The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: could you help them out?
Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks. The Pentagon can’t defend those networks on its own, the agency admitted.
Because it’s the blue-skyresearch agency that helped create the internet, Darpa framed the problem as a deep, existential one, not a pedestrian question of insecure code. “It is the makings of novels and poetry from Dickens to Gibran that the best and the worst occupy the same time, that wisdom and foolishness appear in the same age, light and darkness in the same season,” mused Regina Dugan, Darpa’s director. She’s talking about the internet. “These are the timeless words of our existence. We know it is true of everything.”
Put in a blunter way, U.S. networks are “as porous as a colander,” Richard Clarke, the former White House counterterrorism chief turned cybersecurity Cassandra, told a packed ballroom.
“We are losing ground because we are inherently divergent from the threat,” conceded Dugan, swooping down from the stratosphere. Current network security is a numbers game: according to Darpa research, securing sensitive information on the military’s networks requires, typically, on programs running 10 million lines of code. On average, the malicious code, viruses, bots, worms and exploits that try to penetrate those defenses rely on 9,000 lines of code. Eventually, simple beats over-engineered.
Dugan didn’t go as far as Clarke did — she’s a senior Defense Department official, after all — but she implied that left to its own devices, the government’s network defenses will allow crucial data to increasingly sluice through, like water through Clarke’s colander. And it’s not just information leaking out: it’s the danger of a cyberattack crippling U.S. financial systems or the power grid, according to many at the colloquium. ”We believe we need more and better options,” Dugan said.
That means, to use a hackneyed phrase, a “new paradigm,” according to Gen. Keith Alexander, who leads U.S. Cyber Command, the military organization devoted to active, day-to-day defense of military networks. “We diagnose the malware, clean up the systems, get set up again and wait for the next exploitation. We have to change the way we think abut defending our systems.”
Government officials have floated all sorts of replacement paradigms: a second, secure network-of-networks apart from the internet’s “wild west”; or an internet, minus the anonymity. All of the models are problematic. So Alexander and Dugan are looking for some new ideas. That’s where the conference comes in.
There’s about 700 people packed into this ballroom, listening to Darpa or military speakers, snacking on bowls of M&Ms and sipping blueberry-infused lemonade. Some are in uniform. More are in business suits. A few have wallet chains, Day-glo sneakers and ponytails. That latter cohort is whom Darpa is really interested in: “visionary hackers,” in the words of Darpa spokesman Eric Mazzacone.
Pentagon agencies have been hiring these security types for years. Dugan is looking for something different. She wants “the efforts of technical experts at unprecedented levels, including at the development of policy and legal frameworks.” In other words, Darpa wants to bring in hackers to help set policy, designing dynamism into the framework, “on timescales that correspond with the dynamic nature of advances in cyberspace.” That would be a big bureaucratic shift.
These sorts of maneuvers usually require a fair amount of cash to pull off. But that may not be too much of a problem. Cybersecurity is faddish in Washington: even in an era of budget cuts, Darpa’s asking Congress for $208 million for annual cybersecurity research, and Dugan said over the next five years she expects that pot of money to grow. Some of this cash will go to new or existing Darpa programs for cybersecurity, which rely on funding academic research and defense contractors. Even cheaper is convening fora like these and asking hackers for their ideas — and maybe there’s cash down the line. Already, legendary hackers like Peter “Mudge” Zaitko of the L0pht Collective work for Darpa designing some of these programs.
It’s unclear how many hackers or other technical experts will follow Zaitko’s lead. Around the conference, lots more people are wearing nametags for big traditional defense companies — Raytheon, Booz Allen Hamilton, SAIC — than are wearing Tor Network t-shirts. But one of them, Tor’s research director Roger Dingledine, feels pretty good about the colloquium. Sure, this is the greater D.C. area, not Las Vegas for Def Con. (Where Darpa also recruits.) But “lots of academics” get “funding from Darpa, and that wasn’t always the case years ago, so it’s a good sign,” says Dingledine. (Actually, Darpa’s funded academics for decades, but point taken.)
A post-doc at Columbia University working on cyber issues, Jonathan Voris, appreciated Dugan’s candor. “They honestly realized how big the problem is and they want to reach out,” says Voris, whose work already receives Darpa cash. Nor does he mind the occasional jargon-filled military presentation: “Working in security, we have a lot of jargon on our own.”
Perhaps, but maybe not the kind that Dugan offers up. The internet “is both vulgar and sublime,” Dugan said, imploring people with intimate familiarity with both sides to help Darpa figure out how to defend it. “The best and the worst occupy the same time… It is true in cyberspace too.”
Photos: U.S. Air Force; Spencer Ackerman