Cyber threats are very real and among the most serious facing the United States, Dr. John Launchbury told Pacific Council members in a discussion about the Defense Advanced Research Projects Agency’s (DARPA) role in developing innovative information science and technology for U.S. national security.
Launchbury is the director of the Information Innovation Office (I20) at DARPA. Following his opening remarks, the discussion was moderated by Dr. Elizabeth Bodine-Baron, director of the RAND Corporation Center for Applied Network Analysis and System Science.
Since 1958, DARPA has been at the forefront of innovation for the U.S. Department of Defense. The agency is responsible for some of the world’s most significant scientific and technological breakthroughs, from advances in precision weapons and stealth technology to the modern internet, automated voice recognition, Unmanned Aerial Vehicles, and more.
"The problems that our nation faces in cybersecurity are facing enormous attention," said Launchbury. "The president has called for a national plan to address these problems and we’re working actively with other elements of the federal government to respond to this request. There is also strong bipartisan support in Congress for work in this area. If you add to this the emerging energies from the private sector, it adds up to a lot of momentum to do something about this problem. This is a good thing because the threat has grown."
"The president has called for a national plan to address [cybersecurity] problems and we’re working actively with other elements of the federal government to respond to this request."
Dr. John Launchbury
Launchbury pointed out some recent examples of high-profile cyber-attacks, including on the Office of Personnel Management, where millions of personnel records including security clearance information were stolen; Sony Pictures, where the theft of data and emails led to the cancellation of a major motion picture; and the Democratic National Committee during the recent presidential campaign, which is the subject of ongoing attention and investigation as it relates to the Trump administration’s ties to Russia.
"As we’ve seen, the computer servers of both the government and commercial enterprises have been vulnerable to attack," said Launchbury. "Any system, whether military, government, or commercial, that is connected to the internet is potentially vulnerable. A serious cyber-attack could jeopardize national security, military operations, the power grid, the financial sector, and so on."
Launchbury said there is no single silver bullet that can fix everything. Even a combination of advanced technology programs cannot entirely solve the problems the world faces in the cyber domain.
"We have a huge cybersecurity deficit built into our systems," he said. "For many years, we have been building vulnerable software on top of vulnerable software. So how can DARPA help?"
DARPA was originally created by President Eisenhower in 1958 as a response to the Soviets' surprise launch of Sputnik, the world’s first satellite. DARPA’s mission was to prevent such a surprise from happening to the United States again. DARPA was also the birthplace of the internet itself, which is now an infrastructure that supports all aspects of modern life, ranging from critical national security to commerce, entertainment, finance, healthcare, and social interaction, as well as crime, espionage, and cyberwarfare.
"We’re developing technologies to detect, isolate, and characterize cyber-attacks against the electric power grid, which would have severe economic and human costs for the United States."
Dr. John Launchbury
"At DARPA, we focus our cybersecurity goals in three areas: hardening systems against cyber-attack; figuring out how to get our jobs done even in the presence of insecurity; and developing the tools and techniques to win in the cyber domain against our adversaries," said Launchbury. "We’re developing technologies to detect, isolate, and characterize cyber-attacks against the electric power grid, which would have severe economic and human costs for the United States. The goal of our program is to provide skilled cyber and power engineers with the system tools that would enable them to restore power within seven days after a cyber-attack."
Launchbury said that there are many policy issues that arise as they develop new technologies. It is often the case that developments in technology allow for and inform policy options, not the other way around.
"We’re working to enhance our understanding of who’s responsible for attacks," said Launchbury. "At the moment, it’s almost impossible to tell who pushed the button to launch a cyber-attack. In response, DARPA has developed techniques like active authentication. The idea is that the computer recognizes you as you by how you use your machine. The way we use a computer is unique to us as individuals. The particular way you move the mouse, the particular cadence you have on the keyboard, all of those things are very individual. So someone may login to your banking website and after a while the website says, ‘I don’t think you’re Joe. I’m not going to let you transfer that money. I need a higher level of authentication.’ We’re trying to find ways to use that to identify cyber attackers."
DARPA continues to work on encryption technologies, including homomorphic encryption, which allows operations and calculations on data while it is still encrypted. Encryption technology, though, provokes concerns about the tradeoff between privacy and local or national security, Launchbury said.
"Privacy is a big concern and we’re developing technology like encrypted facial recognition to address that," he said. "How do you find the right balance between private interests and public oversight? We’re in the situation where we’re really struggling with this."
"The incentives for both companies and the government to protect their customers or employees from cyber-attacks have to improve."
Dr. John Launchbury
Launchbury also lamented what he sees as the unwillingness of many organizations to accept risk of attack rather than spend the time and money to build in high levels of security.
"The social and economic costs and consequences of failing to secure one’s system have not been high enough yet to warrant upfront security investment," he said. "The incentives for both companies and the government to protect their customers or employees from cyber-attacks have to improve."
Meanwhile, Launchbury said individuals can take measures to protect their own data and identity by keeping their software updated, using a different password for each account and also using a password manager, and being cautious whenever asked for a password.
Looking at the bigger picture, Launchbury said the United States needs to look at the cybersecurity situation holistically, as well as help develop international norms.
"We don’t yet have international cyber norms," he said. "For example, when is a cyber-attack an act of war?"
Ultimately, Launchbury has hope that the United States can do what it takes to protect the nation against cyber threats.
"When our private and public sector organizations come together to solve a problem, we can be a powerful force in creating technologies, capabilities, and policies for national security," said Launchbury. "Cybersecurity is a problem for all of us now. Let’s invent effective ways to work together to solve this problem for us all."
The views and opinions expressed here are those of the speaker and do not necessarily reflect the official policy or position of the Pacific Council.