Analysis | The Cybersecurity 202: DARPA wants hackers to try to crack its new generation of super-secure hardware
By Joseph Marks
The Pentagon’s top research agency thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers.
Now, the Defense Advanced Research Projects Agency, which helped invent GPS and the Internet, is launching a contest for ethical hackers to try to break into that technology before it goes public. DARPA is offering the hackers cash prizes for any flaws they find using a program called a “bug bounty.”
The new technology is based on re-engineering hardware, such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible. That’s far different from the standard approach to cybersecurity, in which tech companies release a never-ending stream of software patches every time bad guys discover a new bug.
If industry widely adopts the new systems, DARPA researchers believe they can finally shift the tide in a battle that has favored hackers over defenders basically since the birth of the Internet.
“It [would have] a huge, huge impact,” DARPA Microsystems Technology Office Program Manager Keith Rebello, who’s running the program, told me. “About 70 percent of all cyberattacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.”
A worker cleans a voting machine. (Andrew Harrer/Bloomberg News)
DARPA has built model versions of several different computerized systems that use the new hardware and that cybersecurity pros will try to break into. The agency purposefully chose some of those models to demonstrate the dangers of the current generation of poorly secured hardware and to show how much safer the world could be with more secure versions, Rebello told me.
The biggest ticket item is a voter registration database. State and federal election officials have identified such systems as one of the greatest vulnerabilities if hackers from Russia or elsewhere try to undermine the 2020 election. Kremlin-linked hackers successfully broke into voter databases in Illinois and Florida in 2016, though there’s no evidence they changed any votes.
If DARPA can prove its version of the database is far tougher to hack, that could be a game-changer, allowing officials to be far more confident about election security.
Another model for the bug bounty is a medical database containing research into the novel coronavirus — information that FBI and Department of Homeland Security officials say is being targeted by Chinese hackers.
“We wanted to use demonstrations that are relevant to show the impact that we can have with this technology,” Rebello told me.
The program, which is officially called System Security Integration Through Hardware and Firmware, or SSITH, started in 2017 and will run for another year. So there will be time to make fixes based on problems the cybersecurity pros uncover.
The secure hardware itself is funded by DARPA but is being built by researchers and academics at places like Lockheed Martin, the University of Michigan and the Massachusetts Institute of Technology.
Pipettes operate on a rack of test tubes inside a ribonucleic acid (RNA) extractor at the LBM LxBio medical biology laboratory. (Balint Porneczi/Bloomberg News)
This is the first bug bounty for the DARPA hardware program, but such programs have become increasingly popular in government in recent years. DARPA is working with the Defense Digital Service, a technology tiger team inside the Pentagon that has managed bug bounties for the Army, Navy and Air Force and recently helped find hackable bugs in systems on a U.S. fighter jet.
The project is also being managed by the cybersecurity company Synack, which specializes in running bug bounties and has worked with the Defense Digital Service on some of its earlier projects.
The largest share of the hacking will be done by cybersecurity pros who work regularly with Synack and have expertise in a number of specialized areas, including hacking hardware. There will also be a broader part of the program that’s basically open to anyone with hacking experience who isn’t barred from working with the government, such as people on terrorist watch lists.
“This is a wide pool of people with different skill sets that we might not always find in government,” Rebello said. “We’ll have three months for the hacker community to experiment and take things apart, and try and reverse-engineer our hardware to see if they can break it.”
DARPA couldn’t say how much money it expects to pay out to hackers who find bugs. Synack said its payouts “typically range from hundreds to tens of thousands of dollars for very severe vulnerabilities.”
Computer chips sit on an electronic motherboard. (Andrey Rudakov/Bloomberg News)
The new secure hardware won’t be commercially available in time for the election in November or probably to protect research for a coronavirus vaccine. But Rebello is hopeful it will start being integrated into some commercially available computer chips in the next two to four years, he told me.
A handful of companies have already expressed interest in piloting some version of the system, including the British firm Arm Holdings, he said.
The rush is on because cybersecurity is going to grow far more important during the next decade.
That’s partly because critical business sectors, such as manufacturing, medicine, transportation, energy and agriculture, will be doing far more of their work using online systems. The Internet will also begin connecting to a slew of new devices that weren’t networked before, such as driverless cars, thermostats and home security systems, creating far more opportunities for hackers.
“The attack surface is going to explode, so we really need to start thinking about how we can rein that in,” Rebello said. “And having secure hardware, I think, is one very important key to solving that puzzle.”
Democrats want to ensure federal agencies aren’t conducting improper surveillance on protests against police brutality.
Demonstrators protest police brutality and the death of George Floyd. (Olivier Douliery/AFP/Getty Images)
In a separate letter, Democrats on the House Oversight Committee, including Rep. Alexandria Ocasio-Cortez (D-N.Y.), demanded a full account of DHS's role in surveillance of protesters in Minneapolis, where George Floyd was killed in police custody and where the protest movement began.
The letter slammed the agency's use of a military drone for surveillance as a "gross abuse of authority."
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) has also demanded answers about the agencies’ surveillance. So far DHS has not scheduled a briefing or answered Thompson’s letter, according to a committee representative.
Drug Enforcement Administration agents have also reportedly conducted surveillance of the protests. Rep. Ted Lieu (D-Calif.) announced on Twitter that he's working on a bill that would ban agencies from using powerful “Stingray” technology that spoofs cellphone towers to collect cellular messages and data from protesters.
I am working on legislation to ban the use of Dirtboxes, Stingrays and other powerful cell site simulators on protestors. Warrantless surveillance of #BlackLivesMattters activists and protestors by @TheJusticeDept is unAmerican and unconstitutional. https://t.co/4Y6iWJzALk— Ted Lieu (@tedlieu) June 6, 2020
Google and Apple are struggling to ban coronavirus contact tracing apps that violate privacy rules.
A server wearing a protective mask and gloves carries a drink at a restaurant in Chicago. (Christopher Dilts/Bloomberg News)
Lawmakers recently introduced legislation that would limit data coronavirus-tracing apps can collect and potentially ban them from using it for commercial purposes.
Until those laws are passed, however, it's mostly up to Apple and Google to decide which apps to allow in their stores. And changing guidelines have led to confusion for some developers.
Google removed one contact tracing app that included paid ads allegedly profiting off the pandemic. Apple forced the company to stop taking money for ads on its version of the app.
A major British bank fears it will face economic reprisals from China if the United Kingdom bans Huawei from its 5G network.
Pedestrians wearing protective masks walk past a HSBC Holdings Plc branch in Hong Kong. (Roy Liu/Bloomberg News)
It's another example of the wide-reaching economic repercussions of the feud between the Chinese telecom giant and the United States.
The United States has long accused Huawei of providing a possible backdoor for Chinese spying, allegations that the company has denied.
The Wall Street Journal's Dan Strumpf has a detailed behind-the-scenes account of Huawei's efforts to combat U.S. claims.
Securing the ballot
An online voting platform that’s been used by voters in several states can be manipulated to alter votes, a new study finds.
Stickers saying "I Voted Today." (Rachel Wisniewski/Reuters)
The new report follows a warning from DHS and the FBI last month discouraging states from using “electronic ballot return technologies.”
The paper also says the company that runs OmniBallot, Democracy Live, fails to protect voters from potential ad targeting based on their voter data.
Democracy Live Chief Executive Bryan Finney defended the platform in a New York Times interview, saying online voting options are necessary to make sure people aren’t blocked from voting. “No technology is bulletproof,” he said. “But we need to be able to enfranchise the disenfranchised.”
Chat room
Here are recommendations for how election officials can use OmniBallot's technology while mitigating risk, from one of the report's lead authors, University of Michigan professor Alex Halderman:
15/ (a) Discontinue online voting. No readily available defense can adequately mitigate the risks of OmniBallot's electronic return mechanism.— J. Alex Halderman (@jhalderm) June 8, 2020
17/ To reduce security and privacy risks for voters who do need online marking, ballots should be generated locally in the browser, using client-side code. Democracy Live already offers this option in California and some other localities.— J. Alex Halderman (@jhalderm) June 8, 2020
20/ (e) States should also require public, independent security analysis before considering online voting systems. Without such analysis, voters and officials will be unable to accurately weigh the tradeoffs between risk and access.— J. Alex Halderman (@jhalderm) June 8, 2020
22/ Bottom line: OmniBallot's ballot delivery and marking can be valuable tools for helping voters participate *if* officials take precautions we suggest. Online voting, however, is a severe danger to election integrity and privacy, and we urge jurisdictions not to deploy it.— J. Alex Halderman (@jhalderm) June 8, 2020
Hackers targeted more than 100 high-ranking executives helping the German government procure protective equipment during the coronavirus pandemic.
A medical worker disinfects a driver of his ambulance after escorting a patient in Russia on Thursday. (Dmitri Lovetsky/AP)
The ongoing campaign highlights how a scramble for supplies to battle a second wave of coronavirus could create new hacking threats, they say.
More in cyberattacks and disruptions:
- The president of Estonia, Kersti Kaljulaid, will be participating in a webinar, “Deciding on the Rules of the Road for Cyberspace: The Who, What, Where, When, How,” presented by the Institute for International Cyber Stability at 10 a.m. Tuesday.
- The House Administration Committee will hold a hearing on the impact of covid-19 on voting rights and election administration Thursday at 1 p.m.
- The House Financial Services Committee will host a hearing on how cybercriminals are exploiting the covid-19 pandemic on June 16 at 12 p.m.