Seven teams from around the United States have earned the right to play in the final competition of DARPA's Cyber Grand Challenge (CGC), a first-of-its-kind tournament designed to speed the development of automated security systems able to defend against cyberattacks as fast as they are launched. The winners successfully squared off against dozens of other teams for the opportunity to compete head to head next year for nearly $4 million in prizes — and the chance to help revolutionize cybersecurity going forward.
Computers are important for detecting known network vulnerabilities and the swarms of malicious programs that are constantly seeking to take advantage of those weaknesses, but cyber defense today still ultimately depends on experts to patch those weaknesses and stymie new attacks — a process that can take months or longer, by which time critical systems may have been breached. CGC aims to automate the cyber defense process to identify weaknesses instantly and counter attacks in real time.
Out of 104 teams that had originally registered in 2014, 28 teams made it through two DARPA-sponsored dry runs and into last month's CGC Qualifying Event. In that contest, teams tested the high-performance computers they had built and programmed to play a round of "capture the flag" (CTF) — a game that experts use to test their cyber defense skills. CTF games require competitors to reverse engineer software created by contest organizers and locate and heal its hidden weaknesses in networked competition. The CGC final event will take place in Las Vegas in August 2016, in conjunction with DEFCON, home of the longest-running annual CTF competition for experts.
"After two years of asking 'What if?' and challenging teams around the world with a very difficult series of preliminary events, we've shown that there is a place for computers in an adversarial contest of the mind that until now has belonged solely to human experts," says Mike Walker, DARPA program manager. "As we had hoped when we launched this competition, the winning teams reflect a broad array of communities — academic pioneers of the field, security industry powerhouses, and veterans of the CTF circuit, each of which brings to CGC its own strengths."
Each team designed an innovative system that achieves, to varying degrees, the difficult task of finding and fixing software safety problems in the kind of code used everywhere every day. "The results bode well for an exciting competition next year and confirm the value of using a grand challenge format," Walker says. "With no clear best approach going in, we can explore multiple approaches and improve the chances of producing groundbreaking improvements in cybersecurity technology."
The CGC Qualifying Event from which the seven winning teams emerged:
Most CGC competitors entered on an open track available to self-funded teams, while seven teams participated on a funded track with DARPA support. The three funded-track teams heading to the CGC finals are:
The four winning open-track teams are:
Each qualifying team will receive $750,000 to help them prepare over the next 13 months for the CGC final competition. They will have the opportunity to access a specialized IT infrastructure, a "digital arena" in which they can practice and refine their systems against dummy opponents that DARPA is providing. For its part, DARPA is developing custom data visualization technology to make it easy for spectators — both a live audience and anyone watching the event's video stream worldwide — to follow the action in real time during the final contest.
The winning team from the CGC final competition will receive $2 million. Second place will earn $1 million and third place $750,000. More important to Walker than the prize money, however, is igniting the cybersecurity community's belief that automated cybersecurity analysis and remediation are finally within reach.
"We want an automation revolution in computer security so machines can discover, confirm and fix software flaws within seconds, instead of waiting up to a year under the current human-centric system," Walker says. "These capabilities are essential for protecting data and processes as more and more devices, including vehicles and homes, get networked in the 'Internet of things.'"
No entries found