DARPA Director, Regina E. Dugan, has reinforced that the advent of the Internet more than 40 years ago created both tremendous opportunities and risks.

At DARPA’s colloquium on “Future Directions in Cyber Security” she said that “DARPA’s role in the creation of the Internet means we were party to the intense opportunities it created and share in the intense responsibility of protecting it. Our responsibility is to acknowledge and prepare to protect the Nation in this new environment,” said Dugan. “We need more and better options. We will not prevail by throwing bodies or buildings at the challenges of cyberspace. Our assessment argues that we are capability limited, both offensively and defensively. We need to fix that.”

Since 2009, DARPA has steadily increased its cyber research efforts. The Agency’s budget submission for fiscal year 2012 increased cyber research funding by $88 million from $120 million to $208 million. Over the next five years, the agency plans to grow its top line budget investment in cyber research from eight per cent to 12 per cent.

“We are shifting our investments to activities that promise more convergence with the threat and that recognise the needs of the Department of Defense,” explained Dugan. “Malicious cyber attacks are not merely an existential threat to our bits and bytes; they are a real threat to our physical systems, including our military systems. To this end, in the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs.”

The DARPA Cyber Analytic Framework, completed over a period of months through original research and detailed investigation, concluded that “the US approach to cyber security is dominated by a strategy that layers security on to a uniform architecture. We do this to create tactical breathing space, but this approach is not convergent with an evolving threat,” said Dugan.

Over the past 20 years, using lines of code as a proxy and relative measure, the effort and cost of information security software has grown exponentially—from software packages with thousands of lines of code to packages with nearly 10 million lines of code. By contrast, over that same period, and across roughly 9,000 examples of viruses, worms, exploits and bots, the analysis revealed a nearly constant average of 125 lines of code for malware.

“This is not to suggest that we stop doing what we are doing in cyber security. On the contrary, our existing efforts are necessary,” said Dugan. “These efforts represent the wisdom of the moment. But if we continue only down the current path, we will not converge with the threat.”

Informed by these insights and with a willingness to accept the Agency’s responsibility to contribute, DARPA has recruited a cyber team composed of experts from diverse fields including the “white hat” hacker community, academia, labs and nonprofits, and major commercial companies, in addition to the defence and intelligence communities.

“I should emphasise,” said Dugan, “that national policymakers, not DARPA, will determine how cyber capabilities will be employed to protect and defend the national security interests of the United States. But the agency has a special responsibility to explore the outer bounds of such capabilities so that our nation is well prepared for future challenges.”

The agency’s activities are part of a larger collection of efforts within national security at the National Security Agency, the newly formed US Cyber Command, within the military Services, the private sector, universities, non-profits, and as appropriate, Department of Homeland Security.