DARPA Seeking to Tempt Innovative Independent Hackers with Streamlined Funding
The Defense Advanced Research Projects Agency, which announced a new project called the “Cyber Fast Track” program back at ShmooCon in January of this year, says the new program is expected to allow the Pentagon to integrate and fund independent hackers more quickly and easily in order to help it tackle its growing cyber security needs.
Peiter Zatko, better known as “Mudge” from his former days as a freelance hacker in the L0pht group, is now a program manager at DARPA and is the leading proponent of this new Pentagon program. During his keynote at last week’s Black Hat 2011 security conference in Las Vegas, Nevada, he discussed in more depth the project he is spearheading to help counter cyber-threats. The project’s goal is supposedly to bridge the gap between independent hacker groups and government agencies.
The Cyber Fast Track initiative is expected to fund somewhere between 20 and 100 projects per year, and anybody is apparently welcome to apply, which incidentally I’m sure they’re counting on. Applicants can pitch their project ideas to DARPA and the Pentagon and, if all checks out, can apparently get approved and start receiving funding within 14 days of the pitch. Not only is this staggeringly fast by Pentagon bureaucracy standards, but there is another sweetener in the deal: approved developers will also supposedly get to retain their intellectual property rights, with DARPA operating only under government use rights. Sounds almost too good to be true coming from the Pentagon at this particular point in time, doesn’t it?
Peiter Zatko went on to explain that “It’s time to start funding hacker spaces, labs and boutique security companies to make it easier to compete with large government contractors; we need new ideas and we need new performers.” He went on to explicate that, the way the government was currently set up, independent researchers and small security businesses were essentially cut off from getting any funding at all unless they were prepared to give up all their intellectual property rights and have their companies “gutted” and totally swallowed up by the government.
Zatko quoted figures that supposedly show that malicious cyber-attacks have continued to explode in number over the past decade: there were somewhere in the range of 1,400 reported incidents at the beginning of the millennium, and now they are surpassing the 100,000 mark. Honestly, I’d be interested in finding out more about these statistics and what exactly qualifies as an “incident”, but of course it makes perfect sense that attacks would naturally be massively on the rise due to the ever-expanding Internet and the number of machines being connected every year.
He argued that cutting the red tape so that the Pentagon could quickly and efficiently fund independent security researchers, and give them incentives to spend more time on research that would help the military, would make the Internet a safer place. Such research would include auditing and working on open source software tools, bug hunting, and developing so-called high-end commodity computing solutions.
He even gave a few examples of projects that would qualify for funding: cheap unmanned aerial vehicles, war dialers, and generally any and all bugging and eavesdropping devices would qualify. Go figure! It would have been nice if they could have been more imaginative though. Naturally it goes without saying that these are all projects that would make a debt-stricken “Big Brother” on a shoestring budget very happy, to say the least. Basically, what they’re really looking for are small projects, whether hardware or software, that are able to “reduce attack surface areas” and “reverse current asymmetric threats” and that are quick to implement and execute, ideally within a 12-month period.
Zatko went on to state that, in their current state, computer systems were needlessly complicated and thus more vulnerable to attack. You’ve got to love the example of Microsoft Word he used to illustrate this, stating that, due to some needlessly sophisticated features included in the software, numerous exploits were opened up as a result.
Needless to say, it will be interesting to see what reception this gets from the hardcore hacker community, and also how much funding this program actually ends up getting from the U.S. Federal government, especially considering its current plethora of debt problems. All in all though, it sounds like it could potentially be a smart step in the right direction from the U.S. Government’s perspective. However, as always, the devil is in the details, in particular when getting in bed with the Pentagon.