As previously said it looks like I know what I’ll be doing the next few months: working on a DARPA funded project that I submitted to the Cyber Fast Track (CFT) program. I had paused because I wanted to confirm some stuff before writing more about it… here’s a brain dump of the process. I’ll write up what I’m doing in a later bit.
I’m still struck – what a remarkable thing Mudge has created (he says he “hacked the government” to make it happen (hack as in old-school, did something nifty to get around the usual constraints.))
To get a contract you fill out a proposal form (mine was about 25 pages, but much of that was simply boilerplate and time schedules – probably 12-15 real pages, going over what my project would accomplish and the various pitfalls and risks associated with such a short timeline) and send it in – I submitted my own (online) on a Friday, 1/6/12. On Monday, 1/17/12 – 7 working days later (MLK day was in there), I got the acceptance letter. I talk to a subcontractor, go over some of the details of what I mean when I said X or Y, and then get a contract 3 days later. Wow! This is government? My government? I’m still looking for the man behind the curtain.
Mr. Armitage, Raphael Mudge (who claims not to be the DARPA Mudge… but I’ve never seen them in the same room together, so who knows?), writes about his experience in far better terms than I can, points to invaluable documents and resources and explains what the heck CFT is; my experience was pretty darn similar to his in terms of speed of turnaround, etc. I guess their current acceptance rate is maybe 1/3 of all presentations, which tells me perhaps that either they’re crazy or not enough people know about this ;) And as Raphael writes, I had zero connections to anyone, have no clearance, hadn’t done any contract work with DARPA before, etc., etc.
I’ve made several suggestions on how to improve the already wonderful process – my biggest complaint that there really wasn’t that much information on the specifics of what they wanted, so I felt like I was flying a bit blind, but I guess in the end they just wanted your basic, standard stuff. Indeed, when I talked to the subcontractor, my contact person told me that the best proposals generally came from people who had never done it before, as the insiders would write in that poetic and stultifying government lingo franca that makes reading government documents so enthralling (ok, not quite a quote, but that’s what I got from what he said ;))
The key to using a government subcontractor is that they can pay and make things happen very fast; I was told (will find out in a few weeks, with my first milestone meeting) that you usually get paid within a few days of sending in expenses or hitting milestones. Again, just remarkable. My contact said that they understand that as a SMB or individual timeliness on payment is key; while they’re only contractually obligated to pay within 30 days, they have a weekly payday – if you submit prior to that you get paid then, if after then you’ll get it the next week.
A few things I either found out early and/or wished I had known before… perhaps think of this as advice from your drunk old uncle, feel free to ignore or not.
First, they really want shorter projects, not year+ things… a couple to several months seems to be what they really are receptive too.
Second – the main goal here is security, and more about DEFENSE than the reverse (after all, that’s what the D in DARPA is). You can do some things about attack or compromise, but it really should be couched in terms of how it would ultimately help the white hats, whether through illustration of the bad or concrete good things.
Thirdly – if you really feel that you have a good idea but you’re a bit unsure of how it might be received… I would highly advise writing up a one paragraph summary which not only says what the project would do, but why it’s important. One paragraph isn’t a lot, but trust me on this one. Show it to some friends (or smart enemies) that will tell you in no uncertain terms that they understand what the hell you’re talking about. Then, if bold, send it to Mudge (if you can’t find his email, what kind of security person are you? :)) and just ask him – “hey, here’s a very small description of what I had in mind… I’m not asking for any guarantees or assurances or anything, but is this the kind of thing that DARPA is looking for?” (I told Mudge he should write up a list of topics, but until he does I’ll sic people on him ;)) At least this is kind of the approach I took… asked him about some ideas, and then after listening to him, ignored it and did something completely different. But I’m like that.
Fourth, write up the report. It probably took me… 30-35 hours of concentrated effort to write mine up (again, I’m struck by the similarities to of Raphael’s experience; it’s too bad I didn’t see his until like the last day I was writing my own proposal!) This doesn’t include the time sitting around thinking up the idea. All I can say is don’t try to snow them with technical mumbo-jumbo. Just be clear, concise, get an editor if you have to, demonstrate you know what the hell you’re talking about, and send it in.
4B. For costs in the report I used a doc I can’t even find on the web anymore, so I’ll just attach it at the end, but here was the important bit:
I also put in for one trip to DC at the end of the effort to give a lil’ dog and pony show and expensed one modest server so I could keep the separation of church and state clean. If the costs are too high (or seem to high) they won’t accept.
4C. I had a pretty good idea of the problem space I was going after and the audience, so that was pretty fast – the hardest and most time consuming thing for me was putting together a schedule. I just used a spreadsheet and took some best guesses as to the time it would take to do things with clear and unambiguous milestones. The milestones are key – basically if I don’t do what I say (or have a damn good and defendable reason why not) I don’t get paid. My only advice here is focus on the basics – you can always add frills as you go along, but as someone said, “programmers are optimists”, so be very sure you can hit your milestones! Again, mine was simple – here’s a lil’ screenshot:
(The various blue colors are work days, the red is a milestone, etc. )
Fifth. Send it in. Wait. And good luck! If you get a contract – or don’t – I’d encourage you to share your experiences.
The best part of all of this? The work you do is yours. OK, the government gets a free license, which is only fair, they’re paying for it. But the rest… it’s yours. That’s pretty neat.
I would highly suggest anyone interested in doing self-direct small scale defense research to give this a try. It might take two weeks or so to write up everything, do some legwork, ask some friends for feedback, etc. I would also argue it’s not wasted time even if you don’t get it – by the time I finished writing my own all up I had a better understanding of what I wanted to do and why. Of course it was nice hearing yes ;)
Good luck to ya’ll. And kudos again to Mudge and DARPA.