DoD Aims to Vet Every Device's Security

Sara Peters, Editor in Chief | 12/5/2012 | 5 comments

You smile as your shiny new, factory-fresh IT device boots up for the first time... and a cybercriminal smiles with you, because as soon as you press the "on" button, the device immediately connects to a botnet command-and-control center, ready to start sending over your sensitive data. It's a nightmare, especially if you're a military intelligence agency.

Recent events have shown that this isn't merely a theoretical example of fear, uncertainty, and doubt. Microsoft's Digital Crimes Unit found that malware, including the Nitol botnet code, was being installed on PCs before they even made it to store shelves. In September, the Digital Crimes Unit was deputized by a US court to block and disrupt criminal groups that have infiltrated the PC manufacturing supply chain.

To keep infected devices like these out of the US Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) has created the Vetting Commodity IT Software and Firmware program, aiming to make it possible to vet the security of each and every IT device before it's deployed at DoD. Next Wednesday, DARPA will host an unclassified briefing for researchers who might want to submit proposals for the VET project. According to DARPA's official announcement:

    The VET program will seek to demonstrate that it is technically feasible for the Department of Defense (DoD) to determine that the software and firmware shipped on commodity Information Technology (IT) devices is free of broad classes of backdoors and other hidden malicious functionality.

The project has three main objectives. First they need to figure out how to define "malice" -- to identify what should be considered a malicious functionality. Then they need to learn how to confirm the absence of malice on an individual piece of equipment. Then they need to make the assessment methods scalable. The goal is to have each and every device assessed and cleared before it's deployed at DoD -- that's every single one of the millions of smartphones, PCs, routers, printers, etc. that DoD uses. That's a lot of work. As the DARPA notice states:

    The goal of making this determination for every new device in a timely fashion at scale across all of DoD is beyond presently deployed techniques. The VET program will seek to develop and demonstrate new tools and techniques to establish that this goal is technically feasible.

But is it feasible? That depends on how deep they want these examinations to go. Adequate assessment might require disassembly and reassembly of each piece of hardware and/or a review of each component's entire code base. That's a lot of work. DoD might also encounter resistance from the manufacturers throughout the global supply chain, who may balk at these investigations of their proprietary code, intellectual property, or business practices.

"Rigorously vetting software and firmware in each and every one of [the DoD devices] is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread," stated DARPA program manager Tim Fraser in the press release. "The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

Let's say that the VET program does find a way to adequately assess all commodity software and hardware. Of course, they wouldn't approve any tools that are found to have "malicious functionality." However, in their testing, they'll most likely find some non-malicious vulnerabilities in these products that could be exploited by malicious individuals. If they rule those tools out, what (if anything) will they be left with?

What are your predictions? Do you think the VET program will achieve its goals? If so, how long do you think it will take? If it does succeed, what hardware and software do you think will make the final cut? Let us know in the comments below.

kstaron   DoD Aims to Vet Every Device's Security   12/5/2012 4:30:45 PM
No more BYOD
If they want to vet every device's security then they need to supply those devices and not expect any BYOD. After they vet a device, then they need to have security for what programs can be downloaded onto it. It would be a logistical nightmare. I wonder how long something like that would take?

And then, if they can streamline it, how can they bring it to the general public so everyone can start with devices that don't have malware on them or any malicious intent. (Why does that make it sound like the machines are trying to take over?)
LuFu   DoD Aims to Vet Every Device's Security   12/5/2012 1:18:33 PM
Good luck

The goal is to have each and every device assessed and cleared before it's deployed at DoD...

So, the question is, what happens after my smartphone, iPad mini, and China manufactured laptop have been assessed and cleared? Are they going to prevent me from downloading Angry Birds Star Wars or Guitar Hero?

Pedro Gonzales   DoD Aims to Vet Every Device's Security   12/5/2012 10:59:42 AM
vet program a real challenge
I agree, I don't think this is a feasible project. It will require a lot of staff to check each individual device, communication with their providers. I think they will need two stages: one to detect the malicious software, another one to make the procedures so fast that it doesn't affect distributing the devices to their intended users.
Sara Peters   DoD Aims to Vet Every Device's Security   12/5/2012 10:25:58 AM
Re: Inevitable Disappointment
@CMTucker  "Is it inevitable?" I don't think that it's inevitable, no... actually I think it's rather unlikely. But I'm rooting for this really ambitious project. If DARPA can find a way to conduct this kind of rigorous assessment in a way that's quick, relatively easy, and doesn't demand an enormous amount of extra manpower, then it will be a great model for the rest of organizations to follow.
CMTucker   DoD Aims to Vet Every Device's Security   12/5/2012 10:12:26 AM
Inevitable Disappointment
@Sara that's a HUGE task to undertake! I don't know how this would work, seems like the biggest CIO nightmare ever. That's an incredible amount of man-hours for each of the different pieces of technology. I don't know if it is feasible, but that's probably not the question to ask.

Is it inevitable?

 

