IARPA's plan to hack the brains of hackers


The intelligence research agency released a broad agency announcement on Tuesday for a program that looks to leverage psychological biases among hackers for cyber defense.

The Intelligence Community's leading research agency is moving forward with a plan to create new cybersecurity defenses by utilizing the decision-making biases and cognitive vulnerabilities of would-be hackers to its advantage. 

The Intelligence Advanced Research Projects Activity issued a broad agency announcement Tuesday, calling for contract bids for its Reimagining Security with Cyberpsychology-Informed Network Defenses, or ReSCIND, program.

The solicitation describes a 45-month, three-phase program that aims to identify cognitive vulnerabilities relevant to cyber attackers and cognitive models to predict attacker behavior, and ultimately to produce Adaptive Psychology-informed Defenses that deploy specific defenses based on attacker behavior.

Cyberpsychology has become a developing study of human interactions with internet-connected devices, frequently focusing on areas where web-based tools have the potential to impact mental health, such as social media, or to influence decision-making, such as e-commerce.

A 2019 paper by researchers at Arizona State University, the Laboratory for Advanced Cybersecurity Research and the Naval Information Warfare Center suggested deploying a strategy that relies on triggering established cognitive biases affecting human judgment — first identified by psychologists Daniel Kahneman and Amos Tversky — and using them to confuse and thwart cyber attackers.

The ReSCIND program plans to put those strategies in action. IARPA issued a cyberpsychology request for information in September 2022 and followed up with a proposers' day in February to gain market research insights on how it might pursue the effort. 

The program includes an 18-month Phase I period with human subjects research to identify cognitive vulnerabilities and the methods needed to “induce, exacerbate and measure” them. 

Phase II will use 15 months to develop "cyberpsychology-informed defenses" to disrupt cyber attack behavior, and Phase III will run 12 months to apply the research to automated systems to predict attacker behavior and respond.

The BAA did not quote a contract ceiling, but noted that multiple awards are expected and that “financial resources made available under this BAA shall depend on the quality of the proposals received and the availability of funds.”

The deadline for responses is May 26.