ASU spinout provides recon for the cybersecurity battlefield

October 30, 2019

Corporations, small businesses, nonprofits and customers — in other words, nearly everyone — beware! Computer hackers launched more than 137.4 million new malware programs in 2018, the equivalent of more than 261 per minute, according to one estimate.

On a typical day, a large corporation may receive tens of thousands of security alerts warning about possible malware — too many to fix. Traditionally, security systems look for malware by watching for known malicious files and blocking them. However, these systems fall short with threats known as zero-day malware, which exploit a security vulnerability on the same day it becomes known to the public or the vendor who created the software. Download Full Image

“Nearly every technology in cybersecurity today is about stopping attacks that are already in progress,” said Paulo Shakarian, CEO and co-founder of CYR3CON, an Arizona State University cybersecurity spinout. “Even in large companies — with tens of thousands of employees and computer systems — malware can spread through a system in 90 seconds or less. With threats like that, prevention is really the best option.”

Enter CYR3CON, which recently filed its first patent for software that uses artificial intelligence, machine learning and data mining — along with knowledge of the workings of online hacker communities such as those on the dark web — to predict where hackers are likely to strike next. 

CYR3CON collaborated with ASU to form a Practice Lab, a unique partnership that pairs organizations with teams of highly skilled students to help them solve pressing problems. Companies can access a customized talent pool for creating innovative solutions, while the students gain invaluable hands-on experience. 

Students working with CYR3CON accelerated the development of its at-risk system identification software and recent patent application. The new software will be commercialized as part of CYR3CON’s suite of products that guides users in making informed decisions about how to prevent cyberattacks.  

“A major challenge in cybersecurity is the constant need to stay ahead of potential malicious actors. A preventive approach helps address precisely this challenge, allowing the defenders to focus on systemically designing for security, instead of playing whack-a-mole,” said Nadya Bliss, executive director of the Global Security Initiative, ASU’s hub for interdisciplinary security research. The initiative supported some of the early stage research that was pivotal to the launch of CYR3CON. 

A new kind of battleground

The seeds of the idea for CYR3CON’s preventive approach to cybersecurity were planted on the battlefields of Iraq, where Shakarian served two combat tours as an officer in the U.S. Army. 

“I started out as an analyst in the Army, focused on terrorists and insurgents and predicting what they would do. I researched what people wrote about terrorists or insurgents and results from various forms of intelligence. My experience was nontechnical, totally operational, but it gave me a good framework for thinking about how to counter threats,” said Shakarian, now an assistant professor of computer science and engineering in ASU’s Ira A. Fulton Schools of Engineering

“Earlier in my career, I was applying this to the problem of how to deal with terrorists, insurgents and criminals. As things evolved, it became apparent that cybersecurity much needed this technology. When I formed a group at ASU, CySIS (Cyber-Socio Intelligent Systems Laboratory), we focused on cybersecurity. Over time, we discovered some of this technology is commercially viable, so we created CYR3CON,” he added. 


Whispers of WannaCry

After incorporating in 2016, CYR3CON received national media coverage in the Economist, CNN, Slate and CBS for its predictive intelligence prior to the WannaCry attacks in May 2017. 

One of the largest cyberattacks to date, WannaCry paralyzed computers and business operations in more than 150 countries. It forced Great Britain’s public health system to turn away patients and froze computers at government agencies in Russia and FedEx in the United States. A ransomware worm encrypted files, making them impossible to access, and demanded a ransom payment in bitcoin to decrypt them. In just a few hours, the ransomware caused billions of dollars in damages.

CYR3CON found evidence of hackers discussing the WannaCry attacks before they happened on dark web forums in several languages, including English, Russian and Arabic. 

CYR3CON makes it possible to predict what software hackers will target — a key problem in large enterprises. This is accomplished by advanced machine learning algorithms powered by data collected from a platform that scours nearly 1,000 hacker websites. It sifts through thousands of hackers’ posts and discussions on dark web sites to accurately predict what cybersecurity system weaknesses they will target next.

This ingenious approach has won numerous awards, such as the TechConnect Defense Innovation Award at the Defense Innovation Technology Acceleration Challenges Summit, a meeting of leaders in defense and security industries and officials in government agencies and the U.S. military. It was also a finalist in tech startup and business competitions held by the Arizona Technology Council and PricewaterhouseCoopers.

Students creating solutions

As part of the CYR3CON Practice Lab, computer science graduate students Kazuaki Kashihara and Anant Sharma have discovered a fascinating application for their technical expertise. 

“I can apply what I have learned to the real world's issues at CYR3CON through the lab and fill the working experience in my resume while I am pursuing my degree,” Kashihara said. “I also can extend my professional network through this lab experience since I meet other researchers inside and outside of CYR3CON.”

“Machine learning is quickly spreading its roots in the field of cybersecurity,” Sharma said. “I was quite excited to work with a different kind of data set and apply the algorithms in order to detect and classify cyberthreats. Being a startup, I was also excited by the opportunity to learn, grow and develop new skills.” 

Practice Labs played a key role for CYR3CON in accelerating software development and commercialization, Shakarian said.

Cyberattacks take a heavy toll on the U.S. economy, with losses totaling from $57 billion to $109 billion in a single year, according to a 2018 report by the U.S. Council of Economic Advisers. With losses like these, it’s clearly time to reboot the nation’s cybersecurity systems with a new approach. 

Shakarian believes today’s data security threat levels call for a “next-generation cyber threat intelligence company.”

“CYR3CON was really the first company to be doing predictive cyber,” he said. “We want to become the standard for predictive cyber, for both our own products and working with other companies.”

Are you interested in forming a Practice Lab for your company or organization? Contact ASU’s Business Concierge at for more information.

Learn more about ways companies can partner with ASU. 

Lori Baker

Communications Specialist, Knowledge Enterprise

ASU Law student wins award for analysis of U.S. citizen’s legal fight to be removed from ‘kill list’

October 30, 2019

James Cromley, a third-year student at the Sandra Day O’Connor College of Law at Arizona State University, has won the John S. Jenkins Award for Excellence in Military Legal Studies.

Given by the National Institute of Military Justice, the Jenkins Award is presented for the best nominated paper written by a law student on a military legal topic. Cromley’s article, titled “In the Field or in the Courtroom: Redefining the APA’s Military Authority Exception in the Age of Modern Warfare,” examines the Administrative Procedure Act, and, specifically, the definition of “in the field in time of war.” photo of James Cromley during Afghanistan patrol ASU Law student James Cromley recently won the John S. Jenkins Award for Excellence in Military Legal Studies. He served nearly seven years in the Marines and is pictured here while on patrol in Afghanistan. Download Full Image

“I think it’s an interesting topic, but I didn’t know how it would be received,” Cromley said, describing his reaction to winning the Jenkins Award. “I was humbled, surprised and just happy someone enjoyed reading it.”

Having spent nearly seven years in the Marines, Cromley is a habitual reader of the Lawfare blog, which explores the intersection of national security measures and the nation’s laws and legal institutions. He was intrigued when he came across the story of an American journalist, Bilal Abdul Kareem, who concluded his own government was trying to kill him after narrowly avoiding death in five separate airstrikes.

Kareem was covering anti-Assad rebels in the Syrian war and his work required that he be in contact with local militants. Believing that those connections had placed him on a government kill list, Kareem sought an injunction prohibiting his inclusion on such a list until he was given an opportunity to challenge the decision.

“It struck me as too much of a coincidence that he would just narrowly avoid five airstrikes,” Cromley said. “So I dug into the actual pleadings in the case, and I wanted to see what the government's defense was.”

One element of the government’s defense involved the Administrative Procedure Act. Among other things, the APA allows for judicial review of decisions made by administrative agencies. But, Cromley said, military decisions made in the field during a time of war are excepted and cannot be reviewed by a judge. Therefore, one of the many arguments the government made was that whether or not the journalist had been placed on a kill list was irrelevant, because that would have been a military decision made in the field in a time of war.

But, as Cromley said, the judge was not sold on that argument.

photo of James Cromley

James Cromley, a third-year student at the Sandra Day O’Connor College of Law.

“The judge at the time, Judge Rosemary Collyer, took a look at it and said, ‘We may be in a time of war, because we're engaged in warfare in Syria and elsewhere. But this wasn't a decision made in the field. This is a decision that, if it was made, was made in Washington, D.C.,’” Cromley said. “That was the very narrow portion of the APA that I wanted to look at: how ‘in the field’ is interpreted.”

The APA arose as a check against the power of federal agencies created as part of President Franklin D. Roosevelt’s New Deal. It was enacted on June 11, 1946, under the Truman administration, shortly after the conclusion of World War II. As Cromley notes, the definition of the field of combat was already transforming.

“Even back then, the field of combat wasn’t as clear-cut as it had been during World War I or the Revolutionary War, when we literally met on a field and fought,” he said. “So I basically looked at how we now interpret ‘in the field.’ Nowadays, the field is much broader. There’s cyberwarfare. There’s asymmetrical warfare where terrorists are attacking us on public ground here or wherever it may be. And there’s also proxy warfare, where you have someone supporting a force to fight on their behalf, which is what we saw with the United States with the mujahideen in Afghanistan, Russia with the ‘little green men’ in Crimea, and Iran with the Houthis in Yemen. So you take cyberwarfare, you take terrorism, and you take proxy warfare and now the definition of ‘in the field’ could encompass the entire globe.”

And that expanding definition could open the door to dangerously broad interpretations.

“That would essentially allow the United States government to target one of its own citizens, to kill them, without them ever receiving the due process of a court trial or a judge being able to review the decision,” Cromley said.

Research and writing

Cromley credits Professor Amy Langenfeld with helping him shape the paper into its award-winning form.

“I had her as a writing professor my first year, and then I served as her teaching assistant for that same writing class the next year,” he said. “So I already had a good working relationship with her.”

First, they discussed potential topics. Once they had settled on the APA, they met at least once a week, narrowing the focus down and refining the organization of the article, then giving the final draft a once-over to ensure there were no unresolved issues, from flow and structure to grammar and punctuation.

Langenfeld said Cromley stood out as an exceptional writer in his first year of law school, then submitted a fantastic first draft of his “In the Field” article during Year Two.

“I mean, think about that,” Langenfeld said. “A great first draft is kind of a unicorn, for a writer in any discipline. But James has that rare talent of presenting complex material in an accessible way.”

And, she said, Cromley possesses the rare ability to draw on his own experience to inform his argument, but without getting too personal.

“James wrote from his perspective as a veteran while mainly relying on the tools of legal scholarship — analyzing statutory language, reading the case law for what isn’t said as much as what is said, contextualizing problems in different historical eras,” Langenfeld said. “This is a difficult balance to achieve: lived experience informing relatively abstract textual analysis, without sliding into personal essay. James did it.”

A chilling conclusion

The ramifications of the legal interpretation of the APA’s “in the field” caveat are far-reaching and powerful.

“I think it's incredibly important,” Cromley said. “The main point of this paper is that we need to construe the phrase ‘in the field’ very narrowly. The whole purpose of this exception is that we don't have military commanders second guessing split-second decisions on the battlefield. And having been a military commander and having deployed to combat zones twice, both Afghanistan and Yemen, I understand exactly the need for this exception.”

However, Cromley believes if the exception expands, it creates real dangers for everyday Americans, including, as his case examined, journalists. And that could pose an existential threat to democracy.

“I think the foundation of a free society is open, accurate information, and if we're putting journalists at risk and there’s a chilling effect that's been created because journalists are now afraid to cover these conflicts, we're chipping away at the foundation of our democracy.”

Kareem’s case was dismissed on Sept. 24, 2019, citing the privilege of state secrets and the potential threat to national security. As Cromley’s paper noted, it was “a conclusion as unsatisfying as it is chilling.”

Judicial review is a critical element of the nation’s system of checks and balances, and that basic principle underlines the concern with an overly broad interpretation of the APA giving free rein to the military.

“The law of war is very important, and I think that having worked with young Marines, I've seen how good they are at restraint,” Cromley said. “But I don't think the real issue here is the law of war or the law of armed conflict so much as it is a proper balance of powers within our own government.”                                                 

The John S. Jenkins Award

photo of ASLJ Orientation and Cromley

James Cromley (at center) is the executive articles editor for the Arizona State Law Journal, pictured here at ASLJ orientation.

The award honors John S. Jenkins, a leader of the military bar who was a co-founder of the National Institute for Military Justice. Jenkins was in the Navy for 28 years, ultimately serving as judge advocate general.

Cromley, executive articles editor for the Arizona State Law Journal, submitted the piece in April to satisfy the writing requirement that comes with membership on the Journal. It will be published in December, in Volume 51, Issue 3 of the Journal.

“I’m delighted to see ‘In the Field’ get more exposure because of the Jenkins award, and I hope more people have the chance to discuss it with James,” Langenfeld said. “His insights can really advance the discussion in military legal studies and national security law, and I hope ‘In the Field’ is just the beginning of his contributions.”

Nicole Almond Anderson

Director of Communications, Sandra Day O'Connor College of Law