Analysis | The Cybersecurity 202: DARPA wants hackers to try to crack its new generation of super-secure hardware

By Joseph Marks

with Tonya Riley

The Pentagon’s top research agency thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers.
Now, the Defense Advanced Research Projects Agency, which helped invent GPS and the Internet, is launching a contest for ethical hackers to try to break into that technology before it goes public. DARPA is offering the hackers cash prizes for any flaws they find using a program called a “bug bounty.”
The new technology is based on re-engineering hardware, such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible. That’s far different from the standard approach to cybersecurity, in which tech companies release a never-ending stream of software patches every time bad guys discover a new bug.
If industry widely adopts the new systems, DARPA researchers believe they can finally shift the tide in a battle that has favored hackers over defenders basically since the birth of the Internet.
“It [would have] a huge, huge impact,” DARPA Microsystems Technology Office Program Manager Keith Rebello, who’s running the program, told me. “About 70 percent of all cyberattacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.”

A worker cleans a voting machine. (Andrew Harrer/Bloomberg News)
DARPA has built model versions of several different computerized systems that use the new hardware and that cybersecurity pros will try to break into. 
The agency purposefully chose some of those models to demonstrate the dangers of the current generation of poorly secured hardware and to show how much safer the world could be with more secure versions, Rebello told me.
The biggest ticket item is a voter registration database. State and federal election officials have identified such systems as one of the greatest vulnerabilities if hackers from Russia or elsewhere try to undermine the 2020 election. Kremlin-linked hackers successfully broke into voter databases in Illinois and Florida in 2016, though there’s no evidence they changed any votes.
If DARPA can prove its version of the database is far tougher to hack, that could be a game-changer, allowing officials to be far more confident about election security.
Another model for the bug bounty is a medical database containing research into the novel coronavirus — information that FBI and Department of Homeland Security officials say is being targeted by Chinese hackers.
“We wanted to use demonstrations that are relevant to show the impact that we can have with this technology,” Rebello told me.
The program, which is officially called System Security Integration Through Hardware and Firmware, or SSITH, started in 2017 and will run for another year. So there will be time to make fixes based on problems the cybersecurity pros uncover.
The secure hardware itself is funded by DARPA but is being built by researchers and academics at places like Lockheed Martin, the University of Michigan and the Massachusetts Institute of Technology.

Pipettes operate on a rack of test tubes inside a ribonucleic acid (RNA) extractor at the LBM LxBio medical biology laboratory. (Balint Porneczi/Bloomberg News)
This is the first bug bounty for the DARPA hardware program, but such programs have become increasingly popular in government in recent years. 
DARPA is working with the Defense Digital Service, a technology tiger team inside the Pentagon that has managed bug bounties for the Army, Navy and Air Force and recently helped find hackable bugs in systems on a U.S. fighter jet.
The project is also being managed by the cybersecurity company Synack, which specializes in running bug bounties and has worked with the Defense Digital Service on some of its earlier projects.
The largest share of the hacking will be done by cybersecurity pros who work regularly with Synack and have expertise in a number of specialized areas, including hacking hardware. There will also be a broader part of the program that’s basically open to anyone with hacking experience who isn’t barred from working with the government, such as people on terrorist watch lists.
“This is a wide pool of people with different skill sets that we might not always find in government,” Rebello said. “We’ll have three months for the hacker community to experiment and take things apart, and try and reverse-engineer our hardware to see if they can break it.”
DARPA couldn’t say how much money it expects to pay out to hackers who find bugs. Synack said its payouts “typically range from hundreds to tens of thousands of dollars for very severe vulnerabilities.”

Computer chips sit on an electronic motherboard. (Andrey Rudakov/Bloomberg News)
The new secure hardware won’t be commercially available in time for the election in November or probably to protect research for a coronavirus vaccine. 
But Rebello is hopeful it will start being integrated into some commercially available computer chips in the next two to four years, he told me.
A handful of companies have already expressed interest in piloting some version of the system, including the British firm Arm Holdings, he said.
The rush is on because cybersecurity is going to grow far more important during the next decade.
That’s partly because critical business sectors will be doing far more of their work using online systems, such as manufacturing, medicine, transportation, energy and agriculture. The Internet will also begin connecting to a slew of new devices that weren’t networked before, such as driverless cars, thermostats and home security systems, creating far more opportunities for hackers.
“The attack surface is going to explode, so we really need to start thinking about how we can rein that in,” Rebello said. “And having secure hardware, I think, is one very important key to solving that puzzle.”

The keys
Democrats want to ensure federal agencies aren’t conducting improper surveillance on protests against police brutality. 

Demonstrators protest police brutality and the death of George Floyd. (Olivier Douliery/AFP/Getty Images)

Sen. Kamala D. Harris (Calif.) and Reps. Mary Gay Scanlon (Pa.) and Juan Vargas (Calif.) led 97 colleagues in a letter to Customs and Border Protection and Immigration and Customs Enforcement officials demanding answers about what surveillance tools the agencies have used, how they shared surveillance footage and whether their staffs have been trained to comply with privacy laws.
In a separate letter, Democrats on the House Oversight Committee, including Rep. Alexandria Ocasio-Cortez (D-N.Y.), demanded a full account of DHS's role in surveillance of protesters in Minneapolis, where George Floyd was killed in police custody and where the protest movement began.
The letter slammed the agency's use of a military drone for surveillance as a "gross abuse of authority."
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) has also demanded answers about the agencies’ surveillance. So far DHS has not scheduled a briefing or answered Thompson’s letter, according to a committee representative.
Drug Enforcement Administration agents have also reportedly conducted surveillance of the protests. Rep. Ted Lieu (D-Calif.) announced on Twitter that he's working on a bill that would ban agencies from using powerful “Stingray” technology that spoofs cellphone towers to collect cellular messages and data from protesters.
I am working on legislation to ban the use of Dirtboxes, Stingrays and other powerful cell site simulators on protestors. Warrantless surveillance of #BlackLivesMatters activists and protestors by @TheJusticeDept is un-American and unconstitutional.
— Ted Lieu (@tedlieu) June 6, 2020
It's unclear if the DEA actually used the technology, which could ensnare the communications of thousands of bystanders.
Google and Apple are struggling to ban coronavirus contact tracing apps that violate privacy rules. 

A server wearing a protective mask and gloves carries a drink at a restaurant in Chicago. (Christopher Dilts/Bloomberg News)

Some of the suspect apps aren't clear about users' privacy protections while others don't have privacy policies at all, Khadeeja Safdar and Kevin Poulsen at the Wall Street Journal report. Researchers at the International Digital Accountability Council also found apps that failed to safeguard users’ location and other sensitive data, potentially exposing it to hackers.
Lawmakers recently introduced legislation that would limit data coronavirus-tracing apps can collect and potentially ban them from using it for commercial purposes. 
Until those laws are passed, however, it's mostly up to Apple and Google to decide which apps to allow in their stores. And changing guidelines have led to confusion for some developers.
Google removed one contact tracing app that included paid ads allegedly profiting off the pandemic. Apple forced the company to stop taking money for ads on its version of the app. 
A major British bank fears it will face economic reprisals from China if the United Kingdom bans Huawei from its 5G network.

Pedestrians wearing protective masks walk past a HSBC Holdings Plc branch in Hong Kong. (Roy Liu/Bloomberg News)

The chairman of HSBC privately urged Prime Minister Boris Johnson not to go through with banning Huawei, the Telegraph reports. British lawmakers could reach a decision as soon as this month over whether to ban Huawei from its 5G network. The lawmakers previously approved a limited role for the company but have reconsidered the decision in light of a U.S. decision to ban Huawei from using chips made with U.S. technology. 
It's another example of the wide-reaching economic repercussions of the feud between the Chinese telecom giant and the United States. 
The United States has long accused Huawei of providing a possible backdoor for Chinese spying, allegations that the company has denied. 
The Wall Street Journal's Dan Strumpf has a detailed behind-the-scenes account of Huawei's efforts to combat U.S. claims. 

Securing the ballot

An online voting platform that’s been used by voters in several states can be manipulated to alter votes, a new study finds. 

Stickers saying "I Voted Today." (Rachel Wisniewski/Reuters)

That manipulation might not be detected by voters or election officials, according to the study from researchers at the University of Michigan and M.I.T. The platform, called OmniBallot, was offered to voters with disabilities in Delaware’s primary last week and in local elections in New Jersey and it’s been used elsewhere by voters with disabilities.
The new report follows a warning from DHS and the FBI last month discouraging states from using “electronic ballot return technologies.”
The paper also says the company that runs OmniBallot, Democracy Live, fails to protect voters from potential ad targeting based on their voter data.
Democracy Live Chief Executive Bryan Finney defended the platform in a New York Times interview, saying online voting options are necessary to make sure people aren’t blocked from voting. “No technology is bulletproof,” he said. “But we need to be able to enfranchise the disenfranchised.”

Chat room

Here are recommendations for how election officials can use OmniBallot's technology while mitigating risk from one of the report's lead authors, University of Michigan professor Alex Halderman:
15/ (a) Discontinue online voting. No readily available defense can adequately mitigate the risks of OmniBallot's electronic return mechanism.
— J. Alex Halderman (@jhalderm) June 8, 2020
17/ To reduce security and privacy risks for voters who do need online marking, ballots should be generated locally in the browser, using client-side code. Democracy Live already offers this option in California and some other localities.
— J. Alex Halderman (@jhalderm) June 8, 2020
20/ (e) States should also require public, independent security analysis before considering online voting systems. Without such analysis, voters and officials will be unable to accurately weigh the tradeoffs between risk and access.
— J. Alex Halderman (@jhalderm) June 8, 2020
22/ Bottom line: OmniBallot's ballot delivery and marking can be valuable tools for helping voters participate *if* officials take precautions we suggest. Online voting, however, is a severe danger to election integrity and privacy, and we urge jurisdictions not to deploy it.
— J. Alex Halderman (@jhalderm) June 8, 2020

Cyber insecurity

Hackers targeted more than 100 high-ranking executives helping the German government procure protective equipment during the coronavirus pandemic.

A medical worker disinfects a driver of his ambulance after escorting a patient in Russia on Thursday. (Dmitri Lovetsky/AP)
It's unclear how many of the phishing attacks were successful, IBM X-Force researchers say.
The ongoing campaign highlights how a scramble for supplies to battle a second wave of coronavirus could create new hacking threats, they say.
More in cyberattacks and disruptions:

The network protection firm Cloudflare wrote in a blog post this week that attacks on advocacy sites have experienced a 1,120 percent increase from the month prior. (NBC News)


Secure log off

Footage from The Post of the Black Lives Matter protests in Washington:

