By Paul Theron, a Professor of Cyber-secure Engineering Systems and Processes at the Manufacturing Informatics Centre, Cranfield University. He was previously director of the Aerospace Cyber Resilience research chair in France, funded by Thales, Dassault and State-Major de l’Armee de l’Air. Paul continues to be an active member of NATO’s IST 152 Research & Technology Group on Autonomous Intelligent Agents for Cyber Resilience.
There’s an estimated shortage of 50,000 cyber defence specialists in the UK, and up to two million worldwide. Despite the obvious career opportunities, the number of young people opting for IT-related qualifications is falling (down 17% this year says the British Computer Society). We want a digital economy, we want to be consumers of slick IT services, but at the same time we don’t necessarily want to be stuck dealing with its ugly complexities, the breakdowns and crises.
In response to the shortage, there is the current push for a national cyber-skills strategy, for creating a stronger stream of young recruits, for professionalisation of status, up-skilling and re-skilling of general IT staff. But it’s been admitted that this will take time, 10 years or more, to have an effect. And in the meantime, in the UK and across global networks, IT systems used by many organisations – both old and new – are looking more stretched, more exposed and more fragile.
The scale and level of organisation behind the threats will look very different by then. There has already been a sharp evolution of cyber-attacks from hobby to highly organised, targeted and strategic activity, and this will only accelerate. Cyber-attacks have increased in number and the cyber threat is today’s “new normal”. Attackers’ goals are increasingly ambitious; they tend to multiply attack vectors and targets and to continuously increase the sophistication and diversity of their attacks. They attack cyber defence mechanisms themselves to perpetrate in-depth attacks, with low-key wide-ranging attack strategies used with a view to generating severe systemic impacts. Attack technologies have improved from simple programs overriding systems’ functionalities, to scripted pervasive software capable of replication and designed to take control of systems’ security privilege management functions, and finally to remotely controlled software agents that can be activated by a Command & Control server itself masked behind layers of camouflage false IP addresses and routes.
This “new normal” creates a climate of permanent uncertainty and distrust both in systems and societal forces, and even in people operating or simply using systems. As technology makes progress, attack technologies will progress again, with reports that Autonomous Intelligent Agents for cyber-attacks are already being developed to defeat current cyber-defence technologies and to increase attackers’ strike power against teams of human experts. Cyber defence involves some tricky tactics. A clumsy response from a cyber response team, looking to just switch off a system or stop a piece of malware, can spark even more damaging retaliation in terms of wiping data or causing IT paralysis. Humans can be good at developing responses, but are mostly late and slow, especially when it comes to complex systems.
Besides, the focus of research and development in cybersecurity is too much skewed towards the area of protection: to the upgrading of security measures, like cryptography, firewalls, anti-virus software, authentication methods, etc. All of these are important building blocks for cybersecurity. However, organisations need more specialist people to deal with breaches of those basic security systems, working on a response to attacks, and to ensure lessons are learned. Cyber-resilience includes both cybersecurity and cyber defence.
Developing autonomous cyber defence systems can provide the next level of sophistication needed to monitor and manage this escalation. The growing use of big data and machine learning techniques will provide the ‘always on’ supervision power that any number of skilled cyber-professionals couldn’t compete with. But there’s also the potential for swarms of pro-active, self-learning cyber defence agents to work across the web on the side of national infrastructure and lawful activities.
Multi Agent Systems are made of a set of individual agents. Its multiple agents, while acting locally on the basis of their individual knowledge and rules, cooperate together towards a common goal, which requires some form of collective intelligence. They are close to naturalistic behaviours such as ants’ and bees’, their connectivity is in line with the doctrine of information superiority through high connectedness, their versatility implies a vast number of configurations and functions for a wide variety of issues, they help the decentralisation, distribution and sharing of resources and decisions.
They are a set of software or hardware (possibly human) entities, including sensors, actuators, repositories, cyphers, transmitters, cognitive functions. The agents embed their own methods, policies, self-management capabilities, resources, energy-generation features and capacities for hiding, detecting and understanding attacks and their various signals; they are capable of devising their own reaction plans, keeping ‘Situation Awareness’ for sense making and changing or optimising reaction plans when and as circumstances require. They use local and distributed resources to perform or optimise tasks, collaborating with human operators as and if needed, at the same time as learning and improving their own capabilities.
The autonomous system of agents interacts through rules and methods, interfaces, communication and cooperation protocols, discovery and invocation procedures, runtime enablers – in this way creating collectively the intelligence. So not just exchanging data but building together their own emerging capabilities required to carry out cyber defence missions, able to adjust their goals and make decisions and choices in response to the changing context. They work according to a set of ad hoc policies, either administrator-defined, or devised or optimised according to actions and circumstances.
As a result, these can be designed to recognise patterns of actual and potential attacks and the agents can be used to manage the most appropriate forms of counter-measures for each individual attack. The report of their activity can be used by experts to recommend and implement adaptations based on greater breadth and depth of knowledge. These autonomous agents will flag only when expert human intervention or a key judgment call is needed – so merely requiring occasional oversight and input.
This is one future of cyber defence that can offer a through-life and affordable option for supporting large-scale and complex systems, like the Internet of Things, as well as for civil and military operations. It’s an approach that needs serious testing before being put into practice on the live web. With this in mind, we are creating a large-scale Internet of Things simulator, involving interactions with and between millions of objects. It will provide the kind of rich, complex and fast-moving cyber environment that’s needed for replicating modern levels of IoT transactions and those to come.
Autonomous cyber defence is for the medium-term – we’re talking in terms of being operational within seven to 10 years – but needs to be part of cyber-defence planning now, for taking a pro-active, future-looking stance rather than being in a position of always chasing problems, generating evermore interest from cyber-criminals. It will also become essential in a context where the attacks are being run themselves through their own Multi Agent Systems, which would be impossible to defend against with solely human expertise.
We’re still at the stage where fundamental, blue sky research is urgently needed to turn a collection of priniciples and smart ideas into working technology. That means therefore the early attention and involvement from a wide range of beneficiaries: from governments with the key responsibility for defending national infrastructure and economic security, to state defence institutions, national intelligence agencies and the wider defence and security industry.