A Competition to Anticipate Cyber Attacks
It seems not a week goes by without another report of cyber criminals making off with hordes of stolen data. In early March, Mandarin Oriental International revealed that its credit card system had been compromised, the latest in a line of global companies that have suffered large, costly security breaches.
Worldwide, the British insurance company Lloyd’s estimates cyber attacks cost the private sector $400 billion a year. It is a symptom of our technological age that today’s smartest and most successful thieves steal numbers instead of cold, hard cash. Given the persistent threat, the private sector is working overtime to guard its data, and it is with data that businesses might enjoy a heads up the next time thieves are about to start picking the digital locks.
The Office for Anticipating Surprise, a part of the U.S. Intelligence Advanced Research Projects Activity (IARPA), has kicked off a competition to develop a system for anticipating cyber attacks. This competition is part of IARPA’s Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program, which seeks to predict and prevent attacks rather than just analyze the aftermath, as many current cyber efforts do. From the agency’s website:
“Anticipated innovations include: methods to manage and extract huge amounts of streaming and batch data, the application and introduction of new and existing features from other disciplines to the cyber domain, and the development of models to generate probabilistic warnings for future cyber events.”
Importantly, these technological innovations are not expected to replace the human element in cybersecurity. CAUSE program manager Rob Rahmer says the goal is “to assist in making sense of the massive amount of information available.” This is the Big Data challenge in a nutshell—we possess vastly more data than we can hope to understand, and the data vaults continue to fill at an exponential rate. Just imagine all the innovations and insights waiting to be uncovered. Rahmer and IARPA are imagining too.
The results of IARPA’s competition could be the cyber equivalent of the National Oceanic and Atmospheric Administration’s (NOAA) post-tropical storm tracking and warning system, which relies on masses of current and historical data to anticipate a storm’s trajectory.
Knowing where and when a devastating storm will come ashore allows residents and communities to prepare accordingly and if necessary - evacuate. This type of data-driven knowledge saves lives.
Like severe weather, cyber attacks can have potentially lethal consequences. An attack on a water treatment plant could deprive entire cities of clean water; an attack on a nuclear power facility could have even more dire effects. Thus, being able to anticipate cyber attacks can save lives as well as their financial holdings.
Beyond cybersecurity, IARPA has numerous other “predictive intelligence” projects. In February 2014, the agency launched Investigating Novel Statistical Techniques to Identify Neurophysiological Correlates of Trustworthiness (INSTINCT), which was focused on using physiological data to predict behavior and assess trustworthiness. (The winners, from BAE System’s Adaptive Reasoning Technologies Group, dubbed their solution Joint Estimation of Deception Intent via Multisource Integration of Neuropsychological Discriminators, or JEDI MIND.) [I guess the Force was with them…]
Meanwhile, IARPA also launched Foresight and Understanding from Scientific Exposition (FUSE), which analyzes a range of data (e.g., academic journals, patent filings) to predict which emerging innovations will mature into world-changing technologies. The agency’s Forecasting Science and Technology Program polls tens of thousands of experts to gauge “accurate forecasts for significant science and technology (S&T) milestones.”
These are inspiring, admirable, and worthwhile projects, but predictive analytics is not a perfect science. NOAA knows this all too well, criticized as it has been for its inaccurate weather forecasts.
Cyber attacks are more difficult still to predict. Hurricanes are unthinking forces of nature. Cyber criminals, however, are adaptive, tactical and inherently strategic. Our cyber adversaries are being innovative too, striving to outthink the growing cybersecurity industry. It is an endless game of cat and mouse, with cyber defenders working to keep up with the evolving threat.
Nevertheless, despite the imperfections, NOAA’s predictive analytics have saved lives, and IARPA’s projects may well do the same. It is a sweet piece of irony that cyber criminals can be undone by the very thing they seek to steal—data.