Zatko will become a program manager in mid-March within the Strategic Technologies Office at DARPA (Defense Advanced Research Projects Agency), which is the research and development office for the Department of Defense. His focus will be cybersecurity, he said in an interview with CNET on Tuesday.
One of his main goals will be to fund researchers at hacker spaces, start-ups, and boutiques who are most likely to develop technologies that can leapfrog what comes out of large corporations. "I want revolutionary changes. I don't want evolutionary ones," he said.
He's also hoping that giving a big push to research and development will do more to advance the progress of cybersecurity than public policy decisions have been able to do over the past few decades.
"Not much has changed" with regard to strengthening the U.S. cybersecurity position, he said. "As a society, we have a larger dependence on being wired in, yet the government only focuses on particular areas."
The connectedness of commercial, government, and military networks makes the situation even more dire, he said. "I'm going to argue that they're all pretty much intertwined now and we've seen how vulnerable some of those sectors are now. That's unacceptable," Zatko said. "I aim to fix that."
The current state of technology isn't working adequately, for the government or commercial companies, he said. For instance, the current defense mechanisms need to change so they can block attacks, instead of responding to them, he added.
"I don't want people to be putting out virus signatures after a virus has come out," he said. "I want an active defense. I want to be at the sharp pointy end of the stick."
Zatko cut his security chops as a teenage hacker in the 1980s and managed to stay one step ahead of the law. He ran the L0pht hacker space during the 1990s, where he invented anti-sniffing technology that became the first remote promiscuous-mode system detector used by the Defense Department. He also pioneered work on buffer overflows, which are the basis for many computer network attacks.
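The remote promiscuous-mode detector mentioned above relies on a gap between two layers of a host: the network card's hardware filter normally drops frames not addressed to its own MAC or to broadcast, but a card in promiscuous mode passes everything up, and the kernel's ARP code will then answer a who-has request for the host's IP even though the frame was sent to a bogus destination MAC. The following is an added, simplified model of that check (not code from the L0pht tool or from this article); the hosts, MAC and IP addresses are constructed for the example, and the filter behaviour is an assumption: real cards and operating systems differ, and a working detector has to exploit OS-specific quirks in how each kernel filters frames.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumption: a unicast address no real card owns, so only a promiscuous NIC will pass it up.
BOGUS_DST = "ff:ff:ff:ff:ff:fe"


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    sender_ip: str
    target_ip: str
    op: str  # "request" or "reply"


@dataclass
class Host:
    """Minimal model of a host: a NIC filter in front of a kernel ARP responder."""
    mac: str
    ip: str
    promiscuous: bool = False
    received: list = field(default_factory=list)

    def nic_accepts(self, frame: ArpFrame) -> bool:
        # Hardware filter: normal mode delivers only frames for our MAC or broadcast;
        # promiscuous mode delivers every frame on the wire.
        if self.promiscuous:
            return True
        return frame.dst_mac.lower() in (self.mac.lower(), BROADCAST)

    def handle(self, frame: ArpFrame):
        """Process one frame; return an ARP reply frame or None."""
        if not self.nic_accepts(frame):
            return None
        self.received.append(frame)
        # Kernel ARP stack (as modelled here): answers any who-has for our IP
        # without re-checking the link-layer destination the NIC already "filtered".
        if frame.op == "request" and frame.target_ip == self.ip:
            return ArpFrame(dst_mac=frame.src_mac, src_mac=self.mac,
                            sender_ip=self.ip, target_ip=frame.sender_ip, op="reply")
        return None


PROBER_MAC = "02:00:00:00:00:01"   # constructed prober addresses
PROBER_IP = "192.0.2.1"


def is_alive(host: Host) -> bool:
    """Control probe: a normal broadcast who-has that every live host answers."""
    ctl = ArpFrame(BROADCAST, PROBER_MAC, PROBER_IP, host.ip, "request")
    return host.handle(ctl) is not None


def probe_promiscuous(host: Host) -> bool:
    """Trap probe: same who-has, but sent to a MAC nobody owns.

    A reply means the frame got past the hardware filter, i.e. the card is
    listening to traffic that is not addressed to it.
    """
    trap = ArpFrame(BOGUS_DST, PROBER_MAC, PROBER_IP, host.ip, "request")
    return host.handle(trap) is not None


def sweep(hosts) -> list:
    """Return the IPs of live hosts that answered the trap probe, sorted."""
    return sorted(h.ip for h in hosts if is_alive(h) and probe_promiscuous(h))


if __name__ == "__main__":
    lan = [
        Host("aa:bb:cc:dd:ee:01", "192.0.2.10"),
        Host("aa:bb:cc:dd:ee:02", "192.0.2.11", promiscuous=True),
        Host("aa:bb:cc:dd:ee:03", "192.0.2.12"),
    ]
    for h in lan:
        print(h.ip, "alive" if is_alive(h) else "down",
              "PROMISCUOUS" if probe_promiscuous(h) else "normal")
    print("suspects:", sweep(lan))
```

The control probe matters in practice: without it, a silent host and a non-promiscuous host look the same, so the detector first confirms the target answers ordinary ARP before drawing any conclusion from the trap frame.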
"L0pht turned the industry on its head," he said. "You didn't have security response teams at major organizations like Microsoft or Intel until we came along."
He started the corporate information security group at BBN Technologies in the 1990s, was chief executive at L0pht Heavy Industries when the hacker space decided to incorporate, and founded security consultancy @Stake, which was later acquired by Symantec. Since 2004, he's been back at BBN, working as division scientist and technical director for the company's National Intelligence Research and Applications department.
Zatko has also done his fair share of work for the government. He was appointed to the Information Assurance sub-committee out of the Executive Office of the President, named as a subcommittee member to the Partnership for Critical Infrastructure Protection and testified several times before Congressional committees. The main hacker character in the book Breakpoint by former U.S. cybersecurity guru Richard Clarke is believed to be based on him.
He's not the only self-described hacker to embrace public service. Jeff Moss, founder of the Black Hat and Defcon conferences, joined the Homeland Security Advisory Council.
One of the reasons Zatko decided to take the job is that the new DARPA director, Regina Dugan, is entrepreneurial and is looking to engage more with academics, following years of DARPA being closed to nongovernmental researchers for national security reasons, he said. "Now they are running more programs out of DARPA that are not classified beyond what they need to be, so it will enable more people to have visibility into them," he added.
Another lure of the job was the budget he will have. Zatko said he doesn't know exactly how much of the $3.5 billion a year DARPA spends to fund research he will oversee but said it's likely to be a "good chunk."
From his many years doing penetration testing and working to break security systems, he understands what it takes to defend networks, and how to come up with innovative ways to break through barriers and get around obstructions.
"I've got a track record of doing novel things on both the offense and defense side," he said. "In the commercial world I wasn't able to take those to fruition because often the market drivers and the money drivers were at odds. You don't want to put yourself out of business. But now, I want to put myself out of business."
By Elinor Mills