DISA Harnesses AI to Boost Cyber Defense
DISA is relying on artificial intelligence resources from DOD's Joint Artificial Intelligence Center and industry in some new efforts.
The Defense Information Systems Agency, known as DISA, is expanding its artificial intelligence (AI) efforts through a research agreement and a new pilot program. While both efforts are in the beginning stages, the agency is considering how it might apply these AI capabilities to network defense—among other areas the agency is separately pursuing—as it conducts its daily 24/7 mission of protecting the Department of Defense Information Network, or DODIN.
The agency entered into a Cooperative Research and Development Agreement, or CRADA, with Vienna, Virginia-based software company NT Concepts to apply machine learning (ML) to defensive cyber operations.
“The focus of the CRADA is to evaluate NT Concepts’ Machine Learning Operations (MLOPs) life cycle to methodically identify candidate state-of-the-industry machine learning technologies,” explained Roy Hendrix, Global Change and Configuration Branch chief at DISA’s Enterprise Engineering and Governance Directorate. “The goal is to determine how these technologies can be employed to deliver operational insights and strengthen DODIN cyber defense mechanisms.”
Stuart Timerman, former director of DISA’s Development and Business Center, signed the agreement with the company in May. Hendrix, who is the principal investigator on the CRADA, had championed its preparations over the last year—along with Quanita Bost, DISA’s CRADA manager—helping to scope the three-year effort and define possible use cases.
“The [plan for the] first of several use cases is to automate, better utilize cyber analyst time, harness data as a strategic asset and avoid the ‘needle-in-a-haystack’ problem,” Hendrix said. “We want to tap data sources once, leverage AI/ML computing capabilities to automate data pipelines, and use them for both performance and cybersecurity. The data will provide valuable insights into correlating events and are considered to be on the same side of the coin—not the opposite.”
“NT Concepts is pleased to collaborate with DISA on this mission-critical defensive cyber operations AI/ML pilot,” added Darin Powers, president and chief operating officer of NT Concepts. “Our goal is to provide DISA’s defensive cyber analysts with tools that increase the security of DoD Networks.”
Moreover, the CRADA effort will contribute to the agency’s employment of zero-trust architecture. DISA has spent the last year and a half focusing on zero trust, releasing in December an updated reference architecture developed with the National Security Agency, the Department of Defense (DoD) chief information officer and others. The construct is meant to ensure the identification and authentication of all users and devices connecting to the DODIN, which will bring more security, flexibility, enhanced device use and faster data access for DoD warfighters. CRADA’s examination will possibly provide insights into how ML capabilities can aid the defense of the DODIN in conjunction with zero trust.
“The end state goal is to drive DISA towards true zero trust [architecture] using data-driven decision making,” Hendrix noted.
In addition, DISA is embarking on a new pilot program to evaluate other AI/ML components that can be applied to cybersecurity. In its initial stages, the new pilot at DISA’s Emerging Technology Directorate is meant to apply AI/ML capabilities to detect cyber anomalies and adverse activity, and offer incident response guidance, stated Deepak Seth, chief engineer, who is the technical lead for the directorate’s pilot.
The pilot team is beginning with some exploratory data analysis to see where exactly to apply the algorithms, he shared. Seth expects the effort to run over the next six-to-nine months.
“We are in the early stages of exploring AI,” explained Seth in an interview with SIGNAL Magazine. “We're trying to apply AI primarily towards cyber event detection and incident response, which traditionally have been manual activities for our analysts,” he said. “Today, the analysts have to basically comb through a tremendous volume of cyber sensor data. It is very time-consuming and often riddled with false positives. So, we are trying to see if AI can really provide us with some additional breakthrough capabilities in the area of cyber defense.”
Regarding the consideration of the AI-related cyber incident response capabilities, the pilot team will examine historic cyber data sets to see if the solutions can deliver the same type of responses that humans provide. “What can the machine tell us?” he asked. “[With] any of the AI models or algorithms that are trained on historic DISA data, can we use those to make some kind of predictions that we can use to assist analysts in incident response and investigations?”
For the necessary AI-related infrastructure, the agency is turning to the DoD’s Joint Artificial Intelligence Center, known as JAIC, to provide the key components, including the Joint Common Foundation (JCF), a cloud-based platform, other tools and expertise, Seth said.
“To be able to do AI, we needed an AI development environment or an AI platform,” he offered. “One of the decisions we made early on was that instead of building our own environment or AI development platform, we would utilize the JAIC’s Joint Common Foundation. So, we're working with them to leverage their cloud-based infrastructure, their data science tools and services. We want to be able to use the joint foundation for doing our AI development and then create a capability, deploy it inside DISA and apply it to the data being collected from the big data platforms. We’ve got the initial building blocks that we need.”
The JAIC, led by Lt. Gen. Michael Groen, USMC, is now under the authority of the deputy secretary of defense, aiding DoD’s effort to be “AI ready” by 2025 and elevating the access to the tools and processes to reinforce AI priorities.
DISA and JAIC have worked closely over the last two years building their relationship, according to both parties. “The JAIC and DISA partnership is a strong one,” Gen. Groen emphasized. “DISA is leveraging the JAIC's Joint Common Foundation and its DevSecOps [development security operations] environment to build and train their models and is advancing network intrusion detection through the creation of labeled datasets. Additionally, the JAIC has been developing, testing and piloting a platform for cyber data normalization and analytics orchestration that enables scalable analytics at near real-time speeds. It allows for reusing existing capabilities developed by the cyber community, academia, or acquired from the commercial sector. Keeping our data, algorithms architecture and interfaces protected is an absolute priority for the whole team. We are focused on mission assurance and mission accomplishment.”
Gen. Groen confirmed that the JCF reached Initial Operating Capability in March 2021 and its use has quickly grown. “We have over a hundred users and several major AI projects on board,” the general noted. “As a relatively new capability for the DoD, early adopter partnerships and projects such as DISA's Emerging Technologies pilot program are perfect for maturing our development environment. The JCF provides great capabilities to DISA developers, and benefits from feedback from data scientists, AI engineers and end users to make our services better. DISA and JAIC are on this journey of transformation together.”
“The JCF actually gives us a number of benefits,” Seth continued. “Instead of actually building our own environment, we're able to take advantage of all the tools available in the JCF. We are also able to take advantage of all the security controls. All these combined capabilities significantly reduce the time it takes for our data scientists and our engineers at DISA to deploy and operationalize AI capabilities.”
In addition to the Operations Directorate Group, the Cyber Development Directorate and the Risk Management Executive for data protection may also develop possible use cases for the pilot’s evaluation, a DISA spokesperson confirmed.
“Through AI, we can detect and discern any malicious behavior much more efficiently compared to traditional approaches, and it can be done at greater speeds and greater accuracy than humans can,” Seth concluded. “And so, what we're hoping through this pilot is that we will be able to prove out some of these benefits.”