or space related, it's not what they're supposed to be doing.

      Could be national, or administrative.

  6. Details are scarce indeed by Sumus+Semper+Una · · Score: 2

    Details are especially scarce when the first link just points back to this article. Who the hell is The Institute for Critical Infrastructure Technology? A cursory Google search reveals that they're a (pending) nonprofit with an interest in pushing for greater cybersecurity policies at the federal level. Great. I've never heard of them, so why do I care what they say about Gryphon-X? And what, exactly, is Gryphon-X proposed to do? Without details I'd be inclined to just assume it's some sort of vague pork barrel project for Silicon Valley that someone slapped NASA's name on. If so, I hope that congress continues to ignore it and moves on.

    1. Re:Details are scarce indeed by Anonymous Coward · · Score: 0

      Oh come on, we all know that the best way to fix any security problem in a complex network is to simply create an ever more complicated system to protect it. This is CS101.

    2. Re:Details are scarce indeed by gstoddart · · Score: 1

      Yeah, no shit ... there is no TFA ... there's just "some guys want to do some stuff but due to our own ineptitude we failed to provide any relevant links to anything, so talk among yourselves."

      --
      Lost at C:>. Found at C.
  7. Or just use OpenBSD. by Anonymous Coward · · Score: 0

    If computer security is what you want, then a better option is just to use OpenBSD. Unlike most other software projects, including nearly all Linux distros, the OpenBSD developers put security first. Putting security first has the side effect of making quality and robustness high priorities, too, since they all go hand-in-hand. You can't get one without the others. The OpenBSD devs do strenuous reviews of not only their own code, but that of code developed by other projects. They will even fork other projects when those projects don't live up to the OpenBSD standard of security and quality. LibreSSL is an example of this. So if computer security is what you're after, use OpenBSD. It's the only sensible choice.

    1. Re:Or just use OpenBSD. by EmeraldBot · · Score: 1

      If computer security is what you want, then a better option is just to use OpenBSD. Unlike most other software projects, including nearly all Linux distros, the OpenBSD developers put security first. Putting security first has the side effect of making quality and robustness high priorities, too, since they all go hand-in-hand. You can't get one without the others. The OpenBSD devs do strenuous reviews of not only their own code, but that of code developed by other projects. They will even fork other projects when those projects don't live up to the OpenBSD standard of security and quality. LibreSSL is an example of this. So if computer security is what you're after, use OpenBSD. It's the only sensible choice.

      I'm all for the BSDs, as they do have superior code quality compared to Linux + GNU (having written for both, although it's just my subjective opinion). That said, OpenBSD is the one I'm the least a fan of - it has some very useful extra features, and the devs really do put forth the work. However, only on the base, and I can't stress that enough. OpenBSD's base is surprisingly well developed, and you can run a small router or printer manager or something with it, sure. However, as soon as you want more (such as an advanced webserver, a personal workstation, etc.), you start to rely on the ports more, and OpenBSD's tend to lag a little bit, which makes you vulnerable to application exploits. FreeBSD still gives you really strong security, but also a very up to date ports tree, as well as the MAC framework (mandatory access control, which allows you to set fine grained policies). Plus, I don't think OpenBSD has Capsicum (a sandboxing daemon), though it's been a while since I've checked the status on that.

      OpenBSD is a fine project, but it's hardly "the only sensible choice". I'd recommend checking out FreeBSD if anyone's interested, and to exercise prudence as always :-)

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    2. Re: Or just use OpenBSD. by Anonymous Coward · · Score: 0

      What are you talking about? OpenBSD has a port tree just like FreeBSD. And if I am remembering correctly has just as many and if not the same ports as each other.

  8. In a word by Anonymous Coward · · Score: 0

    No

  9. Perhaps they meant to link to this? by Anonymous Coward · · Score: 1

    https://thestack.com/security/2016/03/23/can-nasas-gryphon-x-project-save-america/

  10. Re: Only One Man by Anonymous Coward · · Score: 0

    Vote hump! It is hump day...

  11. I had such high hopes for the new management by DNS-and-BIND · · Score: 1

    Well, when the new boss took over, I really thought things would change. He fired the two older idiots that posted crap day in and day out first day on the job. But now, we still get this? "Save America"? For real? Sigh...I had such hopes.

    Meet the new boss, same as the old boss.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re: I had such high hopes for the new management by Anonymous Coward · · Score: 0

      And you thought things would change. War, war never changes.

  12. WTF? Re:NASA or NSA? by Geoffrey.landis · · Score: 1

    I can't figure out what's going on here. The link goes to https://science.slashdot.org/s...

    Why does the link on a slashdot story go to slashdot stories? Isn't there an original somewhere to link to?

    --
    http://www.geoffreylandis.com
  13. water, food, roads, bridges, healthy workforce? by k6mfw · · Score: 1

    I guess these things don't matter much when compared to cyber in regards to threats facing America.

    --
    mfwright@batnet.com
  14. A response by brennz · · Score: 1

    This sounds like a big moneypit for Ames. Furthermore, Ames has not been able to retain their government staff, since they are quickly poached to nearby Silicon Valley.

    Most of NASA's critical infrastructure is located on JSC, GSFC, KSC, MSFC and JPL. We'd be much better off utilizing those locations, rather than ARC. Although ARC has proximity to startups, GSFC has proximity to the world's largest concentration of human security talent, along with DISA and NSA being next door. JPL has some great SCADA security talent too, and both JSC and KSC have huge room for physical growth, and lower labor rates. The SCADA infrastructure most pertinent to the health & safety of the U.S. public is actually the NASA-NOAA relationship around data feeds from satellite ground system ICS/SCADA which feeds NOAA's weather forecasting capability, and is directly, and indirectly, the foremost source of information for meteorology.

    As far as NASA fixing all SCADA infrastructure this sounds crazy. There are too many separate SCADA/ICS domains that should be handled separately, particularly as IoT grows.

  15. I'd prefer not... by frank_adrian314159 · · Score: 1

    I'm not sure how expertise in blowing things up slowly translates into expertise in securing computer systems.

    --
    That is all.
  16. Slashdot, home of the no sayers by frnic · · Score: 1

    Gotta love Slashdot now days, it doesn't matter what the story they can always come up with a way to be negative.

    1. Re:Slashdot, home of the no sayers by frank_adrian314159 · · Score: 1

      OK, I'll be positive... I'm positive that this is a dumb idea. Besides, how can you help but be negative when all the ideas are stupid?

      --
      That is all.
    2. Re:Slashdot, home of the no sayers by Anonymous Coward · · Score: 0

      Sorry - what is there to be positive about in this?

      The Gryphon-X infrastructure would support a virtual, cloud based, simulation environment. The virtual “cyber range” will facilitate the research, development, testing, and evaluation of cybersecurity solutions under realistic conditions and according to the actual threat environment of the organization. This will be made possible by an extensive catalogue of virtualized physical systems. Essentially, the Gryphon-X systems would support emulated versions of any current and outdated hardware or software network asset, complete with its real-world security flaws. In the environment, researchers can perform accurate penetration testing without harming the device or compromising their own network. Through this capability, participants can identify vulnerabilities and either develop mitigations (patches, mitigating controls, etc.) or monitor where adversaries are likely to enter the network.

      As far as I can tell - this is the only new/sparkly idea aside from all the other surreally histrionic and overblown done to death buzzword bingo. It's still a horribly insane idea. Only a government agency that lives off infinite money could come up with the asinine idea of even trying to run every piece of outdated hardware and software out there in a virtualized environment - where that even makes sense due to one off or specialized hardware that suffers from hardware/software skew.

      It's just totally asinine. Someone who doesn't know much about either hardware or software may find it appealing and think it's a great idea, but those who know better will realize that even if their concept is within the realm of the possible (and I doubt it), they'll be horribly disappointed in the end.

    3. Re:Slashdot, home of the no sayers by Anonymous Coward · · Score: 0

      Holy hell, my bad - I thought this was actually NASA authorized or ideated in some way. It's apparently just some new think tank that doesn't have a clue and doesn't know any better.

      Not sure how I misread that but I apparently did... ouch. Had me thinking that the brain drain of NASA was complete and there wasn't anyone with a higher education there for a minute. lol

    4. Re:Slashdot, home of the no sayers by Anonymous Coward · · Score: 0

      That's the entire reason stories like this are posted. The world is full of stupid ideas. Anonymously pissing on them from the comfort of my couch lets me forget that my life is an empty and meaningless march towards retirement and eventual death and I will die alone and unloved. Because at least I'm not the wanker making vacuous PowerPoint about cyber-physical capabilities.

    5. Re:Slashdot, home of the no sayers by khz6955 · · Score: 1

      @frnic: "Gotta love Slashdot now days, it doesn't matter what the story they can always come up with a way to be negative."

      OK, I'll be positive and propose a practical solution. Don't run your critical infrastructure or security apparatus on Intel hardware running Microsoft Windows and connected to the Internet. The current security infestation is largely self inflicted, mainly due to bad design decisions made decades ago.

  17. Re:WTF? Re:NASA or NSA? by rwise2112 · · Score: 1

    I can't figure out what's going on here. The link goes to https://science.slashdot.org/s...

    Why does the link on a slashdot story go to slashdot stories? Isn't there an original somewhere to link to?

    The actual link to thestack.com is right next to the title. I've seen a few articles linked like this lately.

    --

    "For every expert, there is an equal and opposite expert"
  18. Re:WTF? Re:NASA or NSA? by KerberosKing · · Score: 1

    Here's the report itself: http://icitech.org/wp-content/...

    Not worth the read IMHO, only three generic references, none of which explain anything about Gryphon-X. While I agree that trying to use the same old defenses against an adapting adversary means you will get breached eventually, most organizations are not even properly managing the traditional security controls, much less developing next generation controls. I am skeptical of how well this could be applied widely to protect data, even assuming it is moonshot awesome.

  19. Isn't this by Anonymous Coward · · Score: 0

    how Skynet got started? A massive cybersecurity effort?

  20. curious... by Anonymous Coward · · Score: 0

    non linear asymptomatic cryptography based on the math of General Relativity?

  21. Fuck no by Anonymous Coward · · Score: 0

    NASA should be focusing on anti-gravity, not NSA agendas (which is probably what this is disguised as)

  22. Space? by zapadnik · · Score: 1

    NASA has lost its way. It no longer has the capability to fly Americans into space, yet it still draws a similar budget to when it was flying Space Shuttles.

    Bureaucracies that eat taxpayer dollars without producing anything useful are the real problem America (and the World) faces.

    Stop giving bureaucracies more and more and more taxpayer money to do less useful things!

  23. How to prevent cyber-incursions? by khz6955 · · Score: 1

    Design your computers with a built-in READ/WRITE switch, such that it is impossible to overwrite the OS with the switch in the OFF position.

  24. Ask Betteridge by alleycat0 · · Score: 1

    Once again, Betteridge's law of headlines is appropriate here. https://en.wikipedia.org/wiki/...

    --
    I am not a number - I am a free man!