All security systems can be compromised.
The stark warning has been quietly presented for years in cybersecurity conferences and tucked away in slides by government officials.
But that same idea has also led to tens of millions of dollars in investment in cyber deception methods, ones that trick attackers into believing that they have compromised a computer network. Yet, despite the Pentagon funding, defense researchers, the intelligence community and experts say that cyber deception capabilities are struggling to gain traction within the department.
“The military does a better job than most, but it’s still just not adequate,” Scott DeLoach, head of the computer science department at Kansas State University, told Fifth Domain.
“Deception can be a lot of different things. It’s anything that makes it more difficult for an attacker to figure out what your system really looks like.”
The Army Cyber Center of Excellence said in an Aug. 27 agency announcement that it is testing cyberspace deception abilities “that could be employed to provide early warning, false information, confuse, delay or otherwise impede cyberattackers.” The Army added that by using a sensor-based artificial intelligence that “learns the network architecture and associated behaviors,” it wanted to “block, neutralize, deceive, (and) redirect cyberattacks.”
A summary of the announcement emphasized autonomous equipment for defensive cyber capabilities.
It is not the first time the military has invested in technology meant to trick cyberattackers.
For more than six years, the Defense Advanced Research Projects Agency invested in a program that protected cyber systems by camouflaging, concealing, and deceiving attackers. The idea was for “infrastructure and other enterprise resources such as switches, servers, and storage (to) be virtually replicated to confound enemy targeting. Decoy file systems could confuse attackers thereby greatly decreasing their odds for success.”
The DARPA cyber deception project received $15 million in 2013, but the program appears to have lost funding in 2014. Yet the project does not appear to be unique. It was part of a larger network of intelligence, military and security projects that had a “moving target theme” that could “continually shift and change over time.”
Trapx Security, a firm that uses software to deceive attackers, says that roughly 10 percent of “enterprises” will use cyber deception tools and tactics by 2018.
Still, military researchers say implementation of deceptive technologies has lagged.
“Throughout history the military has employed deception as a counter-intelligence mechanism, but thus far it has been minimally employed for tactics and strategies in cyberspace,” said a 2016 paper in the Journal of Security and Information Systems by Air Force researchers Dave Climek, Anthony Macera and Walt Tirenin. “Modern day military planners need a capability that goes beyond the current state-of-the art in cyber deception.”
The intelligence community has acknowledged that the idea is still in its nascent stages. In 2016, IARPA, the intelligence research arm of the U.S. government, said that “many techniques lack rigorous experimental measures of effectiveness, information is insufficient to determine how defensive deception changes attacker behavior or how deception increases the likeliness of early detection of a cyberattack.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.