When it comes to commercial, off-the-shelf products available to both the government and the private sector, the fear that a foreign state or other bad actor might have added a backdoor is a common one. To address this concern, especially for the Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) said that it would implement a vetting program in order to determine if a given product is safe.
DARPA’s program will target a scenario that keeps supply chain managers and security teams awake at night. Namely, the widespread dissemination of commercial technology that might be secretly wired to function in unintended ways or even spy on its users.
“From this vantage point, mobile phones, network routers, computer work stations and any other device hooked up to a network can provide a point of entry for an adversary,” the research arm of the DoD said in a statement.
The program is called VET, and it seeks innovative, large-scale approaches to verifying the security and functionality of commodity IT devices to ensure they are free of hidden backdoors and malicious functionality.
There are three challenges that VET will address. The first is identifying items in a given device, a router for example, that may be malicious. Then, taking the generated list of potentially malicious items into account, create a checklist to assess if the device is in fact malicious. From there, the third step is to take the accumulated knowledge and develop a way to enable non-specialists to verify security on a wide scale.
“DoD relies on millions of devices to bring network access and functionality to its users,” said Tim Fraser, DARPA program manager.
“Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”
Earlier this year, a report from Gartner warned that IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years.
Hardware vendors are outsourcing not just manufacturing, but also design tasks to OEM suppliers and contractors abroad, Gartner’s report said. Established Asian suppliers are also outsourcing to companies in other countries, introducing more opportunities to compromise the supply chain.
Additionally, a report from Northrop Grumman published in March 2012 for the U.S.-China Economic and Security Review Commission warned that “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety.”
The GAO has also voiced similar concerns, acknowledging that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.
Additional details and participation information for DARPA’s program are available here.