Nipping Cyber Disasters: DARPA Backs ‘Formal Methods’ Utilisation

Washington: Officials at the Defence Advanced Research Programs Agency (DARPA) have begun nudging Defence Department managers to utilise idling DARPA cybersecurity tools meant to preempt hacks and accidents in critical programs.

A series of high-profile incidents in recent years has highlighted a kind of passivity among defence officials in the face of the damage caused, according to Kathleen Fisher, the director of DARPA’s Information Innovation Office. Believing that systems can’t stave off catastrophic cyber incidents caused by software vulnerabilities, the department often focuses instead on reactive fixes, she said.

But proactive tools for building more resilient software already exist in the Pentagon’s arsenal of countermeasures, she said at a demonstration day at the agency’s Arlington, VA headquarters earlier this month.

“We have many critical mission systems that have these kinds of vulnerabilities in them, and the way we’ve learned to deal with them is after they’ve been attacked, after we’ve learned, ‘OK, that’s a bad one,’ we then go and fix it,” Fisher said. “We pay billions of dollars after the fact to go fix these problems.”

In 2017, Russia conducted a cyberattack against Ukraine that’s now known as NotPetya. While the attack targeted Ukraine’s power infrastructure, it ended up spreading outside the country, affecting infrastructure and businesses across Europe, including a Danish logistics company, Maersk, which is responsible for about 20% of global container shipping. In seven minutes, the attack destroyed 50,000 of the firm’s computers and nearly wiped out the active directory system tracking its container ships. The company estimated the damage at around $300 million.

Seven years later, in July 2024, faulty software from security firm CrowdStrike took millions of government and private sector computers offline, delaying thousands of commercial flights and cancelling medical procedures as part of the global outage. The disruption was widespread, but the root cause was determined to be an accident — a software glitch that spread through a routine update.

Events like these — adversarial or accidental — have become more prevalent in recent years. And according to Fisher, they highlight troubling software vulnerabilities in critical infrastructure. In response, the Defence Department and the broader US government have developed a sense of “learned helplessness” when it comes to addressing software vulnerabilities.

Over the last 10 to 15 years, DARPA has proven that a software design approach called “formal methods” can address these vulnerabilities before they’re exploited by a coding error or an attack. Rather than validate the security of software code solely by testing it after it’s already written, a formal-methods approach designs software through rigorous mathematical analysis, verifying its performance before and as it’s being built.

Some of the tools DARPA has developed have made their way into DOD programs of record, but adoption has been limited. Now, as concerns grow about the cybersecurity of military weapon systems, the agency is trying to raise awareness in the defence acquisition community that these solutions exist and are available for use.

“We can imagine a world without these software vulnerabilities, where we can eliminate the sense of learned helplessness across DOD, where we can rapidly secure critical systems . . . and where we can create a sustainable ecosystem of formal-methods tools that are ready and off the shelf for people to use,” Fisher said.
