DARPA wants to watch you type

DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect…anything. To overcome the fact that passwords can be stolen or hacked — and don’t necessarily protect a computer once the authorized user is logged on — the Pentagon’s research ...

U.S. Army
U.S. Army
U.S. Army

DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect...anything.

To overcome the fact that passwords can be stolen or hacked -- and don't necessarily protect a computer once the authorized user is logged on -- the Pentagon's research arm has kicked off a $14 million effort to develop sensors that can constantly monitor users' online behavior to determine whether they are who they say they are.

This kind of vigilance is going to become all the more important as the Pentagon shrinks the number of networks it runs under its cloud-computing initiative and fields mobile devices capable of handling classified information. Ask any cyber security expert and they will tell you that computer networks will inevitably be compromised and that the best defense lies in constantly monitoring for weird behavior.

DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect…anything.

To overcome the fact that passwords can be stolen or hacked — and don’t necessarily protect a computer once the authorized user is logged on — the Pentagon’s research arm has kicked off a $14 million effort to develop sensors that can constantly monitor users’ online behavior to determine whether they are who they say they are.

This kind of vigilance is going to become all the more important as the Pentagon shrinks the number of networks it runs under its cloud-computing initiative and fields mobile devices capable of handling classified information. Ask any cyber security expert and they will tell you that computer networks will inevitably be compromised and that the best defense lies in constantly monitoring for weird behavior.

How exactly do you do that? Well, that’s where DARPA’s Active Authentication program comes in. The Active Authentication program is aimed at verifying your identity based on your online behavior instead of an easily guessed or stolen password.  

"The program focuses on the development of new types of behavioral biometrics focused on the user’s cognitive processes," Richard Guidorizzi, DARPA program manager, explained in an email to Killer Apps. In English, that means Active Authentication will monitor your computer habits — like your typing patterns, the way you use a mouse, and even how you construct sentences — to assemble an "online fingerprint."

"Examples of this could include, but are not limited to, behavioral biometrics that focus on a user’s unique way of typing on the device or cognitive biometrics that focus on how the user processes language and structures sentences," he said.

In theory, a user would log onto his computer using a government-issued secure ID card, known as a Common Access Control card. This would tell AA sensors to begin monitoring the user, analyzing typing and sentence structure, and comparing the patterns to previous behavior.

AA isn’t just limited to desktop computers. DARPA will also address mobile devices.

This could come in mighty handy for soldiers and spies who are increasingly reliant on smart phones and tablets to do everything from filing flight plans to collecting and sharing classified information.

Mobile devices will have their own unique safeguards. "For example, the accelerometer in a mobile phone could track how the device rests in a user’s hand or the angle at which he talks into it. Another technique might track the user’s gait, reflecting how he walks as it is transported. In theory, each of these examples could be another layer of user validation," Guidorizzi writes.

Don’t expect AA tech to be put into place anytime in the near future, though — AA’s work is experimental. "This program is not intended to develop fielded systems but instead to advance the technologies and concepts outlined above," added Guidorizzi.

Still, some type of online identity software may emerge in the coming years. Just today White House Cyber Security Coordinator Michael Daniel told an audience at the Center for Strategic and International Studies that he wants to see research and development programs that sound a lot like AA shift the balance of cyber power from favoring the attacker, as it does right now, to favoring the defender.

Daniel told Killer Apps he wants to know whether there are "ways that you can bake in better credentialing into the underlying structure of the Internet? Are there ways you can get the software manufacturers make software secure by default, so that you actually have to work at browsing insecurely?"

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.

More from Foreign Policy

A Panzerhaubitze 2000 tank howitzer fires during a mission in Ukraine’s Donetsk region.
A Panzerhaubitze 2000 tank howitzer fires during a mission in Ukraine’s Donetsk region.

Lessons for the Next War

Twelve experts weigh in on how to prevent, deter, and—if necessary—fight the next conflict.

An illustration showing a torn Russian flag and Russian President Vladimir Putin.
An illustration showing a torn Russian flag and Russian President Vladimir Putin.

It’s High Time to Prepare for Russia’s Collapse

Not planning for the possibility of disintegration betrays a dangerous lack of imagination.

An unexploded tail section of a cluster bomb is seen in Ukraine.
An unexploded tail section of a cluster bomb is seen in Ukraine.

Turkey Is Sending Cold War-Era Cluster Bombs to Ukraine

The artillery-fired cluster munitions could be lethal to Russian troops—and Ukrainian civilians.

A joint session of Congress meets to count the Electoral College vote from the 2008 presidential election the House Chamber in the U.S. Capitol  January 8, 2009 in Washington.
A joint session of Congress meets to count the Electoral College vote from the 2008 presidential election the House Chamber in the U.S. Capitol January 8, 2009 in Washington.

Congrats, You’re a Member of Congress. Now Listen Up.

Some brief foreign-policy advice for the newest members of the U.S. legislature.