The idea that you can’t trust everything you see on the Internet is a conventional, if sporadically followed, wisdom. But as hackers become increasingly skilled and sneaky, as “fake news” officially enters the dictionary, and as fake video and fake audio become more of a thing, you might not necessarily be paranoid to wonder if you can trust anything.
The Pentagon’s lead research arm wants to stem the tide, with a new project that would help ensure the integrity of documents transmitted over the Web–such as text, maps, images and video–by improving software’s ability to detect when documents have been messed with.
Through the simply titled Safe Documents, or the SafeDocs, program, the Defense Advanced Research Projects Agency (DARPA) is aiming to find better ways “to detect and reject invalid or maliciously crafted input data,” and to do it without affecting the functionality of the data formats themselves.
“To create a safer internet, we must first create safer electronic documents,” Sergey Bratus, program manager in DARPA’s Information Innovation Office (I2O), said in a statement. “Through SafeDocs, we are looking for ways to reduce the complexity of electronic document exchange and minimize the means of exploitation for all malicious actors–from cybercriminals to nation states.”
Aside from people just making things up, the forgery or manipulation of seemingly trustworthy documents and files have the potential to do a lot of damage. The FBI’s 2017 Internet Crime Report, for example, includes an account of an elaborate investment scam that bilked 20 victims out of $7 million which included the fabrication of official-looking U.S. government documents along with criminals posing as executives from major U.S. banks. On a smaller scale, the Federal Trade Commission issued a warning earlier this year about a simple, but at times effective, tactic of phishers emailing fake invoices.
In another example, the European Union Agency for Network and Information Security last year detailed a phishing and disinformation campaign targeting French President Emmanuel Macron that included the theft, manipulation and subsequent leaking of documents. That practice, dubbed “tainted leaks” by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, is becoming more common. The lab described one case in which Russia-linked hackers stole information from a journalist (David Satter, who has been critical of the Kremlin), tampered with documents, and then leaked them as part of a disinformation campaign.
And the proliferation of artificial intelligence stands to make these types of attacks more common and malicious. A report this year on a study led by Oxford and Cambridge universities said that advances in AI and machine learning would greatly improve and accelerate the ability of malicious actors to produce fraudulent text, image, audio, and video files that would appear to be the genuine article.
Trying to keep up with the enormous flow of daily information in multiple formats, some of which is coming from untrusted sources, is already hard enough, but it’s compounded by the fact that the software used to process the information is flawed and vulnerable to exploitation. “With today’s online risk environment, allowing software to interact with untrusted electronic documents and messages is akin to downloading and running untrusted programs on your computer,” Bratus said.
The SafeDocs program wants to create efficient methods to automatically check documents to make sure they’re safe to open, while also putting untrustworthy versions into safer document formats. The program will focus on two areas: methods of capturing and defining human-intelligible, machine-readable descriptors of electronic data formats; and creating software construction kits for building secure, verified parsers that will break down data inputs into manageable portions and reveal exploitable flaws and behaviors.
DARPA will hold a Proposer’s Day Aug. 24 in Arlington, Va., to explain more about the program to interested vedndors.