Cyberattacks by actors targeting individuals, the private sector, local and state governments, and the federal government are a pervasive problem that often has cybersecurity experts playing whack-a-mole. From holding online individual or business accounts for ransom, to stealing sensitive Personally Identifiable Information (PII) from millions of government employees and contractors, cyberattackers have shown they are nothing if not relentless.
Mitigating this complex and ever-growing problem is an issue cybersecurity professionals continue to struggle with. Even with multi-layered defensive measures—e.g., firewalls, anti-virus software, multi-factor authentication, and other efforts—cyber defenders must constantly work to prevent access to and loss of sensitive data.
A complicating factor is that the most sophisticated and persistent cyberattacks are primarily human-driven, and they take advantage of human error. This raises the question: Since the human element can’t be eliminated, can anything be done to frustrate cyberattackers?
As it turns out, there may be.
This is where one of IARPA’s newest programs, Reimagining Security with Cyberpsychology-Informed Network Defenses (ReSCIND), which will incorporate cyberpsychological defensive measures, comes into play. Cyberpsychology is an emerging, interdisciplinary scientific field that integrates human behavior and decision-making into the cyber-domain, allowing one to understand, anticipate and influence cyber operator behavior. It has seldom been used in cyber defense; however, online advertising, political campaigning, e-commerce, and online gaming all successfully profit by manipulating vulnerabilities in human psychology.
While ReSCIND’s goal is to develop new cyber defense methods, its focus is different from traditional cybersecurity protocols because it is more proactive and actor-focused rather than reactive and static. Instead of just creating a new passive defense measure, like a different password or firewall, ReSCIND researchers will seek to exploit an attacker’s cognitive weaknesses. Specifically, ReSCIND will seek to improve cybersecurity for the Intelligence Community (IC) by developing a new set of cyberpsychology-informed defenses that leverage an attacker’s human limitations, such as innate decision-making biases and cognitive vulnerabilities.
Because cybercriminals are constantly probing for new ways to get around cyber defenses, ReSCIND will potentially make an attacker’s job that much harder.
“By imposing the cyber-penalties of wasted time and effort on attackers, ReSCIND will ultimately delay and potentially thwart attacks, and more rapidly expose attackers,” ReSCIND Program Manager Dr. Kimberly Ferguson-Walter argued. “And while there will always be a need for layered cyber defense, we also require a new approach that enhances our defenses.”
Since the ReSCIND program is just getting started and has yet to select the performer teams who will research and develop the program’s technology, its ultimate success—like all IARPA research programs—is not guaranteed. However, Dr. Ferguson-Walter cited her previous experiments on decoys (i.e., fictitious machines created by the defender as a method to distract, confuse, and detect attackers) and their impact on cyberattackers, which found that deception works against experienced red teamers (attackers performing emulation tasks).
Decoys often slowed down the teams’ forward progress, confused them, and set off alerts that revealed their presence, even though the technology only utilized a small subset of potentially relevant cognitive biases. “These results give me great confidence we’ll be successful,” Dr. Ferguson-Walter said.
ReSCIND, which is expected to release a BAA in spring 2023, will tentatively award contracts and formally launch before the end of the year. Slated to run for nearly four years, the program will measure success through well-defined metrics with six-month program reviews.