Pentagon pursuing umbrella defense in fighting hackers

It’s enlisting best brains to develop system to find, fix chinks in software

WASHINGTON -- So far, the cybersecurity war has been a lopsided rout. And it's the bad guys who are on an epic winning streak.

They've hacked into retailers, looting credit card information from Target and Home Depot, and have stolen sensitive patient data from major health insurers. They've hit Hollywood, the news media, the Pentagon. And in one of the largest attacks against the federal government, they recently rooted around in the databases of the office of personnel management.

But now the Pentagon research agency that invented the Internet is trying to figure out how to protect it.

The agency's conclusion: We're doing cybersecurity all wrong.

Today, most network protective systems are like fire alarms; they sound when there's smoke, and then the firefighters arrive to extinguish the flames. But the Defense Advanced Research Projects Agency, dubbed the "Department of Mad Scientists," envisions a giant, automated computer system that not only detects the smoke, but prevents the fire -- or snuffs it out almost immediately.

"The computer security industry is basically a bunch of automated detectors set up to let us know when it's time to call the cavalry -- those people who can do the job computers can't," said Michael Walker, a Defense Advanced Research Projects Agency program manager. "And when we call in the cavalry, most of the time we've already lost."

To build a fully automated, computer-driven system that would find bugs in software and patch them on its own, the agency has invited teams from all over the country to compete in a cyber battle it calls the Grand Cyber Challenge, with a $2 million first prize.

The goal is to level a playing field that today is wildly in favor of hackers, Walker said. If a computer system could be envisioned as being 1 million miles long, he said, hackers have to find only a single crack, while "the defense has to guard the entire wall."

Only a computer system is capable of the immense task of finding all of the cracks and patching them before they can be exploited, he said.

The Defense Advanced Research Projects Agency started with more than 100 teams when it began the program a year ago. On Wednesday, it announced the seven finalists chosen to compete in the competition next year. They are an eclectic band of cyberwarriors, ranging from academics representing university computer science programs to well-known hackers and defense industry heavyweights.

Perhaps the most unlikely finalist is a two-person team made up of a computer science professor at the University of Idaho and a postdoctoral fellow. They had applied for Defense Advanced Research Projects Agency funding but were rejected "because we didn't know enough about this field," said Jim Alves-Foss, director of the university's Center for Secure and Dependable Systems.

At first he thought building an automated cybersecurity network was impossible. But it was an interesting challenge, so he tinkered with the program on nights and weekends.

Their idea was to take the software's pre-existing code and add the security techniques to it. They failed. And failed again.

But then in October, while scribbling ideas on a white board, "we had an 'ah-ha' moment," Alves-Foss said. And during a practice round in December, the team finished in second place.

Another of the finalists comes from Raytheon, the giant defense contractor, which has recently invested more than $1 billion in building up its cyberbusiness. The maker of the Patriot missile and other weapons systems wanted to protect its weapons from cyberattack. But it also has seen an opportunity to apply its expertise to commercial uses.

Cyberdefenses have become increasingly important in an age where cars, refrigerators and medical devices are all connected to the Web.

Tim Bryant, Raytheon's team leader, said the goal of the program is to ultimately "put the attacker out of business."

But just as it took years for IBM's Watson and Deep Blue computers to take on the world's best humans in Jeopardy and chess, it will be a while before a computer is ready to play cyberdefense on its own against the best hackers in the world.

And it may be impossible to build a system that can't ever be hacked.

The competition, though, is an important step in that direction, Walker said.

"The great thing about trying to kick off an industry revolution," he said, "is we're trying to make people believe that this is possible and set them on that course."

SundayMonday on 07/12/2015
