Our local and state level government systems are hacked and held ransom with disheartening regularity. At the Black Hat USA Conference in Las Vegas on Wednesday, the Biden Administration revealed its plans to better defend the nation’s critical digital infrastructure: It's launching a DARPA-led challenge competition to build AI systems capable of proactively identifying and fixing software vulnerabilities. That’s right, we’re having a hackathon!
The “AI Cyber Challenge” (AIxCC) is a two-year development program open to competitors throughout the US. It’s being hosted by DARPA in collaboration with Anthropic, Google, Microsoft and OpenAI. Those companies are providing both their expertise in the field and access to their AI technologies.
“The challenge is critical in bringing together the cutting-edge in automatic software, security and AI, which will empower our cyber defenses by being able to quickly exploit and fix software vulnerabilities,” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said during a press call Tuesday.
“This is one of the ways that public and private sectors work together to do big things to change how the future unfolds,” Arati Prabhakar, Director of the White House Office of Science and Technology Policy, added. “That's why the White House asked DARPA to take on the critical topic of AI for cybersecurity.”
White House officials concede that properly securing the nation’s sprawling federal software systems against intrusion is a daunting task. “They don't have the tools capable of security at this scale,” Perri Adams, Program Manager, Information Innovation Office, DARPA, said during the call. “We've seen in recent years, hackers exploiting the state of affairs, posing a serious national security risk.”
Despite those vulnerabilities, “I think we have to keep one step ahead and AI offers a very promising approach for that,” Adams said. There’s nearly $20 million in prize money up for grabs. And to ensure that the competition isn’t dominated by the teams with the deepest pockets, DARPA is making $7 million available to small businesses who want to compete as well.
The research agency will hold an open qualifying event next spring where the top-scoring teams (up to 20 can potentially qualify) will get invited to the semifinals at DEF CON 24. That cohort will be whittled down to the top five teams, who will win monetary prizes at the competition and be invited back to DEF CON 25 for the finals. The top three scoring teams from DC25 will win even more money. You land first place, you get $4 million — but to do so, your AI had better be able to “rapidly defend critical infrastructure codes from attack,” per White House officials. Ideally, the resulting system would scour networks seeking out and autonomously repairing any software security bugs it finds.
The winning team will also be strongly encouraged to open-source their resulting program. The competition is bringing on The Open Source Security Foundation (OpenSSF), a Linux Foundation project, as an advisor to the challenge. Their job is to help ensure that the code is put to use immediately, “by everyone from volunteer, open-source developers to commercial industry,” Adams said. “If we're successful, I hope to see AIxCC not only produce the next generation of cybersecurity tools in this space, but show how AI can be used to better society by defending its critical underpinnings.”
“The president has been completely clear that we have got to get AI right for the American people,” Prabhakar said. Last fall the Biden White House unveiled its Blueprint for an AI Bill of Rights, which defined the Administration’s core values and goals on the subject. Follow-up efforts included pushing for an AI risk management framework and investing $140 million in establishing seven new national research institutes dedicated to AI and machine learning. In July, the White House also wrangled a number of leading AI companies to agree to (non-binding) assertions that they will develop their products responsibly.