Forecasting Cyberattacks

Let’s just take a step back and imagine a world in which we didn’t have people who forecasted the weather at all. Wouldn’t planning and dressing appropriately for the entire day (or even for different intervals throughout the day) be very difficult? The bottom line here is that forecasting is essentially the best solution we have for prediction, even if prediction, by default, cannot be 100% accurate all the time.

But weather isn’t the only thing that needs forecasting. Dr. Jason Matheny, Director of the Intelligence Advanced Research Projects Activity (IARPA) program under the Director of National Intelligence, works to forecast cyberattacks.

Matheny sat down with Christopher Dorobek on the DorobekINSIDER to discuss his agency’s role in forecasting potential cyberattacks and what that means in the grand scheme of cybersecurity.

So, can forecasting something as complicated as cyber really work? Forecasting is a very real possibility, according to Matheny. “Cyber attackers leave digital footprints in cyberspace when they’re planning for an attack. So even before an attack occurs there are behaviors that cyberattackers leave traces of, including actions that are taking place during planning phases and reconnaissance phases (i.e. testing particular sites for their integrity or their security).”

Matheny shared a bit about a current IARPA program, Cyber-attack Automated Unconventional Sensor Environment (CAUSE), which is working to forecast cyberattacks. This program is meant “to test a variety of different methods that we could use to detect those early planning and reconnaissance phases that occur before cyberattacks and to test them in real time against real events.” IARPA runs these tests by “using a data science approach in which multiple streams of data, both network host data and external data that’s coming from social media or web search queries, calculate a probabilistic estimate that an attack may be being planned,” Matheny stated.

Technology is playing a big role in helping IARPA employees forecast potential cyberattacks. “We have a very large investment in computing, machine learning, data analysis, as well as the development of new sensors and programs, to improve human judgment since an awful lot of intelligence analysis is done by human analysts making judgments about very complicated geopolitical events,” Matheny said. This blend of technology and human judgment makes the work resemble weather forecasting. “This is sort of akin to weather forecasting in which probabilities are assigned to a potential event.” Matheny also pointed out the need to know about highly consequential events, however improbable they may be.

In the end, why is forecasting cyberattacks important? Matheny gives us two reasons why IARPA’s work in cyber forecasting is crucial. First, forecasting can help national security decision-makers prepare appropriately for an attack through “anticipatory intelligence about events as they’re unfolding.” Second, “the purest test of a scientific theory is to use that theory to generate a forecast and then test it against real events. And I think the science is getting us to a point where we can do that beyond physics, chemistry, or biology and start doing it with social phenomena.” That is why CAUSE proves to be unique. “Doing the behavioral science on cybersecurity is a real innovation in this program,” Matheny said.

Therefore, even though forecasting, in any form, is difficult, it is necessary. IARPA is setting up government to avoid getting caught in the rain, but we still may have some storms ahead before a system of forecasting is truly set in place.

