The Smartest Hackers in the Room (Hint: They're Not the Humans)

The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel.

Next month, unmanned computers all over the globe will face off in a dress rehearsal for a Las Vegas hacking tournament run by the U.S. military.

The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel. During the 2016 finals in Vegas, the humans who built these cyberbots might as well go play blackjack. 

At stake in the cyber challenge is a chunk of change and perhaps societal gratitude. That's because the research and development gleaned during the two-year competition could lay the groundwork for a world where machines are in charge of cybersecurity.

At least, that's the hope of many of the contestants and the Defense Advanced Research Projects Agency, the Pentagon component leading the program. 

The machines aren't running the show entirely just yet. Teams of contenders are still doing a little hand-holding. 

Last December, DARPA held a 24-hour unofficial test run to see if each group's vulnerability-obliterating software could even function.

During the practice session, “we certainly weren’t just sipping lemonade,” said player David Brumley, co-founder of the Pittsburgh-based startup For All Secure. Employees dedicated full time to the project were monitoring logs indicating the number of security weaknesses detected and the number that had been fixed. The team also had to make sure its system didn't crash.

"Since it was mostly automated, we didn’t spend the whole 24 hours with ourselves there," he said. "We didn’t have to baby-sit. We tried to run this as much like the real competition as possible."

At the time, Brumley happened to be in Washington for a funding meeting. He and the seven employees assigned to the team often communicate with one another from a distance, using videoconferencing tools and chat rooms. "The Internet culture is distributed by nature, so it becomes second nature to collaborate," Brumley said last October, when the team was still in the early stages of development.

Spotting the Next Heartbleed before the Bad Guys Do

Team members last year won a $750,000 grant that allows them to take time off work for the endeavor. "Our main motivation is -- it’s just fun for us,” explained Brumley, who also is a computer engineering professor at Carnegie Mellon University. “It’s just something that we like and care about. The money allows us to do that.”

That said, they'd be creating the same kind of software in a 9-5 setting even if DARPA hadn't come calling.

Since 2011, Brumley's research has involved automatic "exploit generation,” which involves pinpointing security holes that are either created intentionally by hackers or, as in the case of the Heartbleed bug, unwittingly by software developers -- and then breaking in.

"The way we see it is, the competition was written for our research," he said last year.

Brumley's white-hat hacker research -- and the team's hacker-fighting bot -- aims to find the next Heartbleed before the bad guys do. Over the past year, software companies and researchers found about 8,500 security vulnerabilities, according to Department of Homeland Security statistics. It’s unknown how many the hackers found.

No one expects to create a fully-automated cyber warrior within the two-year timeline.

"It took competitive computer chess programs a decade to get competitive with the best people and even longer to beat them regularly," Brumley said, referring to Deep Blue, the IBM chess-playing supercomputer that beat grandmaster Garry Kasparov in 1997. "It's not the sort of thing where at the end of a year or two you are going to have unhackable software."

And partly for this reason, Brumley, when wearing his professor's cap, trains students for the hands-on hacking sport "capture the flag" at annual hacker confabs like DEFCON. In 2016, the Vegas event will host both DARPA's tourney and its traditional tournament, known as the "World Series" of hacking. Brumley has been a member of CMU’s "Plaid Parliament of Pwning," a team that won the contest two years in a row. Just last month, he helped DARPA coach a similar game for members of four military service academies.

It’s doubtful "full automation is going to replace the human in the next 10 years," Brumley said. "We’d like to see it, but we don’t think so, and in the meantime, we have to grow the field."

He doesn't wholly believe in the Cyber Grand Challenge prophecy of artificial intelligence taking charge of cybersecurity. Cyber defense always will require human minds to envision the next vulnerability and design security software accordingly, Brumley said. 

“Computers can do what we program them to do, but you always are going to need that human who is thinking up a new attack and then programming the computer," he said. 

So far, so good for the team. For All Secure ended up placing among the top 10 contestants. 

The Payoff? $2M and a Chance to Kickstart a Revolution

Trail of Bits, a self-described boot-strapped startup headquartered in NYC, had about 10 employees glued to their computers during last month's dry-run event. Four of them are staffed to the project full time.

"It was a very tense situation where this was the first time that we were able to test our system from end to end with DARPA's side," said Dan Guido, the company's co-founder. "Everybody was on call. All hands on deck, trying to make sure that the system would operate the way that it should. That it was correctly solving challenges and that nothing was broken."

The team's system, maintained in Amazon’s cloud, also ended up ranking among the top ten.

Trail of Bits, like For All Secure, is receiving government funding to participate.

Guido's hope is just to break even after winning the competition.

"We're taking a little bit of a hit," he said last fall. "We're not looking at this as a project that makes money for the company. $2 million would be a nice bonus."

The real payoff will be creating software that automatically spots and fixes vulnerabilities. Most organizations cannot afford to hire talented, ethical hackers who are able to identify increasingly sophisticated computer threats, Guido said.

The stakes are much higher than the $2 million prize, according to Mike Walker, the Cyber Grand Challenge program manager. 

"The stakes are the beginning of an automation technology revolution -- the idea that automation is the future of computer security -- and a chance to level the playing field between experts and automation," Walker said late last year at a Bloomberg cybersecurity conference.

DARPA is not the only federal agency trying to invent self-healing computers. The National Security Agency and DHS recently started collaborating on the Enterprise Automated Security Environment, or EASE, that could lead to PCs and other devices being able to robotically bounce back from assaults.

Betting on the Robots

Neither humans nor machines are moving fast enough to restrain hackers today. While major previously unknown vulnerabilities were fixed within about four days of initial detection in 2013, security firm Symantec says it found 174,651 attacks still occurring within 30 days of discovery.

There just isn’t enough human capital in the world to provide adequate protection. Self-defending software would be a more economic approach to cybersecurity for small companies, Guido said. And it would provide large companies with consistent universal coverage, he added.

Trail of Bits couldn't even recruit 20 pros in New York.

"There is no way that I can have a team that is based in one city," Guido said. His employees, some of whom work in isolation in Chicago, Washington and Oakland, California, have meetings in New York once a quarter.

For the match, the team built a proprietary videoconferencing system from scratch, "because things like Skype are not secure enough for where we'd like it to be," Guido said. 

Trail of Bits and For All Secure are up against stiff competition. Raytheon, a big government contractor with heavy Pentagon cyber defense experience, has a team playing. Deep Red -- a riff off the company's logo color and the name of IBM's chess-winning computer -- won the unofficial dry run.

"We still think that we can beat them," Brumley said. "We actually really like the fact that they are doing it because it gives us a lot of extra motivation."

Hand Over the Software and Let the Chips Fall Where they May

Raytheon's team of three full-timers, and other corporate employees who pitch in as needed, mostly works out of a Florida office space. The group uses a lot of the firm's hardware while crafting its system. All teams are given the option of hosting their systems in the Amazon cloud.

Raytheon is using its own hardware because “you have a lot of control over what you do. We don’t do it because our hardware is bigger, or our hardware is faster, or smaller or slower," Deep Red team member Tim Bryant said. "We think that what’s most important is getting the algorithms right, because if you don’t have software that analyzes other software efficiently, in a sense it doesn’t really matter how much hardware you have."

Raytheon is self-funded and retains all intellectual property. Grant recipients, including the other two teams, must give the government rights to their software and technical data.

While the multinational corporation may not be a startup, its challenge participants have to think like one.

"We use our whiteboards frequently, drawing pictures and going through thought experiments," said Brian Knudson, another Raytheon player. "Inspirations come from the process of going through those thought experiments and design work and sometimes they occur out of nowhere. You could be sitting on a couch at home and it hits you."

Raytheon, a participant in the more traditional DEFCON capture-the-flag contest for six consecutive years, said it's preparing to hand over the software for the unmanned competition and let the chips fall where they may. In fact, Bryant said some of his team members might "possibly" show up for the other hands-on matches.

"With the automated capture the flag, we envision that you sort of press the button and then the machine goes and you drink lemonade or go play in the other capture the flag," he said.
