SAN FRANCISCO – The Pentagon’s long-horizon research and development wing is betting it can combine human and computer cyber defenders in a way that adds up to more than the sum of their parts.
The program, from the Defense Advanced Research Projects Agency, is called Computers and Humans Exploring Software Security, or CHESS.
The goal is to mix autonomous and semi-autonomous cybersecurity systems with human cyber experts who can work out some of the abstract problems that computers aren’t as good at solving. Brian Pierce, director of DARPA’s Information Innovation Office, described the program to Nextgov on the sidelines of the RSA Cybersecurity conference in San Francisco Wednesday.
The idea for the program occurred to its director, Dustin Fraze, while watching a cybersecurity contest at the DEF CON hacking conference, Pierce told Nextgov.
The team, dubbed Shellphish, from the University of California, Santa Barbara, had built an autonomous cybersecurity system to compete in DARPA’s Cyber Grand Challenge. Under the rules for that contest, teams’ autonomous systems compete against each other to repel cyberattacks without any human intervention once the starting bell rings.
DEF CON’s Capture the Flag contest, on the other hand, traditionally pits human cyberattackers and defenders against each other without any autonomous systems in the mix. But, because there’s no rule explicitly barring those systems, Shellphish added its “autonomous cyber-creature” Mechanical Phish to the team roster.
“It was intriguing to look at the partitioning of work between what the human hackers can do and what the computers can do,” Pierce said.
While computers outshine humans at spotting vulnerabilities and repelling attacks that mirror basic logic and math problems, humans remain better at problems that follow a more complex set of rules, such as the syntax of a language.
“Humans can look at patterns in a much more abstract and comprehensive way,” Pierce said.
DARPA launched the CHESS program April 3 and held a proposers day for organizations interested in conducting the research on Thursday.
The program reflects one of three main cyber areas DARPA is focusing on, Pierce said.
Broadly, the agency’s goals are to: Make systems more secure and resilient against cyber threats; improve situational awareness in cyberspace, including better attributing cyberattacks; and improving the military’s ability to strike back in cyberspace in a precise, tactical manner that reduces the chance for collateral damage or unintended consequences.
CHESS contributes to that first goal, Pierce said. Other DARPA programs focus on making it cheaper and easier to build software using “formal methods,” a process that applies mathematical proofs to computer code to ensure the code can’t do anything it’s not intended to.
A main program aimed at the second priority is called Enhanced Attribution. The goal, Pierce said, is to combine and analyze public data about internet activity that, in aggregate, makes it easier to attribute cyberattacks to particular attackers.
U.S. officials regularly attribute major cyber incidents. They attributed the 2014 Sony Pictures Entertainment breach, for example, to North Korea and the 2016 Democratic National Committee breach to Russia.
When it makes those attributions, however, the government typically only releases a smattering of evidence to prove its case because it’s wary of exposing intelligence sources and methods – such as NSA spying tools – that produced the attribution. That gives U.S. adversaries a lot of wiggle room to say the U.S. is off base in its conclusions or just making stuff up.
Because the Enhanced Attribution data would all be public already, that would make it much easier to make a public attribution case, Pierce said, and, ideally, deter future attacks.