The BBN Technologies division of Raytheon, an intelligence systems and security specialist, and GrammaTech, a specialist in software-assurance tools and cyber-security solutions, were awarded a $4.8 million contract under the Defense Advanced Research Projects Agency's Vetting Commodity IT Software and Firmware (VET) program.
Under the program, the two companies said they intend to develop tools and techniques to enable organizations to inspect the software and firmware that exist inside network-enabled devices and protect them from attack.
BBN Technologies said it plans to develop techniques that enable analysts to prioritize elements of software and firmware to examine for hidden malicious functionality.
"The U.S. Department of Defense relies on equipment with components manufactured all over the world," Jack Marin, vice president for cyber-security at BBN, said in a statement. "Any backdoors, malicious code or other vulnerabilities hidden in those components could enable an adversary to do serious damage, including the exfiltration of sensitive data and the sabotage of critical operations. The VET program seeks to enable DoD analysts to vigorously vet software and firmware devices before they are connected to our critical networks."
Mobile phones, network routers, computer workstations and other networked devices can be secretly modified to function in unintended ways or to spy on users, a concern that led to the VET program, which seeks to help U.S. government agencies address the threat of malicious code and hidden "backdoor" access in commodity IT devices.
GrammaTech, whose software tools span a myriad of industries including avionics, medical and industrial control, said it plans to develop tools that actually examine software and firmware for exploitable security vulnerabilities.
"Our scientists are developing new technology that aims to advance the state-of-the-art for analyzing machine code," Tim Teitelbaum, GrammaTech's CEO, said in a statement. "We are leveraging these advances to create a tool that could confirm the absence of broad classes of vulnerabilities."
Federal agencies often fail to take the user experience into account when deploying cyber-security solutions, and as a result, users often circumvent security measures and open up their agencies to data theft, data loss and denial-of-service attacks, according to an October report from Meritalk, a public-private partnership focused on IT.
The study, underwritten by Akamai Technologies, found the most challenging user applications to secure are email, external Websites and the Internet from agency workstations. These are tools that more than 80 percent of users rely on daily.