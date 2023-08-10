

The Defense Department kicked off a two-year competition on Wednesday that seeks to harness the power of artificial intelligence for cybersecurity, putting up nearly $20 million worth of prize money.

The Defense Advanced Research Projects Agency (DARPA) is leading the competition in collaboration with top AI companies Anthropic, Google, Microsoft and OpenAI, which are making their technology available to participants in what’s known as the AI Cyber Challenge (AIxCC).

“If we’re successful, I hope to see AIxCC not only produce the next generation of cybersecurity tools in this space, but show how AI can be used to better society by here defending its critical underpinnings,” Perri Adams, the DARPA program manager leading AIxCC, told reporters.

The AI cyber challenge arrives as the cyber world grapples with AI’s influence on security. Some companies have embraced AI as part of their defensive offerings, but there are also worries about malicious hackers leveraging AI for nefarious purposes.

Officials announced the challenge at the Black Hat cybersecurity conference in Las Vegas. It’s one of two significant announcements so far that federal government cyber leaders are making at the convention, with another today: Agencies are requesting outside perspectives on open-source software security and safer programming languages.

The challenge

Here’s the timeline:

There will be a qualifying event in the spring of 2024.

Up to 20 of the top-scoring teams will advance to the semifinals at another cyber conference, Def Con, in 2024.

From there, the top five teams will each receive prize money and advance to the finals at Def Con 2025. The top three finishers will get additional prize money; the top prize is $4 million.

The competition is also setting aside $7 million to fund small businesses so they can compete.

The Open Source Security Foundation, a project of the Linux Foundation, will advise on the challenge, and the challenge will ask winners to open-source their systems so that everyone can use the innovations the challenge produces. “Open-source software makes the majority of the code we run every day and it plays a deeply important role in the software supply chain,” Adams said, explaining the foundation’s involvement. It also ties the two government Black Hat announcements together.

The AI companies that are contributing to the challenge naturally praised it. Here’s Royal Hansen, vice president of privacy, safety and security engineering at Google:

Exciting news out of #BlackHat this morning: @Google is partnering w/ @DARPA and industry partners for its upcoming AI cyber challenge. Security work is done better together & I look forward to seeing all the great insights that come from this initiative: https://t.co/j5NqfxKGK2 — Royal Hansen (@royalhansen) August 9, 2023

“The competition will be a clarion call for all kinds of creative people and organizations to bolster the security of critical software that American families and businesses and all of our society relies on,” Arati Prabhakar, director of the White House Office of Science and Technology Policy, told reporters.

DARPA previously held a multiyear “all-machine” Cyber Grand Challenge (CGC) that launched in 2013. First prize then was $2 million.

“I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyberdefense is indeed possible,” Mike Walker, the DARPA program manager who launched that challenge, said in 2016 at the conclusion of the competition.

“In the same way that the Wright brothers’ first flight — although it didn’t go very far — launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyberdefense,” Walker said, billing it as a “revolution in software security.” “That is a huge advance compared to where the cyberdefense world was yesterday.”

The second announcement

Today brings the announcement of a “request for information,” or RFI, on open-source security and memory-safe programming languages. Memory-safety bugs, the class of flaw those languages are designed to rule out, are widely regarded as one of the most consequential security problems in cyber.

This one’s being led by the Office of the National Cyber Director, in partnership with the Cybersecurity and Infrastructure Security Agency, the National Science Foundation, the Office of Management and Budget and yep, there’s DARPA again.

“The Biden administration has made securing the open-source software ecosystem a priority,” said Kemba Walden, acting national cyber director. “This RFI is an opportunity for the U.S. Government to listen and learn from a diverse and multidisciplinary group of stakeholders as they share their expertise on this important topic.”

Replies are due Oct. 9.

The keys

Northern Ireland police service accidentally releases list of officers’ data

Police in Northern Ireland apologized for accidentally leaking the personal data of all of their officers in the province, our colleague Karla Adam reports.

Karla writes: “The Police Service of Northern Ireland was responding to a Freedom of Information request when a staffer gave the surnames, initials, ranks or grade and work locations of all 10,000 of its police officers and civilian employees.”

The data was publicly available for several hours Tuesday and PSNI officials urged anyone with the information to delete it immediately.

“As a service, we are acutely aware of the seriousness of this breach and have declared it to be a critical incident,” said Chris Todd, the assistant chief constable of the force.

The breach is especially sensitive in Northern Ireland because it is considered the only U.K. province with a “severe” terrorist threat, Karla writes.

“Intelligence agencies raised the threat level in March, shortly after the new IRA, a small Irish republican paramilitary group, claimed responsibility for shooting and seriously wounding a senior police detective,” the report says.

Details of a separate PSNI breach surfaced Wednesday. As Karla writes: “The police said they were investigating the theft of a police-issued laptop and documents that had the names of over 200 officers and staff members. They were thought to have been stolen in July from a private car.”

The news comes the day after the U.K.’s Electoral Commission said hackers accessed emails and voter information in a cyberattack the organization discovered in October.

U.S., Poland dismantle major bulletproof hosting service

The popular bulletproof hosting service known as “LolekHosted” was taken down by U.S. and Polish authorities this week, the Record’s Jonathan Greig reports.

“This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service — Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted,” according to the site’s banner page. An IRS spokesperson also confirmed the takedown to the outlet.

The U.K.-based site has been regarded as a major bulletproof hosting service, a type of provider that is laissez faire about the types of content that are uploaded and exchanged on its platforms while keeping their users’ identities anonymous.

They are considered difficult to take down even when law enforcement intervenes, because such providers are often beyond the reach of mainstream internet jurisdictions.

These services have frequently provided tools for cybercriminals and have served as gathering spots for hackers to plan cyberattacks, though, as Greig notes, “U.S. authorities have made a point of going after the people behind bulletproof hosting services, extraditing those involved and handing out lengthy sentences.”

The Justice Department in June, for instance, “sentenced 39-year-old Mihai Ionut Paunescu to three years in federal prison for his role in helping run” Powerhost, another bulletproof hosting service, according to the report.

The FBI declined to comment to the Record on the takedown notice, while Polish authorities did not respond to the outlet’s requests for comment.

Biden order sets stage for restricted U.S. tech investments to China

President Biden on Wednesday signed an executive order curbing U.S. investment flows to key tech sectors in China in a move that seeks to blunt Beijing’s military and intelligence capabilities, our colleagues Ellen Nakashima and David J. Lynch report.

The order, set to take effect next year, authorizes the Treasury Department to regulate U.S. investments in three types of Chinese companies: quantum computing, artificial intelligence related to military uses and advanced semiconductors.

The agency on Wednesday began seeking comments on how to implement the directive, which would require U.S. venture capitalists and other investors to notify the agency of planned investments toward Chinese firms in those sectors.

“The White House order comes amid a tenuous thaw in a relationship marked by on-again, off-again engagement, which was frustrated by the appearance of a Chinese surveillance balloon over the continental United States earlier this year,” Ellen and David write.

Chinese officials pushed back against the move. “The U.S. habitually politicizes technology and trade issues and uses them as a tool and weapon in the name of national security,” Chinese Embassy spokesperson Liu Pengyu told our colleagues. Meanwhile, China hawks in Congress argue the order — which does not cover biotechnology or energy — doesn’t go far enough, the report adds.
