DIUx Texas Lead, US Air Force Reserve
There is no greater maxim than speed is decisive in war. However, cyber warfare today is a mostly manual process. Humans scour code to find vulnerabilities and fix problems with patches. Humans evaluate whether a patch will maintain overall system functionality, and whether a patch is performant. Human attackers exploit unpatched systems or vulnerabilities that, in some cases, have been latent in systems for over a decade.
For example, the 2017 WannaCry attack was based on a vulnerability latent in every version of Microsoft Windows since 2001. It took 16 years for a latent vulnerability to become weaponized and wreak havoc across the world. In a sense, modern cyber warfare revolves around attackers taking advantage of low-hanging fruit and defenders hoping that Microsoft will release a patch to fix their systems before it’s too late.
In the future, we won’t have the luxury of waiting 16 years to patch a bug that leads to a zero-day exploit. Humans will augment attack and defense with machine scale and artificial intelligence – as DARPA has said, to take advantage of “zero-second” vulnerabilities. The first to master autonomous cyber warfare will be able to sow disruption, gain access to communications, persist, disrupt, and alter the course of battle. Those left behind will be at a tremendous disadvantage.
Artificially intelligent cyber warfare is already here. DARPA’s Cyber Grand Challenge (CGC) had the audacious goal of building autonomous systems capable of identifying, exploiting, and mitigating previously unknown vulnerabilities. DARPA held the CGC in August 2016 with a machine-only Capture the Flag-style tournament at DEFCON 24. But is the tech ready for prime time? Congress seemed to think so. In the 2017 Senate Appropriations Committee Department of Defense Appropriations Bill, the Senate suggested that DoD explore “automated exploit generation and vulnerability identification… such as those exemplified in the Cyber Grand Challenge.” Last week, the 2019 NDAA Conference Report articulated the need for a Cyberspace Solarium Commission to give the nation a cyber warfare strategy in which zero-second attack and defense will be the norm.
Another remarkable aspect of the CGC was that it demonstrated the use of artificial intelligence for finding and remediating vulnerabilities. In its Perspectives on AI, DARPA describes three waves of AI. The first, Handcrafted Knowledge, entails reasoning over narrowly defined problems where the structure of the problem is defined by humans but the specifics are explored by machines. This is how the CGC played out; with virtually limitless ways to find and exploit vulnerabilities in the game, machines had to figure out actions would be the most lucrative. It was truly artificially intelligent cyber warfare.
For All Secure, the winner of the CGC, came out of the competition with $2 million in prize money and a long line of companies and nation-states interested in their tech. What didn’t they leave CGC with? A contract to bring their tech into the Department of Defense (DoD). DARPA's job is to prove the possible with their challenges, and that's exactly what they did in the CGC. But the DoD wasn't yet ready to accept this technology. Fortunately, the Defense Innovation Unit Experimental (DIUx) was. Leveraging Other Transaction Authority as defined in 10 U.S.C. 2371(b), DIUx launched a project called VOLTRON to find out if commercial “cyber reasoning” could be used to find and remediate previously unknown vulnerabilities in DoD weapon systems. Companies had until June 20, 2017 to respond to a single-sentence solicitation: “The Department of Defense is interested in systems to automatically find previously unreported vulnerabilities in software without source code and automatically generate patches to remediate vulnerabilities with minimal false positives.”
Sixteen companies responded to the solicitation, and twenty-six business days later, DIUx awarded a $5 million contract to prototype cyber reasoning in the DoD. One year later, DIUx has contracts with three more companies, and their tools are being prototyped in every military service. This effort has brought together some of the best vulnerability researchers in the nation, for the first time, to work from a unified platform and to share best practices.
DIUx has been charged to move at the speed of commercial innovation, and by prototyping commercialized DARPA tech back into the DoD less than one year after the conclusion of a Grand Challenge, we’re doing just that. In the sense of how Clay Christensen describes disruptive innovation, VOLTRON is disrupting DoD cybersecurity.