Pulse

By GCN Staff


DARPA targets supply-chain threats in hardware, firmware

Amid growing concerns about malware threats in the IT supply chain, the Defense Advanced Research Projects Agency is looking for ways to test commercial products on a large scale to make sure they’re “clean.”

DARPA has launched the Vetting Commodity IT Software and Firmware (VET) program to find methods of ensuring that the commercial IT products the Defense Department buys, ranging from smart phones to routers, are free of backdoors, malicious code and other potential threats.

Supply-chain security has come to the fore recently, with a congressional intelligence panel warning that the United States “should view with suspicion” the growth of Chinese telecommunications companies in the U.S. market. A recent report by the Georgia Tech Information Security Center and Georgia Tech Research Institute identified supply-chain threats as serious and hard to detect.

Back doors, spyware and other malicious code could theoretically be designed into products or added by a manufacturer, vendor or integrator.

DARPA’s VET program wants to test products before they’re installed, which would seem to be a pretty big job.

“DOD relies on millions of devices to bring network access and functionality to its users,” Tim Fraser, DARPA program manager, said in a statement. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

With VET, DARPA wants to develop a three-step process:

  • Defining malice: Given a sample device, how can DOD analysts produce a prioritized checklist of software and firmware components to examine and list broad classes of hidden malicious functionality to rule out?
  • Confirming the absence of malice: How can analysts demonstrate the absence of those broad classes of hidden malicious functionality?
  • Examining equipment at scale: How can the procedure scale to non-specialist technicians who must vet every individual new device used by DOD prior to deployment?

DARPA will host a proposer’s day Dec. 12 in Arlington, Va., to brief interested participants in the program.

Posted by Kevin McCaney on Dec 04, 2012 at 9:39 AM

