To date, cybersecurity has largely been reactive — stopping infiltrators before they can do too much damage to a system. A new initiative from the Intelligence Advanced Research Projects Agency is trying to get ahead of the next attack by combining traditional security techniques with information culled from unconventional sources to block currently unknown threats.
The Cyberattack Automated Unconventional Sensor Environment (CAUSE) is a framework for coupling known threat indicators — whether internal or through shared information environments — with external information sources such as social media and search engine trends.
The goal is to create an automated "probabilistic warning system" to identify new attack vectors as they emerge.
"Cyberattacks evolve in a phased approach," according to a broad agency agreement (BAA) announcing the program, which notes detection usually happens in later phases of an attack. "Observations of earlier attack phases, such as target reconnaissance, planning and delivery, may enable warning of significant cyber events prior to their most damaging phases."
IARPA will be offering funding to foster the development of these systems. The amount of funding released will be determined based on the number of proposals that make it through the first phase of the program, slated to begin in February.
One of the biggest challenges in creating an early warning system using outside data sources will be cutting through the noise.
The unconventional sensors — large, freely available data streams that aren't traditionally used for cybersecurity — churn out tons of data on a daily basis, most of it irrelevant to security issues.
Following conventional cybersecurity chatter on Twitter won't be enough. A system will be judged on how it chooses sensors and culls out the pertinent information.
"Information extracted from social media has been useful in forecasting non-cyber events and is expected to be useful in the cybersecurity domain as well," the BAA notes. "However, it is expected that an offeror's complete solution will extend its unconventional sensor exploration beyond just social media."
IARPA suggests looking at sources beyond cyberspace, as well, such as economic trends and cultural shifts.
Developers that make it through this first phase will be granted access to internal threat data maintained by participating companies in a second and third phase. The projects will have to merge the internal and external data sources into a single automated system and run tests against simulated cyberattacks.
The entire process — all three phases — is expected to take three and a half years.
IARPA plans to release multiple funding awards through the BAA, as well as procurement contracts for successful tools. The competition is open to commercial vendors, research and academic institutions, government agencies and federally funded research and development centers.
Those interested should submit a preliminary proposal to IARPA by Sept. 14.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.





