Since the dawn of computing there’s been a cold war between those who run computer systems and those who attack them.
And never the twain shall meet–at least until now.
Speaking at the ShmooCon hacker convention in Washinton, D.C., Defense Advanced Research Projects Agency (DARPA) project manager Peiter Zatko has announced Cyber Fast Track, a new scheme that will rely on the skills of “small organizations, boutiques, hacker spaces, [and] maker labs” in order to find cybersecurity solutions.
Zatko is perhaps best known in hacker circles by the handle of “Mudge,” and as the one-time member of the L0pht and Cult of the Dead Cow collectives. He created the legendary password-cracking tool L0phtCrack and was one of the first to highlight buffer overflow hacks in 1995. In 1998 he famously told a Senate committee that hackers could bring down the Internet within 30 minutes.
The nature of government contracting means that cybersecurity projects undertaken by the Department of Defense typically involve millions of dollars and are designed to take years to complete. There’s nothing wrong with that, Zatko claims, but more agile thinking is necessary.
Zatko described what he called the “asymmetry” between the ease of creating malware compared to the solutions used to defend against it; a piece of malware typically involves 125 lines of computer code, he said, and that’s stayed the same since 1985. However, the latest unified threat management solutions involve around 10,000,000 lines of code, having risen from the same kind of figures as malware in 1985.
Attaching a one dollar value to each line of code, it’s clear that creating defensive solutions is becoming increasingly expensive, complex, and time consuming, while malware is remaining simple to produce.
Zatko’s solution is to harness those within the hacking community who typically present research at black or white hat conventions but whose work flies under the radar of DARPA. He intends to harness teams or individuals employed on the back of short fixed-price DARPA contracts to produce results within months rather than years.
“I went over to the dark side because they need it,” Zatko explained in his keynote, referring to his employment by DARPA, and adding later: “I want the government to modify and change.”
So will it work?
To answer the question it’s necessary to understand what motivates hackers: curiosity, a sense of fun, and community. Finding out secrets within software or hardware is a reward within itself, but sharing those secrets with others increases standing among your peers.
Although hackers have had various criticisms leveled at them over the years, few have ever suggested hackers are motivated by money. That kind of thinking is limited to fiction.
However, mere pecuniary advantage isn’t what Zatko is using to motivate his former comrades. He spoke of creating “hacker incubators” and made it clear that the DoD would not request commercial rights to any innovations discovered.
Essentially, Zatko wants to sponsor researchers, rather than providing them with rewards if they do well. This is much more in thinking with typical hacker aspirations–getting somebody to pay the bills while they do the things they love. And, in any case, at the end of the process the hacker or team concerned is free to seek all the rewards they can get for the work.
Zatko merely wants to exploit the huge brain power and creativity of the hacker community, and as a former member, he knows exactly what makes it tick. Although his scheme will not go into operation for a few months yet, the signs are that it might produce results that improve security for all of us.
You can view Zatko’s keynote speech below on YouTube.
Keir Thomas has been making known his opinion about computing matters since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com. His Twitter feed is @keirthomas.