The Smartest Hackers in the Room (Hint: They're Not the Humans)


The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel.

Next month, unmanned computers all over the globe will face off in a dress rehearsal for a Las Vegas hacking tournament run by the U.S. military.

The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel. During the 2016 finals in Vegas, the humans who built these cyberbots might as well go play blackjack. 

At stake in the cyber challenge is a chunk of change and perhaps societal gratitude. That's because the research and development gleaned during the two-year competition could lay the groundwork for a world where machines are in charge of cybersecurity.

At least, that's the hope of many of the contestants and the Defense Advanced Research Projects Agency, the Pentagon component leading the program. 

The machines aren't running the show entirely just yet. Teams of contenders are still doing a little hand-holding. 

Last December, DARPA held a 24-hour unofficial test run to see if each group's vulnerability-obliterating software could even function.

During the practice session, “we certainly weren’t just sipping lemonade,” said player David Brumley, co-founder of the Pittsburgh-based startup For all Secure. Employees who are dedicated full time to the project were monitoring logs indicating the number of security weaknesses detected and the number that had been fixed. The team also had to make sure its system didn't crash.

"Since it was mostly automated, we didn’t spend the whole 24 hours with ourselves there," he said. "We didn’t have to baby-sit. We tried to run this as much like the real competition as possible."

At the time, Brumley happened to be in Washington for a funding meeting. He and the seven employees assigned to the team often communicate with one another from a distance, using videoconferencing tools and chat rooms. "The Internet culture is distributed by nature, so it becomes second nature to collaborate," Brumley said last October, when the team was still in the early stages of development.

Spotting the Next Heartbleed before the Bad Guys Do

Team members last year won a $750,000 grant that allows them to take time off work for the endeavor. "Our main motivation is -- it’s just fun for us,” explained Brumley, who also is a computer engineering professor at Carnegie Mellon University. “It’s just something that we like and care about. The money allows us to do that.”

That said, they'd be creating the same kind of software in a 9-5 setting even if DARPA hadn't come calling.

Since 2011, Brumley's research has involved automatic "exploit generation,” which involves pinpointing security holes that are either created intentionally by hackers or, as in the case of the Heartbleed bug, unwittingly by software developers -- and then breaking in.

"The way we see it is, the competition was written for our research," he said last year.

Brumley's white-hat hacker research -- and the team's hacker-fighting bot -- aims to find the next Heartbleed before the bad guys do. Over the past year, software companies and researchers found about 8,500 security vulnerabilities, according to Department of Homeland Security statistics. It’s unknown how many the hackers found.

No one expects to create a fully-automated cyber warrior within the two-year timeline.

"It took competitive computer chess programs a decade to get competitive with the best people and even longer to beat them regularly," Brumley said, referring to Deep Blue, the IBM chess-playing supercomputer that beat grandmaster Garry Kasparov in 1997. "It's not the sort of thing where at the end of a year or two you are going to have unhackable software."

And partly for this reason, Brumley, when wearing his professor's cap, trains students for the hands-on hacking sport "capture the flag" at annual hacker confabs like DEFCON. In 2016, the Vegas event will host both DARPA's tourney and its traditional tournament, known as the "World Series" of hacking. Brumley has been a member of CMU’s "Plaid Parliament of Pwning," a team that won the contest two years in a row. Just last month, he helped DARPA coach a similar game for members of four military service academies.

It’s doubtful "full automation is going to replace the human in the next 10 years," Brumley said. "We’d like to see it, but we don’t think so, and in the meantime, we have to grow the field."

He doesn't wholly believe in the Cyber Grand Challenge prophecy of artificial intelligence taking charge of cybersecurity. Cyber defense always will require human minds to envision the next vulnerability and design security software accordingly, Brumley said. 

“Computers can do what we program them to do, but you always are going to need that human who is thinking up a new attack and then programming the computer," he said. 

So far, so good for the team. For All Secure ended up placing among the top 10 contestants. 

The Payoff? $2M and a Chance to Kickstart a Revolution

Trail of Bits, a self-described boot-strapped startup headquartered in NYC, had about 10 employees glued to their computers during last month's dry-run event. Four of them are staffed to the project full time.

"It was a very tense situation where this was the first time that we were able to test our system from end to end with DARPA's side," said Dan Guido, the company's co-founder. "Everybody was on call. All hands on deck, trying to make sure that the system would operate the way that it would should. That it was correctly solving challenges and that nothing was broken."

The team's system, maintained in Amazon’s cloud, also ended up ranking among the top ten.

Trail of Bits, like For All Secure, is receiving government funding to participate.

Guido's hope is just to break even after winning the competition.

"We're taking a little bit of a hit," he last fall. "We're not looking at this as a project that makes money for the company. $2 million would be a nice bonus."

The real payoff will be creating software that automatically spots and fixes vulnerabilities. Most organizations cannot afford to hire talented, ethical hackers who are able to identify increasingly sophisticated computer threats, Guido said.

The stakes are much higher than the $2 million prize, according to Mike Walker, the Cyber Grand Challenge program manager. 

"The stakes are the beginning of an automation technology revolution -- the idea that automation is the future of computer security -- and a chance to level the playing field between experts and automation," Walker said late last year at a Bloomberg cybersecurity conference.

DARPA is not the only federal agency trying to invent self-healing computers. The National Security Agency and DHS recently started collaborating on the Enterprise Automated Security Environment, or EASE, that could lead to PCs and other devices being able to robotically bounce back from assaults.

Betting on the Robots

Neither humans nor machines are moving fast enough to restrain hackers today. While major previously-unknown vulnerabilities were fixed within about four days after initial detection in 2013, security firm Symantec says it found 174,651 attacks still occurring within 30 days of discovery.

There just isn’t enough human capital in the world to provide adequate protection. Self-defending software would be a more economic approach to cybersecurity for small companies, Guido said. And it would provide large companies with consistent universal coverage, he added.

Trail of Bits couldn't even recruit 20 pros in New York.

"There is no way that I can have a team that is based one city," Guido said. His employees, some of whom work in isolation in Chicago, Washington and Oakland, California, have meetings in New York once a quarter.

For the match, the team built a proprietary videoconferencing system from scratch, "because things like Skype are not secure enough for where we'd like it to be," Guido said. 

Trail of Bits and For All Secure are up against stiff competition. Raytheon, a big government contractor with heavy Pentagon cyber defense experience, has a team playing. Deep Red -- a riff off the company's logo color and the name of IBM's chess-winning computer -- won the unofficial dry run.

"We still think that we can beat them," Brumley said. "We actually really like the fact that they are doing it because it gives us a lot of extra motivation."

Hand Over the Software and Let the Chips Fall Where they May

Raytheon's team of three full-timers, and other corporate employees who pitch in as needed, mostly works out of a Florida office space. The group uses a lot of the firm's hardware while crafting its system. All teams are given the option of hosting their systems in the Amazon cloud.

Raytheon is using its own hardware because “you have a lot of control over what you do. We don’t do it because our hardware is bigger, or are hardware is faster, or smaller or slower," Deep Red team member Tim Bryant said. "We think that what’s most important is getting the algorithms right, because if you don’t have software that analyzes other software efficiently, in a sense it doesn’t really matter how much hardware you have."

Raytheon is self-funded and retains all intellectual property. Grant recipients, including the other two teams, must give the government rights to their software and technical data.

While the multinational corporation may not be a startup, its challenge participants have to think like one.

"We use our whiteboards frequently, drawing pictures and going through thought experiments," said Brian Knudson, another Raytheon player. "Inspirations come from the process of going through those thought experiments and design work and sometimes they occur out of nowhere. You could be sitting on a couch at home and it hits you."

Raytheon, a participant in the more traditional DEFCON capture-the-flag contest six consecutive years, said it's preparing to hand over the software for the unmanned competition and let the chips fall where they may. In fact, Bryant said some of his team members might "possibly" might show up for the other hand's-on matches. 

"With the automated capture the flag, we envision that you sort of press the button and then the machine goes and you drink lemonade or go play in the other capture the flag," he said.