The Washington Post

The Cybersecurity 202: DARPA wants hackers to try to crack its new generation of super-secure hardware

with Tonya Riley

The Pentagon’s top research agency thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers. 

Now, the Defense Advanced Research Projects Agency, which helped invent GPS and the Internet, is launching a contest for ethical hackers to try to break into that technology before it goes public. DARPA is offering the hackers cash prizes for any flaws they find using a program called a “bug bounty.”

The new technology is based on re-engineering hardware, such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible. That’s far different from the standard approach to cybersecurity, in which tech companies release a never-ending stream of software patches every time bad guys discover a new bug.  

If industry widely adopts the new systems, DARPA researchers believe they can finally shift the tide in a battle that has favored hackers over defenders basically since the birth of the Internet. 

“It [would have] a huge, huge impact,” DARPA Microsystems Technology Office Program Manager Keith Rebello, who’s running the program, told me. “About 70 percent of all cyberattacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.” 

DARPA has built model versions of several different computerized systems that use the new hardware and that cybersecurity pros will try to break into. 

The agency purposefully chose some of those models to demonstrate the dangers of the current generation of poorly secured hardware and to show how much safer the world could be with more secure versions, Rebello told me.

The biggest ticket item is a voter registration database. State and federal election officials have identified such systems as one of the greatest vulnerabilities if hackers from Russia or elsewhere try to undermine the 2020 election. Kremlin-linked hackers successfully broke into voter databases in Illinois and Florida in 2016, though there’s no evidence they changed any votes. 

If DARPA can prove its version of the database is far tougher to hack, that could be a game-changer, allowing officials to be far more confident about election security. 

Another model for the bug bounty is a medical database containing research into the novel coronavirus — information that FBI and Department of Homeland Security officials say is being targeted by Chinese hackers.

“We wanted to use demonstrations that are relevant to show the impact that we can have with this technology,” Rebello told me. 

The program, which is officially called System Security Integration Through Hardware and Firmware, or SSITH, started in 2017 and will run for another year. So there will be time to make fixes based on problems the cybersecurity pros uncover. 

The secure hardware itself is funded by DARPA but is being built by researchers and academics at places like Lockheed Martin, the University of Michigan and the Massachusetts Institute of Technology. 

This is the first bug bounty for the DARPA hardware program, but such programs have become increasingly popular in government in recent years. 

DARPA is working with the Defense Digital Service, a technology tiger team inside the Pentagon that has managed bug bounties for the Army, Navy and Air Force and recently helped find hackable bugs in systems on a U.S. fighter jet. 

The project is also being managed by the cybersecurity company Synack, which specializes in running bug bounties and has worked with the Defense Digital Service on some of its earlier projects. 

The largest share of the hacking will be done by cybersecurity pros who work regularly with Synack and have expertise in a number of specialized areas, including hacking hardware. There will also be a broader part of the program that’s basically open to anyone with hacking experience who isn’t barred from working with the government, such as people on terrorist watch lists. 

“This is a wide pool of people with different skill sets that we might not always find in government,” Rebello said. “We’ll have three months for the hacker community to experiment and take things apart, and try and reverse-engineer our hardware to see if they can break it.”

DARPA couldn’t say how much money it expects to pay out to hackers who find bugs. Synack said its payouts “typically range from hundreds to tens of thousands of dollars for very severe vulnerabilities.” 

The new secure hardware won’t be commercially available in time for the election in November or probably to protect research for a coronavirus vaccine. 

But Rebello is hopeful it will start being integrated into some commercially available computer chips in the next two to four years, he told me. 

A handful of companies have already expressed interest in piloting some version of the system, including the British firm Arm Holdings, he said. 

The rush is on because cybersecurity is going to grow far more important during the next decade.

That’s partly because critical business sectors will be doing far more of their work using online systems, such as manufacturing, medicine, transportation, energy and agriculture. The Internet will also begin connecting to a slew of new devices that weren’t networked before, such as driverless cars, thermostats and home security systems, creating far more opportunities for hackers. 

“The attack surface is going to explode, so we really need to start thinking about how we can rein that in,” Rebello said. “And having secure hardware, I think, is one very important key to solving that puzzle.” 

The keys

Democrats want to ensure federal agencies aren’t conducting improper surveillance on protests against police brutality. 

Sen. Kamala D. Harris (Calif.) and Reps. Mary Gay Scanlon (Pa.) and Juan Vargas (Calif.) led 97 colleagues in a letter to Customs and Border Protection and Immigration and Customs Enforcement officials demanding answers about what surveillance tools the agencies have used, how they shared surveillance footage and whether their staffs have been trained to comply with privacy laws.

In a separate letter, Democrats on the House Oversight Committee, including Rep. Alexandria Ocasio-Cortez (D-N.Y.), demanded a full account of DHS's role in surveillance of protesters in Minneapolis, where George Floyd was killed in police custody and where the protest movement began.

The letter slammed the agency's use of a military drone for surveillance as a "gross abuse of authority." 

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) has also demanded answers about the agencies’ surveillance. So far DHS has not scheduled a briefing or answered Thompson’s letter, according to a committee representative.

Drug Enforcement Administration agents have also reportedly conducted surveillance of the protests. Rep. Ted Lieu (D-Calif.) announced on Twitter that he's working on a bill that would ban agencies from using powerful “Stingray” technology that spoofs cellphone towers to collect cellular messages and data from protesters. 

It's unclear if the DEA actually used the technology, which could ensnare the communications of thousands of bystanders.

Google and Apple are struggling to ban coronavirus contact tracing apps that violate privacy rules. 

Some of the suspect apps aren't clear about users' privacy protections while others don't have privacy policies at all, Khadeeja Safdar and Kevin Poulsen at the Wall Street Journal report. Researchers at the International Digital Accountability Council also found apps that failed to safeguard users’ location and other sensitive data, potentially exposing it to hackers.

Lawmakers recently introduced legislation that would limit data coronavirus-tracing apps can collect and potentially ban them from using it for commercial purposes. 

Until those laws are passed, however, it's mostly up to Apple and Google to decide which apps to allow in their stores. And changing guidelines have led to confusion for some developers.

Google removed one contact tracing app that included paid ads allegedly profiting off the pandemic. Apple forced the company to stop taking money for ads on its version of the app. 

A major British bank fears it will face economic reprisals from China if the United Kingdom bans Huawei from its 5G network.

The chairman of HSBC privately urged Prime Minister Boris Johnson not to go through with banning Huawei, the Telegraph reports. British lawmakers could reach a decision as soon as this month over whether to ban Huawei from its 5G network. The lawmakers previously approved a limited role for the company but have reconsidered the decision in light of a U.S. decision to ban Huawei from using chips made with U.S. technology. 

It's another example of the wide-reaching economic repercussions of the feud between the Chinese telecom giant and the United States. 

The United States has long accused Huawei of providing a possible backdoor for Chinese spying, allegations that the company has denied. 

The Wall Street Journal's Dan Strumpf has a detailed behind-the-scenes account of Huawei's efforts to combat U.S. claims. 

Securing the ballot

An online voting platform that’s been used by voters in several states can be manipulated to alter votes, a new study finds. 

That manipulation might not be detected by voters or election officials, according to the study from researchers at the University of Michigan and M.I.T. The platform, called OmniBallot, was offered to voters with disabilities in Delaware’s primary last week and in local elections in New Jersey and it’s been used elsewhere by voters with disabilities. 

The new report follows a warning from DHS and the FBI last month discouraging states from using “electronic ballot return technologies.”

The paper also says the company that runs OmniBallot, Democracy Live, fails to protect voters from potential ad targeting based on their voter data. 

Democracy Live Chief Executive Bryan Finney defended the platform in a New York Times interview, saying online voting options are necessary to make sure people aren’t blocked from voting. “No technology is bulletproof,” he said. “But we need to be able to enfranchise the disenfranchised.”

Chat room

Here are recommendations for how election officials can use OmniBallot's technology while mitigating risk from one of the report's lead authors, University of Michigan professor Alex Halderman:

Cyber insecurity

Hackers targeted more than 100 high-ranking executives helping the German government procure protective equipment during the coronavirus pandemic.

It's unclear how many of the phishing attacks were successful, IBM X-Force researchers say.

The ongoing campaign highlights how a scramble for supplies to battle a second wave of coronavirus could create new hacking threats, they say. 

More in cyberattacks and disruptions:

Bail organizations, thrust into the national spotlight, are targeted by online trolls (NBC News)
Secure log off

Footage from The Post of the Black Lives Matter protests in Washington:

More than 10,000 demonstrators took to the streets of Washington, D.C., on June 6, the ninth day of protests in the District over police brutality. (Video: The Washington Post)