No offense, human cybersecurity workers, but you are TOO SLOW!
DARPA says that in the time it takes to identify new flaws and threats and patch them up – a process that can take over a year – miscreants can exploit them:
This slow reaction cycle has created a permanent offensive advantage.
The Defense Advanced Research Projects Agency (DARPA) wants us to speed it up and grab back that time advantage by moving to automated cyber defenses: machines that can “discover, prove and fix software flaws in real-time, without any assistance.”
It’s putting its money where its mouth is in what’s being billed as the “world’s first all-machine hacking tournament.”
The historic battle takes place in Las Vegas in a few weeks, and it will happen at the very heart of hacking.
On 4 August, DARPA’s Cyber Grand Challenge (CGC) finals will take place in the middle of the two of the biggest hacking conventions out there: Black Hat USA and DEF CON.
The goal is to find out whether artificial intelligence-fueled machines can beat even the best meat-based hackers, as Mike Walker, program manager for the CGC, told Tech Insider:
Cyber grand challenge is about bringing autonomy to the cyber domain. What we hope to see is proof that the entire security life cycle can be automated.
Walker said that on average, software flaws go unnoticed for around 312 days, leaving systems vulnerable to exploitation. Even after somebody finds a given flaw, it has to be understood, and patched, and then the fixes have to be deployed and released.
DARPA wants it done in minutes, or even seconds, automatically.
Seven finalist teams, bearing names such as Deep Red, Shellphish, and Forallsecure, will be competing at the security shows. DARPA says they’re a diverse bunch that include “industry leaders, university off-shoots, startups, academic researchers and hacker community competition veterans.”
On 3 June, finalists had fielded an autonomous system that found and fixed enough vulnerabilities to gain an invitation to this final event.
As Tech Insider tells it, DARPA gave each team a computer that it had itself constructed. The teams’ job was to recognize and understand the software on that system, sniff out flaws, and fix them.
After the challenge starts, it’s hands-off: the teams’ artificial intelligence systems will be left to do those tasks, without human intervention.
The machines have to comprehend the language of the software, author the logic for that software, write their own network clients, and arrive at the path of the new vulnerabilities entirely on their own.
And while DARPA’s using terms like “tournament,” there won’t be any lances plunged into opponents’ hearts. The focus is, for the most part, on the defensive.
The teams’ AI systems can scan other machines, but Walker says they’ll only be flagging any vulnerabilities they find, rather than exploiting them. Rather, the AI systems will flag the flaws to a DARPA referee, who will verify whether the vulnerability is correct and whether an exploit would bring down a machine.
According to Tech Insider, Walker likened it to calling your shot in a game of pool, without actually hitting the ball.
The payouts will be sizable: the first prize will be $2 million, while second and third will get $1 million and $750,000, respectively.