Salt Typhoon Hacks to Influence Final Round of DARPA's AI-Cyber Competition
In a bid to bolster the nation's cybersecurity defenses, seven top teams will soon face off in a high-stakes competition designed to craft an AI-powered system capable of detecting and fixing open-source vulnerabilities in critical infrastructure. The final round of DARPA's AI Cyber Challenge, scheduled to take place at the DEF CON conference in August, promises to be an epic battle for cybersecurity supremacy.
The competition is inspired, in part, by a recent Chinese hacking campaign discovered last year that burrowed into major U.S. telecommunications systems and wiretapping platforms. The "Salt Typhoon" hacks, which were found to have lingered for nearly two years before being discovered in the spring of 2024, accessed at least nine American telecommunications operators and breached America's "lawful intercept" systems.
A Growing Threat Landscape
The discovery of Salt Typhoon and its subsequent impact on U.S. telecoms has sent shockwaves through the cybersecurity community. Modern telecom networks operate as a complex mix of antiquated technology integrated with contemporary digital infrastructure, leaving vulnerabilities that hackers like the Chinese operators can identify and exploit.
"The spectacle of these events is to teach people... about the risks and about the tools and techniques we could use to lower that threat threshold," said Kathleen Fisher, director of the Information Innovation Office at DARPA. "Leaving the vulnerabilities in our software is the equivalent to leaving ourselves vulnerable to that kind of [missile] attack."
A New Era in Cybersecurity
DARPA's AI Cyber Challenge aims to address this growing threat landscape by empowering critical infrastructure owners and operators to quickly find and fix vulnerabilities in their platforms using agentic AI - a subset of artificial intelligence that can make decisions autonomously without constant human intervention.
In the final round, teams will be tasked with crafting an AI-powered system designed to secure open-source software that underpins critical infrastructure sectors like water systems and financial institutions. They will need to use AI to find and fix bugs in code that undergirds functions of critical infrastructure systems, working with both full code bases and smaller code blocks to mimic real-world debugging of computer system vulnerabilities.
A Unique Approach
While previous competition rounds have used simulated software flaws, the DARPA challenge will incorporate elements from the real world. Teams will need to use a combination of machine learning algorithms and human expertise to identify and fix vulnerabilities that are both known and unknown.
"We have been talking to the critical infrastructure partners from all the different sectors about the threats they're seeing," said Fisher. "We're choosing the software to run the competition based on the feedback from all those people."
A High-Stakes Competition
The final round of DARPA's AI Cyber Challenge promises to be an epic battle for cybersecurity supremacy. With a $1 million prize at stake, teams will need to bring their A-game if they want to emerge victorious.
As Fisher noted, running a competition like this is "super challenging" because you need to be fair to all the competitors while also ensuring that the challenges are realistic and relevant to real-world scenarios.
"The specific challenges we have in store for the teams... I don't want to say too much about," she said. "But rest assured, they will be tough."
The DEF CON conference in August promises to be an exciting event for cybersecurity enthusiasts and professionals alike. With DARPA's AI Cyber Challenge at its center, the stage is set for a thrilling competition that could potentially change the face of cybersecurity forever.