Type 'S' for Suspicious

DARPA's far-out, high-tech plan to catch the next Edward Snowden.

Government-funded trolls. Decoy documents. Software that identifies you by how you type. Those are just a few of the methods the Pentagon has pursued in order to find the next Edward Snowden before he leaks. The small problem, military-backed researchers tell Foreign Policy, is that every spot-the-leaker solution creates almost as many headaches as it's supposed to resolve.

With more than 1.4 million Americans holding top-secret clearance throughout a complex network of military, government, and private agencies, rooting out the next Snowden or Bradley Manning is a daunting task. But even before last week's National Security Agency (NSA) revelations, the government was funding research to see whether there are telltale signs in the mountains of data that can help detect internal threats in advance.

In the months following the WikiLeaks revelations, the Defense Advanced Research Projects Agency (DARPA) -- the U.S. military's far-out tech arm -- put out a number of requests for research on methods to detect suspicious behavior in large datasets as a way to root out rogue actors like Manning (or in more extreme cases, ones like Fort Hood shooter Nidal Malik Hasan.)

The most ambitious of these is known as Anomaly Detection at Multiple Scales (ADAMS), a program that as an October 2010 research request put it, is meant "to create, adapt and apply technology to the problem of anomaly characterization and detection in massive data sets." The hope is that ADAMS would develop computers that could analyze a large set of user-generated data -- the emails and data requests passing through an NSA office in Honolulu for instance -- and learn to detect abnormal behavior in the system.

The tricky part of this kind of analysis is not so much training a computer to detect aberrant behavior -- there's plenty of that going around on any large network -- it's training a computer what to ignore.

"I like to use the example of learning to recognize the difference between reindeer and elk," wrote Oregon State University computer scientist Tom Dietterich, who worked on developing anomaly detection methods for ADAMS, in an email to Foreign Policy. "If all I need to do is tell these species apart, I can focus on the size [of] their antlers and whether the antlers have velvety fur, and I don't need to consider color. But if I only focus on these features, I won't notice that Rudolph the Red-Nosed Reindeer is anomalous, because I'm ignoring color (and noses, for that matter). So in an anomaly detection system, it is important to consider any attribute (or behavior) that might possibly be relevant rather than trying to focus on a very few specific characteristics."

Over the past three years, DARPA has shelled out millions of dollars on efforts to learn how to root out Rudolphs from the rest of the reindeer and find out exactly what these red noses look like. This includes a $9 million award to Georgia Tech to coordinate research on developing anomaly detection algorithms. You can peruse much of the research funded through ADAMS online. For instance, a proposal by the New York-based firm Allure Security Technology, founded by a Columbia University computer science professor, calls for seeding government systems with "honeypot servers" and decoy documents meant to entice potential leakers to subversives. The files would alert administrators when accessed and allow the system to develop models for suspicious behavior. The company cheekily refers to this technique as "fog computing."

Another ADAMS-funded paper by Carnegie Mellon University computer scientist Kevin Killourhy looks at systems to "distinguish people based on their typing." For instance, Killourhy explains, when three typists are asked to type the password ".tie5Roanl," the three users can be easily identified by how long they hold down the "t" key. The paper suggests such technologies "could revolutionize insider-threat detection," though unfortunately even the best systems can have an error rate of up to 63 percent, and detection can apparently be thrown off if the person just isn't a very good typist. (Note to prospective whistle-blowers: Try two-finger typing.)

Under the fairly obtuse title "Non-Negative Residual Matrix Factorization with Application to Graph Anomaly Detection," two DARPA-supported IBM researchers attempted to identify the kind of behaviors that might indicate suspicious behavior in a large network. These included "a connection between two nodes which belong to two remotely connected communities," such as an author publishing a paper on a topic not normally associated with his or her research; "port-scanning like behavior," which is when a particular IP address is receiving information from an unusually high number of other addresses; and "collusion," such as a "group of users who always give good ratings to another group of users in order to artificially boost the reputation of the target group."

The thinking has gone somewhat beyond the theoretical level. At a conference in May, researchers from defense firm SAIC presented results from the PRODIGAL (Proactive Discovery of Insider Threats Using Graph Analysis and Learning) research team -- part of the overall ADAMS initiative -- which tested a series of anomaly detection methods on an organization of approximately 5,500 users over the course of two months. "Red teams" were inserted into the data simulating characters such as a "saboteur," an intellectual property thief, and a "rager" -- someone prone to "strong, vociferous, abusive, and threatening language in email/Webmail/instant messages." The detection methods varied widely in effectiveness.

Such systems are clearly not yet up to the task of identifying a leaker before he or she strikes, and Dietterich, the Oregon State computer scientist, was cautious when asked whether they ever would be. "Anything I would say here would just be speculation, and artificial intelligence researchers have learned the painful lesson that we are very bad at predicting when, if, or how the methods we develop will be useful," he stated.

ADAMS may still be in the trial stage, but "insider threat" detection was clearly a major priority for the U.S. government even before last week. In October 2011, for instance, President Barack Obama signed an executive order calling for the creation of an interagency Insider Threat Task Force charged with the "safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure."

The Snowden affair will no doubt only accelerate efforts to combat these threats. Of course, if these efforts included high-tech initiatives along the lines of ADAMS, it would be somewhat ironic, as this type of big-data analysis is a not-so-distant cousin of the much larger surveillance programs that Snowden sought to expose. This type of analysis may alarm privacy advocates, but in the end, the idea of intelligence agencies developing a vast high-tech data-surveillance program to prevent anyone from learning about an even vaster high-tech data-surveillance program feels a little more Catch-22 than 1984.



Longform's Picks of the Week

The best stories from around the world.

Every weekend, Longform highlights its favorite international articles of the week. For daily picks of new and classic nonfiction, check out Longform or follow @longform on Twitter. Have an iPad? Download Longform's new app and read all of the latest in-depth stories from dozens of magazines, including Foreign Policy.

Dear Leader Dreams of Sushi

Adam Johnson • GQ

The odyssey of Kim Jong-il's personal chef.

Soon there was another sushi party, with many shouts of "Toro, one more!" At its conclusion, Shogun-sama tossed Fujimoto an envelope, which landed at his feet. Whether Kim Jong-il meant the envelope to land on the table in front of Fujimoto or whether Shogun-sama wanted to see Fujimoto stoop to retrieve it is unknown.

"I was pissed," Fujimoto said. "I refused to pick it up."

Kim Jong-il stared at Fujimoto, his large glasses and jowls projecting his trademark Pekingese demeanor.

Fujimoto's interpreter whispered in Japanese that they could be shot for this offense.

But Fujimoto can be a stubborn man. His temper, he says, is "in my DNA."

Finally the interpreter retrieved the envelope and handed it to Fujimoto.

In it was a thousand dollars.

Over the next week, Fujimoto contemplated how close he'd come to death.

STR/AFP/Getty Images

Maxed Out on Everest

Mark Jenkins • National Geographic

On the dangerous glut of visitors looking to conquer Mt. Everest, where there is sometimes a two-hour wait to climb the Hillary Step.

An hour above high camp on the Southeast Ridge of Everest, Panuru Sherpa and I passed the first body. The dead climber was on his side, as if napping in the snow, his head half covered by the hood of his parka, goose down blowing from holes torn in his insulated pants. Ten minutes later we stepped around another body, her torso shrouded in a Canadian flag, an abandoned oxygen bottle holding down the flapping fabric.

Trudging nose to butt up the ropes that had been fixed to the steep slope, Panuru and I were wedged between strangers above us and below us. The day before, at Camp III, our team had been part of a small group. But when we woke up this morning, we were stunned to see an endless line of climbers passing near our tents.

Now, bumper to bumper at 27,000 feet, we were forced to move at exactly the same speed as everyone else, regardless of strength or ability. In the swirling darkness before midnight, I gazed up at the string of lights, climbers' headlamps, rising into the black sky.


When the Beautiful Game Turns Ugly

Wright Thompson • EPSN

A journey into the world of Italy's racist soccer thugs.

Kevin-Prince Boateng comes into the posh drawing room in the AC Milan headquarters rapping Snoop Dogg. The word "believe" is tattooed on his left hand. Wealthy, engaged to a swimsuit model, he's left behind a childhood in the Berlin slums. The 9-year-old him would be awestruck by the room in his house completely filled with sneakers, which he cleans carefully with toothpaste. But the 9-year-old him also has scars, ripped open that afternoon on the Pro Patria pitch, when strangers looked him in the eye and called him a monkey.

"It's happened to me before," he says.

He wasn't Boateng then, just a kid named Kevin with a German mother and a Ghanaian father. During an away game, the father of an opponent said, "Little n-----, for every goal you score, you're gonna get a banana."

Boateng repeats those words sitting in the quiet, peaceful lounge. "It's inside of me," he says. "I will never forget the father. He had a big beard and no hair. I even remember his son. I remember the face of his son. I wanted to kick his son so hard. I didn't. I scored a goal, and we won the game. This I remember."

Valerio Pennicino/Getty Images

Silent War

Michael Joseph Gross • Vanity Fair

Tracing a secretive cyber-war's battles and casualties.

One of the most innovative features of all this malware-and, to many, the most disturbing-was found in Flame, the Stuxnet precursor. Flame spread, among other ways, and in some computer networks, by disguising itself as Windows Update. Flame tricked its victim computers into accepting software that appeared to come from Microsoft but actually did not. Windows Update had never previously been used as camouflage in this malicious way. By using Windows Update as cover for malware infection, Flame's creators set an insidious precedent. If speculation that the U.S. government did deploy Flame is accurate, then the U.S. also damaged the reliability and integrity of a system that lies at the core of the Internet and therefore of the global economy.

Asked whether he sees this development as crossing a Rubicon, Kaspersky raised his hand as if to make a point, brought it back down to his chest, then put his fingers to his mouth and cast his eyes to the side, collecting his thoughts. In an hour-long interview, it was the only question that made him fidget. The response he settled on evoked the moral ambiguity-or, maybe, incoherence-of a cyber-warfare operation such as Flame, which surreptitiously did wrong for the sake of doing right. "It's like gangsters in a police uniform," he finally said. Pressed about whether governments should be held to a higher standard than criminals, Kaspersky replied, "There is no rules for this game at the moment."

Patrick Lux/Getty Images

On Your Left, the Decline and Fall

Gareth Harding • Foreign Policy

A museum depicts Europe's dystopian future after the fall of the EU.

The year is 2063 and the Friends of a Reunited Europe have organized the "first international exhibition on life in the former European Union" -- which collapsed under the weight of its own contradictions in 2018. The show focuses on the last decade of the Union, when "prosperity and stability lulled Europe to sleep," according to the mock "House of European History in Exile" pamphlet handed out to visitors. It was a time when "people everywhere used a single currency called the 'euro,'" when "national borders were blurred" and Brussels, not Warsaw, lay at the beating heart of the old continent.

The exhibition, organized by the Royal Flemish Theatre, is housed in a derelict former boarding school several hundred yards from the headquarters of the European Commission, in the architectural wasteland of this city known as the "European quarter." A slow but steady trickle of visitors trudges up two flights of rickety stairs to a lobby that looks like the waiting room of a regional Polish tax inspectorate circa 1974. The walls are clad in formica, the sink is filthy, the flatpack cupboards unhinged, and a neon light flickers overhead. A mousy receptionist hands me a lottery ticket with my assigned number and tells me my personal tour will start in 10 minutes. When my number is called out, I move to pick up an ancient audio guide but it's stuck to the table. "Sorry, but it's out of order," says the receptionist, with a wry smile.


For daily picks from around the web, check out Longform or download Longform for iPad.