UPDATE–One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters’ Laboratory.
Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.
“Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes!” Zatko said on Twitter.
The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.
Zatko is one of the members of the L0pht hacker collective that formed in Boston in the 1990s, and the idea for something along the lines of this project took shape back then. John Tan, one of the members of the L0pht, wrote a paper describing a possible model for a “cyber UL” in 1999, an organization that would certify the reliability and quality of a security product. The paper describes a key problem in the security industry, a problem that still exists more than 16 years later: No one has a good way to prove the claims made by vendors.
“Similarly to early electrical inventions, today’s computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and
inadvertently introduce worse ones, some just do not perform as advertised at all,” the paper says.
Describing the problem is one thing, and solving it is another thing altogether. Product testing and certification authorities for software and hardware have existed for many years, but they are sometimes seen as ineffective or beholden to the manufacturers whose products they are testing. Creating an independent organization that will perform these functions could solve much of this problem.
“The arrival of a government body interested in standardizing security testing for software and hardware couldn’t come at a better time. A well-designed entity here would rely on automation as much as possible, as to address the massive scale of the security problem for software,” said Christien Rioux, a member of the L0pht and currently the chief scientist at Veracode.
Zatko has a long record in the security community and has held a wide variety of positions in the last decade. Before joining Google, he worked at DARPA for several years, running a number of influential research programs, including Cyber Fast Track, which funded security research programs. Several high-profile researchers used grants from the CFT program to fund their research, including Charlie Miller and Chris Valasek, who funded their ground-breaking work on the security of automotive systems, and Joe Grand, who did work on deconstructing printed circuit boards. CFT also helped fund Miller’s research on NFC security and Moxie Marlinspike’s work on the Convergence system.
Grand, a hardware engineer and researcher who runs Grand Idea Studios, said he sees a lot of potential in the cyber UL idea, but also some possible hurdles.
“Technology, especially in the ‘cyber’ community, moves so quickly that having a checklist, rating system, test procedure, etc. to classify the security of products/systems won’t be enough. I’ve always been fearful/doubtful of any type of compliance/rubber stamp of ‘Product x is secure’ or ‘Product x meets required specifications’ (e.g., like FIPS140), since just because features are implemented doesn’t mean they’re implemented correctly and could still potentially be broken (either in ways we know or future attacks that we don’t),” Grand said via email.
Two years ago, when he announced that the CFT program was ending at DARPA, Zatko said that the complexity of the security landscape makes defenders’ jobs progressively more difficult.
“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” he said during a talk at the CanSecWest conference in 2013. “Why are we not making progress? There’s a whole bunch of factors involved.”
Before moving to DARPA, Zatko spent many years at BBN Technologies, a pioneering technology company, and was a top researcher at @stake, the security consultancy and research company.
This story was updated on June 30 to add Rioux’s and Grand’s comments.