Black Hat 2011: New program to reduce the complexity of government-funded security research

Zatko announced the new Cyber Fast Track program during his keynote presentation at this year’s Black Hat security conference – a program he hopes will extend US Department of Defense funding on cybersecurity defense research to a wider array of researchers at a faster pace.

In reviewing the Defense Advanced Research Project Agency’s (DARPA) old approach to research funding, Zatko lamented that it often took teams of personnel to create proposals, with a turnaround time of approximately eight months before funding was awarded and research commenced. But Cyber Fast Track promises to reduce this lead-in time, while also simplifying the application process. It also will extend funding opportunities to smaller, more agile teams of researchers and boutique security labs.

“One of the main reasons I decided to join DARPA was that I was frustrated with how the government was handling cybersecurity”, Zatko admitted. “Cyber is very fast, very agile, flexible, resilient, and adaptable.” These are not attributes one can use to explain the operation of the US government, he jokingly added.

With this in mind, Zatko said his goal has been to also bridge the gap between hackers and the intelligence community to work on issues of security and defense. What he has also observed is that the number of cyber-related incidents continues to rise, even as the government spends more money on defense technologies.

The money, time, and effort put into malicious code has remained constant through the decades, he observed, while at the same time the money spent on IT security technologies has ballooned. And the number of attacks continues to rise, Zatko continued, because the technologies used to combat them have become far too complex, increasing the available attack surface.

Cyber Fast Track was created to deal with the complexity issue on both the technology and research fronts. “Welcome to the new DARPA”, Zatko declared as he announced the details of the program for the audience. “I’ve decided it’s time to start funding hacker groups and boutique security companies and making it easy enough for them to compete for government research money against the large, traditional government contractors.”

The program he outlined would allow for multiple, smaller teams of researchers to receive funding on research projects, thereby providing the government with numerous approaches to a particular problem. The objective is to keep pace with “the adversary lifecycle” Zatko noted, while also achieving quality research at a lower price.

He anticipates 20–100 funded projects each year, with a 14-day turnaround time on application decisions. In addition, there will be “simple proposal templates” for Cyber Fast Track applications. Finally, researchers who are awarded funding will keep permanent commercial intellectual property rights for the research, while the government will retain IP rights for defense/public sector applications.

Details of the new Cyber Fast Track program can be found at http://www.cft.usma.edu/.

What’s Hot on Infosecurity Magazine?