The Senate Commerce Committee approved last week what could prove to be an essential piece of legislation for cybersecurity researchers: The Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems, or Cyber LEAP Act of 2020. Sponsored by Commerce Committee Chairman Roger Wicker (R-MS) and Senators Cory Gardner (R-CO) and Jacky Rosen (D-NV), the bill establishes a national series of Cybersecurity Grand Challenges so that the country can “achieve high-priority breakthroughs in cybersecurity by 2028.”
The challenges set up under the legislation will offer prizes, including cash and non-cash prizes, to competition winners, although the prizes aren’t yet spelled out. The legislation directs the secretary of commerce to set up the competitions in six key areas:
- Economics of a cyber attack, focused on building more resilient systems while raising the costs for adversaries
- Cyber training, to give Americans digital security literacy and boost the skills of the cyber workforce
- Emerging technology, to advance cybersecurity knowledge in emerging technologies such as artificial intelligence
- Reimagining digital identity, aimed at protecting the digital identities of US internet users
- Federal agency resilience, to reduce cybersecurity risks to federal networks and improve the federal response to cyberattacks
- Other challenges as determined by the secretary of commerce
Transforming society’s approach to security
The legislation further says the commerce secretary should consider the recommendations of a 2018 report produced by the National Security Telecommunications Advisory Committee entitled NSTAC Report to the President on a Cybersecurity Moonshot. That report recommended an approach called the “Cybersecurity Moonshot” named after NASA’s efforts to send a man to the moon.
Unlike a moon landing, the cybersecurity moonshot outlined in the 2018 report seeks societal transformation rather than one big, recognizable triumph. The moonshot approach outlined by NSTAC should also result in a clear, strategic “whole of nation” framework to help the government, private industry, academia, and civil society achieve the objectives of the moonshot, according to the report.
The NSTAC report was an industry-led initiative, spearheaded by executives from Unisys and Palo Alto Networks and governed by a committee of industry and government representatives from AT&T, Microsoft, Raytheon, CenturyLink, McAfee, Neustar, NSA and other organizations. The use of competitions or challenges to achieve strategic goals is “a well-established model for accelerating whole-of-nation innovation in critical areas,” Ryan Gillis, vice president, cybersecurity strategy and global policy, Palo Alto Networks, tells CSO.
Grand cybersecurity challenges are a recent phenomenon. The first and, so far, only big Cyber Grand Challenge (CGC) was created by the Defense Advanced Research Projects Agency (DARPA) and culminated in a final contest in 2016 at the 24th DEF CON in Las Vegas. The goal was to host the “world’s first automated network defense tournament,” modeled on the hugely popular capture-the-flag contests held at most major hacking conferences, including DEF CON.
The original Cyber Grand Challenge (CGC) offered a $2 million prize to the winning team, $1 million for the second-placed team, and $750,000 for the third-placed team. The CGC teams fielded fully automated systems (DARPA called them "cyber reasoning systems") that, with no human in the loop during the final, had to find and exploit flaws in the other teams' services while patching the same classes of vulnerabilities in their own services, and do both without breaking the services' normal functionality.
ForAllSecure, a cybersecurity start-up that had its roots in the academic corridors of Carnegie Mellon University (CMU), developed the winning system called Mayhem. The importance of ForAllSecure’s breakthrough was validated even further earlier this month when the Defense Innovation Unit awarded it a $45 million contract to perform cybersecurity testing on Defense Department weapon systems’ applications.
Cyber Grand Challenges will be “authentic”
The lead for the ForAllSecure team during CGC, and the company’s CEO, is David Brumley, a professor of electrical and computer engineering at CMU and the faculty advisor to the school’s hacking team, which has walked away with five championships at the top hacking competition held each year at DEF CON. Brumley thinks that games, and in particular the branch of mathematics called game theory, can help the US government protect the nation by advancing knowledge in offensive and defensive cybersecurity.
“I’m pretty excited that Congress is getting involved because I think that is the right level. That’s definitely even a bigger step than the Cyber Grand Challenge, which grew organically,” Brumley tells CSO. “But they have to be careful in the way that they run it so that it inspires innovations.”
To Brumley’s way of thinking, one key to the original CGC’s success was its leader Mike Walker, who is now at Microsoft but back then was spearheading the competition at DARPA. “He was authentic in the field. In particular, he was authentic in the hacker field,” Brumley says. “If you bring in a CISO from Walmart and you bring in a CISO from Symantec, none of the people who are out there in the field exploiting stuff or out there in the field defending against it are really going to care.”
Another model that shows how federal government-backed contests and competitions can advance cybersecurity is the President’s Cup Cybersecurity Competition, which was established by executive order in 2019 and run out of the newly created Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security. The first President’s Cup contest was held last year and drew more than 1,000 individuals and 200 teams. The individuals and teams were given a series of challenges to solve, with the winners snagging $25,000 in prize money.
The President’s Cup did not, however, achieve its objective to come up with cybersecurity innovation, Brumley says. “I think what happened with the President’s Cup is that it was very inauthentic,” he said. “The people who ran it had never entered a hacking contest before, had never won a hacking contest before, so the best teams did not participate.”
A key element in guiding a real cybersecurity competition toward success is figuring out how to transition from science to practice. “So, we struggled for a little bit after CGC, and I think the government did as well, with ‘what’s the transition plan?’” Brumley said. “How do we bridge the valley of death between science experiment…showing the art of the possible and something that people can use.”
It could be a while before the contests reach that stage because the Cyber LEAP Act of 2020 still has a way to go before becoming reality. The bipartisan bill has moved from committee to the Senate floor, where it will await passage, no sure thing in the current crisis-driven legislative environment.
Copyright © 2020 IDG Communications, Inc.