A new effort to rate the security of software and systems could help foster a much-needed better understanding of the economics of cybersecurity and enable an expansion of the cyber insurance market, according to Defense Advanced Research Projects Agency Director Arati Prabhakar.
Inside Cybersecurity reported this week that prominent security researcher Peiter Zatko had secured a $499,935 contract funded by DARPA to independently test and rate the cybersecurity of commercial software and systems. The endeavor would create an unprecedented, publicly available tool for companies and individual consumers to find the most secure products in the marketplace, he said in an interview via email.
The project “potentially could be a very important part of this notion of the emergence of a robust economic model for cybersecurity and insurance and the other products that might go with that,” Prabhakar said Thursday in response to a question from Inside Cybersecurity at an event sponsored by the Christian Science Monitor's Passcode blog.
“So I hope it will make a contribution in that area,” she said. Earlier in her remarks, Prabhakar stressed the need to figure out the economics of cybersecurity and to allow a cyber insurance market to “flourish.” Zatko has also said the new project could help the cyber insurance business assess cyber risks.
Zatko, a.k.a. Mudge, came to fame -- and testified before Congress in 1998 -- as a member of the high-profile hacker group the L0pht. He later spearheaded cybersecurity research at DARPA. Zatko joined Google in 2013, but left the company this year to stand up a new cybersecurity entity modeled on Underwriters Laboratories, the global independent safety science company known for product safety standards development, testing and certification. He has compared the effort to Consumer Reports, which was formed as a nonprofit in 1936 to provide unbiased product testing and ratings.
Bill Vanderlinde, office director for safe and secure operations at the Intelligence Advanced Research Projects Activity, said at the same event Thursday it was “high time” to hold industry accountable for producing insecure products. He cited Zatko's efforts and general discussions about developing an Underwriters Laboratories for software.
“Can I create a capability that allows me to test and evaluate software that says it does everything it is supposed to and it doesn't do things it's not supposed to?” Vanderlinde said.
A perfect capability of this kind is probably impossible, he said, but a “99 percent guarantee” could help boost consumer confidence and hold developers “responsible and liable to some degree” in that developers would not be able to market a product “until it's good enough to get a stamp of approval.”
Deciding who should provide that stamp of approval and whether it should be the government or a nonprofit is “a good public debate to have,” he said. “But we have to move off from just wringing our hands and saying, 'Oh, I don't know what to do about it.'”
Prabhakar acknowledged that she had been unaware of the contract awarded to Zatko until Wednesday because it was not among the agency's largest programs.
“Someone asked me about this at a meeting yesterday and I actually didn't know we had done that with Mudge,” Prabhakar said. “But in addition to the roughly 200 [DARPA] programs . . . that . . . go through a formal process and that I know about and I sign off on, by design we allow our program managers to do smaller seedling projects and I later learned that that's one of our smaller seedling projects.”
“So, sorta cool we're doing something with Mudge that I didn't know about,” she said. “I don't really know in detail about that project. But my understanding is that the objective is to try to rate cybersecurity tools or products and create a little bit better understanding about what their capabilities are.”
The effort, dubbed Consumer Security Reports, has a broad scope that includes software, firmware and the Internet of Things, according to Zatko, whose company is the Cyber Independent Testing Laboratory.
“Think of this as a cybersecurity parallel to nutritional facts on food, energy star ratings on appliances, or vehicle information guides in the windows of new cars,” he said in the interview.
The Cyber Independent Testing Laboratory “is proposed in two tracks that run in parallel,” according to a DARPA spokesman. The first track defines the metrics, ratings and certifications required to provide actionable measurements of software risk. The second track describes the mechanisms and processes needed to assess existing software according to the metrics defined in the first track. A “key feature” of the second track, the spokesman said, “is devaluing the current exploit market by automating static and runtime integrity analysis at scale.” – Christopher J. Castelli
Correction: The effort described is named Consumer Security Reports. The company involved is the Cyber Independent Testing Laboratory. The story has been updated to clarify this.