The US Defense Advanced Research Projects Agency (DARPA) has selected BAE Systems to develop tools that detect and analyse cyber threats.
The company say this is to help protect extremely large enterprise networks. The contract for Phase 1, 2, and 3 of the program is valued at approximately $5.2 million.
BAE say that because most current tools do not offer the scale and processing speed needed to adequately defend enterprise networks, the goal of DARPA’s Cyber-Hunting at Scale (CHASE) program is to develop, demonstrate, and evaluate new, automated cyber-defense tools for use within and across these types of networks.
BAE Systems say their unique solution, which combines advanced machine learning and cyber-attack modeling, is intended to address this critical need by automatically detecting and defeating advanced cyber threats that could currently go undetected. The result could be better-defended commercial networks, using existing storage and existing resources. The technology could also be used to help protect government and military networks.
“Today, advanced cyber attacks within many enterprise networks go entirely unnoticed among an overwhelming amount of network data, or they require intensive manual analysis by expert teams,” said Anne Taylor, product line director for the Cyber Technology group at BAE Systems.
“Our technology aims to alleviate resource constraints to actively hunt for cyber threats that evade security measures, enhancing the collective cyber defense of these networks.”
BAE say its efforts on the CHASE program build on previous company work in real-time, cyber-defense-based anomaly detection, evidence-driven decision making, and related techniques for DARPA, the U.S. Army, and the U.S. Navy. The company’s subcontractors and research partners on the program include Digital Operatives, Dr. Ruslan Salakhutdinov from Carnegie Mellon University, and Dr. Farshad Khorrami and team from New York University. BAE Systems’ work for the program will be performed in Arlington, Virginia.
If I’ve understood it properly then this would really nail one of the biggest if not the biggest issue in national cyber security and if it works then we really do need this in the UK.
It’s all very well having a bunch of boffins in GCHQ but if a cyber attack is against our utilities, the NHS, the rail network or any of the many parts of our services and infrastructure that are run by commercial organisations then boffins in GCHQ are about as useful as a chocolate teapot(*) if commercial organisations don’t implement best security practices as defined by IT experts including any advice that GCHQ might give. Look at the NHS disruption in 2017 for instance due to running old versions of Windows – not actually an attack targeted at the NHS but rather collateral damage from the malware spreading, but it still could have been prevented from infecting NHS systems if the right defences (up-to-date versions of Windows) were in place and could probably have been blocked even then if something like this works as hoped.
Something like this, provided on such a basis that all critical companies and government institutions install it (free for government and public services and maybe an affordable and possibly tax-deductible stepped charge based on company size for commercial organisations), could ensure that the best available defences were in place without relying on organisations finding the budget to install it and the expertise to run it (the article says it works automatically). In fact, if this isn’t in the project scope already, the installations could also automatically send data back to (in our case) GCHQ so that they could get a better picture of UK-wide attacks in progress and if an installation does come under attack GCHQ could be alerted immediately not only about the attack but with lots of attack details flooding in in real time it could also act as a sort of man-in-the-loop for potentially initiating a counter-attack using GCHQ attack tools that they probably don’t want leaking outside of Cheltenham. In return for this, since GCHQ would have remote access to the security software running at the protected sites, it could also offer the option to manage this software (updates, check it’s still running, etc) on behalf of organisations that don’t have the technical expertise in house to do that.
Then again, maybe GCHQ has some of this stuff under development already, cf. the Diffie-Hellman / Ellis-Cocks-Williamson episode.
(*) This is not a disparaging comment about GCHQ which is a truly world-class capability doing fantastic work on intelligence gathering and analysis that continues to save many lives every year. It’s the cases where it might offer advice to commercial organisations that is then ignored or only partially implemented that is the aspect of the operation where I have the concerns about effectiveness.
Great post.
I can see people hitting the roof though over GCHQ having access! Just look at the fuss over Snowden, cable intercepts and rumours of the “Sniffer” packets they are said to have inserted in various locations. You’ll get liberty groups complaining about “back doors”.
Who would pay for the equipment? Rich private corporations should be paying themselves for defending their parts of the CNI not money from the intelligence budget.
Part of what we all pay our taxes for is protection against threats like criminals, terrorist groups, hostile foreign powers, etc. Traditionally that’s things like the police and armed forces, but in a world that’s increasingly online, it’s fair to argue that a portion of our taxes should also be dedicated to protecting our online assets.
Of course, if there are big companies out there not paying their taxes, well… 😉
Thanks Daniele. Good point re potential public backlash but the irony is that a lot of commercial organisations are already potentially giving third parties such as Microsoft, Google and Amazon potential access to critical corporate data. The cloud computing services from the companies just mentioned (which are called Azure, Google Cloud and Amazon Web Services respectively) are possibly the biggest growth area in IT at the moment with many organisations hosting major parts of their corporate IT environments on them. Amazon is the biggest player showing 49% growth in AWS revenue last quarter with AWS accounting for over 55% of Amazon’s total operating profit that quarter i.e. in Q2-2018 what most of us think of as Amazon’s main business, the selling-stuff-online operation, was actually responsible for less than half of Amazon’s total worldwide operating profits! There are countries in the world, e.g. South Africa, where Amazon has no in-country online retail presence but does have a significant in-country AWS presence. Of course logic doesn’t always come into it that much when it comes to public opinion especially when whipped up by less than competent journalism in newspapers with their own agendas.
On the “who would pay for the equipment”, the article actually says “better-defended commercial networks, using existing storage and existing resources” so possibly no significant extra equipment needed except maybe an on-site communication node for handling the interface with GCHQ. If there was extra cost then for places like NHS trusts it would need to be taxpayer funded (since charging the NHS would be taxpayer funded anyway) but for commercial organisations the government could get draconian and make installing this stuff a requirement for certain industries, e.g. for a rail operator to be granted a franchise and presumably there are licenses granted for certain other operators to be able to do things like supply electricity, water etc (but I’m not sure about that, it’s not something I’ve really looked into). Demonstrating that a company has taken the necessary steps to ensure the security of their systems against cyber attack doesn’t seem like an unreasonable requirement to place on companies wanting to operate infrastructure services in the UK especially if specific measures that need to be taken are listed.
Hardware would presumably be required at the GCHQ end as well to analyse threats detected and probably host some of the machine learning algorithms but that would definitely need to be GCHQ/taxpayer funded. It’s the sort of stuff they are almost certainly doing already so it’s as much a service to them & the nation’s defences as it is to the organisations being protected because the more data that can be fed into the detection/learning algorithms the more accurate they can become which I assume is part of GCHQ’s core mission.
Another great post. Love this stuff. I find it all quite fascinating.