They have been hacked, tricked and stolen from. Now the message is clear -- no more.
The Navy is looking to support research in 36 areas that can help protect weapons systems from cyberattacks, Naval Air Systems Command said in a Jan. 7 update to a broad agency announcement.
“Its not necessarily cutting edge research, but it is the first step in cybersecurity quality control that should have already been done for mission systems,” said Bryson Bort, the founder and CEO of Scythe, a cybersecurity platform.
The Navy had admitted as much.
Research into protecting the department’s weapons comes amid reports that the American military suffers from sustained cyberattacks. In December, an Inspector General report found that some in the Pentagon were not taking basic cybersecurity steps to protect its ballistic missile system. Although the Pentagon’s weapons are worth roughly $1.66 trillion, an October report from the Government Accountability Office found that “nearly all” American missiles, jets, ships and lethal equipment in development are vulnerable to cyberattacks.
The announcement comes after Congress has mandated the Pentagon address its cyber vulnerabilities.
Three of the research areas the Navy is interested are commonly described as the pillars of strong cybersecurity, no matter the institution. They include:
In an effort to confuse attackers, the Navy wants to research “dynamic reconfiguration.” The National Institute of Standards and Technology defines the term as “changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways.”
"Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises,” NIST officials wrote.
Research by the University of Maryland’s Christian Johnson found that pairing predictive analytics with dynamic reconfiguration tactics, the new approach can lead to the "successful development of learning models that identify specific classes of malware such as ransomware,” Johnson wrote in a paper for the RSA conference.
Experts have long used strategies of physical war in digital battles, including with the use of denial and deception tactics. The Navy wants to boost understanding of this area to better secure its weapons systems.
In 2015, researchers at MITRE, which conducts federally funded research, advocated for a 10-step process for planning and executing deception operations.
“Leveraging classical denial and deception techniques to understand the specifics of adversary attacks enables an organization to build an active, threat-based cyber defense,” a team of researchers wrote.
But the Intelligence Advanced Research Project Activity, the intelligence community’s research arm, says that the use of deceptive software and hardware in cybersecurity is still in its infancy.
“Many techniques lack rigorous experimental measures of effectiveness,” the organization said, adding that “information is insufficient to determine how defensive deception changes attacker behavior.”
If there was a common denominator of the federal government’s investment in cybersecurity it is the use or artificial intelligence.
The Navy has embraced artificial intelligence since its Task Force Cyber Awakening project in 2015.
“We see that the more we automate our networks and the more we use machines to do the heavy lifting, the better. Our brains do not have the intellectual capacity to process all of that information,” Rear Adm. Danelle Barrett, Navy Cyber Security Division Director, told Defense Systems, a trade publication, in a 2017 interview.
More than half of the challenges and research opportunities announced by IARPA in 2018 involved machine learning, according to an analysis by Fifth Domain.
Cyber Command has embraced the technology in a short time period, Capt. Ed Devinney, director of corporate partnerships at the body, said during the November Cyber Con conference hosted by Fifth Domain.
“If you talked to anyone at the command two or three years ago about a system that would be all autonomous, you probably wouldn’t get much traction. But I think there is a growing understanding and consensus that we need to operate at machine speed, especially when talking about active defense of the network,” Devinney said.
He said that everyone likes to use the phrases “artificial intelligence” and “machine learning,” however “there aren’t that many people who do AI very well.”