The Defense Advanced Research Projects Agency stirred notice when it asked contractors to come up with ideas on how to create systems and platforms that can engage in cyberwarfare.
But perhaps what was even more attention-getting has been the response. DARPA reported last month that its Plan X, as the effort is known, has received an “unanticipated and overwhelming response from industry and academia.”
So much so that the agency was forced to cancel an industry day planned for late September and reschedule a two-day event to accommodate the intense interest.
As cybersecurity becomes a familiar — and, some say, even overused — term, more aggressive and dynamic capabilities are becoming a new focus.
DARPA’s Plan X, for instance, asks for innovative research in areas including building “battle units” that can perform cyberwarfare and developing “high-level mission plans” that can act as auto-pilot functions.
Still, there seem to be more questions than answers at this point. Cyberwarfare remains a fuzzy area in which government bodies are still trying to figure out exactly what’s legal, said David Z. Bodenheimer, a partner at Crowell & Moring.
“On the offensive side, the law of war is poorly developed, raising considerable risks to governments who engage in cyberwar,” he said. The risks are there, too, for contractors, who will “be at the forefront of cyberwar battles,” Bodenheimer added.
But some companies are already seeking to learn from exploring these new areas. Suzanne E. Kecmer, a vice president at McLean-based investment firm KippsDeSanto who specializes in cyber and intelligence, said working on offensive capabilities can help companies strengthen their defense.
The “way for them to understand the art of the possible is breaking their own tools and services,” she said.
Still Richard A. Clarke, a former special adviser to the president on cybersecurity who now advises Fairfax-based SRA International, is skeptical that the federal government — and its contractors — should be spending its time on cyberwarfare.
Companies, he said, are generally finding vulnerabilities in software, which they should be reporting, rather than exploiting.
“At the end of the day, the obligation of the U.S. government is to defend first and, until we get that right, we shouldn’t be running around attacking other people,” he said.