capture the cyber flag (1)Capture the Flag (CTF) is one of the simplest games children play. Based on the history of warfare in which capturing the enemy’s flag effectively ended a battle, some variant of the game is played in countries around the world. In recent times, adults have created more sophisticated versions of the game, and in all likelihood, the most sophisticated, and certainly best known in cyber circles, is the game played at the famous annual DEF CON hacking conference. The DEF CON CTF pits teams of hackers against each other to attack and defend computers and systems.

This year, just before the conference began, the US Defense Advanced Research Projects Agency (DARPA) sponsored a different sort of competition, the first all-machine hacking tournament. DARPA offered a $2 million prize to the team that won its version of Capture the Flag, called “The Cyber Grand Challenge.” Seven competitors entered the contest, and seven high performance computers competed.

The attraction to computers is obvious. Defending against threats and addressing vulnerabilities takes enormous amounts of time, and there are a limited number of humans who have the appropriate skills. It’s estimated that more than one million jobs are going unfulfilled in computer security worldwide. Moreover, the lag time from threat detection to resolution takes months, which provides a huge advantage and incentive to cyber criminals. If cyber defenses could be automated, with machines that can discover and fix software flaws in real-time, that would be a game-changer.

The highly anticipated Cyber Grand Challenge was a huge hit. Writing in The Christian Science Monitor, Sara Sorcher reported, “In a sign of what’s to come, the crowd went wild when the supercomputer robots found flaws that the judges didn’t even know were there.” Spectators were excited over seeing what they perceived as a transformative moment. “It’s really going to change us as a society,” said an audience member who identified himself as Baset. “I can only think of how this will look in five or 10 years. This kind of technology is going to enable countries that aren’t superpowers to level the playing field. The theme of DEF CON is really the rise of the machines, and I’m getting that sense here.”

So who won the $2 million prize? The chillingly named Mayhem, built by a team of Pittsburgh- based researchers called the ForAllSecure team, who used technology from Carnegie Mellon University.  Mike Walker, the DARPA program manager who launched the challenge, hailed the results saying, “I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible…The effort by the teams, the DARPA leadership and staff, and all the hundreds of people who helped make this unique, open-to-the-public test happen was enormous. I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today.”

How quickly will that day come? Well, Mayhem was invited to participate in this year’s DEF CON Capture the Flag competition, marking the first time a machine was allowed to play in that historically all-human tournament. In an intensely spirited competition the team from Carnegie Mellon won—but not that team.  Carnegie Mellon’s competitive computer security team, The Plaid Parliament of Pwning, won its third title. Mayhem finished near the bottom. Humans rule for at least one more year.

By Tom Davis, SDI Cyber Risk Practice
August 9, 2016