DARPA to Hunt for Malicious Functions in Hardware and Software

When it comes to commercial, off-the-shelf products available to both the government and the private sector, the fear that a foreign state or other bad actor might have added a backdoor is a common one. To address this concern, especially for the Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) said that it would implement a vetting program in order to determine if a given product is safe.

DARPA’s program will target a scenario that keeps supply chain managers and security teams awake at night: the widespread dissemination of commercial technology that might be secretly wired to function in unintended ways or even spy on its users.

“From this vantage point, mobile phones, network routers, computer work stations and any other device hooked up to a network can provide a point of entry for an adversary,” the research arm of the DoD said in a statement.

The program is called VET, and it seeks innovative, large-scale approaches to verifying the security and functionality of commodity IT devices to ensure they are free of hidden backdoors and malicious functionality.

There are three challenges that VET will address. The first is identifying items in a given device, a router for example, that may be malicious. The second is to take the generated list of potentially malicious items and create a checklist to assess whether the device is in fact malicious. The third is to take the accumulated knowledge and develop a way to enable non-specialists to verify security on a wide scale.

“DoD relies on millions of devices to bring network access and functionality to its users,” said Tim Fraser, DARPA program manager.

“Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

Earlier this year, a report from Gartner warned that IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years.

Hardware vendors are outsourcing not just manufacturing, but also design tasks to OEM suppliers and contractors abroad, Gartner’s report said. Established Asian suppliers are also outsourcing to companies in other countries, introducing more opportunities to compromise the supply chain.

Protecting IT Supply Chain

Additionally, a report from Northrop Grumman published in March 2012 for the U.S.-China Economic and Security Review Commission warned that “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety.”

The GAO has also voiced similar concerns, acknowledging that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

Additional details and participation information for DARPA’s program are available here.
