In the wake of Pfc. Bradley Manning's alleged part in Cablegate, the U.S. Army is still reeling from the blow it received from the biggest security breach in its history. Now, not only has the U.S. military drastically increased its monitoring of soldiers, but it's also working with the secretive DARPA agency -- combining new computer software with behavioral science techniques to try and predict when a "good" soldier will "go rogue."
Two years after Cablegate -- in which intelligence analyst Bradley Manning allegedly caused the biggest security breach in the history of the U.S. Army, by passing along to WikiLeaks hundreds of thousands of pages of classified documents -- U.S. military agencies are scrambling to find ways to prevent security breaches before they occur. In an effort to effectively predict "[w]hen a soldier in good mental health becomes homicidal or a government employee abuses access privileges to share classified information," or otherwise becomes an “insider threat,” the military is ramping up plans to monitor and analyze its employees' email, internet, and other network usage. To this end, military agencies are now melding computer software and behavioral science, in an attempt to "look beyond computers to spot the point when a good soldier turns."
Certain government agencies, like the CIA and Pentagon, have already implemented some measures to limit data transfer by employees. But now the military wants to go even further, by finding ways to watch what every soldier is doing -- using software to monitor keystrokes, downloads, file transfers, and web searches on Army computers --- and then detect, record, and report any "abnormal" behavior. Such software could spy on almost any computer activity and identify any time that an employee "searches outside of his or her job description, downloads massive amounts of data from a shared hard drive ... moves the data onto a removable drive," or visits restricted websites. The program could then capture the activity, alert authorities, prevent the user’s access, or feed the person “dummy data” to watch what they do next.
Combining technology and psychology, researchers have been analyzing the behavior of past "malicious insiders" for patterns of behavior before they "acted out." After amassing 700 "insider threat" case studies, Carnegie Mellon’s Software Engineering Institute identified two general profiles of insiders who steal business information. One, the “entitled independent,” is "disgruntled with his job [and] typically exfiltrates his work a month before leaving." The other is an “ambitious leader” who "steals information on entire systems and product lines, sometimes to take to a foreign country, such as China." Commenting on these initiatives, West Point computer science professor Col. Greg Conti stated: “Predictive models are kind of the holy grail. When you see that no one else has done something but bad guys, you can start being predictive.”
Heavily involved in this effort at developing new predictive software models is the Defense Advanced Research Projects Agency (DARPA), which is actively seeking software algorithms to identify and pre-empt "the next Bradley Manning." According to its website, the Army's secretive research agency "was established in 1958 to prevent strategic surprise from negatively impacting U.S. national security and create strategic surprise for U.S. adversaries by maintaining the technological superiority of the U.S. military ... As the DoD’s primary innovation engine, DARPA undertakes projects that ... create lasting revolutionary change." Credited with such technological innovations as GPS, the internet, and stealth technology, DARPA is reportedly working on such projects as: the ArcLight naval missile system that can strike targets nearly anywhere in the world; BigDog, a 4-legged robotic pack mule prototype (trust us, you have to check this out); EATR, a robotic vehicle that can forage for plants to fuel itself; Transformer, a flying armored car; cyborg remote-controlled insects; artificial intelligence software; exoskeltons; and a thought-controlled prosthetic arm; as well as the U.S. military's "insider threat" software research.
One of DARPA's main predictive software projects is Anomaly Detection at Multiple Scales, or ADAMS, launched last year under the agency's Information Innovation office. Using accused Fort Hood shooter Maj. Nidal Hasan as a model, the program searches millions of digital communications, using a unique algorithm, to rank threats. Researchers at the Georgia Institute of Technology have teamed up with DARPA, the Army Research Office, Science Applications International Corporation (SAIC), and other universities in a US$35 million effort to develop new approaches for identifying and pre-empting "insider threats" by analyzing billions of computer logins, keystrokes, emails, text messages, IMs, and file transfers for "unusual" activity. Noting that "There are currently no established techniques for detecting anomalies in data sets of this size at acceptable false positive rates," DARPA states: "The focus is on malevolent insiders that started out as 'good guys.' The specific goal of ADAMS is to detect anomalous behaviors before or shortly after they turn."
Part of ADAMS is the "Proactive Discovery of Insider Threats Using Graph Analysis and Learning" (PRODIGAL) project, which can scan and read approximately a 250,000,000 IMs, texts and emails each day. PRODIGAL scours for emails to unusual recipients, specific words, and files transferred from unexpected servers for changes that may indicate when an employee "goes rogue." The system then ranks the unusual activity and passes along the most "suspicious" events to agents. Processing terabytes of data per day, the new system is designed to aid in analyzing the many thousands of anomalies, or unexplained events, that they may receive on a daily basis. Initially, PRODIGAL is supposed to scan only the communications of military volunteers and people who work in federal agencies. But "[s]ome people say it's one step further toward a police state," commented author and Department of Homeland Security consultant Anthony Howard.
Former L0pht collective hacker Peiter “Mudge” Zatko -- who once told a congressional committee that his group could shut down the internet in 30 minutes -- leads yet another new DARPA project, Cyber Insider Threat (CINDER), which is, as FAS intelligence-policy expert Steven Aftergood states, “a sort of system-wide surveillance of Pentagon networks.” According to an agency job posting, CINDER's goal is to “greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks.” Rather than focusing on individual users, however, CINDER's algorithms are intended to reveal users' “malicious missions,” or patterns of subversive or infiltrative behavior within military networks. Another, private-sector anomaly-detection program is Raytheon’s SureView, software that records any sort of pre-programmed security breach or policy violation and replays the event "like a DVR,” to be viewed by federal agents. Some such "suspicious" events captured by the program might include deliberate IP theft, mobile and internal users "that 'take themselves offline' or use encryption to avoid detection," and “'screen capture” that has been encrypted and saved to a USB drive." Another system, the Einstein project, scans the communications of government employees for keywords and reports "suspicious activity" to the National Security Agency.
These various efforts sync with initiatives by U.S. President Barack Obama, who recently issued an executive order mandating Attorney General Eric Holder and Director of National Intelligence James Clapper to implement an Insider Threat Task Force that would "deter, detect and mitigate insider threats" by protecting classified information and networks and monitoring users. The order also directs individual agencies to establish their own “insider threat programs” to monitor employees for “behavioral changes.” Senior officials from the Department of Defense and the National Security Agency have been tapped to act as a new Executive Agent for Safeguarding Classified Information on Computer Networks in devising technical means for protecting classified information. The Insider Threat Task Force is scheduled to launch in October.
But despite the high-level emphasis on these anomaly-detection programs, some remain unconvinced that DARPA and other government agencies really know what they're looking for. As DARPA itself admitted: "Anomalous behavior could be “comprised of entirely ‘legitimate’ activities.” "All this suggests," commented WIRED journalist Spencer Ackerman, "the blind are still leading the blind when it comes to stopping internal military subversion. It’s far from clear what kind of data — troops’ e-mail? web trails? book orders? — Darpa [sic] would use to ferret out troops who pose a risk to themselves or others. Nor is it clear if any such effort can succeed against a soldier who just snaps."
Cyber-security expert and Green Armor Solutions CEO Joseph Steinberg pointed out that no one even knows whether all of the additional surveillance is effective: "Since there is no real data publicly available to substantiate that any of this technology is preventing terrorist attacks or strengthening our borders from within, [we can't] really say definitively that this technology is doing any good," he said. Moreover, the data mined en masse "can easily be mishandled. Where does it end?" added Howard.