Last time I set the stage for Mission Resilient Clouds (MRC). This time I will review the requirements released by DARPA, the Defense Advanced Research Projects Agency of the U.S. Department of Defense.
The DARPA MRC program has three main goals:
- Collective Immunity.
Several hosts working in concert can achieve greater immunity to attack than any single host can. Multiple system “voting” solutions have been used for decades (I worked briefly on one at UC Berkeley in the early 1970s). They are, by definition, expensive. Because they try to keep multiple systems in sync, they can introduce chaotic performance behavior in networks. If the hosts are identical, then any remaining vulnerability is easily exploited. If the hosts are different (e.g., different operating systems and maybe even chip sets), the operational and maintenance costs go up geometrically. The DARPA MRC program “seeks to produce collective-immunity techniques that are scalable, resistant to coordinated attacks, and offer tunable tradeoffs between attack resistance and overhead.”
- Cloud-wide “public health” infrastructure.
The goal is to maintain mission effectiveness in the face of a coordinated attack. This means that the infrastructure must recognize an attack, assess the trustworthiness of each resource in the infrastructure, and continuously reallocate resources to provide sufficient trustworthy resources to support the mission. These resources are servers, network band-pass, and storage. It also requires that different tasks have different priorities. The MRC program seeks to produce technologies that share information across the infrastructure, and then make assessments as to the trustworthiness of individual resources. Once an attack is recognized, it must be diagnosed. When the cause is identified, patches or other workarounds need to be distributed across the infrastructure. Compromised resources need to be quarantined and potentially, in the case of a host or storage, regenerated. Most existing detection and correction technologies look for a single failure and deal with it. Since many cyber attacks are multi-step, the program looks to the “public health” infrastructure to determine if the attack is multi-step and then to take appropriate action.
- Manageable and taskable diversity and moving-target defense.
Homogeneous computational systems provide rich targets for an attack, as a single attack can exploit a vulnerability across many systems. A vulnerability shared across only a subset of the infrastructure can still be exploited and used as a base for further attack. If such a vulnerability can be exploited in a quorum of the hosts before detection, it can completely negate any collective-immunity schemes. As noted before, heterogeneous infrastructures are inherently more expensive to manage. The MRC program “seeks to develop techniques … that make all hosts appear different to the attacker while preserving a common manageability interface, thus allowing the ‘public health’ techniques to effectively monitor and control the cloud.” The “moving-target defense” is to periodically reallocate tasks to different servers to make it more difficult for an attacker to “map” the infrastructure and launch coordinated attacks. This is much like the “random” frequency shifting some wireless systems use to make it harder to read or even jam the signal. Since any of these techniques can consume significant resources, the program specifies that these should be tunable, allowing the resource utilization to be changed to match the current threat level.
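The quorum argument above, together with the voting schemes described under Collective Immunity, can be made concrete with a small model. This is an added example, not part of the original post or of the DARPA material; the variant labels, fleet layouts and function names are constructed for illustration, and it assumes simple strict-majority voting in which every replica sharing an exploited variant reports the same forged value.

```python
from collections import Counter

def vote(outputs):
    """Return the value reported by a strict majority of replicas, else None."""
    value, count = Counter(outputs).most_common(1)[0]
    return value if count > len(outputs) // 2 else None

def run_round(variants, exploited, correct="OK", forged="FORGED"):
    """One voting round: replicas running an exploited variant lie in unison."""
    outputs = [forged if v in exploited else correct for v in variants]
    return vote(outputs)

def worst_case(variants, exploits=1):
    """Most replicas an attacker can compromise at once when holding
    `exploits` distinct exploits, each of which works on one variant."""
    counts = sorted(Counter(variants).values(), reverse=True)
    return sum(counts[:exploits])

def quorum_safe(variants, exploits=1):
    """True if correct replicas always keep a strict majority."""
    return worst_case(variants, exploits) <= (len(variants) - 1) // 2

# Constructed fleets of five replicas; each letter is a software/hardware variant.
HOMOGENEOUS = ["A", "A", "A", "A", "A"]   # cheapest to manage
SKEWED      = ["A", "A", "A", "B", "C"]   # some diversity, but A alone is a quorum
DIVERSE     = ["A", "A", "B", "C", "D"]   # no single variant reaches a quorum

if __name__ == "__main__":
    for name, fleet in [("homogeneous", HOMOGENEOUS),
                        ("skewed", SKEWED),
                        ("diverse", DIVERSE)]:
        print(f"{name:12} one exploit against A -> vote = "
              f"{run_round(fleet, {'A'})}, "
              f"safe vs 1 exploit: {quorum_safe(fleet, 1)}, "
              f"safe vs 2 exploits: {quorum_safe(fleet, 2)}")
```

The `exploits` parameter is the tunable part: tolerating an attacker with more independent exploits requires more distinct variants or more replicas, which is the overhead-versus-resistance tradeoff the program description refers to.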
The MRC program has five technical areas of interest.
- Scalable and tunable innate distributed defenses.
This technical area capitalizes on the virtually infinite size of the Cloud to erect defenses to penetration. Possible techniques include fault tolerant computing, proactive recovery, and proactive defensive techniques against a skilled cyber terrorist in the Cloud. “The goal is to create tunable and analyzable versions of these techniques that are capable of making tradeoffs between resource consumption and level of guarantee, and that offer predictable behavior in large-scale networked environments.”
- Shared situational awareness, trust modeling, and diagnosis.
This technical area focuses on sharing diagnostic information and the diagnosis of large-scale, multi-step attacks. This area builds on other DARPA projects that have focused on individual hosts. This area also covers modeling the trustworthiness of individual resources within the Cloud, plus developing “attack plan recognition” techniques that can recognize Cloud-wide attacks in their earliest stages.
- Optimizing missions and resources.
This technical area also takes advantage of the massively redundant resources in the Cloud. The goal of this area is to create the planning technologies that will continuously re-plan the allocation of resources to meet the mission’s needs.
- Mission-aware networking.
Currently, the Cloud network technologies tend to maximize overall throughput. This can sometimes leave individual nodes with too little or no communication. The goals of this technical area are to allow the network to measure its own behavior and allocate resources according to the individual mission priorities.
- Manageable and taskable diversity.
This technical area will develop new techniques to make each host appear different to attackers and to shuffle the allocation of tasks to hosts so the attacker perceives a moving target.
Individual companies can bid on one or more of the technical areas. DARPA is planning on spending real money on this effort, with multiple awards expected in each technical area, and each award ranging from $500,000 to $1.5 million per year.
DARPA has a fairly optimistic time line for this project, with integration and testing in 2015.
What will we all get out of this project? Probably not what we expect, and probably a lot more than we can imagine. DARPA is a military research group, but the first generally visible positive effects will probably be in the financial world. As General Peter Pace, former Chairman of the Joint Chiefs of Staff, indicated: the job of the Joint Chiefs of Staff is to protect the U.S. from foreign attack, and that includes attacks on our financial systems. I expect that we will see, as early as 2012, some significant security improvements in Cloud-based financial systems, including your own bank-from-home activities, as a result of this MRC and similar private industry programs.
I also expect we may see in the same timeframe self-generating smart phone networks as another commercial outcome. These will probably evolve as the natural extension of today’s Mobile ad-hoc networks. As you send your team out into an area with no network infrastructure, the individual smart phones will use each other to eventually find their way to a real network hub.
And, just maybe, we can get a little ahead of the cyber terrorists out there.
The last word:
The Cloud is evolving rapidly. Today, the Cloud is not a good solution for a number of applications. The usual problems are security and performance. Performance issues can usually be resolved by spending money – it becomes a simple business decision that is getting easier to make every year. Security in the Cloud is also evolving, and fairly quickly. If you should not move something to the Cloud today, look again in six months. Watch your competitors and pay attention to the Cloud Service Providers that are advertising in your trade journals. You may not want to be the first in your industry to jump fully into the Cloud, but you do not want to be the last to get the financial and agility advantages of the Cloud.
Keep your sense of humor.