When it comes to cybersecurity, often the weakest link in the chain isn’t antivirus programs or firewalls. It’s the humans involved in the process.
Such was the case in the Target hack last December in which some 40 million credit card numbers and other valuable pieces of personal information were stolen. A subsequent investigation into the incident revealed that Target’s recently installed, state-of-the-art cybersecurity system accurately identified the security breach before the thieves absconded with the information. However, a delayed reaction from the humans overseeing the security system allowed the attackers enough time to successfully make their getaway.
With Web systems becoming increasingly integrated into everyday life, the U.S. military is keenly aware of the havoc cyberattackers can potentially wreak.
That’s why the Defense Advanced Research Projects Agency (DARPA) has just launched a two-year scientific development competition, encouraging top security researchers to come up with a new, fully automated defense system that can immediately identify and neutralize threats without human intervention.
“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere—a process that can take months from the time an attack is first launched,” said Mike Walker, DARPA program manager, in a written statement. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”
DARPA wants to jumpstart scientific development in this area by offering a $2 million grand prize to the team that can come up with the most effective automated defense system. So far, more than 30 teams have signed up to participate in the so-called Cyber Grand Challenge. Most of the teams are composed of university or private researchers. The competition will take place over the next two years, with the finals being held as a capture-the-flag style tournament at the Def Con hacker conference in Las Vegas in 2016.
Similar past competitions have been used to spur scientific development in other areas. In the late 1990s and early 2000s, for example, the Ansari X-Prize helped fuel the development of private spacecraft.
In addition to the $2 million grand prize, DARPA will give out $1 million and $750,000 awards to the second- and third-place teams, respectively.
It’s understandable why DARPA and other agencies would want a speedier response to cyber attacks. However, there are skeptics who question the wisdom of removing humans from the cyber defense equation altogether.
Back in March, Edward Kiledjian, the chief information security officer for Bombardier Aerospace, another firm that uses FireEye, told Bloomberg Businessweek that it was not uncommon for security teams to turn off such automatic response features in order to maintain total control. However, that comes with the added pressure of making sure human responses are quick and diligent.
“Typically, as a security team, you want to have that last decision point of ‘what do I do,’” Kiledjian said.
Still, having a human manning the controls is not a foolproof plan. In the Target case, security team members could have automatically neutralized the attack, had they not turned off an automatic response feature in the company’s recently installed, $1.6 million FireEye security program.