WASHINGTON – The Pentagon’s top research agency thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers.
Now, the Defense Advanced Research Projects Agency, which helped invent GPS and the Internet, is launching a contest for ethical hackers to try to break into that technology before it goes public. DARPA is offering the hackers cash prizes for any flaws they find using a program called a “bug bounty.”
The new technology is based on re-engineering hardware, such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible. That’s far different from the standard approach to cybersecurity, in which tech companies release a never-ending stream of software patches every time bad guys discover a new bug.
If industry widely adopts the new systems, DARPA researchers believe they can finally shift the tide in a battle that has favored hackers over defenders basically since the birth of the Internet.
“It [would have] a huge, huge impact,” DARPA Microsystems Technology Office Program Manager Keith Rebello, who’s running the program, told me. “About 70 percent of all cyberattacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.”
The agency purposefully chose some of those models to demonstrate the dangers of the current generation of poorly secured hardware and to show how much safer the world could be with more secure versions, Rebello told me.
The biggest ticket item is a voter registration database. State and federal election officials have identified such systems as one of the greatest vulnerabilities if hackers from Russia or elsewhere try to undermine the 2020 election. Kremlin-linked hackers successfully broke into voter databases in Illinois and Florida in 2016, though there’s no evidence they changed any votes.
If DARPA can prove its version of the database is far tougher to hack, that could be a game-changer, allowing officials to be far more confident about election security.
Another model for the bug bounty is a medical database containing research into the novel coronavirus – information that FBI and Department of Homeland Security officials say is being targeted by Chinese hackers.
“We wanted to use demonstrations that are relevant to show the impact that we can have with this technology,” Rebello told me.
The program, which is officially called System Security Integration Through Hardware and Firmware, or SSITH, started in 2017 and will run for another year. So there will be time to make fixes based on problems the cybersecurity pros uncover.
The secure hardware itself is funded by DARPA but is being built by researchers and academics at places like Lockheed Martin, the University of Michigan and the Massachusetts Institute of Technology.
DARPA is working with the Defense Digital Service, a technology tiger team inside the Pentagon that has managed bug bounties for the Army, Navy and Air Force and recently helped find hackable bugs in systems on a U.S. fighter jet.
The project is also being managed by the cybersecurity company Synack, which specializes in running bug bounties and has worked with the Defense Digital Service on some of its earlier projects.
The largest share of the hacking will be done by cybersecurity pros who work regularly with Synack and have expertise in a number of specialized areas, including hacking hardware. There will also be a broader part of the program that’s basically open to anyone with hacking experience who isn’t barred from working with the government, such as people on terrorist watch lists.
“This is a wide pool of people with different skill sets that we might not always find in government,” Rebello said. “We’ll have three months for the hacker community to experiment and take things apart, and try and reverse-engineer our hardware to see if they can break it.”
DARPA couldn’t say how much money it expects to pay out to hackers who find bugs. Synack said its payouts “typically range from hundreds to tens of thousands of dollars for very severe vulnerabilities.”
But Rebello is hopeful it will start being integrated into some commercially available computer chips in the next two to four years, he told me.
A handful of companies have already expressed interest in piloting some version of the system, including the British firm Arm Holdings, he said.
The rush is on because cybersecurity is going to grow far more important during the next decade.
That’s partly because critical business sectors will be doing far more of their work using online systems, such as manufacturing, medicine, transportation, energy and agriculture. The Internet will also begin connecting to a slew of new devices that weren’t networked before, such as driverless cars, thermostats and home security systems, creating far more opportunities for hackers.
“The attack surface is going to explode, so we really need to start thinking about how we can rein that in,” Rebello said. “And having secure hardware, I think, is one very important key to solving that puzzle.”