{"id":16575,"date":"2025-02-24T09:48:13","date_gmt":"2025-02-24T12:48:13","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=16575"},"modified":"2025-02-24T09:48:13","modified_gmt":"2025-02-24T12:48:13","slug":"darpa-promueve-metodos-formales-para-prevenir-los-desastres-ciberneticos","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=16575","title":{"rendered":"DARPA promotes formal methods to prevent cyber disasters"},"content":{"rendered":"<p>Officials at the Defense Advanced Research Programs Agency have begun urging Defense Department managers to use idle DARPA cybersecurity tools intended to prevent attacks and accidents in critical programs.<\/p>\n<hr \/>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">Officials at the Defense Advanced Research Programs Agency have begun nudging Defense Department managers to utilize idling DARPA cybersecurity tools meant to preempt hacks and accidents in critical programs.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">A series of high-profile incidents in recent years has highlighted a kind of passivity among defense officials in the face of the damage caused, according to Kathleen Fisher, the director of DARPA\u2019s Information Innovation Office. 
Believing that systems can\u2019t stave off catastrophic cyber incidents caused by software vulnerabilities, the department often focuses instead on reactive fixes, she said.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">But proactive tools for building more resilient software already exist in the Pentagon\u2019s arsenal of countermeasures, she said at a demonstration day at the agency\u2019s Arlington, VA headquarters earlier this month.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">\u201cWe have many critical mission systems that have these kinds of vulnerabilities in them, and the way we\u2019ve learned to deal with them is after they\u2019ve been attacked, after we\u2019ve learned, \u2018OK, that\u2019s a bad one,\u2019 we then go and fix it,\u201d Fisher said. \u201cWe pay billions of dollars after the fact to go fix these problems.\u201d<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">In 2017, Russia conducted a cyberattack against Ukraine that\u2019s now known as NotPetya.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">While the attack targeted Ukraine\u2019s power infrastructure, it ended up spreading outside the country, affecting infrastructure and businesses across Europe, including a Danish logistics company, Maersk, which is responsible for about 20% of global container shipping. In seven minutes, the attack destroyed 50,000 of the firm\u2019s computers and nearly wiped out the active directory system tracking its container ships. 
The company estimated the damage at around $300 million.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">Seven years later, in July 2024, faulty software from\u00a0<a href=\"https:\/\/www.c4isrnet.com\/congress\/capitol-hill\/2019\/09\/26\/this-is-the-us-threat-intel-firm-referenced-in-the-trump-ukraine-controversy\/\" target=\"_blank\" rel=\"noopener\">security firm CrowdStrike<\/a>\u00a0took millions of government and private sector computers offline, delaying thousands of commercial flights and canceling medical procedures as part of the global outage. The disruption was widespread, but the root cause was determined to be an accident \u2014 a software glitch that spread through a routine update.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">Events like these \u2014 adversarial or accidental \u2014 have become\u00a0<a href=\"https:\/\/www.c4isrnet.com\/cyber\/2022\/11\/07\/advance-work-in-ukraine-blunted-russian-cyber-advantage-us-says\/\" target=\"_blank\" rel=\"noopener\">more prevalent in recent years<\/a>. And according to Fisher, they highlight troubling software vulnerabilities in critical infrastructure. In response, the Defense Department and the broader U.S. government have developed a sense of \u201clearned helplessness\u201d when it comes to addressing software vulnerabilities.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">Over the last 10 to 15 years, DARPA has proven that a software design approach called \u201cformal methods\u201d can address these vulnerabilities before they\u2019re exploited by a coding error or an attack. 
Rather than validate the security of software code solely by testing it after it\u2019s already written, a formal-methods approach designs software through rigorous mathematical analysis, verifying its performance before and as it\u2019s being built.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">Some of the tools DARPA has developed have made their way into DOD programs of record, but adoption has been limited. Now, as concerns grow about the cybersecurity of military weapon systems, the agency is trying to raise awareness in the defense acquisition community that these solutions exist and are available for use.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">\u201cWe can imagine a world without these software vulnerabilities, where we can eliminate the sense of learned helplessness across DOD, where we can rapidly secure critical systems . . . and where we can create a sustainable ecosystem of formal-methods tools that are ready and off the shelf for people to use,\u201d Fisher said.<\/p>\n<p class=\"heading__StyledHeading-sc-123v3ct-0 gpyzAH a-heading1\"><strong>DARPA demos<\/strong><\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">One early DARPA program to showcase the utility of formal methods was the\u00a0<a href=\"https:\/\/www.c4isrnet.com\/home\/2017\/05\/09\/rockwell-collins-wins-darpa-cyber-contract\/\" target=\"_blank\" rel=\"noopener\">High-Assurance Cyber Military Systems effort, or HACMS<\/a>. 
The program ran from 2012 to 2016 and culminated with two demonstrations, the first using a small quadcopter drone and then, in 2017, using Boeing\u2019s autonomous helicopter, the Unmanned Little Bird.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">During the second demonstration, a red team of hackers tried unsuccessfully to infiltrate the aircraft, according to Darren Cofer, a principal fellow at Collins Aerospace, whose predecessor Rockwell Collins was a contractor on HACMS.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">\u201cIn HACMS, we showed that formal methods could be used to eliminate important security vulnerabilities from embedded systems in real aircraft,\u201d Cofer said during the DARPA demo day.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">The agency has since pursued several other efforts to improve the usability of formal methods for DOD platforms. One of those programs, called SafeDocs, addresses vulnerabilities in parsers \u2013 software tools that convert data into a usable format. Another effort, Assured Micro Patching or AMP, provides a way to fix software bugs without the source code and ensure that the fix itself doesn\u2019t do more damage.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">These tools have all transitioned to DOD programs in a limited capacity, and DARPA has\u00a0<a href=\"https:\/\/www.c4isrnet.com\/cyber\/2024\/06\/05\/darpa-sees-automated-tools-helping-streamline-software-certification\/\" target=\"_blank\" rel=\"noopener\">several other ongoing efforts<\/a>\u00a0aimed at further improving formal methods. Fisher noted that because the problem hasn\u2019t been fully solved, there\u2019s a tendency for programs to hold off on adopting it. 
But DARPA sees potential for these technologies to be planted more widely now &#8212; both to secure existing DOD software installed on legacy platforms and to design software for future systems.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">\u201cWe have plenty of technology that\u2019s ready for prime time and we should go ahead and transition and use that technology now because it will dramatically improve the security of our systems,\u201d she said. \u201cWe can\u2019t afford to wait until we\u2019ve solved the whole problem to use the technology that we\u2019ve got now.\u201d<\/p>\n<p class=\"heading__StyledHeading-sc-123v3ct-0 gpyzAH a-heading1\"><strong>Spreading the word<\/strong><\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">How quickly and broadly the Defense Department adopts these tools depends on a number of factors \u2014 including funding and prioritization within the military services.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">To help spread the word and address barriers to adoption, DARPA kicked off the Capstone program last year. Through a partnership with the Undersecretary of Defense for Research and Engineering and the Director of Operational Test and Evaluation, the agency is working with the services to identify platforms that could benefit from formal methods.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">DARPA is providing some matching funds to make the tools available and, according to program manager Steve Kuhn, expects to identify the platforms by May. 
Once the Capstone programs are selected, the agency will help identify and fix software vulnerabilities within them and capture lessons learned to be compiled in a best practice guide that all programs will be able to access.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">DARPA\u2019s hope, Kuhn said, is that the guide will help DOD program offices see how resilient software tools are being applied and offer a resource that helps with that implementation.<\/p>\n<p class=\"Paragraph-sc-1tqpf5s-0 bFwqVI body-paragraph body-paragraph\">\u201cPart of the strategy that we\u2019ve been embarking on is really an adoption plan that brings these resilient software tools to both our defense industrial base, our partners and the services themselves,\u201d Kuhn said. \u201cWe\u2019re not going to fix everything, but can we really capture what it takes to bring these tools to the masses?\u201d<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/www.c4isrnet.com\/pentagon\/2025\/02\/21\/darpa-touts-formal-methods-for-nipping-cyber-disasters-in-the-bud\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.c4isrnet.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Officials at the Defense Advanced Research Programs Agency have begun urging Defense Department managers to use&hellip; 
<\/p>\n","protected":false},"author":1,"featured_media":16576,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/16575"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16575"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/16575\/revisions"}],"predecessor-version":[{"id":16577,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/16575\/revisions\/16577"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/16576"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}