Inside the U.S. competition to create AI security tools
Illustration: Brendan Lynch/Axios
Generative AI's promise to automatically detect and patch security flaws in code is nearly a reality — as seen during a government-backed competition at the DEF CON hacker conference over the weekend.
Why it matters: Critical infrastructure organizations, including hospitals and water systems, are being bombarded with unsophisticated but debilitating cyberattacks.
- Automating simple cyber practices — like scanning and remediating bugs in code — can go a long way in squashing the deluge of incidents.
Driving the news: The Defense Advanced Research Projects Agency announced the finalists for its AI Cyber Challenge (AIxCC) at DEF CON on Sunday.
- The challenge awards prizes to cybersecurity teams that want to train large language models (LLMs) to detect and fix vulnerabilities in open-source code.
- Google, Microsoft, Anthropic and OpenAI provided credits to participants to help offset the costs of using their AI models in the challenge.
How it works: About 40 teams submitted projects in mid-July as part of the AIxCC's semifinalist round.
- DARPA and the Advanced Research Projects Agency for Health, a research agency within the Department of Health and Human Services, ran the program.
- DARPA and ARPA-H ran each submission through various open-source coding projects that had vulnerabilities injected into the code and scored the tools based on their ability to both identify and remediate any security flaws.
Yes, but: AIxCC operators ran these challenges in a sandboxed environment, meaning none of the vulnerable open-source projects they created ever existed in the wild.
The intrigue: The semifinalists' LLM projects discovered 22 unique vulnerabilities in the test and patched 15 of those automatically.
The big picture: DARPA believes it has a unique role in the development of AI tools for cybersecurity, Kathleen Fisher, office director for the agency's Information Innovation Office, told Axios.
- Tech companies often need buy-in from executives and board members to make hefty investments in new AI tools — and they face steep financial consequences if those investments don't pay off.
- As a research agency, DARPA doesn't have those same constraints, Fisher noted, giving it space to experiment on its own and invest in other research.
- "Government research, a lot of the times, is doing the super-high-risk research that could totally fail," Fisher said. "Companies typically don't do that super-high-risk [research]."
Zoom in: To draw attention to the AIxCC, DARPA stood up a walkable city called Northridge within DEF CON that was under siege by a hacker, who used the moniker "Rat."
By the numbers: DARPA said Sunday that its village brought in more than 12,500 visitors.
- The agency has also invested at least $2 billion in AI projects since 2018, Fisher said.
What's next: Seven finalist teams will compete in the last round of the AIxCC at next year's DEF CON conference.
The bottom line: Government officials hope the systems submitted to the agency's challenge can soon be applied to real-life critical infrastructure.
- Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden administration, told Axios that the White House is currently working with the Department of Energy to find ways for the energy sector to deploy some of the tools to open-source code within company networks.
- Neuberger also said the administration is hoping to build trust with companies so these projects can eventually be applied to their proprietary code too.
- "The goal we have is using AI for defense faster, or at least as fast, as adversaries use AI for offense," Neuberger said.
