The U.S. Intelligence Advanced Research Projects Activity (IARPA) has awarded its $11.4 million Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program to BAE Systems.
IARPA’s program brief specified: “IARPA expects performers to identify and extract novel leading signals from both internal and external sensors (both conventional and unconventional) and use them to generate warnings – probabilistic forecasts and/or detections of cyber-attacks. Performers will generate warnings for real cyber-attacks against one or more U.S. industry organizations that have agreed to participate in CAUSE.”
The purpose is to predict, rather than just detect, cyber threats. Organizations will then be able to prepare for an attack rather than be required to respond to an attack.
The CAUSE program will develop “predictive methods that combine existing advanced intrusion detection capabilities with unconventional publicly available data sources, leveraging sources not usually associated with cybersecurity,” BAE announced. “Researchers will seek to identify leading indicators of an attack from vast, noisy external streams of data and then correlate related data from different sources to generate accurate, actionable warnings.”
This is not the first project that has sought to use the power of computers to predict the future. Two existing examples are the International Crisis Early Warning System (ICEWS), maintained by Lockheed Martin; and Global Data on Events Language and Tone (GDELT), developed and maintained by Kalev Leetaru at Georgetown University. In all three examples, ICEWS, GDELT and now CAUSE, the basic premise is to input large amounts of data, process that date, and output predictions based on that data.
Data is clearly key. Success can only happen with the right source data, the right amount of source data, and the correct analytical algorithms. There has been limited success with the earlier predictive systems. “Unfortunately, many of these previous efforts have yet to prove operationally useful,” explains Dr. Andrea Little Limbago, Principal Social Scientist at Endgame. “After almost 40 years of political scientists attempting to automate and forecast these events, the big data frameworks provide some insight, but fail dramatically on reliability and consistency. A key reason for this is because of the old data science dictum, ‘garbage in, garbage out’.”
However, the quality and quantity of data available today outstrips that of just a few years ago. “Most cyber early warning frameworks focus only a specific data stream or a few at most, and they also rarely include human behavior,” continued Limbago. “CAUSE is straying from this paradigm, and is building upon previous automated, open source efforts that leverage social media, traditional news media reports, and other unclassified sources to forecast attacks or instability.”
The ‘social media’ element is of particular concern. Last week, Twitter’s CEO Jack Dorsey described Twitter as the ‘people’s news network’. While this may be true at one level, whether Twitter streams can be sufficiently accurate to provide the basis for reliable predictions remains to be seen. “Following Hurricane Sandy,” comments Limbago, “had first responders used Twitter postings to go to the worst hit spots, they would have gone to only those with electricity, not the ones that had lost all connectivity, which is where emergency efforts would need to be focused.”
This is exactly where CAUSE seeks to differ from earlier approaches. While it will draw data from ‘noisy’ sources such as Twitter, it will seek to correlate that data with more reliable sources before drawing predictive conclusions. Even so, the expected sources will include even less reliable sources than Twitter drawn from the dark web. This concerns Limbago. While they are useful data sources, they “don’t necessarily cross the boundary into reliability, especially at the speed required for cyber early warning and for the coverage required.”
Rebecca Cathey, BAE’s Principal Investigator, explained how it will work. “Our system applies human behavioral, cyber attack, and social theories to publicly available information to develop unconventional sensors of activities indicative of the early stages of an attack. The sensors search for signals including emotional language, sentiment, and topics of conversation. The sensor outputs will be fused together using models seeded with expert knowledge to predict the likelihood of cyber attacks against specific targets. This differs from traditional cyber attack detection, which utilizes conventional sensors running with private data, where the focus is on detection of an ongoing event, rather than prediction. Our sensors will use a wide variety of techniques and algorithms to mine a graphical representation of the data.”
What remains to be seen now is whether there have been sufficient advances in big data acquisition, processing power and advanced analytics to turn a good idea into reliable actions.