Tornadoes have warnings; the flu season gets a prediction; even government unrest can be spotted before tempers flare — so why can’t cyber attacks be spotted before they strike?
Researchers at the Intelligence Advanced Research Projects Activity (IARPA) are working to change that “why” to a “when,” according to its director, Jason Matheny.
“One of our country’s most important problems to solve is how can we improve situational awareness in cyber defense before the events occur, rather than after events occur,” Matheny told Federal News Radio’s Federal Drive with Tom Temin. “The reason that we’re in principle able to forecast the attacks is because attacks don’t happen out of the blue. There’s planning, there’s reconnaissance, there’s site testing by cyber attackers. Those things are detectable.”
Currently, cyber attacks are detected weeks and months after they’ve happened, Matheny said, but the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program aims to identify indicators of a pending attack.
“Some are chatter by the attackers themselves, web search queries that they run when mapping networks, as well as the black market prices of, say, zero day exploits that are used in cyber attacks,” Matheny said. “Many of those are actually hard to cover up. People leave sort of digital exhaust when they’re performing actions like this against a site.”
Matheny said IARPA is in the midst of reviewing proposals on how to forecast cyber attacks using publicly available data and what he called “machine learning approaches,” similar to the system used by IARPA’s 4-year-old Open Source Indicators program.
Using publicly available data on social media sites, news feeds, Web search queries and posted video streams, observers can forecast events before they happen, Matheny said.
“When people get sick they might cancel their dinner dates, they might cancel their flight plans, they might do web search queries for their symptoms,” Matheny said. “Same for political unrest. When people are feeling aggravated against a political leader they might edit the Wikipedia page of that leader, might express on social media frustration or lack of trust in the government. So these are things that are really helpful in order to improve our ability to understand events overseas, especially ones that might affect U.S. travelers, U.S. embassy staff.”
This research relies heavily on automated machine learning approaches, Matheny said, in which computers make sense of large volumes of data without requiring human analysis.
“What we’re finding is that the machine learning approaches that we’ve developed, and that our researchers who we fund develop, really are able to make sense of these large volumes of data in ways we had previously not thought possible,” Matheny said. “CAUSE is another program in which we expect those kinds of breakthroughs to be possible now in a new domain within cyber defense, which … is an area where we need vast improvement.”
The hope, Matheny said, would be to deter attacks against federal agencies, critical infrastructures and even private entities.
Matheny said the proposals chosen for funding will then engage in a research tournament, to “see who can forecast events soonest with the highest accuracy. We keep score, we act as the referee.”
“This is a sort of full contact sport for research here,” Matheny said. “We have research program managers who really act as collaborators with our research teams, and we have an unusual degree of engagement with the researchers within universities, colleges and industry in giving them the resources they need to solve our hardest problems. So we’re expecting the very best from CAUSE.”