LAS VEGAS. Hacker is not a bad word. That’s the assertion of Peiter “Mudge” Zatko, Program Manager, Information Innovation Office, Defense Advanced Research Projects Agency (DARPA) in the U.S Government. Zatko delivered the keynote address at the Black Hat security conference, a stage he’s familiar with, having formerly been a well known hacker with the L0pht hacker collective, which was famous for its L0phtCrack password cracking tool.
Zatko noted that his goal in speaking at Black Hat was to help build a bridge between the security community and the government. He stressed that the modern approach to building security solutions for both government and commercial use isn’t working as well as it could or should.
Zatko explained that DARPA keeps a watchlist of software deployed in the Government that needs patching or security fixes. As a source of irony and frustration, Zatko said that on a recent list, six out of 17 vulnerabilities that DARPA was tracking for fixes were for vulnerabilities in security software. So the software that is supposed to be securing the government is in some cases vulnerable and still unpatched.
The other issue that Zatko is worried about is the fact that modern software is built in multiple layers, which end up increasing the attack surface.
“There is no small target and large target anymore,” Zatko said. “Everything is a large target in modern operating systems.”
Zatko added for every 1,000 lines of code, 1 to 5 bugs are introduced.
“Not all those bugs are exploitable, but some are,” Zatko said. “We are creating a very large and complex surface area and that’s difficult to protect.”
In Zatko’s experience, the commercial world doesn’t always solve security problems, which is where DARPA will be able to help.
Zatko announced that the DARPA RA-11-52 effort just went live this week, which is a program to cyber fast-track security research. He noted that current government effort often involves overly complex process both in terms of acquisition and development.
“I think it’s time to help smaller groups to fund and help security research,” Zatko said.
Zatko wants new energy and faster, more creative solutions that might not fit into existing categories of products. He also wants researchers to reduce the attack surface in programs. He added that DARPA intends to cultivate relations and become a resource.
According to Zatko, in the past trying to deal with the government would often require a researcher to have a team of people to figure out how to handle the ‘government speak’ in the RFP process.
Cyber fast-track is intended to make the whole process easier for security researchers to get government funding. Zatko noted that he expects that between 20 and 100 efforts will be funded each year, with a 14-day turnaround to get on contract.
The Cyber fast-track program will also be looking to do a DARPA Summer of Code effort for auditing open source software. Zatko said that the U.S. Government uses open source code so it will help them as well as the community.
“What’s good for this community is good for DARPA,” Zatko said.