U.S. Cyber Command wants to expand the use of artificial intelligence and machine learning, and to do so, it’s kicked off a broader survey of machine learning requirements across the Defense Department. It’s working with the Defense Innovation Unit, the new Chief Digital and Artificial Intelligence Office and the Defense Advanced Research Projects Agency to do that.
The idea is to determine priorities for greater investment in the near future.
Dave Frederick, CYBERCOM’s executive director, said DoD already integrates basic machine learning applications and commercially available products that incorporate machine learning in its cyber defense mission. And he hopes to have a better idea of what’s still needed in terms of machine learning this fall. But he did offer one example of the new directions CYBERCOM wants to explore: synthetic users.
“Our offensive cyber operators, the way they get ready for a mission is we set up a simulated network that is supposed to emulate the adversary environment as much as possible. Just setting up a static network isn’t sufficient in terms of realism, because on a real network, you’ve got system administrators, you have users, you’ve got a lot of people using computers, and some of them may notice that something’s odd, and tip off to their [system administrator], or tip off their security operations center, and take action,” Frederick said on June 14 during the Defense One Tech Summit. “And so to elevate our game in training and mission rehearsal, we want to see if we can develop, in partnership with industry, some abilities to emulate the actual presence of people operating the network, to where we’re not just looking at routers and switches and software packages. But we’re also dealing with this uncertainty that can be introduced, when you have a system administrator who happens to notice, ‘hey, this just doesn’t look right to me, I’m going to investigate this a bit,’ which could throw us off our game. And so that’s just one of many examples that the team is doing pretty early in the survey work right now.”
Frederick said continuous monitoring is another area CYBERCOM is looking at, which aligns pretty well with industry priorities, as well as detecting misinformation. Meanwhile, he said, CYBERCOM will be looking to partner with DARPA for innovation in offensive capabilities.
One thing Frederick is counting on machine learning to help with is taking some of the load off of cyber analysts and defenders. He said CYBERCOM is exploring one such way, involving tools that would allow defenders to compare suspicious activity against massive databases of known malware. That way, if the defenders aren’t sure whether what they’re looking at is malicious, they can confirm much more quickly. And if there’s not an exact match, the algorithm can also help determine with a fair amount of confidence whether it might be a new variant.
“So that’s an important example; it just takes work off the protection teams, it allows more junior operators to be more effective in their mission,” Frederick said. “So not everybody has to be master level, because they can use these tools to help them in their job.”
That’s why Frederick wants to begin including more machine learning tools in training for cyber operators. Not only do they need to know how to use these tools to get the maximum effect out of them, but they also need to be able to recognize their limitations. The algorithms can only do so much; they only process data, albeit much faster than humans can. But human judgement is still required to evaluate and implement the insights machine learning produces. So that needs to become a basic part of cybersecurity training.
That will also require improving DoD’s talent pipeline for cybersecurity and machine learning. Toward that end, Frederick said CYBERCOM launched an academic engagement network about six months ago, which is starting to pay dividends. He said the network is closing in on 100 member universities. That’s helping with student outreach; Frederick said students outside of universities with strong ties to the military rarely considered DoD as a potential career option, and often didn’t know DoD employed civilians.
CYBERCOM is also leveraging the network for innovation in the area of unclassified threat analysis.
“There’s so much information available at the unclassified level, that we want to work with students on research projects on that topic,” Frederick said. “And we’re also trying to encourage student research and faculty research on our hard innovation problems. So this fall, we’ll be sponsoring at least 10 student research projects focused on our innovation problems. We’ll be launching that in August, advertising it out, and going through the process there.”
And the network is also facilitating two-way education opportunities between DoD and academia. Frederick said two professors from partner universities have spoken to the CYBERCOM workforce about both the technical and disinformation aspects of election security, which is one of CYBERCOM’s mandates. Frederick said the CYBERCOM workforce asked to be educated about those topics.
And a CYBERCOM expert has already held a talk at one university on the subject of zero trust. And next week CYBERCOM will be participating in a faculty workshop at the University of Cincinnati on the topic of persistent engagement strategy.
“We’re trying to help scholars that look at cyber strategy and policy and at the technical side of cyber have a better understanding of persistent engagement, and the defend forward strategy, some of the core aspects of how CYBERCOM fits into DoD in an integrated deterrence effort,” Frederick said.
Daisy Thornton is Federal News Network’s digital managing editor. In addition to her editing responsibilities, she covers federal management, workforce and technology issues. She is also the commentary editor; email her your letters to the editor and pitches for contributed bylines.