We need better tools to predict cyberattacks

You’d be forgiven for thinking that every time you turn on the radio or TV, pick up a newspaper or open your preferred news app, you’ll hear, see, or read a story of the latest cyberattack or data breach. It’s a reflection of the world we live in today, and it’s no longer the sole territory of state-backed groups or criminal gangs.

“One individual can pose a threat whether motivated as a state actor, by criminal intent or just for the challenge of hacking,” says Nick Barsby, chief of staff at the UK Government’s Defence and Security Accelerator (DASA). “Key to preventing future threats is understanding the evolving cyber landscape and identifying potential threats we might not anticipate are a threat today.”

Figures released by the UK Government in April 2018 revealed more than four in ten UK businesses and around two in ten charities had been the victims of cyberattacks or breaches in the preceding 12 months.

In response, the government has announced a raft of measures to improve cyber security across private, public, and the charitable sectors – including new regulations, the establishment of the National Cyber Security Centre (NCSC), and almost £2bn in funding to “protect the nation from cyber threats” - according to the Minister for Digital and the Creative Industries, Margot James MP.

DASA’s mission is to facilitate innovations within the defence arena, bringing together government, academia and industry by providing a platform for collaboration and, ultimately, funding proof-of-concept research that offers a high potential benefit to defence and security.

Part of this mission is addressed through competitions, such as the latest one in predictive cyber analytics. “This is a new competition we have just launched, and one of many new competitions DASA is running this year,” explains Barsby.

“We are looking for novel innovations across a range of potential suppliers who can address the challenge. We are interested in novel approaches to cyber security that can predict the most likely offensive cyber events and/or predict optimal defensive cyber actions to enable proactive defence in a hostile and contested cyber environment.”

It is hoped the competition will ultimately result in a deployable solution which can help to predict and counter future cyber threats. DASA is not simply looking for something that enables defences to detect and protect against a current attack, but can predict them before they have even begun, and as far in advance as possible.

“Key to this competition is for the developments to be predictive in nature, i.e. we are interested in forecasting future activity. What we don’t want is tools to identify or stop a current cyberattack; we don’t want a new anti-virus tool,” Barsby says.

The competition will consist of a number of phases. Each phase will accelerate the maturity of the innovations towards deployability in an operational environment. In phase 1, entrants will be expected to provide proof-of-concept ideas with the possibility of securing £1m for their research project. The first phase will last for six months and these bids will be contracted in the new year. Details of the second phase will be released in the middle of next year.

Published in early September, the notice called for entrants to adapt and implement predictive approaches from other industries to the cyber security domain, create and implement novel predictive analytics specific to cyber security, and exploit empirical observation-based models of attackers in order to make predictions, among other things.

However, the scope is not limited. Barsby explains: “The key thing with a DASA competition is that we try not to get into solutionising. We set the framework for the challenge space and ask the experts in the wider supplier base to suggest new and novel innovations. There are a number of different frameworks for describing cyber threats; we are not prescriptive in how suppliers want to frame their proposals, what is important is they articulate how their bid will address the challenges.”

In the first phase, proposals that make use of commercial data systems are permitted but thereafter they should be able to display scalability, utilising data from military operational technology. There should also be evidence of how the phase 1 concept can be developed further.

“We are interested in a range of ideas which can appropriately be applied to the challenge; we don’t have a single solution in mind and will likely fund a number of different approaches,” Barsby continues, suggesting there may be a collection of proposals they may consider and fund.

Importantly, however, any proposal that focuses on theoretical models, or that lack implementation to real data, and those that ingest social media feeds or other public data of a personal nature, will not be considered.

Asked whether it might often be too late to predict cyberattacks, Barsby says: “This is one of the aims of the call. In the past we have relied on individual expertise in predicting the future threats but the big data revolution will provide us with many more opportunities to develop predictive tools to help stay ahead of the threats.

“The UK is lucky in this regard as we have world leading capabilities in artificial intelligence (AI) and machine learning and a wider understanding of big data opportunities.”

However, the UK is said to be in the midst of a skills shortage in cybersecurity experts, and those that are available often demand a high fee, perhaps into six figures. It is because of this that AI is becoming increasingly useful as a cybersecurity tool, but it might not be the ‘silver bullet’, warns an article in the Financial Times in September 2018.

One expert said AI was beneficial for notifying users once they’ve been compromised, and not before.

Gemalto’s chief technology officer of data protection Jason Hart warned the technology was at least three to four years away, telling the newspaper: “What we want it to do is identify when something suspicious happens, apply the appropriate security controls to mitigate the risk, then report back that it has noticed a potential attack, stopped it and protected the data.”

Methods for predicting cyberattacks have changed dramatically in recent years. As technology moves forward and our understanding of cyberspace grows, so too does the determination and capability of adversaries.

However, as in the physical world, certain “traits” or “signs” can be evident ahead of an attack. It’s those indicators that can be crucial in cyber defence. Predictive tools can go much further than that, as the call by DASA shows. How far? For now, we just don’t know.

“It is often the things we have not thought of, which will provide us with the best solutions,” Barsby concludes.