Automated “pre-cyber terrorism” indicators, anyone?

I came across what I thought was an interesting concept: the Cyber Attack Automated Unconventional Sensor Environment (CAUSE) program from IARPA.

The briefing provided by IARPA to entities who may propose solutions is fascinating.


In short, the idea is to get beyond the *reactive* nature of indicators of compromise (IOCs). While I am a proponent of information sharing, I am well aware that IOCs are a treadmill game much of the time. I don’t think IOCs are useless, but I generally view them the same way I view antivirus signatures.

IARPA wants to progress towards an *automated* and *predictive* approach that combines a wide variety of information (about industries, markets, geopolitics, etc.) with cyber security indicators.


According to the slide deck, IARPA has a whole plan set up to *measure* the effectiveness of each proposed solution. The measurements will even include a “ground truth” component theoretically allowing IARPA to compare warnings generated with actual events.

Lots of good thoughts in this one. Will it work? At least they have a plan to find out.

Owners and operators of critical infrastructure might benefit from re-examining their own use of cyber intelligence and how they plan to move beyond the reactive IOC treadmill.