Filling ‘cyber-cracks’ isn’t enough
Regarding the July 9 Economy & Business article “DARPA seeking system that finds, fixes cyber cracks”:
The Defense Advanced Research Projects Agency’s (DARPA) plan to “build a fully automated, computer-driven system that would find bugs in software and patch them on its own” represents yet another failure to understand why we have a cybersecurity crisis. Finding “bugs” in deployed software and firmware assumes that one understands the constantly changing code base that constitutes today’s Internet and can fix security exposures before hackers can take advantage of them. But what if the hacker installs his own bad code (as hackers often do) into a system, or uses a hack to write over a computer’s memory and then loads malware nanoseconds later?
A hacker can be in and out of a system with the bug-finder none the wiser. If hackers can manipulate a computer’s code base (especially while it is running) at will, building a faster bug-finder and patching system will accomplish very little.
DARPA would be wise to build more trustworthy computer system firmware, operating systems and programming languages that would minimize hackers’ ability to attack systems and make it easier to find and patch buggy code that could be exploited.