With software vulnerabilities being exploited at an alarming rate, the Defense Advanced Research Projects Agency's (DARPA) AI Cyber Challenge (AIxCC) enters its semi-finals stage, and the healthcare sector is taking a keen interest in the outcomes of the competition.
AIxCC brings together experts in AI and cybersecurity to create novel AI systems that can safeguard the open-source software critical to modern life.
Ultimately, through AIxCC, DARPA is exploring whether AI can help find and fix software vulnerabilities more effectively and usher in a future where we can stop attacks as fast as we can detect them.
The competition was first launched in 2023 and will award a cumulative $29.5m in prizes to teams with the best systems.
Speaking to Infosecurity, DARPA's information innovation office director Kathleen Fisher confirmed that the Advanced Research Projects Agency for Health (ARPA-H) joined in supporting AIxCC in February 2024.
“They are super motivated because of the ransomware attacks in the healthcare sector and how much technical debt there is in hospitals and in medical devices. If one of the technical hypotheses [of AIxCC] proves out it could be applied to [healthcare] technology to find and identify fixes that then get pushed out to the healthcare industry.”
Fisher said she has been talking to representatives of critical infrastructure sectors, and one thing they told her about the AIxCC competition is that they are pleased it aims not only to identify bugs but also to provide fixes for them.
The exploitation of vulnerabilities as an initial access step for a breach increased by a staggering 180% between 2022 and 2023, according to Verizon’s 2024 Data Breach Investigations Report (DBIR).
Fisher noted that the challenge could still fail in its technical aims, but said that if it succeeds DARPA would approach potential customers about how they could use the technology.
At the launch of AIxCC in 2023, DARPA confirmed Anthropic, Google, Microsoft and OpenAI would make their technologies available and bring their expertise to help the competitors.
Fisher said having the backing of these companies was important because a key hypothesis of the program is that state-of-the-art AI models, paired with cyber reasoning systems, would make it possible to both find and fix vulnerabilities.
“The access to those models is a critical part of testing out the technical hypothesis,” she said.
Critical infrastructure software is a particular focus for the US Government.
US Government Focus on Secure Software
The competition aligns with many other US government initiatives and pledges that aim to deal with the scourge of software vulnerability exploitation.
Alongside this, the White House’s 2023 National Cybersecurity Strategy explicitly looks to shift the security responsibility away from end users to those best placed to shoulder that burden, including software manufacturers.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Secure by Design initiative in April 2023 to explain how software manufacturers can ensure security is built into their products.
A Secure by Design Pledge was then announced in May 2024, encouraging manufacturers to commit to making progress across a range of secure by design principles.
Fisher fervently agrees with the principles of secure by design, and DARPA is aware of what other agencies are working on, but she said that DARPA does not necessarily align its roadmaps with those of other government agencies.
“DARPA doesn’t really do coordination very well. We’re aware and sometimes provide feedback, we go to meetings… but DARPA doesn’t do roadmaps, DARPA does technical innovation that blows up other organizations’ roadmaps,” she commented.