The technology research arm of the U.S. Department of Defense has launched a cyber-security grand challenge—a contest to take on a fundamental problem in cyber-security—tasking teams to create a system capable of automatically defending a network by generating security patches.
Modeled after the grand challenges for the development of automated vehicles and cheap space flight, the Defense Advanced Research Projects Agency (DARPA) contest aims to help give companies, academic institutions and government agencies the ability to react to vulnerabilities in near real time. DARPA envisions the winning system as one that finds vulnerable software, generates a patch for the issue and plugs the holes. The top-three teams in the event will split $3.75 million in prize money, with the top team taking home $2 million.
“The growth trends we’ve seen in cyber-attacks and malware point to a future where automation must be developed to assist IT security analysts,” Dan Kaufman, director of DARPA’s Information Innovation Office, said in a statement.
The announcement of the Grand Challenge came three weeks after noted computer scientist Eugene Spafford lamented the lack of progress in computer security since the Morris Internet worm on Nov. 2, 1988. A decade ago, the Computer Research Association and the National Science Foundation created a list of four Grand Challenges in cyber-security, none of which has seen appreciable progress in the past 10 years, Spafford wrote in a blog post. The challenges were to stop epidemic-style worm and virus attacks, develop highly trustworthy systems capable of securely handling critical functions, create security risk management systems that are as good as financial risk management systems, and deliver to end users the ability to easily control their privacy and security.
“I would argue—without much opposition from anyone knowledgeable, I daresay—that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two,” he wrote. “Why is that? Largely economics, and bad understanding of what good security involves.”
In the DARPA competition, the research agency will create a set of digital attack simulations against which the automated systems have to defend. In the first event, the teams will have to automatically analyze software programs and find vulnerabilities, with later simulations requiring that contenders automatically patch the software’s vulnerabilities.
The DARPA challenge, however, will not likely solve any of the fundamental problems in security because it is not a grand-enough challenge, said Michael Davis, chief technology officer for CounterTack, a cyber-security consultancy.
“I believe they are missing the largest part of the problem: the attacker,” he said in a statement sent to eWEEK. “New weapons move the arms race forward, but the fact still remains that attackers will undoubtedly continue to research and identify new ways to breach enterprise security and those ways might not be detected by the automated capabilities from DARPA making it ineffective.”
Rather than focus on vulnerabilities, the challenge should focus on finding and detecting bad behaviors on the systems, he said.