Why security vendors can’t keep up with malware authors — and what to do about it

There is a reason malware authors are outrunning security vendors: attacking computer networks is a lot easier than defending them, according to a cyber security expert at the Pentagon.

Peiter Zatko, the well-known hacker from the early L0pht group who goes by the handle Mudge, is now a program manager for cyber security at the Pentagon’s Defense Advanced Research Projects Agency (DARPA). In his keynote at the Black Hat security conference, he painted a grim picture of the cyber security landscape and proposed a new DARPA program to deal with the problems.

He noted that the number of new malware samples keeps rising even as the federal government’s spending on cyber security rises with it.

“It looks like the Russian government during the Cold War,” he said, referring to how rising defense spending drove the old Soviet Union into ruin.

Zatko analyzed 9,000 malware samples and found that, on average, each consisted of 125 lines of code. That represents very little cost, time, or engineering effort. By comparison, the most sophisticated cyber protection software runs to about 10 million lines of code. And, citing IBM research, Zatko said that one to five bugs are introduced for every 1,000 lines of code written.

Malware writers thrive by finding those bugs and exploiting the vulnerabilities they introduce. A modern operating system may consist of 150 million lines of code, which, even at the low end of that defect rate, means each new OS can ship with 150,000 bugs to exploit. These numbers make keeping up with the bad guys look like a losing game, Zatko said.

Zatko was also cynical about antivirus vendors. He said they are motivated to create fixes that eliminate each new variant of malware, which he calls a branch. But the heavy cost of building software that takes out an entire family of malware at its root (what he calls a tree) tends to scare the vendors off. They can charge subscription fees for the updates that address each little branch, but a single large fix is much harder to monetize. So antivirus vendors are commercially motivated to keep putting Band-Aids on the explosion of malware rather than curing it.

That is why Zatko is proposing a new DARPA-funded program, called Cyber Fast Track, to fund lots of “maker spaces” for hackers and boutique security firms. The aim is to get around the huge government contractors that tend to move too slowly. He wants to fund a modern equivalent of the Homebrew Computer Club, the creative maelstrom that led to the first personal computers. Dreamed up over the past nine months, Cyber Fast Track is meant to accelerate the government’s interaction with security startups and small vendors.

“The average government program is created in 81 months,” he said. “That’s six years. …Time is a hot commodity in cyber.”

He pointed to examples of funded projects that took only a few people and a small amount of money to produce. One project, he said, built “attritable” unmanned aerial vehicles with five people working for half a year. Zatko said this kind of program is why he signed on with the government to get something done. Under the program, the government receives government-purpose rights to whatever is created, and the creators retain the right to commercialize the technology.

About 20 to 100 projects will be funded each year, with a target of 14 days from proposal to signed contract.

“We have to come up with a new process,” he said. “This is cool stuff. We can hack this stuff together.”