The Complex

DARPA wants to watch you type

DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect...anything.

To overcome the fact that passwords can be stolen or hacked -- and don't necessarily protect a computer once the authorized user is logged on -- the Pentagon's research arm has kicked off a $14 million effort to develop sensors that can constantly monitor users' online behavior to determine whether they are who they say they are.

This kind of vigilance is going to become all the more important as the Pentagon shrinks the number of networks it runs under its cloud-computing initiative and fields mobile devices capable of handling classified information. Ask any cyber security expert and they will tell you that computer networks will inevitably be compromised and that the best defense lies in constantly monitoring for weird behavior.

How exactly do you do that? Well, that's where DARPA's Active Authentication program comes in. The Active Authentication program is aimed at verifying your identity based on your online behavior instead of an easily guessed or stolen password.  

"The program focuses on the development of new types of behavioral biometrics focused on the user's cognitive processes," Richard Guidorizzi, DARPA program manager, explained in an email to Killer Apps. In English, that means Active Authentication will monitor your computer habits -- like your typing patterns, the way you use a mouse, and even how you construct sentences -- to assemble an "online fingerprint."

"Examples of this could include, but are not limited to, behavioral biometrics that focus on a user's unique way of typing on the device or cognitive biometrics that focus on how the user processes language and structures sentences," he said.

In theory, a user would log onto his computer using a government-issued secure ID card, known as a Common Access Control card. This would tell AA sensors to begin monitoring the user, analyzing typing and sentence structure, and comparing the patterns to previous behavior.

AA isn't just limited to desktop computers. DARPA will also address mobile devices.

This could come in mighty handy for soldiers and spies who are increasingly reliant on smart phones and tablets to do everything from filing flight plans to collecting and sharing classified information.

Mobile devices will have their own unique safeguards. "For example, the accelerometer in a mobile phone could track how the device rests in a user's hand or the angle at which he talks into it. Another technique might track the user's gait, reflecting how he walks as it is transported. In theory, each of these examples could be another layer of user validation," Guidorizzi writes.

Don't expect AA tech to be put into place anytime in the near future, though -- AA's work is experimental. "This program is not intended to develop fielded systems but instead to advance the technologies and concepts outlined above," added Guidorizzi.

Still, some type of online identity software may emerge in the coming years. Just today White House Cyber Security Coordinator Michael Daniel told an audience at the Center for Strategic and International Studies that he wants to see research and development programs that sound a lot like AA shift the balance of cyber power from favoring the attacker, as it does right now, to favoring the defender.

Daniel told Killer Apps he wants to know whether there are "ways that you can bake in better credentialing into the underlying structure of the Internet? Are there ways you can get the software manufacturers to make software secure by default, so that you actually have to work at browsing insecurely?"


House intel committee working with White House to avoid another CISPA veto

The leaders of the House intelligence committee say they are working with the White House to ensure passage of the Cyber Intelligence Sharing and Protection Act, which fell to a presidential veto threat last year but which Chairman Mike Rogers (R-Mich.) reintroduced yesterday.

The bill would establish rapid information-sharing about cyber threats between private businesses and the government. Last year, the White House threatened to veto it over concerns from privacy groups that the bill gave the government too much authority to view people's online activities without a warrant.

"We were working with the White House for one year, and we thought everything was going to be fine," Dutch Ruppersberger, the committee's ranking member, said yesterday in a joint appearance with Rogers. "Fifteen minutes before we went to the rules committee, we received a phone call that the president was going to veto our bill."

"We've resolved all that," he added. "We're working with the White House as of today. Mike [Rogers] and I talked with the national security advisor [Tom] Donilon and the White House is now working with us to ensure that somehow, some way, we get a bill."

Rogers was a little more cautious, telling reporters yesterday that the White House "does not endorse the bill" as it stands right now and that negotiations over its contents are ongoing. "They want to see changes in the bill, but that's a long way from where we used to be," said Rogers. "We're actually having a dialogue on how the bill moves through, I welcome that, that's a good thing."

Ruppersberger and Rogers repeatedly emphasized during a Capitol Hill hearing today that the bill will not infringe on privacy, and that CISPA only authorizes the government and private companies to share digital threat signatures, "ones and zeros" that make up packets carrying malware.

It does not allow the government to "monitor your computer, read your email, tweets or Facebook posts," Ruppersberger said yesterday.

The two lawmakers also said they are committed to working with privacy advocates on the bill.
