Black Hat – Las Vegas 2011: DARPA’s Cyber Fast Track
Peiter C. Zatko (Mudge), network security expert and program manager for DARPA overseeing security research, explained how DARPA funding was going to very large, government contract-bound businesses who know the game and can afford to bid (and lose). The process for these businesses to go from idea to proposal and from funding to the market lasts over six years. Since we have no idea what the security landscape will be in one year, let alone six, this is obviously unacceptable for security projects.
Smaller companies seeking DARPA funding, which he called “boutique security shops,” face an unreasonable number of hurdles. These smaller entities face massive costs, unnecessary bureaucracies and a significant loss of time. Mudge acknowledged that the process needed improvement, and rolled out a new fast track program to address it.
He documented a few select groups funneling their proof of concept projects through the existing DARPA process, and identified the pain points. One such project was a system that rang every phone in a single country on an interval; it was built by two people in three weeks and cost essentially $0 to develop. This could help counter terrorism by preventing the use of cell phones as bomb detonators. In that scenario, the bomb builders would potentially lose control of the signal that triggers the detonator. This system could be very useful within the defense industry.
The new fast track program will now fund 20 to 100 projects per year. To put that into perspective, DARPA was shuffling a mere handful of projects for the same cost and timeline. The government will get government purpose rights, but the shops will retain full ownership and intellectual property rights, including the right to market the product commercially. This seems like an extremely effective way to utilize the private sector’s expertise and ingenuity. Everyone in attendance grew energized at the prospect of having DARPA fund their private projects. Plus, most DARPA security contracts have been granted to businesses that frequent Black Hat and Defcon, so this trend only helped spark the room further.
Mudge is well respected among the security community, and any innuendos of him “selling out” by working directly with the government are dispelled in my book, so long as this project comes to fruition as advertised.