Modernizing Authentication — What It Takes to Transform Secure Access
Get this. DARPA, the Defense Advanced Research Projects Agency, aka the mad-science agency, a secret Pentagon research institute, wants to build a fake Internet in which to play cyber wargames.
Note to Lost fans: dont confuse DARPA and DHARMA (Department of Heuristics And Research on Material Applications), even if the two are similarly secret and mad.
DARPA has at times appeared to be accountable to no one, but it apparently wont get its way over the National Cyber Range (NCR), the plan for a virtual wargames playground. Or at least not this year.
The Senate Armed Services Committee recently recommended a $143.4-million gutting of the mad science agency's budget, including a $10-million hold-back on the NCR project.
The right decision on NCR? Wacky as the project may sound, were not so sure.
DARPAs big disappointment, meanwhile, was one of a couple of recent cases of the Senate or its committees intersecting with gung-ho, but slightly opaque military cyber-initiatives.
Last month, the senior house rubber-stamped Lt. Gen. Keith Alexander as head of the United States Cyber Command, an armed forces sub-unified command set up last year under the U.S. Strategic Command.
The Cyber Command was created to defend vital DoD information networks and prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
As usual, were not entirely sure what this means, but suspect its military-ese for wage all-out cyber war. We do like the when directed part, though. It suggests the Cyber Command wont just go off half-cocked.
Note to readers: dont confuse Cyber Command and Joint Functional Component Command for Network Warfare, which we wrote about earlier this year and which, hmm, Keith also heads. (Okay, permission to be confused.)
That Keith is also head of the National Security Agency raised some eyebrows in the military/intelligence analyst community (and makes us wonder when he sleeps).
Both Senate interventions underline, one way or another, just how deeply involved the military has become in cyberspace and how seriously the Defense Department takes threats there.
Whether you believe those threats are real and justify the arms race, or are more akin to Iraqi WMDs, this much is certain: everything the military does in cyberspace, or threatens to do, concerns everyone who uses the Internet. Which is to say, everyone.
Or it should concern them.
For purposes of column writing, however, we think the National Cyber Range has tons more potential than a multi-tasking general.
The cyber wargames playground is not a new idea. It first came to light two years ago, but not much has been done on it. (Or maybe it has its hard to tell with an organization as secretive as DARPA.)
Its interesting to note that the Senate Armed Services Committee did not put the kybosh on this project because they thought it was a nutzoid idea. The decision apparently had to do with DARPA not having identified a partner in the military that could apply the results of the research it conducted.
Hello? How about the U.S. Cyber Command? Or the Joint Functional Component Command for Network Warfare? General Alexander?
As harebrained as the NCR project can sound when described in flat military-ese and it does sound a little Matrix-esque at times we think it may actually have merit.
The basic idea is to provide a proving ground for cyber defenses (and offensive tools and strategies, as well, were guessing) that would allow the military to try them out first without unnecessarily jeopardizing the real network the one on which we all depend.
This, surely, is a good thing.
The NCR will not simply simulate the physical infrastructure of the global Internet and give military researchers a place to mess around with cyber weapons, though. It will also simulate users. DARPA actually refers to them in its request for proposals (RFPs) as replicants.
The system will have to be able to produce a realistic chain of events between many users without explicit scripting behavior. The model cyber world, in other words, will replicate real autonomous, sometimes random human behavior.
And the behavior will have to change realistically in response to alterations in the environment when the Defense Department calls different DefCon (defense readiness conditions) or InfoCon (information operations condition) levels, for example, or executes war plans, or detects attacks or degradations of services.
The level of detail sounds incredible. Replicants will have to simulate physical interaction of individual users with keyboard and mouse. Theyll run common desktop PC applications and interact with authentication systems access cards, identity tokens, etc. that real DoD and military personnel would.
Is it worth $10 million? A better question might be, is $10 million enough? But of course, we dont really know how much DARPA has already done on this project.
Our take, for what its worth: the less the military messes around with the engine of the information economy, the better off well all be. Let em have their playground. DARPA: call General Alexander.
Gerry Blackwell is a veteran technology journalist based in Canada. He writes monthly for eSecurityPlanet on the topic of cyber security.