The United States Intelligence Community is looking to better understand how emerging technologies can exploit human cognition for what can be characterized as “cyberpsychological” warfare.
According to a recently issued “Request for Information” (RFI), the Intelligence Advanced Research Projects Activity, or IARPA, “is seeking information on methods, studies, findings, approaches, and appropriate metrics for characterizing the cognitive effects in cyber operations.”
IARPA appears to be taking a broad approach to understanding cyberspace’s human element, examining how cyberpsychological factors can be used in both offensive and defensive cyber operations.
“Techniques currently used in online advertising, political campaigning, e-commerce, and online gaming successfully profit from vulnerabilities in human psychology,” reads the RFI issued by IARPA. “Cyber attackers often take advantage of similar human limitations through social engineering.”
In recent years, the Russian Federation has used cyberspace extensively for social engineering operations designed to influence foreign decision-making processes in ways favorable to Moscow’s interests.
The underlying framework behind Russia’s modern cyber-influence campaigns is a reinstatement of a Soviet-era psychological warfare concept called “reflexive control.” According to the Russian Ministry of Defense, reflexive control is a “massive psychological manipulation of the population to destabilize the state and society.”
And while the concept may not be new, the internet and social media have provided a perfect venue for reflexive control to become a potent weapon for asymmetrical warfare. So much so that some researchers have said Russia’s standard tactic of using paid social media users, or “troll factories,” to influence public opinion represents an entirely new form of psychological warfare called “masspersonal social engineering.”
A significant portion of IARPA’s recent request is focused on better understanding the personal psychology of cyber-attackers as part of its efforts to mitigate cyberpsychological and conventional cyber warfare operations.
“What kinds of intrinsic and extrinsic motivators drive cyber operator behavior?” is one of eight questions posed by IARPA to subject matter experts from academia and private industry. Known or likely “cognitive effects,” “cultural factors,” or any other “specific attributes” of cyber operators are some other points of interest.
IARPA’s interest in the personal psychology of cyber operators likely stems from recent studies suggesting cognitive judgment or decision-making biases can impact the actions of adversarial cyber actors.
Additional new research has also explored how “oppositional human factors,” or cyberpsychological methods designed to exploit cognitive biases and limitations, can be used to degrade and disrupt the performance of cyber attackers.
“Recent experiments demonstrating the power of framing effects were investigated, indicating that attackers who were provided information that deceptive technology was present on a network had less forward progress,” IARPA notes.
Falling under the Office of the Director of National Intelligence (ODNI), IARPA is the U.S. Intelligence Community’s high-risk/high-payoff brain trust, akin to the Department of Defense’s better-known Defense Advanced Research Projects Agency or DARPA.
In a previous program codenamed SIRIUS, IARPA developed several “Serious Games” to reduce cognitive biases in intelligence analysis. However, the agency notes in its recent request, “Research into cognitive effects in the cyber domain has been less prolific.”
Based on responses to its RFI, IARPA will likely determine if there is adequate research to move forward with establishing a new program office specific to cyberpsychology. Research grants could also be issued for any particular areas found to be lacking empirical support.
The agency stresses that its initial inquiry is for “planning purposes only and does not constitute a formal solicitation for proposals or suggest the procurement of any material, data sets, etc.”
“Capable and qualified” sources wishing to answer IARPA’s request have until 5:00 p.m. (EST) on October 4, 2022, to electronically submit a maximum 8-page response, covering at least one of the agency’s eight posed questions on cognitive effects in cyber operations.
Tim McMillan is a retired law enforcement executive, investigative reporter and co-founder of The Debrief. His writing typically focuses on defense, national security, and the Intelligence Community. You can follow Tim on Twitter: @LtTimMcMillan. Tim can be reached by email: tim@thedebrief.org or through encrypted email: LtTimMcMillan@protonmail.com