In its unending effort to find more technologically innovative ways to accomplish things most of the government agencies that are its clients can’t do at all, DARPA called a conference this week to ask for help security military and government networks against hackers.
Who did it invite?
Hackers.
Not, fortunately, the divisions of Chinese military hackers who have been digitally marching one by one through military and government installations with impunity for anywhere from five to ten years.
The Defense Advanced Research Agency (DARPA) called the “cyber colloquium” to talk about the difficulty DARPA and the Pentagon have securing their systems.
“DARPA seeks the elite of the cyber community—visionary hackers, academics and professionals from small and large businesses—to change the dynamic of cyber defense,” the invitation read.
U.S. government and military networks are built on the same model as the Internet – with redundant pathways, little restriction or ablity to identify the source of traffic and quick acceptance of new sources of identical data. The Internet was built to recover from holes blown in it by nuclear bombs, not to secure one portion against unauthorized access without impeding anything else running across it, DARPA director Regina Dugan told the crowd.
U.S. networks “are as porous as a colander,” according to Richard Clarke, former White House counterterrorism chief, as quoted in Wired.
To solve a cyber-security problem the General Accountability Office reported had been so low on the Dept. of Defense’s agenda during the past 21 years that the DoD had no coherent central policy, procedures or even identified leaders in the process of stopping the leak of information from its servers and those of its defense contractors.
Did DARPA get the fresh ideas and offers of help it was hoping for when it put the colloquium together?
Will the $208 million it is asking that Congress give it for cybersecurity research next year do any good?
Probably. You can’t wave that much cheese around – while promising it will continue to grow – without getting a few rodents sniffing after it.
Wired reported that the DARPA people were happier about recruiting in their own conference than they are at the Black Hat/DefCon conference in Las Vegas.
It also reported most of the “hackers” in the room wore nametags from existing defense companies, or academic institutions already funded by DARPA.
It may have been difficult for hackers who are outside the defense-industry clique to even have heard about the conference, let alone gotten themselves an invite without cracking the server holding the guest list and adding their own names.
It doesn’t sound like this one conference broke much ice, but it does show DARPA and the DoD at least know what the problems are and that they’re going outside their comfort zone to find solutions.
It’s not surprising that DARPA would recruit from the counterculture for technical skills it needs.
It is surprising that the super-secret, super-conservative National Security Agency would, let alone the U.S. Cyber Command – the recently minted wing of the U.S. military charged with securing the U.S. against Cyber attack would do so. The DoD, at least, has a very heavy bias toward those already in uniform or contractors working for established defense suppliers.
Right there among the (very few, according to Wired) hackers was Gen. Keith Alexander, head of the secret National Security Agency and of the new U.S. Cyber Command, speaking optimistically and doing his part in what was essentially a pep talk to the civilian infosec community.
Alexander’s been making the rounds lately, too. Talking up the potential of a second, secure Internet for critical services, urging more planning and resources for national response to cyber-emergencies and revealing his NSA security wonks were helping their counterparts in the financial services industry shore up their own security a bit.
That’s rare for a DoD security guy; it’s unheard of for one from the NSA.
It, and the DARPA conference, could be real-world indications the two are changing the way they think about, react to and build security systems and expectations online.
By coming out in public with so unguarded a request for help, DARPA and the DoD are doing more than just recruiting hackers.
They’re doing the political prep work to raise the issue in the public eye and fertilize the political ground so any seeds they manage to plant with lawmakers have a better chance to grow.
It’s not, strictly speaking, security work, which tends to be done most often in the shadows, where both tactics and weaknesses can be better hidden.
It is the way change is begun in Washington. Slowly, with lots of talk, lots of bluster, lots and lots of fertilizer and, according to Wired’s rundown of the DARPA conference’s menu, “bowls of M&Ms and blueberry-infused lemonade.”
There’s a tool for everything. Sometimes it’s a hacker and, I guess, sometimes it’s lemonade with blueberries.
Read more of Kevin Fogarty’s CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.