Darpa’s new project is called CINDER, for Cyber Insider Threat. It’s lead by a legendary hacker-turned-Darpa-manager. CINDER may have preceded Pfc. Bradley Mannings’ alleged disclosure of tens of thousands of documents about the Afghanistan war from Defense Department servers. But the idea is to find someone just like him. By hunting for poker-like “tells” in people’s use of Defense Department computer networks, Darpa hopes to find indications of indicate hostile intent or potential removal of sensitive data. “The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks,” according to the defense geeks’ request for contractor solicitations on the project.

That took on an increased urgency last month after WikiLeaks dropped 77,000 Afghanistan field reports into the public domain. While Admiral Mike Mullen’s furious blood-on-its-hands reaction got all the press coverage, Defense Secretary Robert Gates’ response appears to have been the more lasting one, policy-wise. Gates fretted that a casualty of WikiLeaks’ document dump would be the Defense Department’s years-long initiative to push vital information down to the front lines, so lower ranking officers and enlisted men had the sort of high-level battlefield views that used to be the province of their commanders. All that’s been jeopardized by Manning, he said, the soldier accused of being WikiLeaks’ inside man.

“We want those soldiers in a forward operating base to have all the information they possibly can have that impacts on their own security, but also being able to accomplish their mission,” Gates mused in a July press conference. “Should we change the way we approach that, or do we continue to take the risk” of future leaks? Gates partially answered his own question — however cryptically — by adding, “There are some technological solutions,” though “most of them are not immediately available to us.”

That’s where CINDER comes in. But the program Darpa envisions would establish patterns of malign behavior, distinct and quietly detectable from the normal Defense Department information user, to “expose hidden operations within networks and systems.” That carries with it the likelihood of a big data or meta-data-mining operation. Or, as Steve Aftergood, an intelligence-policy expert at the Federation of American Scientists puts it, “a sort of system-wide surveillance of Pentagon networks.” After all, how else to tell normal network usage from abnormal usage?

Indeed, Darpa expressly recognizes CINDER’s likelihood of intercepting false positives. So Darpa doesn’t want CINDER from focusing on any individual user — it wants the program’s as-yet-unbuilt algorithms to uncover the “malicious missions” that they undertake. “If we were looking for the insider actor himself, we might not detect someone who performs a single, isolated task and we run the risk of being inundated with false positives from events being triggered without context of a mission,” Darpa explains. It gives instructions for would-be designers to expressly identify the kinds of missions its detectors will hunt so as to minimize inundation with a glut of benign data.

But some of the examples Darpa gives of those fiendish activities sound difficult to distinguish from normal usage. “Anomalous missions [may] be comprised of entirely ‘legitimate’ activities, observables and the data sources they will be derived from,” Darpa notes. So CINDER researchers should “make use of logs and accounting information that tracks allowed activities rather than depending entirely on alerts from monitoring systems focused on anomalous or disallowed activities.” Feel any more comfortable executing your boss’ order to find him information on roadside bombs in your area?

Then again, Darpa has people on hand who know the difference between benign and malicious online actions. In February, the agency hired Peiter “Mudge” Zatko –one of the hackers of Boston’s L0pht collective, who famously told a congressional committee in 1998 that they could shut down the internet in 30 minutes — as a program manager for cybersecurity. “I don’t want people to be putting out virus signatures after a virus has come out,” he told CNet when Darpa hired him. “I want an active defense. I want to be at the sharp pointy end of the stick.” Next month, Zatko, CINDER’s program manager, holds a pair of conferences with potential researchers.

And not all traditional privacy advocates are so concerned about CINDER, since it’s not hunting the private Internet. CINDER’s might indeed “involve the automated collection of lots of benign, incidental data about individual users in order to establish a baseline of ‘normal’ activity,” notes Aftergood, an anti-secrecy critic of WikiLeaks). “But I would think that the privacy implications are limited, since most employees should not be conducting personal business on classified or other official networks anyway.”

A full-blown CINDER application is still years away. But at least one precursor effort will be the Defense Department’s forthcoming cybersecurity strategy, due out, according to Deputy Secretary William Lynn, before year’s end. How much internal monitoring will that strategy’s “active defense” authorize?