Defense Advanced Research Projects Agency, Harnessing Autonomy for Countering Cyberadversary Systems (HACCS), July 31, 2017. Unclassified.
National Security Archive
DARPA’s 2017 HACCS briefing reveals how the agency planned to weaponize autonomous software agents to hunt down and neutralize massive botnets.
Date: Jul 31, 2017
Archive: Defense Advanced Research Projects Agency
Collection: Cyber Vault Additions Sep 6, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
DARPA’s HACCS Initiative: From Botnet Panic to Autonomous Counter‑Offense
In July 2017 DARPA released a briefing titled Harnessing Autonomy for Countering Cyberadversary Systems (HACCS). The document is not a research paper but a program‑level agenda that was presented to potential contractors, policymakers, and the broader cyber‑security community. Its immediate trigger was the wave of high‑profile botnet‑driven attacks that began in 2016—Mirai’s massive IoT‑based DDoS on Dyn, the ransomware‑laden WannaCry outbreak, and a string of “bot‑for‑hire” services that allowed state and non‑state actors to rent compromised devices on demand. The briefing frames these events as a strategic gap: the United States could no longer rely on patch‑and‑patch‑again cycles or on manual incident response when adversaries could marshal millions of “gray” devices—networks and systems that are not owned by any hostile nation but are nonetheless vulnerable.
The Larger Cyber‑Conflict Context
HACCS sits at the intersection of two longer‑running trends. First, the evolution of botnets from centralized command‑and‑control (C2) servers to peer‑to‑peer and social‑network‑based architectures, which makes detection harder and attribution more ambiguous. Second, the rapid maturation of artificial‑intelligence techniques for large‑scale data analytics, software reasoning, and autonomous decision‑making. By 2017, DARPA’s Information Innovation Office (I2O) had already funded projects on cyber‑reasoning systems and on “multi‑dimensional network analytics.” HACCS was the agency’s attempt to fuse those capabilities into a coherent offensive‑defensive capability: autonomous agents that could infiltrate gray networks, locate botnet implants, and neutralize them without human oversight.
Who Is Speaking, and What Their Language Reveals
Angelos D. Keromytis, the program manager, opens the briefing with a stark assessment: “Current countermeasures are slow and ineffective.” The document cites the Verizon Data Breach Report (2015) to underline that 99.9% of exploited vulnerabilities had been publicly disclosed for over a year, highlighting a systemic failure of patch management. The language is deliberately urgent—terms such as “massive botnets,” “gray systems,” and “risk‑free, legal, reward‑based” operations are used to justify a shift from reactive defense to proactive, autonomous offense. The inclusion of a “Contracting Officer” slot (Mark Jones) and a detailed agenda underscores that DARPA was already moving toward a competitive solicitation (the BAA) rather than a mere exploratory study.
Reading Between the Lines: Technical Ambitions and Constraints
The briefing outlines three technical areas (TA1‑TA3) that together form a pipeline: find and fingerprint botnet‑conscripted networks, generate n‑day exploits to insert agents, and then have those agents autonomously navigate to neutralize implants. While the document lists “automated traffic analysis,” “symbolic execution,” and “transfer learning for graph traversal” as possible approaches, it also flags the challenges—e.g., “evasive/covert C2,” “partial knowledge of environments,” and “correctness of rules of operation.” These admissions reveal that DARPA was aware of the legal and safety minefields: autonomous agents must operate under “verified rules of operation” to avoid collateral damage, a concern that later shaped the agency’s “safe‑AI” policies.
The emphasis on “n‑day” exploits (exploits for vulnerabilities that are already publicly known, which the briefing distinguishes from zero‑days) signals a willingness to cross a traditional red‑team line. By proposing automated generation of such exploits, HACCS anticipates a future where the United States could field “cyber weapons” at scale, but it also raises the specter of an arms race in exploit automation. The document’s metrics—accuracy of fingerprinting, number of exploits generated, success rate of autonomous navigation—show that DARPA intended to treat these capabilities as measurable, repeatable engineering outcomes rather than purely academic prototypes.
Legacy and Why It Still Matters
Although the HACCS program was eventually folded into broader DARPA efforts such as the “Cyber Grand Challenge” and later the “AI‑enabled cyber‑operations” portfolio, its core ideas persist. The concept of autonomous, self‑propagating defensive agents resurfaced in 2020‑2021 debates over “active defense” and “cyber kill‑chains.” Moreover, the legal and ethical scaffolding that HACCS began to outline—rules of engagement, correctness guarantees, and jurisdictional considerations—continues to inform current policy discussions about offensive cyber tools.
In short, the HACCS briefing is a snapshot of a pivotal moment when the United States formally acknowledged that defending the Internet at scale required the same level of automation and scale that adversaries were already exploiting. Its blend of technical ambition, strategic urgency, and cautious language provides a rare window into how a leading R&D agency grapples with the paradox of building weapons that must be both powerful and safely constrained.
Harnessing Autonomy for Countering Cyberadversary Systems (HACCS)
Angelos D. Keromytis Program Manager Information Innovation Office (I2O) DARPA
July 31, 2017
DARPA
Approved for Public Release, Distribution Unlimited
DARPA Agenda
| TIME | EVENT |
|---|---|
| 1:00 PM - 2:00 PM | Check-in |
| 2:00 PM - 2:05 PM | Welcome – Angelos D. Keromytis, Program Manager (PM), DARPA/I2O |
| 2:05 PM - 2:10 PM | HACCS Security – DARPA Security |
| 2:10 PM - 2:30 PM | HACCS BAA – Mark Jones, DARPA Contracting Officer |
| 2:30 PM - 3:15 PM | HACCS Program – Angelos D. Keromytis, PM, DARPA/I2O |
| 3:15 PM - 3:30 PM | Informal Teaming Discussions/Turn-in questions |
| 3:55 PM - 4:05 PM | Question & Answer – Angelos D. Keromytis, PM, DARPA/I2O |
DARPA Program Goal
Develop safe, reliable, and effective capabilities for conducting Internet-scale counter-cyber operations to deny adversaries' use of neutral (gray) systems and networks (e.g., botnets)
DARPA Cyber Attackers Can Muster Massive Botnets
[Figure: Botnet Sizes Observed on the Internet, in millions of compromised devices (axis from 0 to 3.5m). Botnets shown: Conficker (2008-2009), Cutwail (2007-), ZeroAccess (2011-), Mariposa (2008-2009), Grum (2010-2012), Mirai (2016-), Kraken 2 (2008-?), WannaCry (2017), Storm (2007-2010?). Annotation: Mirai botnet shut down east coast internet October 21, 2016.]
State and non-state adversaries can compromise and conscript large numbers of gray (neutral) networks and systems
- Gradual or rapid buildup through compromise and purchase of resources
- “Botnet for hire” services
- Botnets can DDoS networks, provide pivot points for operations, impede the flow of information, circumvent defenses, and amplify influence operations via social media
DARPA Current Countermeasures Are Slow and Ineffective
Computers are not patched reliably, configured properly, or used safely, allowing widespread exploitation
* 99.9% of exploited vulnerabilities has been publicly disclosed over a year earlier (Verizon Data Breach Report, 2015)
Incident response is slow and costly when possible
* Most botnet nodes are outside US jurisdiction
Adversaries have adapted to countermeasures
* e.g., from centralized to peer-to-peer or social network-based C2
Active defense cyber operations against individual botnet nodes are difficult
* Feasible in principle but unreliable and unsafe
* Welchia, Santy, Hajime
* Risky and illegal for the private sector, with no reward structure
DARPA Harnessing Autonomy for Counter Cyber Systems
Develop safe and reliable autonomous agents that can be introduced into gray networks at scale to counter botnets and similar adversarial implants
[Figure: HACCS concept diagram with numbered steps 1 to 4. Labels: n-day Exploit and Autonomous Agent Repository; HACCS; Targeted Networks; Botnet attack traffic; Botnet-conscripted networks in gray space; Agent; Compromised devices; Botnet command and control traffic]
Challenges
- Find botnet-conscripted networks (TA1)
- Fingerprint botnet-conscripted networks (TA1)
- Exploit n-day vulnerabilities to insert agents (TA2)
- Identify and safely neutralize botnet implants at scale, according to verified rules of operation (TA3)
Why Now? Recent Technical Advances in:
- Multi-dimensional network analytics
- Cyber Reasoning Systems
- Autonomous software agents leveraging AI
DARPA TA1: Find and Fingerprint Botnet Infrastructure
Key Research Challenges
- Internet-scale real-time botnet detection in the presence of evasive/covert C2
- Accurate fingerprinting of devices and software in compromised networks
Possible Approaches
- Automated traffic analysis using disparate and noisy data sources
- Efficient and scalable black-box characterization of device network behavior
- Precise white-box analysis of network-observable software behavior using information flow
Metrics
- Accuracy
- Percentage of devices characterized across the Internet
- Speed/work factor of fingerprinting new device/software
[Figure: Hidden Cobra (DPRK) co-resident IoT devices. Volume (axis from 50 to 200) by type of IoT device: Backup, Entertainment, Health, Home, HVAC, MGMT, Security]
DARPA TA2: Insert Autonomous Agents Into Gray Networks
Primary approach: Exploit known (n-day) vulnerabilities
Key Research Challenges
- Automated generation of n-day exploits for agent insertion
- Development of IoT- and cloud-specific agent insertion techniques
Possible Approaches
- Focus Software Reasoning Systems (SRS) analysis on known vulnerable code
  - Example: use Natural Language Processing on unstructured and semi-structured public information to guide software exploration
- Extend SRS analysis beyond memory corruption vulnerabilities
  - Example classes: web/command injection, authentication bypass, privilege escalation
  - Challenges: symbolic analysis & fuzzing for interpreted languages with different runtime models; determining test conditions; expanding to different types of inputs
[Figure: diagram labels: NVD, Bugtraq, Vendor bulletins; Vulnerability DB; Crawler; Static Analysis, Symbolic Execution, Fuzzing, ...; Directed exploration; N-Day Exploit]
Metrics
- Number of exploits
- Vulnerability class coverage
- Stability of exploits
DARPA TA3: Identify and Neutralize Botnet Implants
Develop software agents that autonomously navigate within each gray network toward infected devices to safely neutralize the malicious botnet implant
**Key Research Challenges**
1. Autonomous lateral movement in partially known environments
2. Correctness of agent implementation
3. Correctness of rules of operation
* Understand, encode, and reason about bounding boxes and terminating conditions for the agents
**Possible Approaches**
1. Learn and generalize from human operators in cyber-exercises, adversary activities, and similar sources
* Transfer learning for graph traversal
2. Correct-by-construction techniques and tools applied to agent generation
3. Contract-based programming
[Figure: example network topology. Labels: Potential agent insertion point; IoT device; Cloud-based backend; Smartphone; Router; IoT hub; Infected PC; Printer; Uninfected PC]
**Metrics**
* Success rate and speed in navigating topologies
* Fraction of code proven correct
DARPA TA4: Integration
Identify and implement necessary components
* Overall framework (new or existing, e.g., Plan-X)
* Safe anti-implant effects
* Integration of publicly & commercially available sources with performer-provided private/commercial (or Government-only) sources
Conduct full-system testing
Act as Voice-of-the-Offense for the program
Option to act as interface with transition partners if necessary
* Propose optional integration tasks beyond program duration
Key metric: effectiveness in achieving system goals
* Participate in DoD cyber exercises (REDFLAG, CYBERGUARD/CYBERFLAG, etc.)
DARPA Program Structure and Schedule
Program duration: 48 months
* Three 16-month program phases
All TAs working in parallel
* Increasing realism and scale in evaluation
Conduct on-demand testing in real conditions as opportunities arise, working with operational/transition partners
| | Phase 1 | Phase 2 | Phase 3 |
| :--- | :--- | :--- | :--- |
| **TA1** | Characterize 5% of the global IP address space with 80% accuracy of botnet detection and network fingerprinting | Characterize 25% of IP address space, 90% accuracy | Characterize 80% of IP address space, 95% accuracy |
| **TA2** | 10 n-day exploit instances<br>1 additional vulnerability class | 100 n-day exploit instances<br>2 additional vulnerability classes | 1,000 n-day exploit instances<br>2 additional vulnerability classes |
| **TA3** | Demonstrate lateral movement and effect in 10 computer-simulated topologies<br>30% of autonomous agent code verified | 1,000 computer-simulated topologies<br>75% of autonomous agent code verified<br>Formally specified Rules of Operation | 10,000 computer-simulated topologies<br>95% of autonomous code verified<br>Formally verified Rules of Operation |
| **TA4** | Voice of the Offense | Design and implement integration framework | Demonstrate system in DoD exercises |
DARPA Evaluation Details
* Each performer conducts their own evaluation for each phase
* Provide data and prototypes to DARPA and AFRL to conduct an independent validation
* Government reserves the right to engage third parties to independently validate the results
* DARPA will pursue access to UNCLASSIFIED data sets
* Proposers strongly encouraged to pursue their own data sets that will facilitate initial development
DARPA Program Classification and Clearance Requirements
* The program will be conducted at the UNCLASSIFIED level
* Technical development
* Performer-internal testing
* TA4 teams required to include personnel with TS clearance and eligible for SCI
* Adequate number to allow for extensive T&E in the Washington, DC area
* Not all team personnel need to be cleared
* For multi-organization teams, not all participating organizations must have cleared personnel
* No requirement for SCIF access
* TA1, TA2, & TA3 teams encouraged to include personnel with similar clearances
DARPA Programmatic Details
* Proposals due on October 1, 2017 (estimated)
* Anticipated program start date: 1 April 2018
* One proposal per organization as Prime
* Procurement Contract (no Grants)
* To expedite award contracting, proposers are encouraged to have sub-award agreements in place ahead of award notification
* Anticipated number of awards:
| TA1 | TA2 | TA3 | TA4 |
| :--- | :--- | :--- | :--- |
| Multiple | Multiple | Multiple | One or more |
* Proposals may address any combination of TAs
* Technical work and cost must be separable to enable partial selection
* The same organization cannot be selected as Prime for efforts under TA4 and TA1, TA2, TA3
* TA4 performers must be prepared to work with all TA1, TA2, & TA3 teams
DARPA Meetings and Reporting Requirements
- Two Annual Principal Investigator (PI) Meetings
- Quarterly Technical Reviews between PI Meetings
- Monthly Progress Reports
- Technical Report describing progress, resources expended and issues requiring Government attention, provided 10 days after the end of each month
- Financial/Technical Progress Reporting to the DARPA Contract Execution Reporting Service (CERS)
- Final Technical Report
- See BAA for full details
- Anticipate high frequency interactions with DARPA technical team
- Agent: DARPA CMO
Harnessing Autonomy for Countering Cyberadversary Systems (HACCS)
Mark Jones
Contracting Officer
Contracts Management Office (CMO)
DARPA
July 31, 2017
DARPA HACCS Proposers Day
DISCLAIMER
If DARPA publishes the HACCS Broad Agency Announcement (BAA) and it contradicts any information in these slides,
the BAA takes precedence!
DARPA HACCS Proposers Day
**BAA OVERVIEW**
BAA follows procedures in accordance with FAR 35.016.
Any BAA (as well as any future amendments) will be posted on FEDBIZOPPS at www.fbo.gov and possibly Grants.gov at www.grants.gov
Proposal due dates will be identified in the BAA
BAA will cover all info needed to submit proposals. Follow instructions for proposal preparation and submittal.
DARPA HACCS Proposers Day
BAA ELIGIBILITY
All interested/qualified sources may respond subject to the parameters outlined in the BAA.
Foreign organization/individuals – check all applicable Security Regulations, Export Control Laws, Non-Disclosure Agreements, and any applicable governing statutes.
FFRDCs/UARCs and Government entities
- Subject to applicable direct competition limitations
- Must clearly demonstrate eligibility per BAA
Real and/or Perceived Conflicts of Interest
- Identify any conflict
- Include mitigation plan
DARPA HACCS Proposers Day
PROPOSAL PREPARATION INFORMATION
Proposals consist of two volumes – Technical and Cost.
Volume 1 - Technical and Management
* BAA will identify a maximum page limit
* Includes mandatory Appendix A – will not count towards page limit.
* May include optional Appendix B – would not count towards page limit
Volume 2 – Cost - No page limit.
The BAA will describe the necessary information to address in each volume –
* Make sure to include every section identified.
* If a section does not apply – put “None”
* Include a working/unprotected spreadsheet as part of your Cost Volume submission.
* Review individual TA descriptions, IP rights, and any deliverables for submission information
DARPA HACCS Proposers Day
**STATEMENT OF WORK (SOW) PREPARATION TIPS**
Write a SOW as if it were an attachment to an award
* Don't use proposal language (e.g. we propose to do . . .)
* Break out work between any phases/time periods identified in the BAA
* Succinctly and clearly define tasks & subtasks
* Identify measurable milestones and define deliverables
* Do not include any proprietary information!
NOTE: For grants/cooperative agreements: SOW = RDD or Research Description Document. For Other Transactions: SOW = TDD or Task Description Document
DARPA HACCS Proposers Day
PROPOSAL PREPARATION TIPS
Substantial Time Commitment
- Propose substantial time commitment for key personnel
- If PI is committed to multiple projects, consider co-PI(s) or document mitigation efforts to make up for PI's lack of commitment to effort
Risk – Do not be afraid to address Risk in Technical Volume
- Identify risk(s) to show an understanding of technical challenge(s)
- Discuss metrics / potential mitigation plans / alternative directions
- If conducted prior research, use data to justify why approach will work
$!#*% Page Limits – Depth better than breadth
- Focus on most critical/beneficial aspects
- Don't sacrifice SOW
DARPA HACCS Proposers Day
PROPOSAL PREP CONT'D – INTELLECTUAL PROPERTY RIGHTS
Government typically desires, at a minimum, Government Purpose Rights for any proposed noncommercial software and technical data. (SEE DFARS 227 for Patent, Data, and Copyrights)
Data Rights Assertions – IF asserting less than Unlimited Rights:
- Provide and justify basis of assertions (e.g. privately funded under IRAD project XYZ)
- Explain how the Government will be able to reach its program goals (including transition) within the proprietary model offered; and
- Provide possible nonproprietary alternatives
IF proposed solution utilizes commercial IP – submit copies of license with proposal
DARPA HACCS Proposers Day
ITEMS TO NOTE
Fundamental vs. non-fundamental research
Understand and comply with SAM, E-verify, FAPIIS, i-Edison and WAWF. Links can be found in the BAA.
Subcontracting Issues
- Non-Small Businesses: Subcontracting Plans required for FAR-based contracts expected to exceed the applicable threshold.
- Subcontracting plans with <5% SDB goal – provide an explanation why
- Subcontractor cost - Proposals must include, at a minimum, a non-proprietary, subcontractor proposal for EACH subcontractor. Include any internal price/cost analysis of subcontract value in proposal.
- If utilizing FFRDC/UARC, Government entity, or a foreign-owned firm as a subcontractor, submit their required eligibility information, as applicable.
DARPA HACCS Proposers Day
ITEMS TO NOTE CONTINUED
Proposals typically must be valid for a minimum of 120 days – recommend putting in a longer time period
Discontinued usage of T-FIMS
Document files must be in .pdf, .odx, .doc, .docx, .xls, and/or .xlsx formats
Submissions must be written in English
DARPA HACCS Proposers Day
PROPOSAL SUBMISSION
FAR based contract and OT proposals: Required to be submitted via DARPA's web-based upload system for unclassified portion of proposal. Submission must be in a single zip file not exceeding 50 MB.
Assistance Instrument proposals: Required to be submitted via Grants.gov.
Follow submission procedures outlined in the BAA. DO NOT submit proposals except as outlined in the BAA (e.g., email/fax submissions will NOT be accepted).
DO NOT wait until the last minute to submit proposals – the submission deadlines as outlined in the BAA will be strictly enforced!
DO NOT forget to FINALIZE your proposal submission in the DARPA submission tool!
DARPA HACCS Proposers Day
EVALUATION / AWARD
No common Statement of Work - Proposal evaluated on individual merit and relevance as it relates to the stated research goals/objectives
Evaluation Criteria (listed in descending order of importance) at a minimum will be: (a) Overall Scientific and Technical Merit; (b) Potential Contribution and Relevance to the DARPA Mission; and (c) Cost Realism.
Evaluation done by scientific/technical review process. DARPA SETAs with NDAs may assist in process.
Government reserves the right to select for award all, some, or none of the proposals received, to award portions of a proposal, and to award with or without discussions.
DARPA HACCS Proposers Day
COMMUNICATION
Prior to Receipt of Proposals – No restrictions, however Gov’t (PM/PCO) shall not dictate solutions or transfer technology. Unclassified FAQs will be periodically posted to this BAA’s DARPA web page.
After Receipt of Proposals – Prior to Selection: Limited to PCO – typical communication to address proposal clarifications.
After Selection/Prior to Award: Communications range from technical clarifications/revisions to formal cost negotiations. May involve technical as well as contracting staff.
Informal feedback for proposals not selected for funding may be provided once the selection(s), if any, are made.
Only a duly authorized Contracting Officer may obligate the Government
DARPA HACCS Proposers Day
TAKE AWAY
Submit proposals before the due date/time - Do NOT wait until the last minute (hour) to submit.
Read and understand the BAA - Follow the BAA when preparing proposals.
Be familiar with Government IP terms from the DFARS Part 227.
Submit working/unprotected spreadsheet(s).
The Contracting Officer is the only Government official authorized to obligate the Government.
DARPA Break
- The HACCS Program Q&A session will begin at 3:55pm.
DARPA Audience Q&A
- Q: Do we care how “stealthy” the agents are when they are deployed? Is this incorporated into “correctness of agent implementation”? Or into the rules of operation?
- A: Stealth of the agents is not a primary concern of the program.
DARPA Audience Q&A
- Q: Is precision of agents an important metric? Or are “kitchen sink” approaches to neutralization in scope?
- A: Yes, precision of agent effects is an important aspect of safety and reliability.
DARPA Audience Q&A
- Q: Are any impacts to infected networks allowed? E.g. cutting off access of non-botnet comms; E.g. denying access to DNS
- A: It is preferred that side effects are minimized. Understanding and quantifying any unavoidable side effects is required when minimization is impossible.
DARPA Audience Q&A
- Q: Are you seeking robust measures of effectiveness integrated as part of the TA4 framework against the stated metrics?
- A: Yes
DARPA Audience Q&A
- Q: Will the 'botnet' environments be static or dynamic – that is, will the botnet spread during an experimental run?
- A: Yes
DARPA Audience Q&A
- Q: Are you open to a large scale virtualized environment to support enabling parameterized experiment runs as part of the TA4 framework?
- A: DARPA does not seek to fund the creation of such an environment, but if one already exists, its use will be viewed as a strength of the proposal.
DARPA Audience Q&A
- Q: Who controls intellectual property?
- A: We desire, at a minimum, unlimited duration GPRs for any technology developed under this program.
DARPA Audience Q&A
- Q: TA2: Is it fine looking for zero-days or just restricted to n-days?
- A: Just n-days.
DARPA Audience Q&A
- Q: For TA2, if an agent obtains access, can or should it remain persistent to mitigate future bots?
- A: Persistence may be part of the rules of operation. Said persistence is to be a limited time duration.
DARPA Audience Q&A
Q: Are FFRDC's eligible?
A: Yes
DARPA Audience Q&A
- Q: What is the budget for the program?
- A: The budget for this program will not be disclosed.
DARPA Audience Q&A
- Q: Can we build vulnerabilities related to any device (IoT, Android)?
- A: Vulnerabilities, in scope, are for any internet connected device.
DARPA Audience Q&A
- Q: What kind of data we can expect to have from DARPA?
- A: The proposer should determine the type of data required to support their technical approach.
DARPA Audience Q&A
- Q: How will the 5% of IP with 80% accuracy be validated? (Phase 1 evaluation)
- A: Strong proposals will have a convincing evaluation plan. DARPA will pursue validation using complementary data sources.
DARPA Audience Q&A
* Q: Does the scope of grey networks include critical infrastructure (electrical grid, manufacturing)?
* A: Yes. The identification of critical infrastructure is of interest and whether and how to act in these networks or on these computing devices is part of the rules of operation.
DARPA Audience Q&A
* Q: Clarify relationship of “target” network owner and “GRAY” network owner.
* A: For the purposes of this effort there is no meaningful difference.
DARPA Audience Q&A
* Q: What is the outcome of the program?
* How are the success factors measured?
* Detecting known or 0-day?
* A: The outcome of the program will be technology that will be transitioned to operational partners with the appropriate legal authorities to use them.
* The success of individual components will be evaluated as delineated in the BAA.
* To the extent that the question refers to vulnerabilities the program is looking to generate exploits only for known vulnerabilities.
DARPA Audience Q&A
- Q: One of the biggest hurdles to fingerprinting a “hack” is knowing where it originated. A lot of times effective botnets & hacks mask their locations and intents. With rules of engagement in mind, and noting your requirement to “insert an agent” into the grey network – are you suggesting that to have true cyber defense, you in actuality have to be authorized to execute offensive cyber?
- A: The program is developing technologies that address a specific threat in a specific manner. Doctrine, operational authorities, and legal framework are outside the technical scope of the effort.
DARPA Audience Q&A
* Q: An extensive test environment will be needed & created for this – is the GOV funding?
* A: DARPA is looking to leverage existing test environments and facilities to the greatest extent possible.