In a massive conference room at a hacker conference inside a hotel with a giant Eiffel Tower on top, celebrity astrophysicist Hakeem Oluseyi is taking on an unusual gig: hosting a real-time cybersecurity contest where automated bots compete instead of humans. The room is packed with thousands of onlookers because DARPA–the Pentagon’s highly secretive Defense Advanced Research Projects Agency–wants private industry to develop autonomous cybersecurity tools to do things humans can’t or won’t. At the DARPA Cyber Grand Challenge, millions of dollars in prize money is being given away to contestants who range from wonky university researchers to employees of some of the world’s biggest defense contractors.
The goal of the Cyber Grand Challenge–the latest in a series of future tech competitions held by DARPA over the years–is to create what they call “Cyber Reasoning Systems” that automatically identify software flaws, detect security holes in real time, and automatically fix issues without human oversight. Rather than being designed to replace human cybersecurity experts, these systems are designed to assist them by taking on challenges they haven’t noticed yet, or that are so well hidden human eyes wouldn’t notice them.
At a pre-event press conference, DARPA director of strategic communications Rick Weiss explained that “We want to follow in the tradition of reasoning machines like Deep Blue or Watson to make machines that can compete in adversarial contests of mind and can someday compete in computer security contests.”
On-site at the event’s venue outside the DEFCON hacker convention at the Paris Casino in Las Vegas, I spoke with DARPA information innovation deputy director Brian Pierce. Pierce repeatedly mentioned DARPA’s groundbreaking work in self-driving car research and the role of a previous DARPA challenge in spurring private-sector investment in autonomous vehicles; the clear implication is that DARPA hopes the same thing will take place for autonomous cybersecurity systems.
According to Pierce, “Our motivation is that computers operate on short, fast timelines. They do billions or more operations per second. Human response time is under half a second if you’re incredibly good at what you do–for instance, in Major League Baseball–but that’s still slower than the machine. We see a partnership of the human analyst and the machine.”
Seven teams participated in Thursday’s finals out of nearly 100 that initially applied. These ranged from CSDS, a two-person team affiliated with the University of Idaho, to a student collective from the University of California-Santa Barbara called Shellphish, to Deepred, a team of security engineers from defense giant Raytheon.
These teams competed for a $2 million grand prize and a $1 million runner-up prize in a special public forum consisting of 15 supercomputers on a giant stage masking a massive water-cooling system hidden below. The stage was airgapped to prevent hacking, and the teams didn’t “participate” in real time. All in all, there was $3.75 million in prize money and even color commentators on stage calling the competition play-by-play.
The challenge itself consists of a classic competition called “Capture the Flag,” which is regularly used in schools to teach cybersecurity and by hackers at conventions like (yes) DEFCON to show off their skills. But here, the software projects were competing autonomously in Capture the Flag rather than having human techies at the controls.
Once it was time for the event, contestants deployed their creations and hoped for the best.
The winning product was “Mayhem,” created by a Carnegie Mellon spin-off called ForAllSecure. Runners-up to ForAllSecure were Xandra, which was created by a team called TECHx, and the student group Shellphish.
When I spoke with Brumley, he explained that one of the big areas his team (and his company) is interested in is using automation to improve security for the Internet of Things.
“One of the concerns we see is computers are infiltrating our lives. Our cars, our microwaves, and even our coffeemakers are hooked up to networks today. Even thermostats are places where attackers can get a foothold. We can keep doing things where we find vulnerabilities after we’re hacked, but computers are more critical in more safety-intensive situations.”
Brumley added that connected devices traditionally have little security, and that cybersecurity researchers are stymied by the massive size of the market. As an example, he noted that there are only a handful of web browsers that are used by the vast majority of Internet users, while “for wireless routers there are a dozen manufacturers each with 100 different programs.”
The competition itself was more thrilling than any competition where bots compete against each other ever should be. The two color commentators on stage narrated the complex goings-on for the audience, and here’s the crazy thing: The bots did well. Not as replacements for humans, but as tools to make the jobs of human cybersecurity experts easier? Absolutely.
It’s also important to keep in mind DARPA’s key role in the Pentagon. The military has a keen interest in using defensive cybersecurity bots to conduct real-time analysis and patching; as defensive and offensive cyberwarfare becomes part of America’s everyday reality, the Pentagon will want to make sure that government and military systems have access to the latest and best in tech…which includes these bots.
The private sector is likely to reap the benefits of automation too. The scale of systems used at most corporations means that intrusions are increasingly difficult to detect–and even small businesses are at risk because they depend on large vendors for everything from the cloud software they use to the utility systems that bring electricity to their workplace. For all of those, automation is going to mean big, big changes in cybersecurity. Which means that, for DARPA, giving out all that prize money is a small price to pay for all the benefits they’ll reap down the line.