MILDEC: “Cyber Deception” is a Specific Focus Area for USAF in FY15-FY16

UPDATE 2017-07-06: updates moved to bottom.

A presolicitation (mirror) from the US Air Force for “capabilities for cyber resiliency” (BAA-RIK-14-07) was released on August 1st 2014, and it mentions “cyber deception” (MILDEC) as a specific focus area for FY15-FY16:


Background: Deception is a deliberate act to conceal activity on our networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness and to influence and misdirect adversary perceptions and decision processes. Military deception is defined as “those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.” Military forces have historically used techniques such as camouflage, feints, chaff, jammers, fake equipment, false messages or traffic to alter an enemy’s perception of reality. Modern day military planners need a capability that goes beyond the current state-of-the-art in cyber deception to provide a system or systems that can be employed by a commander when needed to enable deception to be inserted into defensive cyber operations.

Relevance and realism are the grand technical challenges to cyber deception. The application of the proposed technology must be relevant to operational and support systems within the DoD. The DoD operates within a highly standardized environment. Any technology that significantly disrupts or increases the cost to the standard of practice will not be adopted. If the technology is adopted, the defense system must appear legitimate to the adversary trying to exploit it.

Objective: To provide cyber-deception capabilities that could be employed by commanders to provide false information, confuse, delay, or otherwise impede cyber attackers to the benefit of friendly forces. Deception mechanisms must be incorporated in such a way that they are transparent to authorized users, and must introduce minimal functional and performance impacts, in order to disrupt our adversaries and not ourselves. As such, proposed techniques must consider how challenges relating to transparency and impact will be addressed. The security of such mechanisms is also paramount, so that their power is not co-opted by attackers against us for their own purposes. These techniques are intended to be employed for defensive purposes only on networks and systems controlled by the DoD.

Advanced techniques are needed with a focus on introducing varying deception dynamics in network protocols and services which can severely impede, confound, and degrade an attacker’s methods of exploitation and attack, thereby increasing the costs and limiting the benefits gained from the attack. The emphasis is on techniques that delay the attacker in the reconnaissance through weaponization stages of an attack and also aid defenses by forcing an attacker to move and act in a more observable manner. Techniques across the host and network layers or a hybrid thereof are of interest in order to provide AF cyber operations with effective, flexible, and rapid deployment options.

This focus area is currently envisioned to consist of two phases running approximately 12 months each. The first phase (Concept Development) will consist of one to three study efforts that will examine potential deception technologies that could be developed. This will focus on the description, design and development of techniques and technologies that could be employed in an Air Force network. These efforts will be brought to a proof-of-concept level, and the implementations will be evaluated at the end of this phase. In the second phase (Prototyping), also lasting approximately 12 months, one or more of the concepts that show promise will be further developed to produce a prototype system capable of demonstration in a relevant environment. The system(s) developed by the end of this phase will be evaluated. At the end of this second phase, a “go/no-go” decision will be made to determine if the prototype(s) will undergo further refinement, evaluation, and potential integration with an eye toward transition.

Questions regarding this focus area can be directed to:
Anthony Macera
(315) 330-4480
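To make the solicitation’s two hard requirements concrete (decoys must force an attacker to act in a more observable way, yet stay transparent to authorized users), here is a small Python model added for this post; it is not code from the BAA or from any Air Force program. It assumes a constructed network layout, constructed flow records, and a per-deployment secret; the decoy ports, banners and IPs are all made up.

```python
import hashlib
from collections import defaultdict

# Assumed (constructed) layout: two real services plus three decoy ports that no
# authorized user or automated job ever has a reason to contact.
REAL_SERVICES = {22: "ssh", 443: "https"}
DECOY_PORTS = {2222, 8443, 3389}
# Plausible-looking banners a decoy SSH port may advertise; rotated below.
DECOY_BANNERS = ["SSH-2.0-OpenSSH_7.4", "SSH-2.0-OpenSSH_8.2p1", "SSH-2.0-OpenSSH_8.9p1"]

# Constructed sample of flow records: "src_ip dst_port minute_of_day".
SAMPLE_LOG = """\
10.0.0.5 443 100
10.0.0.5 443 101
10.0.0.5 22 102
10.0.0.9 22 100
10.0.0.9 2222 100
10.0.0.9 8443 100
10.0.0.9 3389 101
"""

def parse_flows(log):
    """Turn the constructed flow log into (src, port, minute) tuples."""
    rows = []
    for line in log.splitlines():
        src, port, minute = line.split()
        rows.append((src, int(port), int(minute)))
    return rows

def decoy_banner(port, minute, secret=b"per-deployment-secret", period=10):
    """Deception dynamics: a decoy's advertised version changes every `period`
    minutes, so a fingerprint taken at 09:00 no longer matches at 09:10.
    The schedule is derived from a secret so it is not predictable from outside."""
    digest = hashlib.sha256(secret + f"{port}:{minute // period}".encode()).digest()
    return DECOY_BANNERS[digest[0] % len(DECOY_BANNERS)]

def score_sources(rows):
    """Per source: (hits on real services, hits on decoys). Decoy hits are the
    high-confidence signal: authorized users touching only real services score 0."""
    score = defaultdict(lambda: [0, 0])
    for src, port, _ in rows:
        if port in DECOY_PORTS:
            score[src][1] += 1
        elif port in REAL_SERVICES:
            score[src][0] += 1
    return {src: tuple(counts) for src, counts in score.items()}

def suspected_recon(rows, min_decoy_hits=2):
    """Sources that touched at least `min_decoy_hits` decoys; one hit may be a typo."""
    return sorted(src for src, (_, decoys) in score_sources(rows).items()
                  if decoys >= min_decoy_hits)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print(score_sources(flows), suspected_recon(flows))
```

The normal user (10.0.0.5) never appears in the recon list because the decoys sit on ports it has no reason to use, which is the transparency property the BAA asks for; the scanning source is flagged purely by its decoy hits.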

As an indication of what deception is about, I cite the following from Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein):

  • Six general principles for effective tactical deception (Fowler and Nesbitt, 1995)
    • Deception should reinforce enemy expectations
    • Deception should have realistic timing and duration
    • Deception should be integrated with operations
    • Deception should be coordinated with concealment of true intentions
    • Deception realism should be tailored to needs of the setting
    • Deception should be imaginative and creative
  • Taxonomy of kinds of deception (Dunnigan and Nofi, 2001)
    • Concealment (“hiding your forces from the enemy”)
    • Camouflage (“hiding your troops and movements from the enemy by artificial means”)
    • False and planted information (disinformation, “letting the enemy get his hands on information that will hurt him and help you”)
    • Lies (“when communicating with the enemy”)
    • Displays (“techniques to make the enemy see what isn’t there”)
    • Ruses (“tricks, such as displays that use enemy equipment and procedures”)
    • Demonstrations (“making a move with your forces that implies imminent action, but is not followed through”)
    • Feints (“like a demonstration, but you actually make an attack”)
    • Insight (“deceive the opponent by outthinking him”)

Related reading (partially thanks to Jim Henderson / Raytheon):

UPDATES (from new to old)

UPDATE 2017-06-14: Gartner’s list of Top Technologies for Security in 2017 includes “Deception”: “Deception technologies are defined by the use of deceits, decoys and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or detect an attack. By using deception technology behind the enterprise firewall, enterprises can better detect attackers that have penetrated their defenses with a high level of confidence in the events detected. Deception technology implementations now span multiple layers within the stack, including endpoint, network, application and data”.

UPDATE 2017-01-23: [U.S.] Air Force pursues advanced “deceptive” cybersecurity tactics (Defense Systems)

UPDATE 2014-08-15: updated the Related reading section and added citations from Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein).
