Government researchers in the U.S. are studying methods to help identify hackers based on the code they use to carry out cyberattacks.

The Intelligence Advanced Research Projects Activity, the lead federal research agency for the intelligence community, plans to develop technologies that could speed up investigations for identifying perpetrators of cyberattacks.

“The number of attacks is increasing far more than the number of forensic experts that are available to go after these attacks,” said Kristopher Reese, who is managing the research program at IARPA and holds a doctorate in computer science and engineering. The lack of forensic resources means hackers who target small organizations or companies that don’t fall under critical infrastructure sectors often escape identification, he said.

Tools that are developed as part of the planned 30-month research project won’t replace human analysts, who are crucial for identifying social and political dynamics that might explain why a particular hacking group targeted a victim, Reese said. But using artificial intelligence to analyze code used in cyberattacks will make investigations more efficient, he said.

IARPA is accepting pitches from researchers until next month and plans to begin research next summer.

Law enforcement authorities often take months or years to identify hackers behind major cyberattacks. Hackers take steps to hide their identities online and often share tools with other groups, which can make it harder for investigators to pinpoint a suspect. Often, investigators get lucky if a hacker is sloppy, said Jordan Rae Kelly, a senior managing director and head of cybersecurity for the Americas at corporate advisory company FTI Consulting and a former chief of staff and chief of strategic initiatives in the Federal Bureau of Investigation’s cyber division.

“Being able to catch a mistake they make is often the way there can be a breadcrumb that leads back to a trail of positive attribution,” she said.

There hasn’t been enough research into how analyzing code can reveal a hacker’s identity, Reese said. Behavioral traits evident in code can reveal specific countries where hackers might be from or even the university where they were trained, he said. Some companies also have style guides outlining how employees should program, which could leave traces that indicate a person worked there, he said.

Reese acknowledges that the research faces challenges, particularly as generative AI improves and hackers use AI to write code. That could mean that different cybercrime groups will use malicious AI-generated tools that look similar, he said.

The potential for AI to hinder cyber detectives has caused concern in many countries. In a statement after the meeting of interior and security ministers from the Group of Seven countries that ended on Dec. 10, ministers referred to how emerging technologies, including generative AI, can “make it more difficult for law enforcement agencies to identify, investigate and prosecute cyberattacks.”

Still, AI could help law enforcement agencies tackle the growing number of cyberattacks. IARPA’s research and use of AI to analyze code could help law enforcement authorities trawl through vast volumes of data and connect dates from past cyberattacks, said Tim Gallagher, managing director and head of the digital investigations practice at Nardello, a legal investigations company. Gallagher was previously the special agent in charge of the Newark, N.J., office in the FBI’s cyber division. Authorities collect huge amounts of data from cyberattacks around the world and receive evidence about hacks from their partners in other countries, he said.

“They don’t have enough bodies to go through this data. That’s where they’d be looking for technical solutions,” he said.

