From vulnerable smart fridges to personal care robots that go crazy, a military think tank is preparing for the digital worst.
by Ben Fox Rubin
May 9, 2017 5:00 AM PDT
There’s not a whole lot for Mike to do most days. Thanks to a trusty artificial intelligence platform, he can kick his feet up and let the machine handle the logistics work at his Brooklyn distribution company.
But today is different. Today the AI system gets hit with a flood of requests as if everyone in Manhattan simultaneously ran out of milk. The network is so slammed that workers at the nearby port in Red Hook switch to random manual scans of incoming containers, since several scanners are down.
Just as Mike senses something’s wrong, a dirty bomb explodes close by. Scores are killed. The bomb, it ends up, snuck through thanks to a terrorist-controlled botnet made up of millions of smart refrigerators that all started crying for milk. We were undone by our fridges.
That story, predicting a cyberattack in 2025, wasn’t created by a sci-fi author. The US Army whipped up this tale to prevent attacks like it from ever happening.
It’s one example of an idea called “threatcasting,” which tries to anticipate and influence the world 10 years from now. The concept is being developed by the Army Cyber Institute (ACI) at West Point, a new military think tank created to study the not-too-distant future of cyberspace.
Threatcasting and the institute are part of a broader effort by the military to prepare for a tech-stuffed future when even a toothpick may have an internet connection. That future could allow cyberattacks to evolve from the mostly digital sphere into destabilizing physical attacks and informational warfare, similar to the hacks during the US and French presidential elections.
Smart home hijacks? Economy-busting disinformation campaigns? Spam advertising hacks on connected contact lenses? Sure, it’s all possible, and the ACI is thinking up these sometimes terrifying, sometimes oddball ideas in hopes of keeping those concepts in the realm of “Mr. Robot” and “Black Mirror.”
“Part of what we do with threatcasting, you’re trying to put yourself into what the attack surface will look like in 10 years,” Colonel Andrew O. Hall, the think tank’s director, told me. “Because we know the attack surface is going to be huge.”
Full Metal HoloLens
I’m sitting across from Hall in his office at a circular wooden table decorated with dozens of commemorative military coins under glass. We’re in a drab, 1960s-era brick building called Spellman Hall just outside of the imposing grey stone arches of the US Military Academy at West Point, in upstate New York, where many of the institute’s staff teach.
Hall, wearing a crisp blue service uniform and shiny black shoes, filled his office with memorabilia of his past lives. On the windowsill, he keeps two combat helmets, one from his time during the war in Iraq. His bookcases are lined with math and military textbooks — “Statistical Techniques for Manpower Planning,” “Adventures in Stochastic Processes” — that he’s collected since his graduate degree studies in applied math and operations management. His desk also has a Pikachu mug on it — he’s a big Pokémon fan.
The roughly 50-person think tank, a tiny piece of the government’s vast cyberdefense resources, was created five years ago to study online warfare and build new military partnerships with universities and companies. The ACI also houses several labs, including an “internet of things” space jammed with smart home devices and a virtual reality and augmented reality lab where workers can test military applications for the Microsoft HoloLens and View-Master VR headset (yes, the one for kids).
“We’re trying to ask and answer the questions that others would not necessarily be thinking about,” Hall said.
Which gets us back to threatcasting. The idea can be used to look at the futures we want and the futures we want to avoid, then reverse-engineer from there to determine what we’d need to do today.
In a measured, earnest tone that belied the sci-fi nature of the subject, Hall discussed some of the concepts the institute is noodling as part of its threatcasting project. He talked about hijacking a personal-care robot to harm its owner, or hacking a dam, causing catastrophic damage. He also touched on autonomous war drones coordinating with tanks and bionic warriors working with teams of 10 to 15 robot soldiers.
A little surprised, I asked him: “That’s really the conversations you’re having here?”
“That’s definitely what some people would consider sci-fi,” Hall responded. “When you think about where we could be 10 years from now, most people don’t think that we will have cyborg soldiers, but we may … We definitely have to think about it before we can even count on it happening or discount it.”
Science fiction prototyping
Threatcasting was first developed eight years ago with the help of Brian David Johnson, Intel’s first futurist, who’s now Arizona State University’s futurist in residence. Johnson adapted the concept from “futurecasting,” a similar idea he’s used for more than two decades to help tech companies he’s worked for anticipate technological changes just over the horizon.
“Everybody always thinks the future is set. They’ll ask me, ‘How do I prepare for the future?’” Johnson told me on a call a few weeks ago. “I’ve spent my entire career telling people the future is built by people, the actions of people. So you have to take action. If you don’t, you’re ceding control.”
He started working on threatcasting with the US Air Force Academy nearly a decade ago and took the concept a step further by opening the ASU Threatcasting Lab to manage the ACI project.
Back at West Point, I spoke with Major Natalie Vanatta, the ACI’s deputy chief of research and Johnson’s counterpart at the think tank. Sitting at a mock living room set up at the internet of things lab, she wore the typical West Point garb of Army fatigues and combat boots. The ACI and ASU, she said, plan to host two threatcasting workshops every year with academics, military personnel, policy makers and business leaders to come up with dozens of future scenarios like Mike’s untimely death in Brooklyn.
Those futures will then be compiled to find trends and work out actions the government and businesses can take. The point of making these scenarios into specific stories, something called “science fiction prototyping,” is to make them more approachable to anyone, not just technologists or military staff.
The first of these workshops was held last August at West Point, and a second just wrapped up earlier this month in Arizona. The Marine Corps Warfighting Lab hosted a similar exercise last year with sci-fi writers that looked even further into the future.
The intent is to “start a larger conversation and create a public body of knowledge in this space as we work through what some of these challenges might be,” Vanatta said. “Because let’s be honest, the challenges the Army is going to face on the cyber or the digital domain are going to affect the nation too and everybody else.”
Cyber Pearl Harbor
Are you still skeptical? You’re not alone.
Dmitri Alperovitch, co-founder and chief technology officer of cybersecurity firm Crowdstrike, applauded the mission of the ACI but questioned the viability of threatcasting. He noted that the potential of a “Cyber Pearl Harbor” has been bandied about in his industry for the past 25 years, but it’s never happened.
“A lot of these threats that are real and we’ve seen for so many years,” he said, referring to data hacks, “we’re continuing to ignore and focusing on the sexy new ones that may never come.”
Chase Cunningham, a Forrester security analyst and Navy veteran, offered another concern.
“The nature of the threat changes so fast,” he said, “trying to forecast any further than a couple years is like throwing darts at a wall.”
Vanatta and Johnson say threatcasting is nothing like staring into a crystal ball. The ACI’s work is fluid, with forecasts changing depending on new events and whether certain mile markers set by researchers come along. If one idea becomes more plausible, then that will gain more focus.
“These threats are never going to go away completely, but what we’re trying to do is to start taking action,” Johnson said.
All these folks would agree that, if anything, the future is hard to predict. It’s probably even harder to notice a catastrophe was averted thanks to forecasting and preplanning years in advance.
So it’s possible the ACI will someday prevent some digital disaster, and no one — including the think tank itself — will know it did.