U.S. to Fund Hacking Projects That Thwart Cyber-Threats

A DARPA official and former freelance hacker discussed the details behind the agency's Cyber-Fast Track project which will fund small and quick cyber-security projects.

LAS VEGAS-Former L0pht hacker known as "Mudge" discussed a new government initiative to fund hacking projects designed to help block cyber-threats at the Black Hat security conference.

The Defense Advanced Research Projects Agency will fund new cyber-security proposals under the new Cyber-Fast Track project, Peiter Zatko, currently a program manager for the agency's information innovation office, said in his Aug. 4 keynote speech at Black Hat. The project, originally announced at ShmooCon cyber-security conference back in January, will bridge the gap between hacker groups and government agencies, he said.
Under the Cyber-Fast Track initiative, DARPA will fund between 20 to 100 projects annually. Open to anybody, researchers can pitch DARPA with ideas and have a project approved and funded within 14 days of the application, Zatko said. Developers will retain intellectual property rights while DARPA will operate under government use rights, Zatko said.
"It's time to start funding hacker spaces, labs and boutique security companies to make it easier to compete with large government contractors," Zatko said.
The way the government is currently set up, these independent researchers and small businesses can't get money for research without giving up intellectual property or having their company bought out and "gutted," according to Zatko. "We need new ideas and we need new performers," Zatko said.
Despite increased security spending, the number of malware attacks on government agencies has skyrocketed in recent years, according to Zatko. There were about 1,400 "incidents of malicious cyber activity" in 2000, which jumped to more than 71,000 by 2009, he said.
Funding independent security researchers, who currently do most of their work on their own time for free, would encourage them to divert their energies in ways that would make the Internet safer, he said.
Anything that could help the military will be considered, including bug-hunting exercises, commodity high-end computing and open software tools. Projects such as cheap unmanned aerial vehicles and an automated war dialer that could repeatedly ring phones in a given area would qualify, Zatko said. The projects should be small and quick to execute, ideally within 12 months, according to Zatko. Projects with the potential to "reduce attack surface areas, reverse current asymmetries" are of "particular interest. DARPA is encouraging efforts in a more strategic, rather than tactical, direction.
Current computer systems are needlessly complicated and are more vulnerable to malicious hacking as a result, according to Zatko. An example of a project that would reduce the attack surface would be one that simplified Microsoft Word, which has a number of sophisticated features that are also the source of numerous exploits, he said.
"Proposed technologies may be hardware, software or any combination thereof. Efforts developing proofs of concept or finished products are also of particular interest," Zatko said.

While Zatko did not say how much funding the program overall has received, he said that if there is a lot of activity and tools are being developed, then increased funding will be likely.
DARPA wasn't the only branch of the federal government visible at Black Hat. The Federal Bureau of Investigation, Federal Reserve and the Internal Revenue Service had booths set up on the expo floor.