In the world of computer security, the bad guys are always 10 steps ahead of the good guys. But next month the mad scientists at the government’s Defense Advanced Research Projects Agency (DARPA) will bring together a group of the world’s best computer security experts to see if they can tip the scales in the good guys’ favor for once.
Dubbed the Cyber Grand Challenge (CGC), the event will determine if an autonomous program can hunt for security vulnerabilities that hackers can exploit to attack a computer, create a fix that patches that vulnerability and distribute that patch — all without any human interference.
“The idea here is to start a technology revolution,” said DARPA program manager for the CGC, Mike Walker.
What does that mean for you? Well, if all goes well, the CGC could mean a future where you don’t have to worry about viruses or hackers attacking your computer, smartphone or your other connected devices. At a national level, this technology could help prevent large-scale attacks against things like power plants, water supplies and air-traffic infrastructure.
So much code, so little time
At this point, you’re probably wondering why this is such a big deal. After all, your computer’s anti-virus program finds and fixes security holes all the time, right?
Yes and no. It’s true your own in-home anti-virus software can find security flaws and deal with them. But it takes real-live humans to design software to detect and fix those flaws.
Yes, people — albeit super smart people — are currently responsible for finding and fixing the security problems that make things like viruses and malware possible.
There are two ways companies can find security problems: proactively, that is, they actually search out flaws in operating systems or other programs; and reactively, where researchers learn about a security issue and get to work fixing it.
According to Walker, it takes security researchers an average of 312 days to discover security vulnerabilities in computer programs. During that time, hackers have the ability to do whatever they please with that flaw, whether that includes stealing Social Security information or breaking into your social media account. Even when security researchers actually know of a critical security flaw, Walker said, it takes up to 24 days to patch it.
Why does it take researchers so long to find and fix this stuff? Because the operating systems and programs you’re reading this very article on are created using millions of lines of code. And a single mistake in that code can be used to attack a computer system. To say finding those flaws is akin to finding a needle in a haystack is an incredible understatement.
And just to bring everything full circle, that means the security software on your computer can only recognize and fix security issues it has been programmed with. So while your security program may say you’re protected, you’re actually only shielded from the flaws security firms already know about.
You’re still totally vulnerable to the untold number of flaws that have yet to be discovered.
A grand challenge
That’s where the CGC comes in. The event, Walker explains, is akin to DARPA’s previous technology challenges including its famous self-driving car Grand Challenge, which began in 2004. Like that challenge, the CGC involves teams of researchers, students and programmers working to complete a specific goal.
In this case, the goal is to create a program that can sniff out software vulnerabilities, create a patch and implement it without any human intervention whatsoever. But the teams won’t be playing together. Instead, they’ll face off against each other in a form of digital capture the flag.