A Case for a Cyber Manhattan Project
Truth be told, I've been beating this drum for about 20 years, but in light of recent public awareness I think its a good time to revisit it.
Recent news is full of stories of foreign adversaries hacking our critical infrastructure, interfering with satellites, jamming GPS, spying on our government agencies and corporations.
Fears of a devastating cyber attack have even found their way into popular culture and movies.
We desperately need a Cyber Manhattan Project.
By this I mean a Federally Funded Research & Development Center (FFRDC) whose primary focus is on Offensive and Defensive cyber research in the same way that there are National Labs focused on Stockpile Stewardship, Energy, Special Nuclear Materials, etc.
This FFRDC needs a Sponsor, or group of Sponsors to commit to funding it for a long period of time just like the other National Labs. The types of sponsors I can envision are:
- Cyber-Command
- Space Command
- The Intelligence Community (NSA, CIA, DIA, FBI, etc.)
- Department of Energy (Due to its oversight of some aspects of Critical Infrastructure)
- DARPA
The Problems
There are several problems that I see:
a.) There already exists a National Cybersecurity FFRDC under MITRE sponsored by NIST, so why do we need another one?
NCF is doing good work with things like MITRE Att&ck and CVE. However it is limited in scope and its sponsor is limited in authorities as well as funding. It is housed under an organization with many different focus areas. Los Alamos National Laboratory was founded to design nuclear weapons and maintain the stockpile in order to ensure US supremacy in military and national security. We need an FFRDC with a similar vision.
b.) NSA, Cyber-Command, and others already have a cyber-focus within their organizations so what do we need a cyber FFRDC for?
STRATCOM, the Airforce & the Navy do not build their nuclear weapons. The labs do that for them, and they in turn are authorized to manage and deploy the weapons. This is a relationship with clearly defined roles.
A cyber FFRDC would interact with those organizations as customers, taking input regarding their needs and gaps, performing research, and providing capabilities that those organizations could then deploy. This would also provide opportunities for standardization and compatibility between different toolsets across the government and military.
c.) Existing Agencies won't want to give up or share their cyber programs.
There is no reason they have to. A cyber FFRDC would provide enablement, support, and enhancement to existing programs. This actually helps make the case for a Cyber FFRDC. Each of those organizations have their own authorities and areas of focus:
- NSA: Large scale capabilities in support of mass international collection efforts.
- CIA: Highly targeted capabilities in support of specific HUMINT targeting and covert actions.
- Cyber-Command: Military effects.
In many cases the capabilities used by these sorts of organizations are produced by contractors anyway. A cyber FFRDC can produce research & development beneficial to all those organizations, who can then tailor and integrate it according to their needs. Additionally, a cyber FFRDC can be a powerful partner in testing & validating externally provided solutions (similar to the relationship between MIT Lincoln Labs and DARPA).
d.) Defense contractors have the cyber space covered.
They do not. There is a near infinite amount of work to be done in the space, plenty of room for other players. Also, the defense contractor approach is fraught with issues and limitations. Let me illustrate with one simple example:
1.) A defense contractor wins a bid to develop a capability for a government customer.
2.) It costs $15 million, takes 2 years, and requires 30 people to build.
3.) The capability is specifically crafted for that moment in time.
4.) If the capability is burned it is lost. The whole process must be repeated to create a new capability.
5.) Those capabilities are often constructed in a monolithic way that makes it hard to adapt them for different operational use cases and environments.
6.) Defense contractor staff commonly switch between companies, following bid wins, limiting diversity of thought and approach available to the government. Defense contractors are also highly incentivized to keep costs down, often limiting the quality of cyber staff available. We are limited in how we can use cyber defense contractors in ways other countries are not.
The Solution
How would such a cyber FFRDC be constructed?
The first consideration is to build up a broad capability in fundamental cyber-science research. What do I mean by this?
Lets take a National Lab. In order to accomplish their mission they must have a cadre of :
- Physicists
- Chemists
- Materials Scientists
- Optical Experts
- Explosives Technicians
- Radio Frequency Engineers
- etc.
Along with the associated equipment and lab space so that those experts can perform research. A cyber FFRD would have a similar need. Here are some examples of the pillars of fundamental skills required:
In a cyber FFRDC there would be Divisions, Groups, and Teams working in dedicated facilities on all of the above subjects and more.
The results and tools that come out of that research would feed into:
- Sponsors
- Select Industry Partners
- Interested Agencies
- Standards Organizations
- Policy Makers
- Tech Transfer & CRADA
The Questions
What types of questions would a Cyber FFRDC explore?
- How knowledge flows back and forth between offense and defense and how to improve these flows?
A cyber FFRDC could employ and improve upon the Red Crow Lab testing process outlined here: https://blog.redcrowlab.com/the-process/.
- How can AI/ML be used to enable cyber research?
- How can quantum computers accelerate solving cyber problems?
- Large scale virtualization of cyber effects on critical and telecommunications infrastructures.
- How can instrumentation, data collection & mining of controlled cyber attacks assist in the rapid development of heuristics and signatures?
- What would a "cyber nuke" look like, what would be its impact, and what would be the policies and impacts of its use?
- What is the current cutting edge in cyber of our adversaries?
- Cross domain research between cyber, RF, space, and hardware.
- What does the future of cyber-weapons look like?
There are many more questions that could be answered by a properly funded and staffed cyber FFRDC and this is just want the country needs to get back on track as a leader in the field and to preserve National Security.
If you are in a position to have an impact on the concept of a cyber FFRDC and you want to learn more, feel free to contact me.
Thanks for reading.
A.