Summary
The Department of Defense’s (DOD) reliance on aging information technology infrastructure, using security standards developed over the last 30 years, creates inherent vulnerabilities in its systems, from legacy architectures to advanced weapons.
Adversaries like Volt Typhoon are actively exploiting these vulnerabilities, gaining access to critical systems and infrastructure. They are also stealing and reengineering sensitive military system source code to gain knowledge of DoD-relevant systems, which could enable national security-relevant cyberattacks.
We can do better. Technology exists to minimize exploitable software vulnerabilities. DARPA has developed scalable, open-source tools that can secure and prove the absence of exploitable vulnerabilities across nearly all DoD systems. These tools employ software development practices based on formal mathematical methods (“formal methods”).
Formal methods tools and techniques are universally applicable and can drastically improve the security of the DOD’s vast catalog of deployed legacy code and secure future systems. Many of these tools and techniques have transitioned to the services for further maturation and operational use, but broad adoption is needed to dramatically improve overall DoD cybersecurity. Rapid implementation of these tools in legacy and future systems can significantly reduce the DoD’s cyber vulnerabilities.
DARPA is working on additional pathways to support the transition of these critical tools, including conducting a Resilient Software Systems Accelerator. This accelerator will provide seed funding to formal methods tool developers who partner with Defense Industrial Base companies to identify DoD systems that would benefit from the use of their tools as described above.
DARPA funding would support an initial red team assessment of the DoD system’s vulnerabilities, the application of the formal methods tool(s), and a second red team assessment to measure impact and level of effort.