Cyber security will soon be the work of machines

July 10, 2016
Financial Times
Anjana Ahuja

We are soon to become cogs in the “internet of things”, that futuristic, ultra-connected, sensor-filled world in which our every action is measured and our every whim anticipated. This utopia promises undreamt-of convenience (the heating switched on as the commute home begins) and perfectly tailored commerce (a boiler advertisement when the heating fails).

But there is a potential nightmare lurking in the wires: in an era of pervasive interconnectedness, a cyber attack on one machine cannot necessarily be contained. Securing cyber space is recognised as one of engineering’s top priorities.

That is why, next month, all eyes will be on the Cyber Grand Challenge in Las Vegas, a competition hosted by the research arm of the US military.

Seven teams will compete against each other on a given system, to locate cyber attacks and “patch” them in real time. And, for the first time, there will be no human fixer behind the patches, just supercomputers racing against each other. The event, which will be streamed live, is being billed as the first all-machine hacking tournament.

Computers are already used to detect vulnerabilities in networks, and to ferret out malicious software that can exploit chinks in security. Once a flaw is detected, though, the remedy requires human input — and it can take months for software engineers to effect a fix. This means the status quo favours cyber attackers over defenders.

Two years ago, the US Defense Advanced Research Projects Agency (Darpa) launched a grand challenge to develop machines that could write fixes automatically. Upgrading cyber security to the speed of machine learning, the agency said, would shift the status quo. Darpa even offered to fund the best proposals.

The agency held three qualification rounds, during which a field of 104 teams was winnowed down to seven. They vie for a cash prize of $2m.

The contestants are drawn from academia, industry and security: CodeJitsu is a group of elite programmers from the University of California, Berkeley; DeepRed comprises engineers from Raytheon, and TECHx is a bunch of software professionals from a security company in Virginia. The underdog of the septet is CSDS, a two-person team from the University of Idaho.

The tournament will take place alongside Defcon 2016, the world’s largest hackers’ convention, and is loosely modelled on the “Capture the Flag” format of cyber security competitions. The objective of such games is to infiltrate other machines and retrieve a “flag” — such as a protected file — while simultaneously protecting your own team’s flag.

The Darpa contest will pit each of the seven machines against specially written software. In the qualifying rounds, the competing teams managed to find and fix each of the 590 flaws in the test software. Moreover, the patches were written and deployed in record time.

Surrendering our cyber security to machines may be inevitable. We have gradually given up our superiority over other domains once thought impervious to computing power; look at how Google’s Alpha Go was able to overcome the world’s top-ranked player of the strategy game Go.

Mike Walker, the Darpa programme manager, says the hacking tournament similarly shows “there is a place for computers in the adversarial contest of the mind that until now has belonged solely to human experts”.

But that is the power of today’s machines: they do not think like machines any more. They think like us — only better and faster. They keep learning and they never tire. We have long debated whether machines will be our masters or our servants. Now we need to consider whether they should become our protectors.