Speculation is rampant that certain manufacturers are installing backdoors in their own products, or that foreign and criminal elements are exploiting weaknesses in the supply chain to compromise IT and networking equipment somewhere between vendors and their customers. The Pentagon is trying to find some way of guaranteeing that its hardware and software are secure, and so the Department of Defense is assigning its out-there research division, the Defense Advanced Research Projects Agency (DARPA), to do just that.
On Friday, DARPA officials said that the DoD does not have the capacity to ensure the security of all of its devices in a timely fashion with the resources currently at its disposal. To remedy this, DARPA intends to develop a litmus test capable of determining the presence of backdoors and other malicious functions within the DoD’s current and future IT infrastructure.
The “Vetting Commodity IT Software and Firmware” (VET) program plans to find, in DARPA’s words, “innovative, large-scale approaches to verifying the security and functionality of commodity IT devices.” The Pentagon’s goals are as simple and straightforward as they are lofty. DARPA’s announcement lists ‘defining malice,’ ‘confirming the absence of malice,’ and ‘examining equipment at scale’ as the primary technical challenges that the program will address.
More specifically, department analysts will define and itemize malice (inasmuch as it could exist in their networks). Non-specialist employees will then confirm the absence of malice by examining the software, computing devices, networking equipment, and other hardware systems installed on or connected to their network. The inspections, which will conform to a checklist establishing what constitutes malice, must scale effectively to an organization as large as the DoD.
“DoD relies on millions of devices to bring network access and functionality to its users,” said DARPA program manager Tim Fraser in a statement. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”
A broad agency announcement (BAA) calling for research proposals for the VET program will not be published on the Federal Business Opportunities website until after the program’s Proposers’ Day on December 12 at the Capital Conference Center in Arlington, Va.
This is the second piece of Internet security-related news out of DARPA in as many days. Yesterday, DARPA published a BAA that bluntly called for research proposals that would strengthen the U.S. military’s capacity to wage electronic warfare.