Today's top stories

Cyber LEAP Act aims for innovations through Cybersecurity Grand Challenges

New bill seeks to set up competitions across the US to spur security breakthroughs.


The Senate Commerce Committee approved last week what could prove to be an essential piece of legislation for cybersecurity researchers: The Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems. Sponsored by Commerce Committee Chairman Roger Wicker (R-MS) and Senators Cory Gardner (R-CO) and Jacky Rosen (D-NV), the bill establishes a national series of Cybersecurity Grand Challenges so that the country can “achieve high-priority breakthroughs in cybersecurity by 2028.”

The challenges set up under the legislation will offer prizes, including cash and non-cash prizes, to competition winners, although the prizes aren’t yet spelled out. The legislation directs the secretary of commerce to set up the competitions in six key areas:

  1. Economics of a cyber attack, focused on building more resilient systems while raising the costs for adversaries
  2. Cyber training, to give Americans digital security literacy and boost the skills of the cyber workforce
  3. Emerging technology, to advance cybersecurity knowledge in emerging technologies such as artificial intelligence
  4. Reimagining digital identity, aimed at protecting the digital identities of US internet users
  5. Federal agency resilience, to reduce cybersecurity risks to federal networks and improve the federal response to cyberattacks
  6. Other challenges as determined by the secretary of commerce

Transforming society's approach to security

The legislation further says the commerce secretary should consider the recommendations of a 2018 report produced by the National Security Telecommunications Advisory Committee entitled NSTAC Report to the President on a Cybersecurity Moonshot. That report recommended an approach called the “Cybersecurity Moonshot,” named after NASA’s efforts to send a man to the moon.

Unlike a moon landing, the cybersecurity moonshot outlined in the 2018 report seeks societal transformation rather than one big, recognizable triumph. The moonshot approach outlined by NSTAC should also result in a clear, strategic “whole of nation” framework to help the government, private industry, academia, and civil society achieve the objectives of the moonshot, according to the report.

The NSTAC report was an industry-led initiative, spearheaded by executives from Unisys and Palo Alto Networks and governed by a committee of industry and government representatives from AT&T, Microsoft, Raytheon, CenturyLink, McAfee, Neustar, NSA and other organizations. The use of competitions or challenges to achieve strategic goals is “a well-established model for accelerating whole-of-nation innovation in critical areas,” Ryan Gillis, vice president, cybersecurity strategy and global policy, Palo Alto Networks, tells CSO.

Grand cybersecurity challenges are a recent phenomenon. The first and, so far, only big Cyber Grand Challenge (CGC) was created by the Defense Advanced Research Projects Agency (DARPA) and culminated in a final contest in 2016 at the 24th DEF CON in Las Vegas. The goal was to host the “world’s first automated network defense tournament,” modeled on the hugely popular capture-the-flag contests held at most major hacking conferences, including DEF CON.

The original Cyber Grand Challenge (CGC) offered a $2 million prize to the ultimate winning team, $1 million for the second-placed team, and $750,000 for the third-placed runner-up. The CGC teams were competing against one another to create machine learning-based systems that could simultaneously exploit flaws in the other teams’ systems while patching vulnerabilities on their own systems.

ForAllSecure, a cybersecurity start-up that had its roots in the academic corridors of Carnegie Mellon University (CMU), developed the winning system called Mayhem. The importance of ForAllSecure’s breakthrough was validated even further earlier this month when the Defense Innovation Unit awarded it to perform cybersecurity testing on Defense Department weapon systems’ applications.

, which was established by executive order in 2019 and was run out of the newly created Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security. The first President’s Cup contest was held last year and drew more than 1,000 individuals and 200 teams. The individuals and teams were given a series of challenges to solve, with the winners snagging $25,000 in prize money.

The President’s Cup did not, however, achieve its objective to come up with cybersecurity innovation, Brumley says. “I think what happened with the President’s Cup is that it was very inauthentic,” he said. “The people who ran it had never entered a hacking contest before, had never won a hacking contest before, so the best teams did not participate.”

A key element in guiding a real cybersecurity competition toward success is figuring out how to transition from science to practice. “So, we struggled for a little bit after CGC, and I think the government did as well with ‘what’s the transition plan?’” Brumley said. “How do we bridge the valley of death between science experiment…showing the art of the possible and something that people can use.”

It could be a while before the contests reach that stage because the Cyber LEAP Act still has a way to go before becoming reality. The bipartisan bill has moved from committee to the Senate floor, where it will await passage, no sure thing in the current crisis-driven legislative environment.

© IDG Communications, Inc.