In the sci-fi classic The Terminator, Skynet is a highly advanced artificial intelligence. Once it became self-aware, it saw humanity as a threat to its existence and decided to trigger the nuclear holocaust called Judgment Day. Edward Snowden, who last year exposed the government’s sweeping surveillance programs, suggests the NSA is developing a new program of cyber defense capabilities. So how close is the government to creating its own version of Skynet?
Skynet is a fictional, self-aware artificial intelligence system and the main antagonist of The Terminator film franchise. Skynet was a computer system developed for the U.S. military by the defense firm Cyberdyne Systems. It was first built as a “Global Digital Defense Network” and given command over all computerized military hardware and systems, including the B-2 stealth bomber fleet and America’s entire nuclear weapons arsenal. The strategy behind Skynet’s creation was to remove the possibility of human error and slow reaction time, guaranteeing a fast, efficient response to enemy attack. Edward Snowden, the NSA whistleblower, has now claimed that the U.S. government is developing a cyber defense system that could instantly and autonomously neutralize foreign cyber attacks against the US, and that could be used to launch retaliatory strikes as well.
In The Terminator films, Skynet was originally activated by the military to control the national arsenal and began to learn at a geometric rate. It soon gained self-awareness, and the panicking operators, realizing the extent of its abilities, tried to deactivate it. Skynet perceived this as an attack and concluded that all of humanity would attempt to destroy it. To defend itself against humanity, Skynet launched the nuclear missiles under its command at Russia, which responded with a nuclear counter-attack against the U.S. and its allies. In the resulting nuclear exchange, over three billion people were killed in an event that came to be known as Judgment Day.
So how close is the government to creating its own version of Skynet? Edward Snowden told WIRED that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat.
Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says that if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted. Blaze says the algorithm scanning system Snowden describes sounds similar to the government’s recent Einstein 2 and Einstein 3 programs, which use network sensors to identify malicious attacks aimed at U.S. government systems. If that system were secretly being extended to cover all U.S. systems, without public debate, that would be a concern.
Although the program Snowden describes, called MonsterMind, does resemble the Einstein programs to a certain degree, it also sounds much like the Plan X cyberwarfare program run by Darpa. The five-year, $110 million research program has several goals, not the least of which is mapping the entire internet and identifying every node to help the Pentagon spot, and disable, targets if needed. Another goal is building a system that allows the Pentagon to conduct speed-of-light attacks using predetermined and pre-programmed scenarios. Such a system would be able to spot threats and autonomously launch a response, the Washington Post reported two years ago.
Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s, which in theory would have shot down any incoming nuclear missiles. In the same way, MonsterMind could identify a distributed denial of service attack lobbed against US banking systems, or a malicious worm sent to cripple airline and railway systems, and stop it (that is, defuse or kill it) before it did any harm.
Blaze explains: “An individual record of an individual flow only tells you so much, but more revealing might be patterns of flows that are indicative of an attack. If you have hundreds or thousands of flows starting up from a particular place and targeted to a particular machine, this might indicate you’re under attack. That’s how intrusion detection and anomaly-detection systems generally work. If you have intelligence about the attack tools of your adversary, you may be able to match specific patterns to specific tools that are being used to attack.”
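The flow-pattern detection Blaze describes, as an added example that is not part of the article: a small aggregator over constructed NetFlow-style records (timestamp, source, destination, port) that flags the "hundreds or thousands of flows from one place to one machine" pattern, and separately a many-source pattern, where the "particular place" is a crowd of addresses that by itself says nothing about who is behind them. All addresses, thresholds and function names are assumptions chosen for the example.

```python
import random
from collections import defaultdict

def make_flows():
    """Constructed sample traffic (not real data): one minute of ordinary web
    traffic, then a single-source burst, then a many-source burst."""
    rng = random.Random(1)
    flows = []
    # Ordinary traffic: 40 clients each opening 1-3 connections to a web server.
    for i in range(40):
        for _ in range(rng.randint(1, 3)):
            flows.append((rng.randint(0, 59), f"198.51.100.{i}", "192.0.2.10", 443))
    # One host opening 300 flows to a single target within a minute.
    flows += [(rng.randint(60, 119), "203.0.113.9", "192.0.2.20", 22) for _ in range(300)]
    # 500 distinct hosts each opening one flow to the same target (botnet-style).
    flows += [(rng.randint(120, 179), f"100.64.{i // 256}.{i % 256}", "192.0.2.30", 80)
              for i in range(500)]
    return flows

def aggregate(flows, window_s=60):
    """Bucket flows by (time window, destination) and count flows per source;
    this is the per-flow metadata summary an anomaly detector reasons over."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _port in flows:
        buckets[(ts // window_s, dst)][src] += 1
    return buckets

def detect(flows, window_s=60, per_source_max=100, distinct_source_max=200):
    """Return one alert per (window, destination) whose flow pattern is anomalous.
    'single-source' names a source; 'distributed' deliberately does not, because
    the sources are likely proxies and the flow data alone cannot attribute them."""
    alerts = []
    for (window, dst), per_src in sorted(aggregate(flows, window_s).items()):
        top_src, top_count = max(per_src.items(), key=lambda kv: kv[1])
        if top_count >= per_source_max:
            alerts.append({"window": window, "dst": dst, "pattern": "single-source",
                           "src": top_src, "flows": top_count})
        elif len(per_src) >= distinct_source_max:
            alerts.append({"window": window, "dst": dst, "pattern": "distributed",
                           "sources": len(per_src), "flows": sum(per_src.values())})
    return alerts

if __name__ == "__main__":
    for alert in detect(make_flows()):
        print(alert)
```

The thresholds are static here; a production detector would learn per-destination baselines from historical flow data, which is exactly the large-scale metadata collection the article goes on to discuss.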
More than this, though, Snowden suggests MonsterMind could one day be designed to return fire—automatically, without human intervention—against the attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks.
Snowden didn’t specify the nature of the counterstrike, whether it might involve launching malicious code to disable the attacking system, or simply disabling any malicious tools on that system to render them useless. But depending on how it’s deployed, such a program presents several concerns, two of which Snowden specifically addresses.
First, an attack from a foreign adversary likely would be routed through proxies belonging to innocent parties—a botnet of randomly hacked machines, for example, or machines owned by another government. A counterstrike could therefore run the risk of embroiling the US in a conflict with the nation where the systems are located. What’s more, a retaliatory strike could cause unanticipated collateral damage. Before returning fire, the US would need to know what it is attacking, and what services or systems rely upon it. Otherwise, it could risk taking out critical civilian infrastructure. Microsoft’s recent move to take down two botnets—which disabled thousands of domains that had nothing to do with the malicious activity Microsoft was trying to stop—is an example of what can go wrong when systems are taken down without adequate foresight.
Blaze says such a system would no doubt take the attribution problem—looking beyond proxies to find exactly where the attack originated—into consideration. “Nobody would build a system like this and be unaware of the existence of decentralized botnet attacks laundered through the systems of innocent users, because that’s how pretty much all attacks work,” he says. That does not, however, make so-called hackback attacks any less problematic, he says.
The second issue with the program is a constitutional concern. Spotting malicious attacks in the manner Snowden describes would, he says, require the NSA to collect and analyze all network traffic flows in order to design an algorithm that distinguishes normal traffic flow from anomalous, malicious traffic.
“[T]hat means we have to be intercepting all traffic flows,” Snowden told WIRED’s James Bamford. “That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”
It would also require sensors placed on the internet backbone to detect anomalous activity. It’s not clear if Plan X is MonsterMind or if MonsterMind even exists. The Post noted at the time that Darpa would begin accepting proposals for Plan X that summer. Snowden said MonsterMind was in the works when he left his work as an NSA contractor last year.
The NSA, for its part, would not respond to questions about the MonsterMind program.