You smile as your shiny new, factory-fresh IT device boots up for the first time... and a cybercriminal smiles with you, because as soon as you press the "on" button, the device immediately connects to a botnet command-and-control center, ready to start sending over your sensitive data. It's a nightmare, especially if you're a military intelligence agency.
Recent events have shown that this isn't merely a theoretical example of fear, uncertainty, and doubt. Microsoft's Digital Crimes Unit found that malware, including the Nitol botnet code, was being installed on PCs before they even made it to store shelves. In September, the Digital Crimes Unit was deputized by a US court to block and disrupt criminal groups that have infiltrated the PC manufacturing supply chain.
To keep infected devices like these out of the US Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) has created the Vetting Commodity IT Software and Firmware program, aiming to make it possible to vet the security of each and every IT device before it's deployed at DoD. Next Wednesday, DARPA will host an unclassified briefing for researchers who might want to submit proposals for the VET project. According to DARPA's official announcement:
"The VET program will seek to demonstrate that it is technically feasible for the Department of Defense (DoD) to determine that the software and firmware shipped on commodity Information Technology (IT) devices is free of broad classes of backdoors and other hidden malicious functionality."
The project has three main objectives. First, they need to figure out how to define "malice" -- to identify what should be considered malicious functionality. Second, they need to learn how to confirm the absence of malice on an individual piece of equipment. Third, they need to make the assessment methods scalable. The goal is to have each and every device assessed and cleared before it's deployed at DoD -- that's every single one of the millions of smartphones, PCs, routers, printers, etc. that DoD uses. That's a lot of work. As the DARPA notice states:
"The goal of making this determination for every new device in a timely fashion at scale across all of DoD is beyond presently deployed techniques. The VET program will seek to develop and demonstrate new tools and techniques to establish that this goal is technically feasible."
But is it feasible? That depends on how deep they want these examinations to go. Adequate assessment might require disassembly and reassembly of each piece of hardware and/or a review of each component's entire code base. That's a lot of work. DoD might also encounter resistance from the manufacturers throughout the global supply chain, who may balk at these investigations of their proprietary code, intellectual property, or business practices.
"Rigorously vetting software and firmware in each and every one of [the DoD devices] is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread," stated DARPA program manager Tim Fraser in the press release. "The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."
Let's say that the VET program does find a way to adequately assess all commodity software and hardware. Of course, they wouldn't approve any tools that are found to have "malicious functionality." However, in their testing, they'll most likely find some non-malicious vulnerabilities in these products that could be exploited by malicious individuals. If they rule those tools out, what (if anything) will they be left with?
What are your predictions? Do you think the VET program will achieve its goals? If so, how long do you think it will take? If it does succeed, what hardware and software do you think will make the final cut? Let us know in the comments below.