recommended reading

Hatching cyberwar: Pentagon incubator will manage weapons

Defense Department file photo

This story has been updated to clarify points about the role of the lab.

The Pentagon’s research wing is setting up a technology incubator for Defense-funded developers to stitch together computer code to automate offensive cyber operations.

The Arlington, Va.-based experimental lab, called the Collaborative Research Space, will function as the test grounds for Plan X, a four-year funding drive to build a system to “control a cyber battlespace in real-time,” a newly-released contract document on the initiative reveals. The Defense Advanced Research Projects Agency wants onsite developers to build algorithms and combine code that could make it easier for planners to implement more proactive security measures and launch malware campaigns against adversaries. According to the document, DARPA seeks to build "an end-to-end system that enables the military to understand, plan, and manage cyberwarfare in real-time" and an "open platform architecture for integration with government and industry technologies." 

Plan X, also called “foundational cyberwarfare,” signals an increasingly aggressive turn in the Defense Department’s approach to addressing threats to its networks. The laboratory, a designated Collateral Secret area, is described as a collaborative space for contractors and the military. “DARPA intends to arrange program interaction with a variety of users from DoD and other government agencies, including onsite military personnel who will be testing and using the Plan X system on a daily basis,” contract databases indicate.

The public call for proposals, released Nov. 20, marks the Pentagon’s growing willingness to advertise its work on cyber weapons. The initiative comes as the National Cyber Range for Defense personnel to hone computer attack capabilities is slated for a multimillion dollar boost as the system transitions from research laboratories into deployment. President Obama in October signed a secret directive giving the military additional leeway to address computer threats, according to reports.

A request for proposals for Plan X had first been scheduled for release at the end of September but was delayed following an unexpected volume of interest from security researchers and contractors. More than 350 participants attended briefings on the program in October, according to DARPA. The DARPA program is spearheaded by Daniel Roelker, who had started defensive security company Sourcefire as well as DC Black Ops unit at Raytheon SI Government Solutions.

Organizations looking to be funded under Plan X should plan on providing one to two full-time developers with Secret security clearances at the incubator, while supporting the individuals off-site. All code created will be incorporated into a full system located at the space.

While explicitly not funding tools to scan networks, DARPA said in the tender it is looking to fund ways to pool information from such tools to create a map of a network – including security infrastructure such as firewalls and intrusion detection systems – that military strategists can rely on to plan computer-oriented campaigns.

A central tenet of Plan X involves identifying areas for automation and machine assistance in cyber operations. “The speed of planning hinges on using machine assistance to automate as much of the process as possible,” the tender states. With algorithms that can help calculate the resources and tools needed to infiltrate networks, assess possible collateral damage from targeting enemy systems, and capabilities to model opponent moves, DARPA hopes that planners will be able to draw up a plans of action more quickly.

Once a cyberwarfare mission plan can be drawn up for an operation, “the next step is to compile or synthesize the plan into a fully encapsulated executable program or script,” according to the tender. DARPA wants researchers to think about how to build “automated techniques that allow mission planners to graphically construct detailed and robust plans that can be automatically synthesized into an executable mission script.” While automation could speed up the response time of the military, moves to reduce human control could raise concerns, especially if computer glitches go unchecked. 

DARPA has explicitly stated it is not funding research into computer vulnerabilities or command and control protocols through Plan X. The broad agency announcement, however, indicates that proposers working on run-time environments -- which interpret programming languages and allow them to be executed -- “should leverage public and commercial capabilities such as Metasploit, Immunity CANVAS, and other standard toolkits.” These are pentesting and exploit-related tools that identity vulnerabilities in computer systems.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download

When you download a report, your information may be shared with the underwriters of that document.