The White House has announced a contest incentivizing the development of new artificial intelligence systems designed to hunt for software vulnerabilities in critical infrastructure. The “AI Cyber Challenge” will be a two-year government-sponsored competition designed to spur the creation of new automated security solutions that can protect some of the country’s most sensitive web-connected systems.
The contest, which was publicly announced Wednesday at 2023’s Blackhat USA cybersecurity conference, will be operated by DARPA, the Defense Department’s research and development agency, and will hand out nearly $20 million in prizes to top-performing contest participants, with the winner getting a total of $4 million in prize money.
Advertisement
In a call with reporters on Tuesday, White House officials expressed hope that the new program would be a first step towards creating previously unheard-of cyber defenses. Anne Neuberger, deputy national security advisor for Joe Biden’s White House, said that she felt the challenge would help America “stay ahead in the race against our adversaries’ cyber offensive capabilities.”
Defending critical infrastructure…with a little help from Silicon Valley
The new AI cyber challenge (which is being abbreviated “AIxCC”) will have a number of different phases. Interested would-be competitors can now submit their proposals to the Small Business Innovation Research program for evaluation and, eventually, selected teams will participate in a 2024 “qualifying event.” During that event, the top 20 teams will be invited to a semifinal competition at that year’s DEF CON, another large cybersecurity conference, where the field will be further whittled down.
Advertisement
Advertisement
Interestingly enough, a number of prominent AI-focused companies have partnered with the government to assist with the contest. Google, Microsoft, OpenAI (which is itself entwined with Microsoft), and Anthropic (which has been heavily funded by Google) will be “lending their expertise and making their cutting-edge technology available” to contest participants, said the White House in a press release Wednesday. The companies have offered to open up their software systems to contest participants, who can use the software in the crafting of their new security solutions. These same companies also recently took part in a White House summit where participants agreed to a vague set of industry “commitments” designed to stave off the destructive capabilities that AI poses. At that summit, one of the central areas of discussion was also the intersection between AI and cybersecurity.
To secure the top spot in DARPA’s new competition, participants will have to develop security solutions that do some seriously novel stuff. “To win first-place, and a top prize of $4 million, finalists must build a system that can rapidly defend critical infrastructure code from attack,” said Perri Adams, program manager for DARPA’s Information Innovation Office, during a Zoom call with reporters Tuesday. In other words: the government wants software that is capable of identifying and mitigating risks by itself.
The focus of this project (critical infrastructure code) is an important one. In cybersecurity, the term “critical infrastructure” refers to vital industrial systems—things like power grids, oil pipelines, water supplies, and other important digitally-connected physical systems. In recent years, cyberattacks on such systems have become more and more routine. Most notably, the 2021 ransomware attack on Colonial Pipeline, which occurred during Biden’s first year in office, threatened to cut off vital energy flows throughout large parts of the southeastern United States and was considered a wakeup call for those in the industrial security sector.
Automating cybersecurity
It’s easy to see this contest as an attempt by the Biden administration to kill two birds with one stone. While the White House has previously made it known that it wants to beef up critical infrastructure security, there’s also been a lot of chatter about what AI can do to automate the cybersecurity field. If successful, this contest could accomplish both of those goals at once.
Advertisement
Technically speaking, the new program promises to automate the process of bug hunting, which has long been an imperfect art. Right now, the internet is positively swimming with security holes and the only bulwark against those holes are so-called “bug hunters,” security-minded nerds that search for and report vulnerabilities to impacted companies (usually for a small fee). The future that the new DARPA contest envisions is one in which automated systems scan for, uncover, and “fix” vulnerabilities with rapid speed, hopefully beating out ill-intentioned cybercriminals or nation-state threat actors that wish to exploit the bugs to wreak havoc.
That said, it’s unclear how some of the still less-than-perfect elements of existing AI systems may impact the shape of the solutions that are developed. Artificial intelligence is still in its infancy, really, and it hasn’t been made entirely clear yet how competition participants will actually be using the AI systems provided by some of Silicon Valley’s heaviest hitters. In short: how this all shakes out is still unknown but, suffice it to say, competition members will be boldly going where infosec has never gone before.
Services Marketplace – Listings, Bookings & Reviews