Looking to circumvent the typical onerous, long-term process of funding grants, the US Defense Advanced Research Projects Agency (DARPA) used the program to improve the government’s ability to keep up with fast-moving bad actors on the cybercriminal stage.
“For the time and money currently invested for one program, the government is striving to engage in dozens of programs,” DARPA explained in its mission statement for the program. “The government needs agile cyber projects that are smaller in effort, have a potential for large payoff, and result in a rapid turnaround, creating a greater cost to the adversary to counter.”
Since its launch in fall 2011, CFT has offered fast-track access to grants for a range of short-term security projects, including Charlie Miller’s NFC security research and Moxie Marlinspike's Convergence system, according to Kaspersky Lab. More recently, grants have been used for investigating forensic evidence on Mac OS X-based machines, and “developing software in support of a command and control system for disposable computers that are dropped from a drone into an area of interest,” Nextgov reported.
The program will be shutting its doors to new submissions on April 1, after an 18-month experimental run. In total, CFT received nearly 400 proposals over the course of the program, and bestowed grants to 101 of them.
The project was headed up by Peiter Zatko, who under the handle Mudge was a member of the L0pht hacking collective before joining the federal government as a grey-hat hacker. “CFT is ending because it was an experiment,” he noted, speaking at the CanSecWest conference in Vancouver this week. “DARPA isn't an open organization. We were looking for a new way to work with people.”
He added, "The back end is what's designed to transition so other large organizations can use this. I hope they look for more people who look at this and say, Mudge did it and he got out mostly intact."
Zatko noted that turning to the dark side for ideas was a savvy strategy for the government. “We oftentimes forget in security that your adversary has good ideas too,” he said. “People forget that there are game theoretics involved. If you make a change, they don't just pack up their ball and go home.”
Indeed they don’t. In fact, hackers are likely to make use of vendors’ own security bulletins and evolutions to find new vectors. Zatko said, for instance, about 28% of the vulnerabilities introduced every month are lifted from defensive technologies. "Trying to reduce predictable complexity with more predictable complexity is a bad strategy," he concluded.