Army opts for openness with new computer security tool

The U.S. Army wants you! (to improve the security of its computers, no enlistment required)

Army researchers in a lab outside Washington worked for years on a software tool to help soldiers understand how hackers were targeting military computers.

Late last year they did something unusual: They released their project for anyone on the Internet to poke and prod.

William Glodek, the leader of the project, said the Army Research Lab hopes that if his team gives something, they'll get something.

"The Army is open and willing to collaborate," he said. "Hopefully, we can attract some bright talent to contribute to the project."

The federal government is looking for ways to improve the security of the nation's computers, but its plan to share information about threats faces legal obstacles before it can get moving. By offering up code, rather than data, Glodek's team has been able to take a step forward — and join a growing movement among military and intelligence community coders to share what they make.

Among developers, the practice of putting code online is common. Software that embraces the approach, known as open source, underpins the Firefox Web browser and the Android mobile operating system.

Over the years, government agencies and contractors have released some of their code. But the Army project stands out because it was published on GitHub, a popular destination for programmers.

Dan Guido, a computer security researcher, said the decision to publish the project on GitHub, instead of some obscure site, is "really amazing."

"It lets it get into more people's hands," Guido said. "That benefit is clear."

The idea behind making the code for security software widely available is that it lets thousands of sets of eyes review each line for vulnerability to hackers and other problems. The reviewers can then suggest fixes to patch any holes they find.

GitHub's Ben Balter compares it to locksmithing. You can hope that by keeping the design of your lock secret, a burglar won't figure out how to pick it. Or you can share the design with everyone and ask for help to make it secure.

All the while, you make sure that the key is kept private.

Glodek said sharing such code might give hackers the opportunity to explore weaknesses to exploit and ways to hide their attacks. But he said he'd rather have them doing that than actually getting up to mischief. And any changes to the code proposed by the community are carefully reviewed to make sure they do not introduce new problems.

The lab published the code on GitHub in December, and site users quickly took notice. Users have created more than 700 versions of the tool, and some have suggested modifications to the Army researchers.

"We're actually getting meaningful dialogue and technical contributions from the security community," Glodek said.

The Army demonstrated the tool at its Adelphi research center in a windowless lab with brown carpet tiles and large screens suspended from the ceiling. (The real work spaces are off limits to the public.)

The tool is designed to make it easier for soldiers to analyze large volumes of Internet traffic and spot attempts by hackers to coordinate attacks. The aim is to let them make decisions about how to respond more quickly.

With a few keystrokes, a researcher pumped data into the tool and the screens filled with rows of information that showed which computers were talking to each other, for how long, and how much data they exchanged.

Another screen showed ways of visualizing the data, with colored threads tying Internet addresses together.

Glodek, who started working with the Army a decade ago as an intern, said he started building the tool because there was no good way to sort through all that network information and spot a problem, even when he knew what the problem looked like.

Guido, founder of the security company Trail of Bits, said many businesses face a similar problem. He called the Army project "a very useful tool."

What might be more important, Guido said, is that the release of the tool could spur other agencies to make their projects public. In 2001, the National Security Agency announced security improvements for the operating system Linux, a major Defense Department contribution to the open-source community.

While the Army Research Lab project is not on the same scale, it has attracted notice and acclaim.

"This could be another great shining example of this approach," Guido said.

Balter, whose job involves encouraging agencies to use GitHub, said he's seeing growing interest from programmers inside the government. He said government coders rarely tell him that they are against offering up their projects, but there are still hurdles.

Faced with a novel idea, he said, the "bureaucratic immune system" sometimes kicks in to defend the old way of doing things, and security worries often have to be sorted out.

But if the Army can do it, he said, maybe other agencies will be convinced.

"It's very new and very exciting in the sense of having the military and intelligence community, who you'd expect to be the most secretive ... really coming around," he said.

iduncan@baltsun.com

twitter.com/iduncan

Copyright © 2017, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad