Foreign Hackers Spur DARPA Technology Development

More than 25 years ago, the threat of nuclear war prompted the Defense Advanced Research Projects Agency to develop the almost bomb-proof communications conduit, otherwise known as the Internet. Now the threat of foreign hackers using the Internet has sent the agency back to the lab to develop innovative computer-defense technology.

But the development of a nationwide defense against hackers will take perhaps two decades, said Howard Frank, director of the information technology office at DARPA in Arlington, Va. "This is a 20-year problem," he said.

Over the next three years, the agency will spend $116 million on its Survivability of Large-Scale Systems computer-security program. The program is intended to help the nation's electronic nervous system -- phones, power grid, air traffic control network and banking system -- to continue operating throughout a determined, intelligent and well-funded attack by a foreign enemy.

Defense officials fear that an enemy could use computer viruses, logic bombs and other hacker tools to crash these critical networks during a war or crisis, thus causing more economic damage than could be inflicted by a non-nuclear missile strike, and also crippling U.S. military power. Officials say the Pentagon depends on the commercial networks to transport, pay, supply and organize its troops during war time.

DARPA officials do not plan to build and sell information-security products, but they want to develop new ideas, technologies and expertise for industry to use from 1997 onward, said Frank. Deployment of the technology "is not our mission," he said.

One of the first steps in DARPA's technology program is an agreement with the Washington-based National Academy of Sciences to launch a two-year study of existing computer-security technology.

Software developers and software-using companies will eventually use DARPA's new defense measures, said Frank, because they don't want to suffer from hacker attacks. "Every now and again, you see fairly massive failures of [computer] systems," which cost companies money and may expose them to expensive lawsuits, he said. Also, software developers and other experts have a professional ethic that will prompt them to design high-security systems that operate well despite hacker attacks, he said.

DARPA's technology development program was welcomed by executives in the burgeoning computer-security industry. Charles Stuckey, CEO of the computer-security company Security Dynamics Technologies Inc., said DARPA's track record indicates the computer-security industry will likely benefit from DARPA's technology. "A little bit of [DARPA] seed funding from the government goes a long way" toward the development of valuable technology, echoed Brian O'Higgins, director of Northern Telecom's security products unit.

But Stuckey and O'Higgins warned that DARPA and the government may not be able to keep pace with the fast-changing infotech business. For example, DARPA has worked for several years to develop secure operating system software for computers, but industry's attention has now shifted to the World Wide Web, O'Higgins said.

DARPA's vision of a national computer defense is modeled after the defenses built by biology and society against viruses. People are protected from diseases by their skin, duplicate organs, immune systems and ability to heal themselves. Societies try to fend off disease by creating a public health system to detect and suppress plagues, by using a marketplace to rationally distribute critical resources such as medicine and shelter, and by educating sufficient people to ensure a disease can't wipe out critical skills.

To match this vision, Frank is developing so-called canary computer systems, whose failure would warn U.S. officials and executives when their computer systems are being attacked, just as caged canary birds in the 1800s warned miners of dangerous gas buildups.

To gather more information about attackers, DARPA officials are considering the development of computerized "honeypots." These cordoned-off computers contain apparently interesting data and would be carefully monitored to allow government or company officials to study the hackers' techniques.

DARPA officials also want to develop technology for an automated clearinghouse for computer services. This clearinghouse would provide a nationwide marketplace for computer processing power, which could be bought and sold electronically, and be instantly made available via high-speed networks. During any massive hacker attack, the clearinghouse would allow the government -- or a private company -- to quickly buy vital computing power from agencies or companies with functioning computers and networks.

Another critical element of the national computer defense would introduce variety within each software product, said Frank. DARPA officials would like to develop techniques that would allow each software product to be produced in many different forms, greatly increasing the chance that some would survive a computer virus or another hacker attack.

For example, software manufacturers could frequently alter the position and time sequence of standard software components within a software product such as Windows 95. They could also develop software designed to adapt to the needs of its user, ensuring that each copy of the software sold in the marketplace would evolve into a slightly different form.

DARPA also wants to help jump-start long-term research by universities and other non-government organizations, said Frank. "There are growing pockets of expertise" at the Massachusetts Institute of Technology, Cambridge, Mass., Cornell University, Ithaca, N.Y., and the industry-sponsored Open Systems Foundation. Additional centers of expertise are needed in such places as software giant Microsoft Corp., Redmond, Wash., he said.

Frank's program is coordinated with other government defense efforts, including development efforts launched by the National Security Agency, Fort Meade, Md., and the Defense Information Systems Agency, based in Arlington, Va.

DARPA already has awarded contracts for the development of innovative security tools. For example, the Software Engineering Institute in Pittsburgh has won an $800,000 contract to help design an attack-warning center. The warning center would operate like the government-sponsored Center for Disease Control, which now alerts doctors, hospitals, the medical industry and citizens to emerging diseases.

Another contract went to Trusted Information Systems Inc., based in Glenwood, Md., for the development of a policy-neutral key management concept. If completed, the concept could promote the use of data-scrambling encryption devices in international trade, while allowing many governments to maintain domestic controls on the use of encryption technology.