Army Gears Up To Battle for Cyber Resilience
ARL research taps existing areas while breaking new ground.
The U.S. Army is attacking defensive cyber operations from the laboratory. It is focusing new research efforts, including autonomous network agents, on ensuring cyber resiliency in the battlespace.
Some of this work builds on related efforts long underway at the Combat Capabilities Development Command Army Research Laboratory (ARL). Other thrusts aim at exploiting capabilities that are within reach but not yet ready to field. Still others are research areas given greater emphasis to reflect the more urgent need for cyber resilience.
Alexander Kott, chief scientist of the ARL and Army ST—senior research scientist—for cyber resilience, has just begun reshaping ARL research to reflect this new mission. What comes out of the lab could have significant ramifications for the civilian world as well as the military.
“This is a whole world of interesting opportunities,” Kott says.
“Most of the cyber assets and networks in our society are highly vulnerable to a variety of attacks,” he states. These run the gamut from complex assaults to unsophisticated attacks. As mobile assets proliferate, devices and systems are increasingly vulnerable to cyber attacks. He points out that most assets on which people rely, such as cellphones and tablet devices, are relatively disadvantaged. Many people do not realize that they tend to be in close proximity to cyber adversaries, so it is relatively easy for both parties to achieve some form of contact.
Most of all, people generally are not trained cyber defenders, Kott observes. This applies to both civilian and military personnel.
Kott points out that cyber resilience is especially important for the Army as the service relies on cyber operations to an increasing degree. The Defense Department describes cyber resilience as the ability of systems to resist, absorb and recover from or adapt to an adverse occurrence during operation. Accordingly, the Army must be able to continue to carry out its mission when its cyber systems are compromised or under attack. This includes being able to return a system to “a reasonable degree of performance” as soon as possible, he notes.
“Hoping for some kind of a centralized continuous monitoring and defense by a third party is often unrealistic,” Kott observes. “One of the first things a sophisticated cyber attacker will do is disable the ability to communicate reliably with those third-party defenders.” This applies to managed cyber defense service providers in both the civilian and military worlds, and to the commercial software suppliers that complement them by sending upgrades and security patches. “A successful cyber attack would make sure that those third-party remote services will not be easily available to us, or they will be spoofed in some way,” he states.
Moving ahead in cyber resilience will require overcoming two hurdles that double as opportunities. The first is a quantitative one. “We need to learn how to measure cyber resilience,” Kott states. He adds that no engineering discipline ever has achieved any degree of maturity and sophistication without determining how to measure its properties. Yet, no one seems to have any method for measuring or even quantifying cyber resilience. “It will be cyber resilience engineering when we learn how to measure cyber resilience,” he declares. “That means we need rigorous tools that can measure cyber resilience. Only then can we actually improve our cyber resilience.
“Once we have the means for measuring how good our cyber resilience is, we will be able to make much more impactful progress in it,” he warrants.
The second big hurdle facing cyber resilience is the need for autonomous artificially intelligent agents to execute actions for resisting, observing and recovering from cyber compromises, Kott says. He offers that the reliance on human cyber defenders is economically and technically inefficient. This is not to imply that highly intelligent humans are unnecessary for cyber defense, he emphasizes. Rather, people need to be reinforced with greater numbers of autonomous artificial cyber defense agents. Industry is moving in this direction, he notes, albeit “slowly and hesitantly.”
Security orchestration, automation and response (SOAR) technologies are an integrated collection of tools that help human defenders respond in a centralized manner to security compromises. Yet, these are not foolproof, Kott says, adding that a more aggressive move in that direction is necessary. This would include making SOAR tools more intelligent, so they could address unpredictable combinations, and making them available locally on sub-networks.
One ARL effort focuses on tactical autonomous intelligent agents for cyber defense. The overwhelming majority of today’s cyber defense tools are “watchers,” Kott says. If they see an anomaly, they alert the user or network manager to what they see. But as effective and important as these watchers are, they are not “doers,” he points out. They do not engage in the activities that are most important for cyber resilience, leaving that action to the human they’ve just alerted. “This does not bring us cyber resilience,” Kott maintains.
Effective cyber resilience defense tools must be active fighters, not merely watchers, he continues. These active fighters must take independent, intelligent actions to maintain systems’ resilience against compromises. Accordingly, they must have a significant degree of autonomy, via artificial intelligence, to be able to respond rapidly to a compromise. They also must be able to absorb the compromise, and at least partially recover from it—and quickly, Kott adds. The speed necessary for these actions often requires “the absence of human involvement at time scales humans cannot support,” he points out.
This mandates intelligent analysis of risks and ramifications of the actions the agents are trying to take, Kott says. He adds that research into these types of agents is beginning to emerge, but again it is “somewhat hesitant.” This hesitance comes from the inability to guarantee that the actions of an autonomous intelligent cyber defender will not cause undesirable ramifications. “Anyone doing something inevitably takes risks, and there is a risk that the actions of [this type of] agent will do something that we don’t want to happen,” he admits.
These potential ramifications include breaking software, crashing a network or corrupting data. The probability may be low, but it cannot be counted out. For that matter, human cyber defenders can pose the same risk, he points out. This risk must be weighed against the negative consequences from not taking action or from waiting until humans can respond, he adds.
Gaps, challenges and opportunities abound, but Kott notes that the detailed issues facing Army cyber resilience differ from those of the other services. At the ARL, researchers already are working on a number of projects, some of which will be enhanced or strengthened.
One project is the Cyber Collaborative Research Alliance, which comprises government, academia and industry. This alliance aims to create the foundations of cybersecurity science, a field that includes cyber resilience. Kott wants to see more work in that direction, including rigorous analysis and design of deception techniques aimed at the cyber attacker. The goal is to make the intruding cyber attacker unproductive, he explains. These deceptions could be linked to physical military deceptions.
Cyber deception is inseparable from physical military deception, Kott continues. This includes electronic warfare and electromagnetic operations, and clever tactics would integrate cyber and electronic warfare.
Another goal under development is the ability to learn how the adversary operates once inside the network. That would allow defensive operations that parry the adversary’s thrusts, Kott notes. This will require building rigorous theory and experimental methods to support this approach to cyber resilience.
The ARL also is working on a project called tactical autonomous active defense. This effort is focusing in particular on defending military vehicles, and Kott offers that some of the ideas emerging from this work are beginning to look like autonomous intelligent agents. The laboratory is starting a multi-university research effort on cyber autonomy, which may include performing sophisticated deception via continuous learning and observation from another perspective.
Some ongoing ARL research already touches upon cyber resilience issues. Multidimensional cyber intrusion detection and analysis has been an area of active research for several years, Kott allows. Network resilience also has been an ARL research focal point for some time.
The ARL has extensive collaborative efforts with academia and industry for research into autonomous agents, and some of this work can be applied to cyber resilience. The laboratory recently awarded $3 million to industry and academia partners for a program on autonomy enterprise—Scalable, Adaptive and Resilient Autonomy, or SARA. This focuses on autonomous mobility, but Kott emphasizes that its research also is important for cyber autonomy. The ARL is seeking input from existing and new industry partners, including international partners, on that topic.
Other cyber resilience efforts link the virtual with the physical. “We believe that the resilience of our computers is inseparable from the resilience of networks,” Kott says. “If we don’t have communications, it is even more difficult to achieve resilience of individual nodes. Therefore, we invest heavily into more resilient [communication] networks, and a major path toward resilience of networks is heterogeneity of these networks using a variety of channels where we can jump from one type of physical channel to another—not just radio frequency, but also other types of channels used in communications,” he states. Intelligent, clever and deceptive switching between those channels would help achieve this goal.
The ARL's Dr. Alexander Kott joins DISA's Maj. Gen. Garrett Yee, USA, and the GAO's Dr. Tim Persons in a webinar on how to achieve cyber resilience nationally. You can view the forum at https://afcea.informz.net/AFCEA/pages/SIGNAL_Webinar_Series