DEF CON 24: What a Security Contest Means for the Future of Connected Devices

As Chief Information Security Officer of Uptake, where I’m responsible for corporate and product security, staying up-to-date on the latest thinking in the world of digital security is crucial to my role. Last week, I attended my 17th DEF CON conference in Las Vegas—the world’s largest annual gathering of hackers—to connect with folks in security and learn.

During my nearly 20 years in security, I’ve worn various hats—from penetration tester to incident responder. I’ve been hired throughout the years by Wall Street banks, hospitals, and global retailers to attack their systems, identify and exploit weaknesses, and then share a clear solution for how to tactically fix those weaknesses and transform their security strategy to prevent future vulnerabilities.

I was particularly interested in one of the questions at the show: will autonomous machines beat out good, old human hacking skills? 

This question is particularly relevant to Uptake because we provide predictive insights to organizations with large deployments of industrial internet devices. Researching ways to discover vulnerabilities of these devices at scale and dramatically reduce the time it takes to fix the issues is important to our success.

Beyond Uptake, this has been an ongoing question in the security industry for many years. DEF CON 24 shed some new, intriguing light on the subject.

The consensus has always been: computers will find known vulnerabilities faster and much more thoroughly than humans; however, humans will discover unknown flaws much better than computers. Many also believe that humans are better than machines at thinking through the process to fix the security flaws.

This year a single contest changed everything. This wasn’t your typical DEF CON contest. Usually, such contests are run by small, dedicated teams of volunteers organized around 6’x8’ tables. This contest was run by DARPA, the research branch of the Department of Defense. They spent more than $50 million on the organization, management, and technology needed for the event, along with about $4 million in prize money.

In short, this was a serious competition in which the successful teams had an opportunity to change the world.

The contest included seven teams, each assigned a server rack with a supercomputer armed with more than 1000 cores and a massive amount of RAM.

The rules were simple: each team was provided a system with a handful of exploitable software packages. They needed to discover the vulnerabilities, develop patches for them, and hack the other systems using exploits they also developed. They were given points for both offensive and defensive successes.

The very task of approaching an unknown piece of software, finding a critical flaw, and developing both a fix and an exploit could take a single human security team hundreds of hours to complete. In the DARPA competition, this took place over little more than a single human work day.

The winner of the competition, team Mayhem—run by a startup known as ForAllSecure—used an approach that chief information security officers (CISOs) and other people involved in operating risk-based security programs employ every day. When Mayhem discovered a flaw in software, it calculated the likelihood and impact of the other teams exploiting it. Presumably, if this was below a certain threshold it would opt not to fix the bug. Mayhem knew that by fixing an issue there was a chance that something could go horribly wrong and take down their system. As many people in our industry know, sometimes applying a security patch creates serious performance issues. Other DARPA contestants found this out the hard way.
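
The kind of patch-or-accept calculation described above, as an added example: this is not Mayhem's or ForAllSecure's code, and the scoring model, field names, and sample numbers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    p_exploit: float       # assumed per-round chance a rival first lands an exploit
    impact: float          # assumed points lost in every round the flaw is exploited
    p_patch_breaks: float  # assumed chance the patch takes the service down
    overhead: float        # assumed points lost per round to patch slowdown

def loss_if_unpatched(f, rounds):
    # P(exploited by round t) = 1 - (1 - p)^t, so exposure grows with time left.
    return sum((1 - (1 - f.p_exploit) ** t) * f.impact
               for t in range(1, rounds + 1))

def loss_if_patched(f, rounds, service_value):
    # A bad patch forfeits the service's points for the rest of the event;
    # a good one still pays its performance overhead every round.
    broken = f.p_patch_breaks * service_value * rounds
    working = (1 - f.p_patch_breaks) * f.overhead * rounds
    return broken + working

def triage(findings, rounds, service_value, threshold=0.0):
    """Rank findings by expected points saved; patch only above the threshold."""
    ranked = []
    for f in findings:
        saved = loss_if_unpatched(f, rounds) - loss_if_patched(f, rounds, service_value)
        ranked.append((f.name, "patch" if saved > threshold else "accept", round(saved, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample findings; every number here is illustrative.
FINDINGS = [
    Finding("parser-overflow", 0.30, 10, 0.02, 0.5),
    Finding("auth-logic-bug", 0.02, 10, 0.10, 1.0),
    Finding("slow-leak", 0.05, 10, 0.02, 0.5),
]

if __name__ == "__main__":
    for remaining in (10, 1):
        print(f"rounds left: {remaining}")
        for name, decision, saved in triage(FINDINGS, remaining, service_value=10):
            print(f"  {name:16} {decision:6} expected points saved: {saved:+.2f}")
```

With these sample numbers, the low-likelihood flaw with a risky patch is accepted throughout, and the moderate one flips from "patch" to "accept" once only one round remains, because there is too little exposure left to justify the patch's own risk.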

In the end, Mayhem was so far ahead of the competition that it didn’t even cost them the prize when their system stopped working for nearly half of the event.

To me, this validates that with the right analytic models and enough machine horsepower, complex problems are completely solvable—with today’s technology.

At Uptake, security is top of mind. A future in which machines will detect and fix security issues with less human interaction is a large part of my vision for our program.

The world is about to undergo rapid changes in how we approach critical problems—including those that, until recently, seemed too difficult to solve. At least, that is, without dozens, hundreds, or even thousands of humans working on them.

Today, a complex problem—such as the one attacked in the DARPA competition—can be solved without humans guiding computers to make decisions.

As environments continue to gain in complexity, human resources will be spread even thinner. We will need solutions like Mayhem to help us autonomously discover and fix the world around us.

The good news is that we are clearly on a path to making autonomous security systems a reality. For people like me who are responsible for layers upon layers of security for Uptake and our partners, this is a huge deal.

Nick Percoco is the Chief Information Security Officer at Uptake.