
Constellation Aligns Stars for Cyber Tech Transition

DARPA and U.S. Cyber Command forge a path across technology’s death zone.

Under the Constellation program, the Defense Advanced Research Projects Agency (DARPA) and U.S. Cyber Command are creating a shortcut for delivering cyber technologies from the laboratory to the cyber battlefield. The program is designed to speed the adoption of new capabilities, improving cybersecurity for the command, the Defense Department and ultimately, the nation.

DARPA and Cyber Command announced the initiation of the Constellation pilot project in November. “In the research and development community, the ‘Valley of Death’ is a metaphor commonly used to describe the most difficult phase of transitioning a prototype to an operational capability,” according to a written announcement. “Fostering an agile-style pipeline from research to operations becomes essential to addressing the challenges the Department of Defense faces when developing software systems, such as rapidly evolving technology and acceptance and usability for both expert and non-expert providers.”

Officials with both organizations have since spent several months laying the groundwork: putting in place the contractual framework and paperwork, identifying key players and points of contact, and deciding on three initial pilot projects with relatively mature technologies. One of those pilots is too operationally sensitive for officials to discuss openly. “One of the things that’s unique with Constellation is it’s not just unclassified programs or unclassified efforts. So, of course, there are going to be some sensitivities with a variety of products,” explained Joshua Wick, a public affairs official with U.S. Cyber Command.

Of the two pilot projects that can be openly discussed, the first is a long-range effort that will run the entire four-or-five-year duration of the initial Constellation tranche. It focuses on systems engineering, identifying best practices and understanding what does and doesn’t work, explained Tejas Patel, DARPA’s Constellation program manager.

The third pilot focuses specifically on capabilities developed under two DARPA programs: Cyber Hunting at Scale (CHASE) and Enhanced Attribution.

The CHASE program, which Patel also manages, seeks to develop automated tools to detect and characterize novel attack vectors, collect the proper contextual data and disseminate protective measures both within and across enterprises. CHASE aims to prototype components that enable network owners to reconfigure sensors and propagate protective measures at machine speed with appropriate levels of human supervision, according to DARPA’s CHASE website.

Enhanced Attribution aims to improve the ability to identify cyber adversaries and publicly reveal their actions without damaging sources and methods. The program develops techniques and tools for generating operationally and tactically relevant information about concurrent independent malicious cyber campaigns, each involving several operators, and the means to share that information with multiple parties, the program’s website says.

One capability of particular interest narrows down the hundreds of thousands of cyber alerts received daily. “A lot of the current, existing technologies aren’t good or don’t have the intuition to disambiguate something that is benign and expected versus something malicious, so it pops off [an alert] to the security operations center to make a determination, and oftentimes this can be on the order of thousands and thousands of these alerts over a 24-hour period,” Patel said. “It really gets monotonous and mind-numbing, and you could imagine if you have to click ‘yes’ or ‘no’ to thousands of these in a given day, you might slip,” Patel suggested.

The system highlights the most concerning incidents for operators to assess more closely. DARPA tested the system using a red team acting as cyber adversaries attacking a network. “All of the malicious activity this red team was emulating happened in the top 25 results out of something like—I’ll say something like 600,000 alerts—that the team would have had to look at. So, we have some confidence that this is going to work,” Patel reported. “What we can do with Constellation now is take that science and technology capability, do all the necessary steps to productize it and mature it so that it’s running in the already existing platforms with our security operation centers within Cyber Command and service cyber components.”

Patel participated in a tag-team SIGNAL Media interview with Adam Lucht, Rapid Development and Innovation Division chief within U.S. Cyber Command’s J9, which is the acquisition and technology directorate.

Lucht outlined Cyber Command’s role in the program. “DARPA could do all of this great research in a lab environment with simulated users and red teams, but ultimately, the benefit through the Constellation relationship is that Cyber Command can provide direct access to our defensive forces, provide actual defensive data from Department of Defense networks and use these tools actively to defend our networks and provide that feedback directly back to DARPA so that they can make the tool better.”

Lucht added that artificial intelligence (AI) and machine learning (ML) solutions will be “critically important” to protect Defense Department networks. “They’re going to play a role in rapidly detecting vulnerabilities and patching. We have to have these AI/ML-enabled capabilities to take hundreds of thousands of alerts and narrow them down to the few that our defensive teams need to focus on.”

Previously, someone wanting to transition technology from the lab to the operational community might not know whether to approach Cyber Command, the cyber components within the military services or particular program managers. “At a very high level, it’s pretty easy. There’s DARPA, and there’s Cyber Command. You should just talk to each other. But it’s actually a much more complicated structure,” Patel offered.

Although DARPA and U.S. Cyber Command are the major players, others will be included. “Constellation is going to be a collection of pilots where we want to test out some of the capabilities and show viability in an operational warfighting platform,” Patel added. “We have DARPA at the table. We have Cyber Command at the table. We’re going to have a service cyber component, so an example of that might be Army Cyber Command, at the table. And we’re also going to have the particular vendors at the table.”

In a separate interview, Steven Rehn, Army Cyber Command chief technology officer, confirmed the command is actively participating in the Constellation effort. “DARPA has a direct relationship with [U.S.] Cyber Command. Depending on what the opportunity is within Constellation, they work with us. So, we work through [U.S.] Cyber Command to support Constellation.”

Lucht added that the goal for the U.S. Cyber Command J9 is to build an “innovation ecosystem” including multiple research partners. “That includes DARPA, but it also includes other science and technology labs. That includes the service research labs, our FFRDC [federally funded research and development center] partners, our university partners. We started with DARPA, and we view Constellation as a method to figure the process out.”

Historically, innovation from the science and technology community has involved long-term research and resulted in technology with a readiness level too low to transition easily to operational forces. “Which is why Constellation is so important to us as a pilot to help us understand how to shorten that, that Valley of Death and actually get technology from the science and technology organization in the hands of our operational forces,” Lucht said.

Patel illustrated the traditional process in simple terms. “It’s been the fact that DARPA runs some science and technology programs. We have some contracts, we do some work, and then oftentimes—I’m being a little bit reductionist here—but we throw some technology that works in a lab over the fence to Cyber Command and say, ‘We’ve shown it works, parenthesis, in a lab environment. You guys gotta make it work in the real world.’”  

And while that may work from a science and technology perspective, it doesn’t always make sense for operational forces, he added. “So [Constellation is] an opportunity for there to be an alignment in everybody’s understanding of the problem space. From there is an opportunity now to actually move out as a true group in unison.”

The Constellation program may also serve as a model for other government departments and agencies to partner with other research laboratories. “There will be specific implementation details that are different for each of them because every relationship is a snowflake. But I have talked to governmental organizations outside the Department of Defense in a lot of detail of the nuances of how Constellation is being set up between us and Cyber Command, and by and large the response has been pretty good and pretty excited,” Patel revealed. “It’s certainly not my place to talk about what other organizations are going to do, but I would wager that similar efforts will pop up at some point in other organizations.”

While military networks will be the initial Constellation beneficiaries, Lucht asserted that the program will ultimately improve cybersecurity for the nation, including government, industry and critical infrastructure. “Constellation is just the beginning. We’re building an ecosystem of what we like to call innovation providers. At the end of the day, Cyber Command has a duty to defend Department of Defense networks, but if we can transition defensive technologies to industry for them to license and build their own products based on that technology, it collectively raises the cybersecurity posture of the entire country. It makes us all collectively better.”

Wick, the U.S. Cyber Command public affairs official, emphasized the point. “What they’re doing is they’re sharing that with an industry partner and then those Microsofts of the world, those Apples of the world, those Oracles of the world, are able to harden their networks, harden their software, harden their products, and then push that out to a wider audience. So, it’s not just about our defense mission—that’s one key part of it—but it’s also about ensuring that the nation, as a whole, is resilient and defended.”
