The U.S. Army Research Laboratory (ARL) received the first salvos in the battle for cybersecurity as early as three decades ago. In terms of technology history, it was an astonishingly long time ago. Before most people ever heard of the Internet. Before there were web browsers. Long before the smartphones. Back in 1986, the laboratory withstood attacks by Markus Hess, a Soviet-sponsored hacker who had successfully penetrated dozens of U.S. military computer sites. In his bestselling book, The Cuckoo’s Egg, the pioneering U.S. cyber defender, Cliff Stoll, describes how he monitored the hacker’s networks activities in the fall of 1986: “He then tried the Army’s Ballistic Research Lab’s computers in Aberdeen, Maryland. The Milnet took only a second to connect, but BRL’s passwords defeated him: he couldn’t get through” (Stoll 1989).
Two years later, the laboratory faced the legendary Morris Worm. Around midnight on November 3, 1988, system managers at the Army’s Ballistic Research Laboratory noticed their computers slowing down to a crawl as the worm stole precious computing processing time. Fearing a foreign attack, they pulled their computers off the nationwide network predating the Internet, called ARPAnet.” (Hess, 2016)
The Army’s Ballistic Research Lab, an ancestor of ARL, was the home of the ENIAC, the world’s first electronic digital computer in 1946. It was also where the “ping” program was written in 1983, and where many other milestones of computing and networking took place. The encounters with the Soviet-sponsored hacker and with the Morris Worm were among such milestones.
Since those early beginnings, the history of ARL’s efforts in cyber defense was exciting and challenging (Fig. 1). Although ARL is the Army’s corporate laboratory that focuses on fundamental and early applied research (in the Department of Defense lingo – the research of 6.1 and early 6.2 types), the fundamental science endeavors are closely integrated with extensive operationally-oriented programs. These range from providing continuous cybersecurity defense services to multiple organizations, as well as cyber survivability and vulnerability analysis of Army systems.
A remarkable feature of ARL’s business model is the great degree of collaboration with the academic community. One example is the Cyber Collaborative Research Alliance (CRA) (see the article “Cyber Collaborative Research Alliance” in this issue) that brings together, in closely integrated collaborative projects, ARL scientists with academic researchers from dozens of U.S. universities. Cyber CRA aims to develop the fundamental science of cyber detection, risk, agility, as well as the overarching challenge of human factors in cyber security. Similarly, the Network Science Collaborative Technology Alliance (see http://www.ns-cta.org/ integrates ARL and academic research efforts towards a broad understanding of how multi-genre networks of humans and information and communications devices influence each other and undergo complex dynamic transformations.
ARL collaborations are not limited to U.S. universities. ARL is also actively engaged with international partners. ARL’s Open Campus business model (http://www.arl.army.mil/) helps such wide-ranged collaborations by providing facilities and organizational support for enabling scientists and engineers from the U.S. and abroad to come to ARL for a period of time to work in partnership with ARL scientists.
Fig. 1 ARL cyber research was always informed by real-world environment
Complementing its close ties with academic scientists, ARL research is also intertwined with practical, day-to-day operational responsibilities. Scientists are in direct communications with cyber analysts from the ARL Cybersecurity Service Provider (CSSP), a Tier II organization that defends networks of hundreds of customers belonging to all U.S. Military services, other government organizations, and even industrial entities (e.g., see the article “Information Security Continuous Monitoring (ISCM)” in this issue). ARL has a strong reputation in the area of threat analysis and forensics. The laboratory’s experts in these fields are in high demand as they support cyber-related investigations conducted by law enforcement and counter-intelligence bodies. Vulnerability and survivability assessments of systems and networks that are either already deployed or are still in acquisition process, are another major area of ARL practical, hands-on contributions to Army cybersecurity. ARL’s highly experienced teams of experts perform Cooperative Vulnerability and Penetration Assessments (blue team assessments) as well as Adversarial Assessments (red team assessments). Practical operational insights and needs obtained in operational activities are provided to scientists. They, in turn, utilize observations and data to develop new theories and models, and eventually to develop tools that transition into operational use.
Although participants of a broad cyber research community, ARL cyber scientists are largely driven by challenges unique to the ground operations of the Army. A key example is the exceptionally large attack surface of Army networks: the Army operates in environments within close proximity to allied and civilian assets and adversaries, comprising a complex cyber ecosystem. Forward-deployed network assets are vulnerable to cyber entry or physical capture and subversion of information and devices. Another distinct feature of Army cyber environments is the relatively disadvantaged assets, as the Soldiers’ computing and communication devices are energy and weight constrained, with limited bandwidth and computational capacity. The large number of nodes and fast changes of Army cyber environments are also quite distinct. Soldiers operate in a mobile environment, in complex terrain, with rapidly changing connectivity. Lastly, these networks are often interspersed with civilian, allied, and adversarial networks.
These challenges inform and focus of ARL’s research areas. One key area of research is the understanding the cyber threat. The topics in this area range from inferring influences and relations within a command and control organization from its encrypted communications, to novel uses of stylometry for identifying authors or origins of malware (Caliskan-Islam and Harang 2015), to tools and techniques for forensic analysis, and even to the study of cultural factors and personality that influence patterns of behaviors of cyber actors (Cho et al 2016).
Understanding the threats contributes to the characterization of risk experienced by a system or network. ARL’s research in risk characterization includes such topics as statistical analysis of factors affecting the anticipated frequency of successful cyber attacks and theoretical approaches to network risk computation (see the article “Risk analysis with execution-based model generation” in this issue; also (Cam 2015). It also includes applied efforts to develop better procedures for risk inspection programs; tools for continuous monitoring of risk, cyber situational awareness (Kott et al 2014), and decision support systems for cyber risk assessments.
Knowing the risks helps focus the detection efforts (Kott and Arnold 2013). The comprehensive portfolio of ARL’s research in detection of hostile cyber activities is based on close integration with practical network defense operations. It provides data and insights, and leads to the study of topics like the impact of packet loss in realistic cyber sensors on effectiveness of intrusion detection (Smith et al 2016). Other topics include special issues of detection in cyber physical systems; use of machine learning for detection methods suitable for mobile, resource-constrained devices (Harang et al 2015); cognitive models of human analyst’s process of detection (Acosta et al 2016); and synergistic approaches to human-machine intrusion detection (see the article “Synergistic Architecture for Human-Machine Intrusion Detection” in this issue).
Ultimately, whether detected or not, the hostile cyber activities must be defeated. ARL explores approaches such as active cyber defense (Marvel et al 2014), post-intrusion triage for optimized recovery (Mell and Harang 2014), and cyber maneuvers that limit lateral propagation of hostile malware (Ben-Asher et al 2016).
These research projects are supported by a network of experimental facilities and laboratories dedicated to cyber research. For example, the ARL Cybersecurity Service Provider performs double duty: it supports large-scale operational cyber defense, but also acts as a laboratory for collection of real-world data for research, and a platform for insertion and testing of novel cyber defense tools continually invented and developed by ARL scientists.
Another example of a laboratory is the virtual laboratory called CyberVAN. It is an environment for design and execution of cyber experiments using virtual machines, real Army applications, and a network simulator capable of realistic portrayal of sizeable Army units in mobile operations in complex terrain. CyberVAN is particularly well suited for experimental validation of theoretical results by academic researchers, including international collaborators.
Additionally, the Army Cyber-research and Analytics Laboratory at ARL serves as an environment that supports various industrial and federally-funded partners of ARL. Its functions range: personnel training, product integration, systems engineering, and integrated testing using real-world data. A unique CHIMERA laboratory specializes in the study of human factors and human-information interactions in cyber defense; it helps to explore the human dimension of cybersecurity.