Pulse

By GCN Staff

DARPA targets supply-chain threats in hardware, firmware

Amid growing concerns about malware threats in the IT supply chain, the Defense Advanced Research Projects Agency is looking for ways to test commercial products on a large scale to make sure they’re “clean.”

DARPA has launched the Vetting Commodity IT Software and Firmware (VET) program to find methods of ensuring that the commercial IT products the Defense Department buys, ranging from smartphones to routers, are free of backdoors, malicious code and other potential threats.

Supply-chain security has come to the fore recently, with a congressional intelligence panel warning that the United States “should view with suspicion” the growth of Chinese telecommunications companies in the U.S. market. A recent report by the Georgia Tech Information Security Center and Georgia Tech Research Institute identified supply chain threats as a serious, and hard to detect, threat.

Back doors, spyware and other malicious code could theoretically be designed into products or added by a manufacturer, vendor or integrator.

DARPA’s VET program wants to test products before they’re installed, which would seem to be a pretty big job.

“DOD relies on millions of devices to bring network access and functionality to its users,” Tim Fraser, DARPA program manager, said in a statement. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

With VET, DARPA wants to develop a three-step process:

  • Defining malice: Given a sample device, how can DOD analysts produce a prioritized checklist of software and firmware components to examine and list broad classes of hidden malicious functionality to rule out?
  • Confirming the absence of malice: How can analysts demonstrate the absence of those broad classes of hidden malicious functionality?
  • Examining equipment at scale: How can the procedure scale to non-specialist technicians who must vet every individual new device used by DOD prior to deployment?

DARPA will host a proposer’s day Dec. 12 in Arlington, Va., to brief interested participants in the program.

Posted by Kevin McCaney on Dec 04, 2012 at 9:39 AM

