The US Defense Advanced Research Projects Agency (DARPA) is creating network isolation and threat-characterization technologies to protect American data, networks and national security.
DARPA’s acting director Steven H. Walker spoke to an audience this morning at the 2017 Armed Forces Communications and Electronics Association Defensive Cyber Operations Symposium in Baltimore, noting that the problems the United States faces in the cyber domain are among the nation’s most serious.
“Even a combination of the most advanced technology cannot solve the problems America faces in the cyber domain entirely,” he said, and described DARPA’s efforts to “create technologies that protect our data, our networks and our national security when it comes to these threats.”
Walker said DARPA’s security research goals have three focus areas in the cyber security domain -- hardening systems against cyber-attack, operating through cyber-attacks and winning in the cyber domain.
As part of DARPA’s effort to harden systems against attack, the agency ran the Cyber Grand Challenge, or the CGC, in August.
“The CGC was very much in the vein of DARPA’s self-driving car challenges of the last decade, when we challenged the world to do something that had never been done before,” Walker said.
“In this case, [the challenge] was to defend a network and counterattack an adversary's network in a matter of minutes with no human intervention -- only machines playing machines in a game of capture the flag,” he added.
Seven finalist teams took their cyber reasoning systems to Def Con, the international hacker meeting in Las Vegas, and showed their systems’ ability to automatically identify and fix software flaws and maintain their own correct operation while scanning the CGC network to identify and exploit vulnerabilities in the other systems, Walker said.
“This changes the idea of zero-day exploits and causes one to think in terms of zero-second or zero-minute exploits,” the DARPA director said.
After the CGC’s success, the agency is looking for ways to rapidly move the experiment into an operational capability, he added.
“Google and Microsoft are already employing some of these techniques and moving the technology forward,” Walker said, noting that DARPA is transitioning it to other parts of the government.
“You can imagine using it before we deploy a software product to test that software product against many different exploits,” he said, “and using it in sort of a pre-defense way as well.”
To allow operations to continue during cyber-attacks, DARPA is developing technologies to rapidly detect, isolate and characterize cyber-attacks on the electric power grid, Walker said.
“The goal of our program is to, without … security upgrades or utility deployments prior to an attack, use skilled cyber and power engineers to restore power within seven working days after a cyber-attack that overwhelms conventional recovery operations,” he added.
The program is working on anomaly-detection technologies that are sensitive but have low false-alarm rates in a U.S. power grid system that’s made up of more than 3,500 different grids, Walker said.
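The tension Walker describes, a detector sensitive enough to catch grid manipulation but quiet enough that operators trust it, is easy to make concrete. The following is an added illustration, not DARPA program code: a median/MAD anomaly scorer fitted to a constructed window of nominal line-frequency readings, then evaluated on a constructed labelled stream at two alert thresholds so the detection rate and false-alarm rate can be compared side by side. All readings, labels and thresholds are invented for the example.

```python
"""Detection rate vs. false-alarm rate for a simple telemetry anomaly detector.

Added example with constructed data; it is not DARPA's or any utility's code.
Scores are expressed in units of the median absolute deviation (MAD), which is
robust to a few contaminated samples in the baseline window. The usual 1.4826
scaling to a standard-deviation estimate is deliberately omitted for clarity.
"""
from statistics import median

# Constructed baseline window: 20 line-frequency readings (Hz) assumed normal.
BASELINE = [60.00, 60.01, 59.99, 60.02, 59.98, 60.00, 60.01, 59.99, 60.00, 60.02,
            59.98, 60.01, 60.00, 59.99, 60.01, 60.00, 59.98, 60.02, 60.00, 59.99]

# Constructed labelled stream: (reading in Hz, is_attack). The attack readings
# model deliberate frequency manipulation; 60.04 is a subtle case that a
# strict threshold will miss.
STREAM = [
    (60.00, False), (60.01, False), (59.98, False), (60.02, False), (59.99, False),
    (60.00, False), (60.03, False), (59.97, False), (60.01, False), (60.00, False),
    (59.40, True),  (60.70, True),  (59.85, True),  (60.04, True),
]


def fit_baseline(values):
    """Return (median, MAD) from a window of readings assumed to be normal."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        raise ValueError("baseline has no spread; cannot scale anomaly scores")
    return med, mad


def anomaly_score(value, med, mad):
    """Distance from the baseline median, in MAD units."""
    return abs(value - med) / mad


def evaluate(stream, med, mad, threshold):
    """Return (detection_rate, false_alarm_rate) when alerting above threshold."""
    true_pos = false_pos = attacks = normals = 0
    for value, is_attack in stream:
        flagged = anomaly_score(value, med, mad) > threshold
        if is_attack:
            attacks += 1
            true_pos += flagged
        else:
            normals += 1
            false_pos += flagged
    return true_pos / attacks, false_pos / normals


def tradeoff(stream, baseline, thresholds):
    """Map each threshold to its (detection_rate, false_alarm_rate) pair."""
    med, mad = fit_baseline(baseline)
    return {k: evaluate(stream, med, mad, k) for k in thresholds}


if __name__ == "__main__":
    for k, (tpr, far) in tradeoff(STREAM, BASELINE, (2.5, 5.0)).items():
        print(f"threshold {k:>4} MAD: detection {tpr:.2f}, false alarms {far:.2f}")
```

Lowering the threshold from 5 to 2.5 MAD catches the subtle manipulation but raises the false-alarm rate from zero to one alert in five normal readings; on a system of thousands of grids that rate is what decides whether engineers keep acting on the alerts.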
DARPA is also working on network isolation and threat-characterization technologies for cyber systems that include normal information technology and integrated control systems hardware and software, he said.
Plan X is DARPA’s first-generation cyber mission framework tool to help mission commanders, planners and operators collaborate, understand, plan and manage cyber operations in real time against large-scale and dynamic network environments at tactical and strategic levels, Walker said.
Plan X was a DARPA effort to create for the first time a common operating picture for warriors in cyberspace. Related DARPA programs include Enhanced Attribution and the Network Defense Program.
Enhanced Attribution’s goal, Walker said, is to make opaque, malicious cyber-adversary actions transparent and to enable attribution of individual cyber operators by providing visibility into all aspects of malicious cyber actions.
The Network Defense Program “has developed algorithms and data-analysis tools that enable cyber situational awareness for identifying illicit behavior in networks. This is the program that we see now transitioning to U.S. Cyber Command,” he added.
“Where I think we’re headed at DARPA in the Winning in the Cyber Domain set of programs is what I’m loosely referring to as creating a cyber system-of-systems approach,” Walker explained.
“By that I mean taking many of the technologies, tools and programs that I’ve discussed today and putting them together into sort of a national network defense system for cyber security, and potentially a cyber warfare combat system for cyber response,” he said, noting that such a defense system would be voluntary, and domains and specific networks could sign up.
The system, Walker explained, would enable real-time monitoring of hundreds of U.S. internet domains to discover botnets, understand the command-and-control status of servers, correlate adversary probing of U.S. enterprise networks, provide indications and warning of enterprise network compromises and coordinate a national response to adversary activities on U.S. networks and domains.
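One of the capabilities listed above, correlating adversary probing across many participating enterprise networks, is what a single network cannot do on its own: a source that touches one network once looks like noise, while the same source refused by several networks is an indication worth a warning. The code below is an added example, not part of Plan X, the Network Defense Program or any DARPA system, and the log lines, network names and addresses are constructed (the addresses are from the RFC 5737 documentation ranges).

```python
"""Cross-network correlation of refused connection attempts.

Added example with constructed log lines; not DARPA or DoD code. Each line has
the hypothetical format "<network> <src_ip> <dst_port> <result>", as a central
collector might receive from voluntarily participating networks.
"""
from collections import defaultdict

# Constructed connection-log lines from three hypothetical participating networks.
LOG_LINES = [
    "netA 203.0.113.7 22 refused",
    "netA 203.0.113.7 445 refused",
    "netB 203.0.113.7 22 refused",
    "netC 203.0.113.7 3389 refused",
    "netA 198.51.100.9 443 accepted",
    "netB 198.51.100.9 443 accepted",
    "netC 192.0.2.44 22 refused",
    "netC 192.0.2.44 23 refused",
    "netB malformed line",
]


def parse_line(line):
    """Parse one log line; return (network, src_ip, dst_port, result) or None."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return None  # skip malformed input rather than crash the collector
    network, src_ip, dst_port, result = parts
    return network, src_ip, int(dst_port), result


def correlate_probes(lines, min_networks=2):
    """Return sources whose refused attempts span at least min_networks networks.

    Result maps src_ip -> {"networks": [...], "ports": [...]}, both sorted.
    Accepted connections are not counted as probing.
    """
    networks_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "refused":
            continue
        network, src_ip, dst_port, _ = rec
        networks_by_src[src_ip].add(network)
        ports_by_src[src_ip].add(dst_port)
    return {
        src: {"networks": sorted(nets), "ports": sorted(ports_by_src[src])}
        for src, nets in networks_by_src.items()
        if len(nets) >= min_networks
    }


def warnings(lines, min_networks=2):
    """Render one indications-and-warning line per correlated source."""
    return [
        f"WARNING {src} probed {len(info['networks'])} networks "
        f"({', '.join(info['networks'])}) on ports {info['ports']}"
        for src, info in sorted(correlate_probes(lines, min_networks).items())
    ]


if __name__ == "__main__":
    for w in warnings(LOG_LINES):
        print(w)
```

With the constructed data only 203.0.113.7 is reported: 192.0.2.44 probed a single network and 198.51.100.9 completed ordinary connections. Raising `min_networks` is the knob that trades coverage for fewer warnings, the same sensitivity versus false-alarm tradeoff Walker raised for the grid program.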
“The likelihood of an adversary being discovered on our networks by such a defensive system, and being able to attribute adverse cyber actions to that adversary, will have a strong deterrent effect on future attackers,” he added.
One gateway to creating such a system is called CHASE, for Cyber Hunting at Scale, which will take DARPA’s work on network defense and scale it up to the DoD Information Network, Walker said.
“We're working now with [the Defense Information Systems Agency] and Cybercom on that new program,” he said.