Notice

Competition document: predictive cyber analytics phase 2

Published 3 July 2019

1. Background

Computing infrastructure is a key component of nearly all modern defence systems. There is therefore a risk that this infrastructure could be attacked by adversaries. Cyber security has been in an arms race for decades, with hackers continuously exploiting new vulnerabilities while developers race to patch them.

Traditional cyber security methods respond to known threats; this helps slow and prevent the spread of an attack, but it fails to stop targeted bespoke attacks, or the initial infection. As our understanding of adversaries and attack patterns improves, and increased computing power and data growth continue to drive the artificial intelligence (AI) revolution, new possibilities are emerging to get ahead of threats and better prepare for, or even predict, future cyber-attacks.

Historical approaches to cyber defence have been reactive, relying on black/white lists, known (virus/malware) signatures, and more recently on broader machine-learning anomaly-detection methods. Such methods are post-event or at best real-time and leave defenders on the back foot. In Phase 1 of this competition we funded seven proposals to investigate novel predictive approaches to cyber defence in the enterprise environment. We now seek to further develop, adapt, merge and explore predictive approaches that can defend a military environment against cyber-attack.

2. Competition Challenge

2.1 What are we seeking?

Prediction often makes use of one or more assumptions to identify probable actions. In cyber defence, the approaches might be: actor-centric (making an assumption about who will attack you, then using knowledge of their past behaviour to make relevant predictions); system-centric (identifying weaknesses and/or core capabilities in your system, and prioritising defences accordingly); or trend-centric (using knowledge of the most recent attacks to prioritise monitoring and defensive approaches for similar attacks). With this in mind, proposals may consider one or more of the following capabilities:

  • predict the most likely attack vectors or techniques
  • recommend and/or implement optimal cyber defences
  • predict the goals of a (future or ongoing) attack
  • predict the affiliation of an attacker (during an attack)
  • predict which adversaries are most capable of compromising a specific system
  • prioritise the monitoring, detection and analysis approaches given specific adversary(ies) or trend(s) or system capability
  • optimise defences to protect either system-critical or mission-critical components
  • organise defensive actions in chronological order to maintain the function of a system or component for as long as possible, given an adversary’s preferred attack methods and likely attempts to circumvent each implemented counter-measure
  • predict a system’s health, performance or capability with regard to potential offensive and defensive actions
  • identify what other courses of action an adversary might take if their primary intention is blocked, convey the severity of the resulting situation with respect to the function of the system being defended, and identify the most advantageous outcome for defenders (potentially in a no-win situation)
  • gamify and simulate a system and mission to identify a range of attack methods, and successful defence approaches
  • make use of known tactics, techniques and procedures (TTPs) to simulate how an adversary might try to compromise a system and how best to defend against them

All of the approaches above should ideally make predictions that:

  • can consider all adversaries or a sub-set of adversaries
  • are relevant to the chosen system being defended
  • can adapt to prioritise mission goals, or continued system function, or safeguard specific system components

2.2 What data can approaches make use of?

Proposals may make use of any source of data that a representative military environment could reasonably be expected to have access to. Traditional sensors (sources of data) for cyber defence include those from:

  • host (system/process) logs
  • antivirus
  • host intrusion detection systems (HIDS)
  • network intrusion detection systems (NIDS)
  • network traffic logs/captures
  • network (enumeration or vulnerability) scans
  • software vulnerability databases
  • virus/malware signature databases

Proposals should consider sensors available from industry, ideally that adopt open standards. Proposals may wish to consider sensors specific to the military environment, such as in the electromagnetic spectrum. Given these novel sensors may not be freely available from industry and are not the focus of the competition, proposals should implement simple approaches to act as place-holders for integration of more complex devices at a later date.

We recognise the importance of intelligence in predictive approaches. We strongly encourage proposals that use Cyber Threat Intelligence (CTI) in collecting and disseminating data for prediction: higher level intelligence products such as threat actors and their TTPs offer far greater potential for prediction than indicators of compromise. In addition, we recognise that certain information (e.g. IP and domain reputation) can change with time and such dynamic indicators are also best distributed through CTI systems.

CTI is not a new concept and many areas of industry are adopting and developing approaches around it. Consequently, we want to see technical solutions that adopt and integrate the CTI approaches currently available through industry.

With this in mind, less traditional but highly relevant sources of data for proactive cyber defence include:

  • curated intelligence on adversaries and their attack patterns such as TTPs and kill-chains (shared through the use of CTI systems)
  • autonomous interaction with the adversary (e.g. with honeypots) to generate observations, knowledge and higher-level intelligence

We recognise the importance of data fusion from a broad and varied range of sources. It can provide a privileged position of information advantage to allow and enhance our ability to make predictions. We encourage approaches that build on, automate and fuse information from traditionally isolated areas of cyber defence.

Accordingly, approaches might consider leveraging and fusing one or more of the following:

  • risk assessment/analysis/accreditation approaches, or adherence to similar ‘good practice’ guidelines
  • penetration testing exercises (including attack propagation simulation techniques)
  • primary requirements from mission planning (including simulation of performance and capability with respect to attacks and countermeasures)
  • identification and ranking of priorities from Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognisability (CARVER) analysis
  • understanding of adversary profiles, including: humanistic traits, cultural differences, identifying features, and psychological strengths and weaknesses
  • enumeration of an adversary’s options, an understanding of an adversary’s potential resources, and an appreciation of an adversary’s appetite for risk and escalation (when restricting the adversary’s choices)

2.3 Defining a representative military environment

The current and future equipment, systems and environment used by the military can differ from the systems used in business enterprises and environments. While the UK armed forces may not deploy in this manner, for the purpose of this competition, and based on academic literature, fixed and deployed military equipment and systems may be assumed to involve the following:

  • the union of hardware from different organisations to achieve a collective infrastructure. Hardware will be maintained and protected by each organisation, but the network and services will function across those boundaries to achieve a collective goal. Different networks with different functions may operate (entirely or partly) over the same bearers.
  • integration of systems. Approaches should appreciate that networks may support services for planning, mission data, sensing, signals and communications, logistics, operations, intelligence, resources engineering, and legal aspects across each Front Line command (FLC) and Joint Operations.
  • non-overlapping command structures. Multiple systems may be used collaboratively but may not be under a single command. While requests for changes (e.g. blocking a service, address or domain) can be made, these need to be considered and prioritised in the wide mission context.
  • multiple classifications for the correct distribution of information and services. Systems on the same or different networks may rely on formal classifications to assure the correct distribution of sensitive information: one system may hold information at just a single (low) classification, while another may hold information at multiple (low and high) classifications.
  • transfer of information between classifications. This is strictly controlled and as such standard industry approaches for sharing CTI using human judgement (e.g. the traffic light protocol) will need adapting (e.g. with virtual tear-lines defining what can be passed to lower classifications).
  • prioritised communications. Some services on a network will be prioritised over others. Proposals may wish to make use of this when developing approaches (e.g. collate logs at lower priority, distribute alerts at higher priority).
  • intermittent and/or low-bandwidth connections. Links from deployed headquarters (HQs) to UK home networks may be over comparatively low-bandwidth connections (e.g. SATCOM). Links from deployed HQs to forward units will be over radio connections, with less bandwidth; these communication channels may well be operating in a contested electromagnetic environment and availability cannot always be guaranteed.
  • distributed ad-hoc (e.g. mesh) networks connected through radio communications. Not all devices will have direct communication to HQ. Some devices may be more critical to the network integrity and system function than others; some devices may be at higher risk from the adversary.
  • limited visibility. Sensors are required for each network boundary to enable full visibility of all systems across the networked battlespace.
  • air-gapped systems and networks. These systems can be vulnerable to various forms of attack and still require protection.
  • use of specialist equipment, like Industrial Control Systems (ICS). Together with associated software and network structures, these systems can include proprietary communication and data formats for which there are limited commercial HIDS/NIDS options. The types of vulnerabilities, exploits and TTPs can be quite different to those seen in business enterprise systems. Active enumeration of ICS networks can interfere with, and even disrupt and deny the system’s operation. They may use completely different technologies, for example Serial connections rather than Ethernet.
  • physical as well as virtual attack. An adversary may decide to adopt a kinetic approach to deny or degrade parts of a system. Approaches should attempt to be robust against sudden loss of components.
  • human defenders, continually monitoring and maintaining the system. This can be advantageous if exploited with human-in-the-loop approaches.
  • an intelligence system. The military has a good appreciation of the importance of curated intelligence and has the capacity to create and share intelligence on-the-fly during operations. Leveraging and automating this capability for the creation and dissemination of CTI is a valid assumption that should be made in this phase of the competition; open-source data on cyber threat actors (excluding social media, personal and private information) and their TTPs may be adapted and ingested as representative military intelligence.

Proposals that build in more of these factors when defining and developing a representative military environment will be viewed more favourably than those that incorporate fewer of them, given similar capability.

Proposals may make reasonable assumptions regarding how CTI is collected and distributed within their representative military environment: if an approach is already proven and available in industry, it may be adopted for this competition. However, please be aware that both Structured Threat Information eXpression, version 2 (STIX2) and Trusted Automated eXchange of Indicator Information, version 2 (TAXII2) have been selected for use in UK government.

Whilst there is a wide spectrum of technical capability across military cyber systems, for the purposes of this DASA call, proposals must look at more challenging conditions than business enterprise systems. While the UK armed forces may not deploy in this manner, for the purpose of this competition proposals should make the following assumptions about their representative military systems:

  • no persistent high-bandwidth connectivity to commercial internet services
  • no patching without first considering the impact to the mission
  • no instantaneous commercial cloud computing infrastructure (either deployed or through connections) to handle on-demand high performance computing (HPC) requirements
  • no requirement to store and/or transfer every system (host, network or electromagnetic) command, event or alert to a central location in real time. Log collection should be selective, appropriate, dynamic, and appreciate what processing can be done locally and at HQ.
  • some parts of a network may be at considerably higher risk of attack than others due to their deliberate deployment in a contested environment. Therefore physical security is not guaranteed across all components.

2.4 Clarification of what we want

We want novel ideas to benefit users working in UK Defence and Security. Your proposal should include evidence of:

  • innovation or a creative approach
  • high quality theoretical development, methodological advancement, or prototype research which can demonstrate potential for translation to practical demonstration at ~TRL5 before the end of this phase
  • clear demonstration of how the proposed work applies to a Defence and Security context
  • explicit relevance to improving predictive approaches in cyber defence for the military domain
  • a high level schematic of your proposed representative military cyber system

Proposed technical solutions should make use of open-source software with permissive licences where possible. Unjustified use of, and expenditure on, proprietary solutions is undesirable.

Proposals should ensure their approaches make use of open standards wherever possible. Modular approaches are encouraged and internal communications between modules must make use of open standards too. Proposals that use proprietary standards, methods or formats for internal or external communications are highly undesirable, and are unlikely to be funded.

For this competition we are not interested in proposals for:

  • consultancy, paper-based studies or literature reviews
  • solutions that do not offer significant benefit to Defence/Security
  • proposals that only offer a written report, or system design plans
  • proposals that cannot demonstrate feasibility or achieve less than TRL5 within the Phase 2 timescale
  • minor improvements in existing high TRL (TRL 5+) technologies
  • demonstrations of off-the-shelf products requiring no experimental development
  • identical resubmission of a previous bid to DASA or MOD without modification
  • incremental improvements on existing technology
  • proposals which offer no real long-term prospect of integration into defence capabilities
  • proposals with no real prospect of out-performing existing technological solutions
  • proposals that develop theoretical models, or that lack implementation to real data
  • proposals that use social media feeds, visit the dark web, or ingest other public data that could be of a personal nature

2.5 Funding

Up to £850,000 is available for Phase 2 of this competition. We anticipate funding up to three proposals for a duration of 12 months, starting in October 2019. You may submit more than one bid to this competition, either as a lead supplier or as a sub-contractor. Please note if you are involved in more than one bid you should indicate if you can undertake all the work if funded. If work overlaps between bids please indicate that in your submissions and be sure it is clear what costs relate to the overlapping work. We would encourage applicants to collaborate. We would strongly encourage single partner applications to bid under £300k and multi-partner applications to bid under £600k.

2.6 Competition close

This competition closes at midday (BST) on Monday 12th August 2019.

3. Exploitation

It is important that over the lifetime of DASA competitions, ideas are matured and accelerated towards appropriate end-users to enhance capability. How long this takes will be dependent on the nature and starting point of the innovation. Early identification and appropriate engagement with potential end-users during the competition and subsequent phases are essential.

All proposals to DASA should articulate the expected development in Technology Readiness Level (TRL) of the potential solution over the lifetime of the contract and how this relates to improved operational capability against the current known (or presumed) baseline. Your deliverables should be designed to evidence these aspects with the aim of making it as easy as possible for potential collaborators to identify the innovative elements of your proposal in order to consider routes for exploitation. DASA Innovation Partners are available to support you with Defence and Security context. For further information on TRLs, please see here.

For this second phase of the competition it is envisaged that proposals will start at around TRL 3 and aim to develop to TRL 5/6. Any future phase will focus on developing to beyond TRL 5/6 to move concepts closer to integration and exploitation. You may wish to include some of the following information, where known, to help the assessors understand your exploitation plans:

  • the intended Defence or Security users of your final product and whether you have previously engaged with them, their procurement arm or their research and development arm
  • the current TRL of the innovation and where you envisage it will be by the end of Phase 2
  • awareness of, and alignment to, any existing end-user procurement programmes
  • the anticipated benefits (for example, in cost, time, improved capability) that your solution will provide to the user
  • whether it is likely to be a standalone product or integrated with other technologies or platforms
  • expected additional work required beyond the end of the contract to develop an operationally deployable commercial product (for example, ‘scaling up’ for manufacture, cyber security, integration with existing technologies, environmental operating conditions)
  • additional future applications and wider markets for exploitation
  • wider collaborations and networks you have already developed or any additional relationships you see as a requirement to support exploitation
  • requirements for access to external assets, including Government Furnished Assets (GFA) - for example, information, equipment, materials and facilities
  • how your product could be integrated into a representative military system in the final phase
  • any specific legal, ethical, commercial or regulatory considerations for exploitation

4. How to apply

Proposals for funding to meet these challenges must be submitted by 12 August 2019 at midday BST via the DASA submission service for which you will be required to register.

If successful, contracts will be awarded for durations of up to 12 months.

Further guidance on submitting a proposal is available on the DASA website.

4.1 What your proposal must include

When submitting a proposal, you must complete all sections of the online form, including an appropriate level of technical information to allow assessment of the bid and a completed finances section.

The proposal should focus on the Phase 2 requirements and include a brief (uncosted) outline of the next stages of work required for integration and exploitation in Phase 3.

The proposal must also include a costed option for MOD to license the Phase 2 product, including all dependencies (internal products with background IP and/or any additional third-party software), for a further 3 years after the end of the competition, for the purpose of demonstrating and evaluating the product at military exercises.

A project plan with clear milestones, task dependencies, meetings with the technical partner and deliverables must be provided. Deliverables must be well defined and designed to provide evidence of progress, and technical work, against the project plan and towards the end-point for this phase. The following deliverables must be specified and costed in any proposal submitted for this phase of the competition (failure to list these mandatory deliverables in your proposal will automatically render your proposal non-compliant and disqualify you from funding):

  • a kick-off meeting with Dstl (UK).
  • attendance at a ‘representative military environment’ design meeting, alongside military advisors (in the UK)
  • a technical report delivered by end February 2020 describing the ‘representative military environment’ that your capability will be demonstrated in. This will detail assumptions regarding supporting physical infrastructure (e.g. operational technologies, the system and network architectures, required resources) and all supporting software, including those containing any background IP, or requiring third party licenses (e.g. CTI systems) and anticipated human workforce (e.g. deployed cyber protection teams to collect and disseminate CTI from front lines; cyber security operation centre (CSOC) at HQ to collect, digest and generate high-level CTI), and how any intelligence is generated/simulated (e.g. adapting open-source CTI to simulate front line collection, HQ amalgamation and dissemination, at multiple classifications).
  • a plan for adopting a human-centred design approach to support human-computer interface specification, design and evaluation. Describe how you will use a recognised human-centred design process for human-computer interaction specification, design and testing.
  • attendance at two user-interface (UI) and user-experience (UX) design meetings, alongside potential military end-users (in the UK)
  • attendance at a collaboration event in the UK
  • a final prototype demonstration at a customer and supplier attended event (in the UK)
  • a final full-rights technical report as well as a Limited Rights version of the technical report
  • all software, including both compiled code and source code, developed under this phase with supporting software documentation
  • all datasets created and/or used in this phase together with supporting documentation and the means to recreate them (i.e. all software and relevant documentation for dataset generation)
  • installation and demonstration of the final product. This must include any software dependencies (internally developed products containing background IP, and any additional third-party software and licences). The installation may be requested on Dstl-owned hardware and you will provide the rights for us to run, test and adapt this single deployment of the entire software suite to different experimental (simulation or exercise) scenarios for the duration of the competition plus one year.

A resourcing plan must be provided in your proposal that identifies, where possible, the names and nationalities of those proposed Research Workers that you intend to have working on this phase. In the event of proposals being recommended for funding, DASA reserves the right to undertake due diligence checks including the clearance of proposed Research Workers. Please note that this process will take as long as necessary and could take up to 6 weeks in some cases for non-UK nationals.

You must identify any ethical / legal / regulatory factors within your proposal and how the associated risks will be managed, including break points in the project if approvals are not received. MODREC approvals can take up to 3 months; therefore you should plan your work programme accordingly. Further details are available in the DASA guidance. If you are unsure if your proposal will need to apply for MODREC approval, then please contact DASA for further guidance.

In addition, requirements for access to Government Furnished Assets (GFA) must be included in your proposal. DASA cannot guarantee that GFA will be available.

Your proposal must demonstrate how you will complete all R&D activities/services and provide all deliverables within the competition timescales (for this competition, the competition timescales are 12 months maximum duration). This includes the delivery of the final report. Proposals with any deliverables (including final report) outside the competition timeline will be rejected as non-compliant.

Completed proposals must comply with the financial rules set for this competition. The upper-limit for this competition is £850,000. Proposals will be rejected if the financial cost exceeds this capped level.

4.2 Public facing information

When submitting your proposal, you will be required to include a proposal title and a short abstract. If your proposal is funded, the title and abstract you provide will be used by DASA, and other government departments as appropriate, to describe the project and its intended outcomes and benefits. It will be used for inclusion at DASA events in relation to this competition and included in documentation such as brochures for the event. This information (proposal title) will also be published in the DASA transparency data on gov.uk, along with your company name, the amount of funding, and the start and end dates of your contract.

4.3 How your proposal will be assessed

All proposals will be checked for compliance with the competition document and may be rejected before full assessment if they do not comply. Only those proposals which demonstrate their compliance against the competition scope and DASA criteria will be taken forward to full assessment. Failure to achieve full compliance against stage 1 will render your proposal non-compliant and it will not be considered any further:

Mandatory Criteria

  • The proposal outlines how it meets the scope of the competition: Within scope (Pass) / Out of scope (Fail)
  • The proposal fully explains in all three sections of the DASA submission service how it meets the DASA criteria: Pass / Fail
  • The proposal clearly details a financial plan, a project plan and a resourcing plan to complete the work proposed in Phase 2: Pass / Fail
  • The proposal identifies the need (or not) for MODREC approval: Pass / Fail
  • The proposal identifies any GFA required for phase 2: Pass / Fail

Proposals will then be assessed against the standard DASA assessment criteria by subject matter experts from the MOD (including Dstl), other government departments and front-line military commands. You will not have the opportunity to comment on assessors’ comments.

DASA reserves the right to disclose, on a confidential basis, any information it receives from bidders during the procurement process (including information identified by the bidder as Commercially Sensitive Information in accordance with the provisions of this competition) to any third party engaged by DASA for the specific purpose of evaluating or assisting DASA in the evaluation of the bidder’s proposal. In providing such information the bidder consents to such disclosure. Appropriate confidentiality agreements will be put in place.

Further guidance on how your proposal is assessed is available on the DASA website. After assessment, proposals will be discussed internally at a Decision Conference where, based on the assessments, budget and wider strategic considerations, a decision will be made on the proposals that are recommended for funding. Proposals that are unsuccessful will receive brief feedback after the Decision Conference.

4.4 Things you should know about DASA contracts

Please read the DASA terms and conditions which contain important information for suppliers. For this competition we shall be using the Standardised Contracting (SC) Innovation Contract; see Terms and Schedules. We will require unqualified acceptance of the terms and conditions. For the avoidance of any doubt, for this Themed Competition we are NOT using the DASA Short Form Contract (SFC).

Funded projects will be allocated a Technical Partner as a technical point of contact. In addition, the DASA team will work with you to support delivery and exploitation.

We will use deliverables from DASA contracts in accordance with our rights detailed in the contract terms and conditions.

For this phase, £850k is potentially available to fund proposals. There may be occasions where additional funding from other funding lines may subsequently become available to allow us to revisit those proposals deemed suitable for funding but where limitations on funding at the time prevented DASA from awarding a subsequent contract. In such situations, DASA reserves the right to keep such proposals in reserve. In the event that additional funding subsequently becomes available, DASA may ask whether you would still be prepared to undertake the work outlined in your proposal under the same terms. Your official DASA feedback will indicate if your proposal was fundable or not.

5. Phase 2 Dates

  • Dial-in: 8th July 2019
  • Pre bookable 1-1 telecom sessions: 8th July 2019
  • Competition closes: 12th August 2019
  • Contracting: Aim to start October 2019 and end 12 months later in October 2020

5.1 Supporting events

  • 8th July 2019 – A dial-in session providing further detail on the problem space and a chance to ask questions in an open forum. If you would like to participate, please register on the Eventbrite page.
  • 8th July 2019 – A series of 20 minute one-to-one teleconference sessions, giving you the opportunity to ask specific questions. If you would like to participate, please register on the Eventbrite page.

6. Help

Competition queries including process, application, technical, commercial and intellectual property aspects should be sent to accelerator@dstl.gov.uk, quoting the competition title. While all reasonable efforts will be made to answer queries, DASA reserves the right to impose management controls if volumes of queries restrict fair access of information to all potential suppliers.