DARPA Gave a Company $500K to Keep Tabs on White Hat Hackers

Spies gonna spy—but they normally don't publicly announce that.

DARPA, the blue-sky research group of the Pentagon, appears to have made that mistake on Monday, when it published details of a project that appears to be designed to monitor the activities of information security researchers with the goal of anticipating what vulnerabilities they might be looking for.

The project is called "Internet Cyber Early Warning of Adversary Research and Development" or ICEWARD, and DARPA paid nearly $500,000 to an obscure contractor to develop the technology to make it a reality.

"Proposers hypothesize that vulnerability researchers make use of public information and resources (such as search engines and websites) that are relevant to their missions, targets, and techniques in such a way that it is possible to glean part of their intent if only we could observe such use and differentiate it from noise," read the DARPA contract award.

The description of what ICEWARD is vague, but some privacy activists took it as a program to spy on security researchers. The Electronic Frontier Foundation's Dave Maass first spotted the contract, and weirdly enough, DARPA pulled the program's description shortly after.

DARPA scrubbed a page showing a $500k program to spy on security researchers. The original: EFFOctober 26, 2015

The award page now only shows who got the contract, and the amount paid, but there are no details on what the program entails. DARPA did not respond to multiple requests for comment.

While details on the program are scant, some security researchers were reluctant to sound the alarm.

"I think ICEWARD might not be as damning as people see it. In fact, I think it's kinda clever thinking from DARPA," Mikko Hypponen, the Chief Research Officer at antivirus firm F-Secure, told Motherboard in an email. "Yes, it seems to be about trying to find out what security researchers are working on. But it's not about breaking into their systems or intercepting their emails."

The noted security researcher, who's only known as the Grugq, called it a valid topic of research and told Motherboard that "it stands to reason that DARPA wants to know if people are hunting vulnerabilities in specific targets, and which targets are being hunted."

In some ways, this effort is not too different from other open source intelligence collection programs. For example, documents leaked by former NSA contractor Edward Snowden revealed earlier this year that the British spy agency GCHQ keeps tabs on the most interesting and well-known security researchers and hackers on Twitter.

The other side of the spectrum is actually hacking into defensive cybersecurity firms to know what they're up to. That's what happened earlier this year to the Russian antivirus company Kaspersky. While it's unclear who broke into its servers, it seems it was the Israeli government, in an attempt to figure out what Kaspersky knew about Israel's own hacking operations.

ICEWARD doesn't go that far, and seems to be simply an effort to collect public information. The pulled description used "search engine crawlers" as an example of how to implement it. The contract was awarded to a company called Kudu Dynamics, which "was forged out of a decade of full spectrum computer network operations (CNO) across the US Government," as its website puts it (CNO is the US government's euphemism for hacking).

Kudu Dyamics did not respond to a request for comment.

In any case, perhaps something good will come out of this.

"It's a good reminder for security researchers to carefully think about their OPSEC if they don't want to leak their research to the US government," Hypponen said.

Many researchers are already well aware. Marion Marschalek, a senior malware researcher at Cyphort, who has exposed French hacking operations in the past, told me that she is already "as paranoid as everyone else in this business."

"The thought has crossed my mind that i need to watch what i type into Google," she said in an online chat.