The Defense Innovation Unit awarded a $45 million contract to a Silicon Valley-based tech startup to perform cybersecurity testing on Defense Department weapon systems’ applications, the company announced May 11.
The company, ForAllSecure, has been prototyping its cybersecurity testing platform, known as Mayhem, with DoD components for more than three years. DIU made the award on the five-year contract April 23, a ForAllSecure spokesperson said.
ForAllSecure is working with the Air Force 96th Cyberspace Test Group, the Air Force 90th Cyberspace Operations Squadron, the Naval Sea Systems Command (NAVSEA) and the U.S. Army Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance and Reconnaissance Center (C5ISR).
The same DoD users have worked with ForAllSecure throughout the prototyping process for the company’s platform, which finds bugs in applications and shows the user how they can be triggered. The platform will allow for continuous testing for vulnerabilities in weapons systems.
“One of the problems that [the department] run[s] into is this idea that there’s a point in time when you’re done” with cybersecurity, said David Brumley, chief executive officer of ForAllSecure. “It all comes down to how quickly can you test and retest.”
In the last few years of prototyping, the company went through 10 iterations of Mayhem. One significant piece the company added to those iterations was cybersecurity tutorials for users.
ForAllSecure’s work on Mayhem started before a troubling report from the Government Accountability Office that highlighted several cybersecurity challenges and shortfalls that the Defense Department’s weapons systems faced in light of potential advanced cyberattacks.
“If you look at the GAO report, they simply weren’t embedding cybersecurity testing in the process at all,” Brumley said. “So this is adding this common sense measure and it’s automating it.”
In 2016, the company’s Mayhem platform won the Defense Advanced Research Projects Agency’s Cyber Grand Challenge, an automated defensive cybersecurity competition. That victory came with a $2 million prize.
Since that victory, Brumley said that the company has run into a few unique challenges working with other DoD components, particularly around installing the platform.
“When DARPA has their contest, it really only has to work for the developers,” Brumley said. “When you go to a product, you have to go to an unknown site, you have to install. You have to repeatedly do that.”