DOD using Army tool to fulfill directive under AI executive order
A tool developed by Army Cyber Command is now serving as the Department of Defense’s solution to fulfill a key directive in President Joe Biden’s watershed artificial intelligence executive order.
That October 2023 EO, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.”
U.S. Cyber Command is leading that effort on behalf of the DOD and, in working with Army Cyber Command, designated its Panoptic Junction tool to fulfill that directive, officials from both organizations said.
PJ, as the tool is referred to, was initially developed in response to Army Cyber Command leader Lt. Gen. Maria Barrett’s early 2023 guidance to reduce complexity for the workforce, find ways to automate away tasks that are hard to get right and do that at scale, according to an Army Cyber Command spokesperson.
The command assembled a “tiger team” of cyberspace operations, artificial intelligence and machine learning experts from across the Army to analyze how to do that across the sprawling cyber mission space. That team eventually determined that the most valuable target was automating key parts of the continuous monitoring process to enable detection of “living off the land,” a tactic in which an actor abuses legitimate administrative tools already present on a system for malicious purposes, so that the activity blends in with normal administration and leaves little or no malware on disk. Doing so would also give authorizers, system owners and cybersecurity service providers a continuously updated, common view of any given system’s current level of vulnerability, according to the spokesperson.
The effort was a partnership between the Army Cyber Command Technology and Innovation Center Lab, industry and Cybercom.
Upon evaluating PJ, Cybercom determined it would be a good fit for its response to Biden’s executive order.
“We leveraged our limited acquisition and laboratories and teamed up with an industry partner to develop a prototype,” Barrett said May 15 during the distinguished visitors day at Cyber Yankee 24, a National Guard exercise. “Our industry partner was able to develop this prototype for a very reasonable amount because they are using off-the-shelf AI systems … The key part of that last statement is this then means that future opportunities for industry partners to build and share critical analytics can be rapidly deployed.”
Booz Allen Hamilton is responsible for building the tool, according to Army Cyber Command, while the C5ISR Center is the “tool champion” and recipient.
According to Army Cyber Command — which stressed Cybercom is leading the overall project for the executive order and it will work through them on this effort — PJ is a prototype platform that, once productized, will revolutionize security monitoring of IT systems.
PJ’s primary goal is to enhance the detection of anomalous and malicious cyber activity — including living off the land — through scalable and continuous monitoring. It is seen as a significant step towards more effective digital security.
Living-off-the-land techniques have come into sharp focus with the May 2023 disclosure of a Chinese actor called Volt Typhoon. That threat has been found to have penetrated U.S. critical infrastructure systems at an unprecedented scale — over a year later, the government is still finding remnants — signaling a paradigm shift in China’s cyber actions.
While Chinese state actors have typically focused on espionage and intellectual property theft, Volt Typhoon has shifted the dynamic by targeting critical infrastructure in order to disrupt those services at a time and place of Beijing’s choosing.
“Open-source reporting talks about this actor out of China who has access to our critical infrastructure and some of our key capabilities. Why? Not just for foreign intelligence collection, but to be able to do a couple of things: to foment terror within societal panic; to be able to deny our capability, our ability to surge or maneuver or fight in the time and place of our choosing; but also to gain a military advantage for China,” Maj. Gen. Lorna Mahlock, commander of the Cyber National Mission Force, Cybercom’s elite sub-unified command tasked with defending the nation from significant digital threats, said in April.
Several officials across the U.S. government have noted that there is no valid intelligence reason to be lurking in critical infrastructure systems such as water or power.
The PJ effort was started before Volt Typhoon was disclosed and living-off-the-land activities were not its original purpose. However, the working group adjusted PJ’s focus to include these techniques, shifting its test and assessment criteria to focus on Volt Typhoon-like behaviors in one of the two critical assessment scenarios, the Army Cyber Command spokesperson said.
The tool uses AI-driven, programmatic access to Enterprise Mission Assurance Support Service (EMASS), the DOD platform used to document and authorize IT systems, and to threat intelligence to identify which risks most apply to a specific enclave’s architecture. It delivers those priorities to a second set of AI-driven functions that conduct event log analysis and identify anomalies or malicious activity, the spokesperson said. PJ is novel in that it uses artificial intelligence to link EMASS with continuous cybersecurity monitoring tools.
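To make the two-stage design described above concrete, the following is an added illustration written for this article, not code from Panoptic Junction, Army Cyber Command or Booz Allen Hamilton. It assumes a hypothetical enclave record standing in for what an authorization system such as EMASS would hold, a constructed threat intelligence feed (ATT&CK-style technique IDs are used only as labels), and constructed process-creation events in a simple key=value format. Stage one keeps only the intelligence that applies to the enclave’s platforms and turns it into a tool watchlist ordered by severity; stage two runs that watchlist over event logs and raises the score when a watch-listed tool is launched by a non-administrative account or from a parent process outside the enclave’s baseline, the pattern that distinguishes living-off-the-land abuse from routine administration. The scoring weights are assumptions chosen for the example.

```python
"""Two-stage continuous-monitoring sketch (hypothetical, all data constructed):
  1. prioritize(): match threat intel to an enclave's recorded architecture.
  2. analyze():    run the resulting watchlist over process-creation events
                   and flag living-off-the-land style abuse of native tools.
"""
from dataclasses import dataclass


@dataclass
class Intel:
    technique: str   # technique label; ATT&CK-style IDs used only as labels
    platforms: set   # OS platforms the technique applies to
    tools: set       # native binaries the technique abuses
    severity: int    # 1 (low) .. 5 (critical), an assumed scale


# Constructed enclave record, standing in for an authorization-system export.
ENCLAVE = {
    "name": "enclave-A",
    "platforms": {"windows", "linux"},
    "admin_accounts": {"CORP\\svc_patch", "root"},
}

# Constructed threat intelligence feed.
INTEL = [
    Intel("T1059.001", {"windows"}, {"powershell.exe"}, 4),
    Intel("T1047", {"windows"}, {"wmic.exe"}, 4),
    Intel("T1003.003", {"windows"}, {"ntdsutil.exe"}, 5),
    Intel("T1021.004", {"linux"}, {"ssh"}, 3),
    Intel("T1105", {"macos"}, {"curl"}, 2),   # no macOS in this enclave
]

# Constructed baseline of (tool, parent) pairs that are normal here.
BASELINE = {("powershell.exe", "cmd.exe"), ("wmic.exe", "cmd.exe"), ("ssh", "bash")}

# Constructed process-creation events (key=value, no spaces inside values).
EVENTS = [
    "host=ws01 user=CORP\\jdoe image=powershell.exe parent=winword.exe",
    "host=dc01 user=CORP\\jdoe image=ntdsutil.exe parent=cmd.exe",
    "host=srv01 user=CORP\\svc_patch image=wmic.exe parent=cmd.exe",
    "host=lx01 user=root image=ssh parent=bash",
    "host=lx01 user=root image=tar parent=bash",          # not watch-listed
    "host=ws02 user=CORP\\jdoe image=curl parent=cmd.exe", # intel not applicable
]


def prioritize(enclave, intel):
    """Stage 1: keep intel that applies to the enclave's platforms and return
    a tool -> (technique, severity) watchlist, highest severity winning."""
    applicable = [i for i in intel if i.platforms & enclave["platforms"]]
    applicable.sort(key=lambda i: i.severity, reverse=True)
    watch = {}
    for item in applicable:
        for tool in item.tools:
            watch.setdefault(tool, (item.technique, item.severity))
    return watch


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def analyze(events, enclave, watch, baseline):
    """Stage 2: flag watch-listed tools; add 2 when the account is not a known
    admin and 2 when the (tool, parent) pair is outside the baseline."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["image"] not in watch:
            continue
        technique, score = watch[ev["image"]]
        reasons = [technique]
        if ev["user"] not in enclave["admin_accounts"]:
            score += 2
            reasons.append("non-admin account")
        if (ev["image"], ev["parent"]) not in baseline:
            score += 2
            reasons.append("unusual parent " + ev["parent"])
        findings.append((ev["host"], ev["image"], score, reasons))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def run_pipeline():
    """Run both stages over the constructed data; returns findings by score."""
    return analyze(EVENTS, ENCLAVE, prioritize(ENCLAVE, INTEL), BASELINE)


if __name__ == "__main__":
    for host, image, score, reasons in run_pipeline():
        print(f"{score:>2} {host:<6} {image:<16} {', '.join(reasons)}")
```

Run as a script it ranks the ntdsutil launch by a non-admin user first and the routine, baselined wmic and ssh invocations last; curl is never considered because the only intel naming it applies to a platform the enclave does not run, which is the filtering stage one is meant to provide.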
“The Army requires the ability to continuously monitor ever-increasing numbers of IT systems to enable faster detection of malicious activity, rapid response, and comprehensive Vuln Management while reducing complexity for people,” they added.
Multiple assessment iterations kicked off in April and a final prototype is expected to be delivered in July.