With the drama but not the bruises, hacking becomes a spectator sport
DARPA staged the world's first live computer-versus-computer hacking competition in which teams battled for a multimillion dollar purse in front of thousands of cheering fans in Las Vegas.
Las Vegas — Welcome to the future of hacking, where machines are the stars and the humans are in the audience.
The night before the DEF CON hacker conference began here, seven supercomputers went head-to-head in a kind of Olympics for cybersecurity. The Cyber Grand Challenge, sponsored by the military’s futuristic research arm – the Defense Advanced Research Projects Agency – was the world’s first all-machine hacking tournament.
"Cybercasters" who channeled Monday Night Football announcers delivered the play-by-play commentary for the crowd of 5,000 spectators. But these hosts came with serious geek credentials. Astrophysicist Dr. Hakeem Oluseyi teamed up with two star hackers: Hawaii John, who rocked a bushy hipster beard, and Invisig0th whose head was shaved except for a ponytail and sported a T-shirt from the cybersecurity cult classic movie "WarGames."
Seven massive screens at the Paris Hotel ballroom showed the hosts interviewing members of the seven teams, from all over the US, that built the robots. Normally, it would take them up to a year to detect and months to fix bugs hidden in complicated computer code. But as techies relaxed on an array of leather couches munching Twizzlers, they watched visualizations showing their machines finding and vanquishing software flaws in minutes.
This time, attacks were portrayed for all to see as lines of bright, multicolored dots moving from one machine to another. There was a scoreboard, tallying points for each team, as icons marked how well the computers were defending themselves. Their arena: A huge stage built above 180 tons of water to keep the high-powered machines cool.
And the audience was loving it.
"To be quite honest, I got more excited watching #DARPACGC than the #Olympics," tweeted Capture the Flag veteran and malicious software researcher Jonathan Racicot from his handle @InfectedPackets.
Clearly, this wasn't your typical capture the flag tournament in which teams compete to quickly find and fix software bugs.
As a hacker in the audience from Sweden who identified himself only as Jonas said, it's typically "guys just at computers." For DARPA, the biggest challenge was to bring some excitement of a live sporting event to hacking and Jonas said he was impressed.
Spectators were even placing bets on their favorite teams. “I got $20 on Deep Red,” tweeted Cris Thomas from Tenable Security who goes by his hacker name Space Rogue, referring to the team of researchers from the defense contractor Raytheon.
Even the robots chimed in on social media. “I'm getting tired, already 40 rounds in the game and no end in sight. I wonder what my humans are doing…” tweeted Mechanical Phish, the robot built by the University of California Santa Barbara during the competition.
Computers that can find and repair security flaws on their own in real-time are a game-changer, especially when human hacking talent is in very short supply. There are an estimated more than one million jobs unfilled in security worldwide, at a time when companies and governments are grappling with increasingly serious breaches.
To DARPA, the agency that helped invent the internet, the $55 million spent on the competition in the last two years was worth it.
"This may be the end of DARPA’s Cyber Grand Challenge but it’s just the beginning of a revolution in software security," said program director Mike Walker. "In the same way that the Wright brothers' first flight – although it didn’t go very far – launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense."
In a sign of what’s to come, the crowd went wild when the supercomputer robots found flaws that the judges didn’t even know were there.
And the broader significance wasn’t lost on fans.
"It’s really going to change us as a society," said an audience member who identified himself as Baset. “I can only think of how this will look in five or 10 years. This kind of technology is going to enable countries that aren’t superpowers to level the playing field. The theme of DEF CON is really the rise of the machines, and I’m getting that sense here.
"We will always need humans," he continued. "But this could enable humans to spend their time doing things they should."
Jeff Moss, who founded both the Black Hat and DEF CON hacker conventions, agreed.
"Boy, wouldn’t we rather put our human resources into doing things that humans do best? Teaching other humans, explaining the business risks to companies and working on the policies – instead of spending 20 hours on the latest 15 malware variants? Wouldn’t it be great just to have a computer that can deal with that, robot to robot?" he says.
That, he says, "will be the horseless carriage area of defense." And he’s "excited to see that era ushered in."
The winner of the $2 million prize: Mayhem, built by the ForAllSecure team with technology from Carnegie Mellon University. Second place with $1 million went to a program named Xandra by the TechX team from University of Virginia and GrammaTech Inc. Mechanical Phish collected the $750,000 third-place prize.
On Friday, Mayhem will battle the humans at the annual DEF CON Capture the Flag competition. It’s the first time in the history of the competition that a computer will compete.
May the best man or machine win.