WHY THIS MATTERS IN BRIEF
DARPA’S Cyber Grand Challenge is over but the winner is still no match for humans.
The Heartbleed security bug existed in many of the world’s computer systems for nearly two-and-a-half years before it was discovered and a fix circulated in the spring of 2014, by which time it had rendered an estimated half a million of the internet’s secure servers vulnerable to theft and other mischief. And while Heartbleed was in some respects an outlier, long-lived critical flaws in widely deployed bedrock internet infrastructure are not rare. Analysts have estimated that, on average, such flaws go unremediated for 10 months before being discovered and patched, giving nefarious actors ample opportunity to wreak havoc in affected systems before they move on to exploit new terrain.
The reason for these time lags? In contrast to the sophistication and automation that characterize so much of today’s computer systems, the process of finding and countering bugs, hacks and other cyber infection vectors is still effectively artisanal. Professional bug hunters, security coders, and other security pros work tremendous hours, searching millions of lines of code to find and fix vulnerabilities that could be taken advantage of by users with ulterior motives.
But what if that system of finding and fixing flaws were just as fast and automated as the computer systems they are trying to protect? What if cyber defense were as seamless, sophisticated, and scalable as the internet itself?
That’s the question that the 2016 DARPA Cyber Grand Challenge (CGC) that pitted the world’s best autonomous AI robo-hackers against each other, set out to answer, and the winning team, Carnegie Mellon University’s ForAllSecure”Mayhem” took home the $2 million grand prize.
Unlike previous CGC challenges that DARPA has run recently this particular competition focused on pitting fully autonomous “Robo-Hackers” against each other then set them loose in a threat filled environment.
In all DARPA invited seven teams to compete at Las Vegas in a 96 round game of Capture the Flag (CTF) – a time tested competitive hacking game where teams are assigned servers that must perform certain tasks while constantly being fed new code filled with bugs, security holes, inefficiencies and threats of all kinds – much like most of the firmware updates we download on a daily basis then – and each team had protect their own data at all costs while attempting to hack the other teams systems.
The difference in this game though was that the players in the game were totally autonomous, hence the term ro of-hacker. Normally a human would be looking at and correcting the code, choosing who to attack and so on but for this CGC, all that had to be done by the teams robo-hackers.
DARPA’s grand idea of course is to create AI based autonomous cyber security systems that can patch themselves, watch for intrusions and hack other systems all with minimal human interaction and after some 8 hours of battle in a ballroom in the Paris Hotel, the victor, ForAllSecure’s “Mayhem,” emerged and second place went to TechX’s Xandra.
Video: Watch the final as it unfurled, POVs and all
Here come the humans
No sooner than Mayhem was crowned the winner organisers from the DEF CON event next door invited the team to pit its smarts against the smarts of the human operators who were competing in other CTF challenges and, somewhat surprisingly Mike Walker, the manager of the DARPA CGC event promptly threw Mayhem under the bus.
“I don’t expect Mayhem to finish well,” he said in the DARPA press release.
“This competition is played by masters and this is their home turf. Any finish for the machine save last place would be shocking.”
Not the nicest thing to say about a champion AI that just took first place in an incredibly sophisticated virtual game, but he probably knows what he’s talking about and as you can see from the results table below, and, as predicted, Mayhem tanked.
— Vito Genovese (@Vito_lbs) August 7, 2016
Walker then went on to say, “unlike the case with self-driving cars, where the path to full autonomy, while challenging, is now just a matter of technological advances, we still don’t know if autonomy involving the kind of reasoning that’s required for cyber defense makes conceptual sense,” Walker said.
“We certainly didn’t expect any machine to win against humans at DEF CON this year and the results bore that through. But at a minimum we’ve learnt a lot from seeing how the systems fared against each other, and if we can even provide a clear proof of concept for autonomous cyber defense then that would be revolutionary,” he said.
“In the same way that the Wright brothers’ first flight didn’t go very far but launched a chain of events that quickly made the world a much smaller place, a convincing demonstration that automated cyber defense is truly doable would be a major paradigm shift, and would speed the day when networked attackers no longer have the inherent advantage they enjoy today.”
I suppose in one way it’s good to see that in today’s cyber age it’s good to see that we humans can still best the machines, but for how much longer who knows and I’m sure it won’t be too long until we see a robe-hacker that annihilates us.
