DARPA to Hunt for Malicious Functions in Hardware and Software

When it comes to commercial, off-the-shelf products available to both the government and the private sector, the fear that a foreign state or other bad actor might have added a backdoor is a common one. To address this concern, especially for the Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) said that it would implement a vetting program in order to determine if a given product is safe.

DARPA’s program will target a scenario that keeps supply chain managers and security teams awake at night: the widespread dissemination of commercial technology that might be secretly wired to function in unintended ways or even spy on its users.

“From this vantage point, mobile phones, network routers, computer work stations and any other device hooked up to a network can provide a point of entry for an adversary,” the research arm of the DoD said in a statement.

The program is called VET, and it seeks innovative, large-scale approaches to verifying the security and functionality of commodity IT devices to ensure they are free of hidden backdoors and malicious functionality.

There are three challenges that VET will address. The first is identifying items in a given device, a router for example, that may be malicious. The second is to take the generated list of potentially malicious items and create a checklist to assess whether the device is in fact malicious. The third is to take the accumulated knowledge and develop a way to enable non-specialists to verify security on a wide scale.

“DoD relies on millions of devices to bring network access and functionality to its users,” said Tim Fraser, DARPA program manager.

“Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

Earlier this year, a report from Gartner warned that IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years.

Hardware vendors are outsourcing not just manufacturing, but also design tasks to OEM suppliers and contractors abroad, Gartner’s report said. Established Asian suppliers are also outsourcing to companies in other countries, introducing more opportunities to compromise the supply chain.

Protecting IT Supply Chain

Additionally, a report from Northrop Grumman published in March 2012 for the U.S.-China Economic and Security Review Commission warned that “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety.”

The GAO has also voiced similar concerns, acknowledging that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

Additional details and participation information for DARPA’s program are available here.
