Pentagon Aims to Close the GAPS for Sensitive Data in the Cloud

Data can travel around the world in a blink of an eye and show up on practically any device, be it a networked PC, a phone, or some other mobile component. That’s great, in the context of the anytime-anywhere availability that is among the goals of most organizations. But ensuring the security and integrity of that data as it travels the connected cyber universe is another story.

When information is entered into a phone, does it stay with the phone or is it sent to a server somewhere in the cloud? When sensitive information, perhaps involving national security, comes into contact with an internet-connected system, does it remain isolated from outside influences?

The Pentagon wants to develop a way to securely and verifiably track data and communications as they make their rounds, which is the goal of the Defense Advanced Research Projects Agency’s (DARPA) recently launched Guaranteed Architecture for Physical Security (GAPS) program.

“As cloud systems proliferate, most people still have some information that they want to physically track – not just entrust to the ether,” Walter Weiss, DARPA’s program manager for GAPS, said in an announcement. “Users should be able to trust their devices to keep their information private and isolated.”

GAPS is part of DARPA’s larger Electronics Resurgence Initiative (ERI), a five-year program under which DARPA plans to spend at least $1.5 billion to develop a new generation of trusted electronics components, particularly with regard to security and privacy protections. Launched in June 2017 and now into Phase 2, ERI “is seeding the foundation of a more robust, secure, and heavily automated electronics industry to move us from an era of generalized hardware to specialized systems,” said Dr. Bill Chappell, director of DARPA’s Microsystems Technology Office (MTO).

In Phase 1, DARPA funded research and development efforts to create specialized circuits, architectures, and designs. Phase 2 is aiming to establish domestic semiconductor manufacturing capable of making use of specialized circuits that can ensure trust throughout the supply and communications chains, and which would be available to both the Department of Defense and the commercial sector, Chappell said. GAPS is intended to develop hardware and software architectures that can physically prove the integrity of high-risk transactions and data transfers between multiple security levels, such as those when one system is secured and another is not.

Such a system would help secure transactions as they go from device to device via the cloud as well as data and devices in “air-gapped” systems, which include spaces that aren’t connected to the internet within systems to prevent the leakage of sensitive information. But air-gap interfaces are complex and usually added as an afterthought, which makes managing them difficult. The bottom line, DARPA said in a Broad Agency Announcement for GAPS, is that, “modern computing systems are incapable of creating sufficient security protections such that they can be trusted with the most sensitive data while simultaneously being exposed to untrusted data streams.”

Air-gapped systems, which protect systems by isolating them from online connections, can nevertheless be vulnerable, since data is still moved onto and off of them. A high-profile example was the U.S.-Israeli introduction of the Stuxnet computer worm into Iran’s Natanz nuclear facility, when an Iranian double-agent reportedly inserted a Stuxnet-carrying thumb drive into a computer at the air-gapped Natanz facility. Discovered in 2010, the worm disrupted uranium enrichment at the facility and knocked it offline for a time.

DARPA is holding a Proposer’s Day for GAPS to solicit input and answer questions from industry.