For any given software vulnerability, the lengthy time window from initial bug report to widespread patch deployment puts cybersecurity analysts at a significant disadvantage. In many cases a race ensues between miscreants intending to exploit the vulnerability and analysts who must assess, remediate, test, and deploy a patch before significant damage can be done. Experts follow a process that involves sophisticated reasoning followed by manual creation of each security signature and software patch — an artisanal approach that can require months and many dollars. This approach has resulted in an environment of ubiquitous software insecurity that favors attackers over defenders.
To help overcome these challenges, DARPA has launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo.
Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge weren’t initially ready to take to the highways, the first generation of automated network defense systems won’t be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a “league of their own,” allowing them to compete head-to-head to defend a network of bespoke software. DARPA plans to model the contest on today’s elite cybersecurity tournaments.
The program envisions numerous future benefits, including:
Competitors would navigate a series of challenges starting with a qualifying event in which a collection of software is automatically analyzed. Competitors would qualify by identifying, proving, and repairing software flaws. A select group of competitors who display top performance during the qualifying event would be invited to the Cyber Grand Challenge final event, slated for early to mid-2016. Each team’s system would automatically identify software flaws, scanning the network to identify affected hosts. Teams would be scored against each other based on how capably their systems can protect hosts, scan the network for vulnerabilities, and maintain the correct function of software. The winning team would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.
Realization of this vision will require breakthrough approaches in a variety of disciplines, including applied computer security, program analysis, and data visualization.
A Broad Agency Announcement (BAA) with specific information for potential competitors is available at http://go.usa.gov/WqcH. Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals.
DARPA also plans in the near future to issue a second BAA for proposals to develop technologies to support the competition. Support technologies will include accessible visualization of a real time cyber competition event as well as custom problem sets. That BAA will be available at the Federal Business Opportunities website.
The program also plans to hold two Challengers’ Days—one at DARPA’s offices in Arlington, Va., and the other on the West Coast—where interested competitors can learn more about the event.
Mr. Michael Walkermichael.firstname.lastname@example.org