![DARPA demo day _VM11348 (1)](https://breakingdefense.com/wp-content/uploads/sites/3/2025/02/VM11348-1-scaled-e1739284493789.jpg)
Darren Cofer, principal fellow at Collins Aerospace, demonstrates the company’s Secure Mathematically-Assured Composition of Control Models (SMACCM) capabilities at a DARPA demonstration day. (Photo courtesy of DARPA.)
WASHINGTON — Vulnerable US cybersecurity systems are indirectly allowing North Korea to bolster its nuclear arsenal, but thanks to existing technology this can be easily avoided, an official from the Defense Advanced Research Projects Agency said Monday.
North Korea is able to use the funds it acquires from ransomware attacks on US systems and those of other countries to pay for the development of nuclear weapons, Kathleen Fisher, director of DARPA’s Information Innovation Office, said during an agency event Monday.
However, thanks to the advanced technology DARPA has funded and industry and the Pentagon have been able to develop, the ransomware attacks are preventable. The problem lies in getting the tech into the hands of the right people, which is often bogged down by bureaucratic processes like authority to operate (ATO) procedures, Fisher said.
“We are essentially funding nuclear weapons development in North Korea with our bad software practices,” she said. “We know how to do better. It’s like all of that [North Korea’s ransomware attacks] is even worse, because we know how to do better. Imagine a world where our software is not riddled with these vulnerabilities.”
“This is compounded by our current ATO process, which means that it takes a very long time to update the software in our systems, because the ATO process is so slow, we have many mission critical systems that have known vulnerabilities, exploitable vulnerabilities in them that we can’t update for very long periods of time because the ATO process is so slow,” she said. “We can’t afford to continue that practice — the learned helplessness that is afforded in that practice.”
ATO procedures have long been viewed as a thorn in the side of the Pentagon’s acquisition process because of their redundancy. Different organizations typically have their own Authorizing Officer (AO) who has to give a piece of software an ATO before it can be implemented. AOs often have different criteria, so the software company going through this process has to operate a little differently each time, dragging the process down when the office next door may already have been cleared to use the same software.
Last May, the DoD issued new guidance that enforced the concept of ATO “reciprocity,” which essentially means that if one office certifies that a system is cyber secure, all other offices can accept that certification instead of having to redo the process. However, Fisher said that the lack of reciprocity in software systems is still widespread, hindering the advancement of cybersecurity software.
Impact Of Formal Methods
Though the dilemmas that ATOs pose are likely not going to be resolved anytime soon, the defense industrial base (DIB) still must focus its energy and resources on building resilient cybersecurity into software systems, Fisher said.
One technology practice that Fisher said should be more widely adopted to prevent ransomware attacks is “formal methods” — mathematically based approaches to producing software that come with checked guarantees and proofs that the code “cannot go wrong.” Some use cases of formal methods include DARPA’s previous High-Assurance Cyber Military Systems (HACMS) and Assured Micropatching (AMP) programs, along with the current Verified Security and Performance Enhancement of Large Legacy Software (V-SPELLS) program.
These programs, along with others, have showcased that using formal methods can ensure adversaries cannot penetrate systems. For example, under the HACMS program, run by Collins Aerospace (Rockwell Collins at the time), Secure Mathematically-Assured Composition of Control Models (SMACCM) was developed to showcase new tools for building unmanned aerial vehicle software that was resilient to adversarial hacking. During demos of the program, when a group of hackers playing the adversary tried to break into the drone’s system, nothing happened — an indication that everything went as planned.
An Alternative Route
The DIB and industry partners sometimes have to adopt less-traditional methods of acquiring cyber-secure tech to ensure the tech gets in the hands of operators and software engineers.
For example, it is increasingly common for DARPA to conduct the research required to see whether a method or technology is feasible, and then, once it proves its worth, industry can adopt it, Col. Rob Gerbracht, the Marine Corps Operational Liaison for DARPA, told reporters Monday. Then it makes its way back into the Pentagon, he said.
“Some of the technologies that DARPA leaps forward end up in the commercial sector and come back to us in the defense industrial base, far after they had actually been introduced,” Gerbracht said.
“Sometimes that’s the easiest way to do it,” Fisher added. “Everything is on the table to get maximization as fast as possible. DARPA isn’t about creating technology for the sake of creating technology, it’s about creating technology to change the world for better national security, for the warfighter’s safety.”