So far, the cybersecurity war has been a lopsided rout. And it’s the bad guys who are on an epic winning streak.
They’ve hacked into retailers, looting credit card information from Target and Home Depot, and stolen sensitive patient data from major health insurers. They’ve hit Hollywood, the media, the Pentagon. And in one of the largest attacks against the federal government, they recently rooted around in the databases of the Office of Personnel Management.
But now the audacious Pentagon research agency that invented the Internet is trying to figure out how to protect it.
The agency’s conclusion: We’re doing cybersecurity all wrong.
Today, most network protective systems are like fire alarms; they sound when there’s smoke, and then the firefighters arrive to extinguish the flames. But the Defense Advanced Research Projects Agency, dubbed the “Department of Mad Scientists,” envisions a massive, automated computer system that not only detects the smoke, but prevents the fire from happening in the first place — or snuffs it out almost immediately.
“The computer security industry is basically a bunch of automated detectors set up to let us know when it’s time to call the cavalry -- those people who can do the job computers can’t,” said Michael Walker, a DARPA program manager. “And when we call in the cavalry, most of the time we’ve already lost.”
To build a fully automated, computer-driven system that would find bugs in software and patch them on its own, DARPA has invited teams from all over the country to compete in a major cyberbattle it calls the Grand Cyber Challenge, with a $2 million first prize.
The goal is to level a playing field that today is wildly in favor of hackers, Walker said. If a computer system could be envisioned as being 1 million miles long, he said, hackers only have to find a single crack, while “the defense has to guard the entire wall.”
Only a computer system is capable of the immense task of finding every crack and patching them before they can be exploited, he said.
DARPA initially started with more than 100 teams when it began the program a year ago, but the field was quickly whittled down. On Wednesday, it announced the seven finalists chosen to compete in the competition next year. They are an eclectic band of cyberwarriors, ranging from academics representing major university computer science programs to well-known hackers and defense industry heavyweights.
Perhaps the most unlikely finalist is a two-person team made up of a computer science professor at the University of Idaho and a post-doctoral fellow, who had applied for DARPA funding but were rejected “because we didn’t know enough about this field,” said Jim Alves-Foss, director of the university’s Center for Secure and Dependable Systems.
At first he thought building an automated cybersecurity network was impossible. But it was an interesting challenge, and so he tinkered with the program on nights and weekends. “We played with it to see what we could do,” he said.
Their idea was to take the software’s preexisting code and then add the security techniques to it. They failed. And failed again.
But then in October, while scribbling ideas on a white board, “we had an ‘Ah-ha’ moment,” Alves-Foss said. And during a practice round in December, the team finished in second place.
Going up against such giants in the hacking world was “intimidating,” he said. “These are people whose papers I’ve been reading for years."
Another of the finalists comes from Raytheon, the giant defense contractor, which has invested $3.5 billion into building up its cyberbusiness over the past decade. The maker of the Patriot missile and other major weapons systems started out defending its own networks and products. But it also has seen a huge opportunity to apply its expertise to commercial uses as well.
It has built a 30,000-square-foot cybercenter, which Jack Harrington, the vice president for cybersecurity and special missions, called a "live-fire cyber range" where they focus on "hard-core systems engineering and hard-core vulnerability assessments."
Robust cyberdefenses have become increasingly important during the age of the “Internet of Things,” where cars, refrigerators and medical devices are all connected to the Web.
Tim Bryant, Raytheon’s team leader, said the goal of the program is to ultimately “put the attacker out of business.”
But just as it took years for IBM’s Watson and Deep Blue to take on the world’s best in Jeopardy and chess, it will be a while before a computer is ready to play cyberdefense on its own against the best hackers in the world at “capture the flag” contests at places such as the DefCon Conference.
And it may be impossible to build a system that can’t ever be hacked.
The competition, though, is an important step in that direction, Walker said.
“The great thing about trying to kick off an industry revolution,” he said, “is we’re trying to make people believe that this is possible and set them on that course.”