Enable breadcrumbs token at /includes/pageheader.html.twig

Defense Researchers Developing National Cyber Test Range

In a few years’ time, a dedicated simulation zone will allow security application testing to occur under real-world conditions. Researchers will be able to create and evaluate network architectures rapidly using a variety of pressures, from high operational demand to aggressive cyberattack, and then to develop responses based on the collected data. Planned to be highly automated, the testing zone will simulate a range of user and network behaviors, allowing researchers to understand better how cybersecurity and situational awareness tools function in complex environments.

The National Cyber Range (NCR) will allow researchers to test network architectures and software under real-world conditions. The range will also provide scientists with a single place to conduct research into cyber systems.

New environment could push cybertesting ahead by a quantum leap.

In response to the increasing number and sophistication of cyberattacks affecting U.S. government and defense cyber infrastructures, the Bush administration signed the Comprehensive National Cyber Initiative (CNCI) in 2008. The CNCI requires the creation of a dedicated testbed to verify security systems and to share research data with the information technology and security communities to improve national security.

These requirements resulted in the National Cyber Range (NCR) program. Managed by the Defense Advanced Research Projects Agency (DARPA), the range will serve several purposes: assess information assurance and survivability tools in a network environment; replicate large, complex, heterogeneous networks; enable multiple, independent, simultaneous experiments on the same infrastructure; and apply the scientific method for rigorous cybertesting. It will offer scientists a single place to conduct comprehensive research on cybersystems, something that currently is lacking, explains NCR program manager Dr. Michael VanPutte. “Like any area of interest, such as biology or physics, you need a microscope, a particle accelerator or some kind of system to test and measure how effective you are in that field. We need the same thing in cyber, and we don’t have that.” VanPutte explains that currently no one place exists to test solutions in a realistic environment or to be able to obtain a realistic assessment of how good a system is.

VanPutte says that current technology developments in cybersecurity have been incremental rather than revolutionary. Because testbed results are based on the need to test other programs, little research has been conducted to improve testbeds specifically. “We have very manual, very time-intensive processes that take a lot of money and time to set up a test. What we’re trying to do is revolutionize the state of the art of cybertesting itself,” he maintains.

A revolution in virtual testing would greatly improve and increase researchers’ ability to produce solutions and deploy them more quickly. The goal of the NCR is to move testing ahead by a quantum leap. But to achieve this goal, VanPutte notes that a number of technical areas must be addressed.

Besides creating the facility and its physical infrastructure, technical challenges include the ability to control all system resources automatically and to assign them across multiple tests and security levels. Another step is to develop an automated method that allows researchers conducting tests to configure the evaluations, run them, collect results, reset them and sanitize the results.

One key feature behind the range’s functionality is automation, which VanPutte believes will be a graphical user interface allowing test directors to use a drag-and-drop feature to quickly lay out a network architecture, its hosts, system latency, environmental characteristics and, if required, the type of red team. After this infrastructure is created, it can be tested immediately. This would be a dramatic change from the current situation, where it can take weeks and months to build architectures, he says.

Besides quick construction and testing time, the NCR will enable systems to be tested to failure, and then reset and tested again. Through an automated set-up process, researchers can work quickly through a number of scenarios, allowing a variety of potential new architectures to be developed to address a threat. Although it could be used to test existing tools and processes, VanPutte maintains that the NCR’s primary focus is on research and development. The range is designed to test both classified and unclassified networks and software.

Another area of cyberdefense that the NCR might help develop is cyber situational awareness. VanPutte explains that situational awareness tools can be brought into the test range and tested to compare their performance. One example would be to conduct blind testing to demonstrate how one tool performs better than another. The results then could be provided back to the user and to research communities. The NCR also could allow users to change where sensors are located in the network, which would affect the situational awareness of an application.

The NCR also will have the ability to slow down or accelerate tests and simulations. “We want to speed up and slow down test time, so we can greatly reduce the time necessary to do a test, or to do some tests that just aren’t possible today,” VanPutte explains. By playing out a cybersecurity test in slow motion, researchers could watch a system boot up and observe how different processes interact across a network.

Another use of run time control would be to allow a network to operate at normal speed, but to slow down its constituent computers, which would allow more traffic to run on the network. “You can test network bandwidth that isn’t available today. In the future we will have bandwidths that are tremendously faster than we have today, and we need to look at how we will secure, defend and monitor them,” he says.

The NCR will test and assess the growing complexity of networks. As networks become more sophisticated, they begin to resemble biological systems in the ways they react to changes in their operating environment. By affecting the speeds of different network processes, researchers will have a better understanding of how anomalies occur in advanced systems.

Besides enhanced modeling and simulation tools, the NCR also will feature a robust red teaming capability to test systems aggressively. When a system is brought in for testing, a skilled team of experts will assess its security by actively trying to breach its defenses.

Researchers also are developing automated “humans” that will populate the range. These virtual people will test network security and functionality by realistically conducting common activities such as opening e-mail and running applications. “You will have automated ‘bots’ that are trying to get work done while you’re trying to test the security. So you’ll be able to quantitatively measure their effectiveness at work and at the same time, your effectiveness at keeping the bad guys out of your network,” VanPutte explains.

When the NCR is completed, DARPA will transfer its administration to another organization. “DARPA won’t run the range. We’ll develop it, and at a certain phase, we’ll transition it—just like we do for all of our programs—to an operational partner who will operate the range,” VanPutte says. How the simulation space is operated, and whether it will host collaborative exercises, will be up to the partner. He notes, however, that DARPA is bringing the network security and cyber research community together to develop and plan these processes. But the actual operation of the NCR will be up to the transition partner, he adds.

VanPutte says that DARPA did not specify what the final shape of the architecture should be, so it has not been determined. It will be up to the competing contractors to decide whether the NCR will be a bricks-and-mortar facility or a distributed federation of networks located around the nation. “It’s really up to them to do the analysis and come up with what they believe is the best architecture for us,” he says.

VanPutte notes that DARPA did not specify that the NCR be a single building or a group of buildings or a virtual network, but he states that it may be more economical for the range to link government organizations and resources rather than to reproduce them totally.

The range also can be used as a research tool to study and understand better how complex networks operate. The final decision for what type of research the NCR will undertake will reside with the currently undetermined organization that will administer the range.

The NCR will not address specific national cyber challenges. “We’re not going to solve the cybersecurity challenges. The cyber range is an environment for other researchers to come and test their solutions,” VanPutte maintains. DARPA, the CNCI and other government agencies are responsible for specifically addressing cybersecurity issues, while the range is where they are brought for testing.

A broad agency announcement soliciting ideas for the NCR was released in May 2008. A workshop was held in June 2008, and the performing firms were contracted this January. The NCR is currently in Phase 1, which will lead to an evaluation and competitive award this summer. Phase 2, which consists of prototyping, is scheduled to begin this fall. The second phase will last roughly 15 months, followed by another award that will most likely leave one contracting firm. Phase 3 will involve the actual construction of the NCR, which VanPutte expects to take about 24 months. The range is scheduled to be operational by the 2011-2012 time period, although he notes that the competing firms can bid for an earlier operational launch date.

Web Resource
DARPA: www.darpa.mil