It’s an open secret: For years, hackers and feds have been strange bedfellows in the mission to defend military networks. Three-letter agencies set up recruiting booths stocked with schwag at security conferences like Black Hat, and feds party with the computer nerds at the so-called “underground hacking conference” DefCon after enlisting their help with intelligence work.
Darpa, with the help of former hacker Peiter “Mudge” Zatko, wants to find a way for the government to make that alliance even easier. With an eye on hacker-minded researchers who operate on small budgets and in their free time, Darpa is awarding small, short-term contracts to those who have a knack for discovering holes in network defenses. It’ll harness some of the creativity brewing at hacker conferences and experimental hackerspaces, which, incidentally, already underpin some of the multimillion-dollar, multiyear defense contracts being inked.
The program is called Cyber Fast Track. In the two months since it was launched, seven contracts have been awarded to nontraditional players, such as small boutique companies and independent researchers. Average time for award money to be okayed in this program? Seven days: the military equivalent of a nanosecond. “Actually, four is the median because we got better and faster at it,” said Zatko, who spoke about the program at the New York University-Poly campus in Brooklyn last week. (The video above is from an earlier, more formal presentation at the University of Rhode Island.)
The idea is to push funding out quickly so that the military will have a ready catalogue of new ways to fix security issues that emerge as defense networks grow and get more complicated. Researchers keep the commercial intellectual property rights to their work. Zatko hopes to generate a hundred projects out of the program in a year.
“The government needs agile cyber projects that are smaller in effort, have a potential for large payoff, and result in a rapid turnaround, creating a greater cost to the adversary,” said the Cyber Fast Track research announcement. It added that “of particular interest are efforts with the potential to reduce attack surface areas, reverse current asymmetries, or that are strategic, rather than tactical in nature.”
That’s jargon for network defense. But Darpa may be interested in cracking networks as well as securing them. At a “colloquium” with hacker types in Virginia last week, Darpa director Regina Dugan also said that the agency was interested in developing offensive cyber capabilities.
Cyber Fast Track’s focus on unconventional, smaller players might attract more offensive-minded types, said Dino Dai Zovi, an independent security researcher, aka the “Mac hacker,” who is going to submit some proposal ideas of his own. Big corporations tend to steer clear of picking apart systems, he added, erring on the side of caution to avoid being sued. Smaller firms may be more willing to take a risk.
Cyber Fast Track is already funding the work of a self-described former “worker bee” at the National Security Agency, the secretive signals intelligence agency. Consultant Charlie Miller is focusing on the security of Near Field Communication (NFC), the short-range radio technology that allows a smartphone to transmit credit-card account information to a reader, so you can pay for things by tapping your phone against a terminal. “I’m looking at the security of the software that runs NFC,” he said. “If I walked over to you, could I take over your phone?”
As he keeps looking for security ideas from people like Miller, Zatko has a delicate dance to do: convincing the military brass that it should put money into what may well turn out to be high-risk research, and addressing the “pain points and difficulties for brilliant individuals who should be worthy of receiving contracts.”
Seated comfortably in a casual sweater on the stage in an NYU-Poly auditorium on Wednesday, Zatko cracked jokes and made references to friends in an audience of 50, as piano music tinkled in the next room.
“The big goal was: How will we legally put something together that will enable us to reach out to this community and not try to co-opt them, but engage them and treat them the same way we treat the traditional performers?” he said.
It’s no surprise that it took nine months of working with lawyers to iron out the kinks in the program. “I never worked with legal staff and lawyers that much in my life before,” Zatko added. But now, hackers who want to work on projects for Darpa won’t have to deal with the same kind of hassles.
Photo: Wikimedia Commons