Understanding that cyberspace had become a warfighting domain, DARPA initiated the Plan X program in late 2012 to create a mission command system on which the military can plan, conduct, and assess cyberwarfare in a manner similar to kinetic warfare. DARPA coordinated closely with multiple DOD cyber stakeholders, most notably U.S. Army Cyber Command (ARCYBER), to develop the Plan X prototype system. In 2017, according to an article posted on the U.S. Army website by ARCYBER, “Plan X is a battle command system for cyberspace operations which possesses technology that firmly places our forces at significant advantage in cyberspace.”10
The DARPA Cyber Colloquium was a bright signal to the broad U.S. cyber R&D community that DARPA would bring its unique project-centric approach to the development of future cyber capabilities, both defensive and offensive.
Recognizing the need to engage cyber attackers at machine speed rather than human speed, DARPA created and executed the Cyber Grand Challenge (CGC) program to automate the process of finding, fixing, and exploiting software vulnerabilities. CGC featured a capture-the-flag-style competition in which so-called Cyber Reasoning Systems devised by the CGC teams competed to find and patch flawed code and to prove the inefficacy of opponents’ defenses. The Cyber Reasoning Systems were put to the test at DARPA’s CGC Final Event – the world’s first automated hacking tournament – before a DEF CON conference audience in Las Vegas on Aug. 4, 2016. All seven Cyber Reasoning Systems competing in the finals succeeded in automatically identifying and fixing software flaws, sometimes within seconds of the organizers introducing a new piece of software.
U.S. commercial and government networks are subject to nearly continuous cyber attack. DARPA is developing automated, scalable algorithms that identify anomalous behavior in networks indicative of these threats and the security compromises that can result. These methods triage events, classify known threats, and identify novel threats to dynamically detect attacks. DARPA is also tackling the challenge of real-time monitoring and defense of even the largest enterprise networks such as those in the DOD.
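As an added illustration of the triage, classify, and detect pipeline described above (this is not code from any DARPA program), the sketch below runs a per-host traffic baseline and an indicator list over constructed flow summaries. The host names, thresholds, indicator list, and addresses (drawn from the RFC 5737 documentation ranges) are all hypothetical; a known indicator match is classified as a known threat, a large transfer to a never-seen destination is flagged as novel, and weaker deviations are queued for review.

```python
"""Minimal network anomaly triage over constructed flow records.

Three stages mirror the text: triage each event, classify known threats
against an indicator list, and flag novel behaviour by statistical
deviation from a per-host baseline. Added example, not DARPA code.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (host, dst_ip, dst_port, bytes_out) per flow.
# Addresses come from the RFC 5737 documentation ranges; nothing here is real.
BASELINE_FLOWS = [
    ("ws-01", "203.0.113.10", 443, 1000),
    ("ws-01", "203.0.113.20", 80, 1200),
    ("ws-01", "203.0.113.10", 443, 900),
    ("ws-01", "203.0.113.20", 80, 1100),
    ("ws-01", "203.0.113.10", 443, 800),
    ("ws-01", "203.0.113.20", 80, 1000),
]

RECENT_FLOWS = [
    ("ws-01", "203.0.113.10", 443, 1050),      # ordinary, inside baseline
    ("ws-01", "198.51.100.7", 443, 900),       # hits the indicator list
    ("ws-01", "192.0.2.55", 8443, 48_000_000), # huge upload to a new host
    ("ws-01", "203.0.113.30", 443, 950),       # new destination, normal size
    ("ws-02", "203.0.113.10", 443, 1000),      # host with no baseline yet
]

# Hypothetical threat-intelligence indicator list (constructed).
KNOWN_BAD = {"198.51.100.7"}


def build_baseline(flows):
    """Per-host mean/stddev of bytes_out plus the set of (dst, port) seen."""
    per_host_bytes = defaultdict(list)
    per_host_dsts = defaultdict(set)
    for host, dst, port, nbytes in flows:
        per_host_bytes[host].append(nbytes)
        per_host_dsts[host].add((dst, port))
    return {
        host: {"mean": mean(b), "std": pstdev(b), "dsts": per_host_dsts[host]}
        for host, b in per_host_bytes.items()
    }


def triage(flows, baseline, known_bad, z_threshold=3.0):
    """Return (category, host, dst, port, reason) for every flow worth a look.

    category is "known" (indicator match), "novel" (large deviation to an
    unseen destination) or "review" (a single weak signal). Flows that
    match nothing are dropped, which is the triage step.
    """
    findings = []
    for host, dst, port, nbytes in flows:
        if dst in known_bad:  # classify against known threats first
            findings.append(("known", host, dst, port, "destination on indicator list"))
            continue
        base = baseline.get(host)
        if base is None:  # cannot score a host we have never profiled
            findings.append(("review", host, dst, port, "no baseline for host"))
            continue
        std = base["std"] or 1.0  # avoid division by zero on constant hosts
        z = (nbytes - base["mean"]) / std
        new_dst = (dst, port) not in base["dsts"]
        if z > z_threshold and new_dst:
            findings.append(("novel", host, dst, port,
                             f"{nbytes} bytes to unseen destination, z={z:.1f}"))
        elif z > z_threshold or new_dst:
            findings.append(("review", host, dst, port,
                             "unseen destination" if new_dst else f"volume z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in triage(RECENT_FLOWS, build_baseline(BASELINE_FLOWS), KNOWN_BAD):
        print(finding)
```

The ordering matters: indicator matches are cheap and unambiguous, so they are classified before any statistics run, and the statistical stage only ever sees traffic that no signature explained. Scaling this to an enterprise means replacing the in-memory lists with streaming aggregates, but the decision structure stays the same.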
Vulnerabilities in the cyber domain are only increasing. Consumer imaging products, such as smartphones, have become ubiquitous, and it is estimated that about 2 billion images and videos are uploaded to social media every day. At the same time, a growing proportion of this visual media has been manipulated. Many manipulations are benign, performed for fun or for artistic value, but some serve adversarial purposes, such as propaganda or disinformation campaigns. The forensic tools available today for detecting manipulation lack robustness and scalability and address only some aspects of media authentication; an end-to-end platform that performs a complete and automated forensic analysis does not exist. DARPA is leveling the playing field, which currently favors the image manipulator, by developing technologies for the automated assessment of the integrity of an image or video.11
Vision of Cyber Future
Deterrence of any attack depends on several factors, most importantly the adversary’s estimate of the probability that the attack succeeds, of the benefit it would yield, and of the costs that our response would impose. It is prudent to assume that potential adversaries work to refine these estimates by probing our defenses and observing our offensive capabilities. In cases where deterrence is reliable, that is, where the costs to the adversary are likely to exceed the benefits, we may find it advantageous to assist the adversary in estimating these probabilities. We might achieve this by way of, for example, a demonstration of offensive capability. In cases where deterrence is not reliable, that is, where the probability that the benefits outweigh the costs is high enough that an adversary might rationally contemplate proceeding with an attack, it will be advantageous to hinder the adversary’s ability to estimate these probabilities.
Deterrence in the cyber domain is proving to be even more complex than in the traditional warfighting domains due in large part to the following three factors:
- An exponentially growing domestic attack surface: Our modern society depends on information and information systems, and information technology (IT) is deeply embedded in critical infrastructure, commercial services, cyber-physical systems, and other components of the constructed landscape. Our dependence on IT and the cyber domain is growing exponentially both in terms of scale (i.e., number of users/hosts, number of networks and network nodes, volume of storage) and in terms of the complexity of the applications (e.g., self-driving cars and other autonomous systems). Few of these systems are resilient to cyber attack, and so they present an inviting attack surface for potential adversaries. Metaphorically, we have built for ourselves a “cyber glass house” at which adversaries may freely cast stones, and we want our house to be resilient against these attacks. The way we construct our cyber structures, therefore, plays a foundational role in determining how resilient these structures will be amidst those who will throw stones.
- Lack of visibility and limited intelligence: Many intrusions, in particular those by so-called advanced persistent threats, remain undiscovered for extended periods, while other attacks have never been conclusively attributed even after significant forensic effort. As a result, it is difficult, if not impossible, to estimate with confidence the cyber capabilities of a potential cyber adversary. Moreover, while defensive cyber technology development is a large and growing commercial activity, offensive cyber technology is typically developed in secret by both nation-states and diverse criminal enterprises; the potential for technological surprise by one or more of these entities cannot be ignored. In the cyber domain, we need far greater visibility into and situational awareness of adversarial activity. We need to know who is throwing stones against our house.
- Empowered adversaries that act with impunity: Software is the ultimate democratic technology. It is proving to be an easily wielded weapon for adversaries ranging from so-called “script kiddies” to peer-nation intelligence agencies. These adversaries are empowered by the ability to re-use readily available malware, to access large-scale computing resources – both legal (commercial cloud) and illicit (botnets) – and to hide their activities in the flood of internet communications and transactions. Few cyber attackers ever suffer any consequences, and so they act without restraint.