Huawei tried to acquire technology from the winners of the Cyber Grand Challenge
After seven supercomputers hacked each other on stage at a prominent cybersecurity conference in Las Vegas in August 2016, a Chinese corporation approached U.S. researchers responsible for developing the cutting-edge technology in hopes of acquiring it.
The previously unreported but concentrated interest by Huawei Technologies, a company once at the center of a federal investigation and which has come under scrutiny by U.S. spy agencies, came in the form of phone calls and emails sent to select individuals involved in engineering machines that competed in the 2016 DARPA Cyber Grand Challenge.
ForAllSecure, the company whose team won the challenge, was among those contacted by a representative claiming to be from Huawei. ForAllSecure ignored the advances, according to company CEO David Brumley. The decision was partially driven by a common understanding that Huawei is closely connected to the Chinese government and as such, a relationship with Huawei may negatively impact ForAllSecure’s ability to do business within the U.S.
Another researcher, part of a different team, confirmed he was similarly contacted by a Huawei representative, who indicated their interest in speaking about the source’s technology. The researcher spoke on condition of anonymity to discuss a private conversation that was never reported back to the larger group because “it really went nowhere.”
The CGC — a competition organized by the Defense Advanced Research Projects Agency (DARPA) that included participation from multiple leading collegiate computer science programs — represented a historic moment in the broader cybersecurity field as it showed for the first time how a computer is able to automatically, independently and intelligently create, launch and simultaneously defend against cyberattacks.
A DARPA spokesperson told CyberScoop it had issued no guidance forbidding tournament participants from entering into business talks with foreign governments or companies as long as they followed the rules of the technical competition itself.
“From the CGC announcement up to and including the final event, the teams could engage with whomever they wanted as long as the Entrant complied with the rules,” a DARPA spokesperson said.
By nature, this type of supercomputer technology can support both offensive and defensive cyber operations, as it can be used to either find software vulnerabilities in different platforms for the purpose of fixing or exploiting those flaws.
“First and foremost, much of the work was for automated defense, and that is beneficial to everyone,” said James Alves-Foss, a University of Idaho faculty member who competed in the CGC under the team CSDS. “Some tools can lead to automated exploit generation, and of course that is a concern to us, and of interest to some state luring our own.”
ForAllSecure is now working with the Department of Defense through their Silicon Valley office, known as DIUx.
Not all of the CGC teams were contacted by Huawei. In one case, the company appears to have been able to acquire the technology developed by a CGC competitor without contacting the creators.
The Chinese tech giant downloaded an open-source framework made available by third-place finisher “Shellphish.” The team was made up of researchers associated with the University of California, Santa Barbara. Elements of Shellphish’s technology — the software underpinning the supercomputer itself — is publicly accessible and available for download.
“Our technology is fully open-source, so nobody had to approach us: the stuff is available for the whole world to use,” said Shellphish team member Giovanni Vigna. “Many companies use ‘angr,’ our open-source binary analysis framework, to do research and analysis. I think that includes Huawei, CISCO.”
CGC teams Disekt and CDSS, said they too were unaware of contact made by Huawei with their team members.
“After CGC, we had some U.S.-based companies approach us for consulting work, and some of our members indeed joined companies based in U.S.,” said Dr. Kang Li of team Disekt. “Beside that, we are not working with any other state-controlled companies.”
“No state actors reached out to us to acquire our technology,” explained Alves-Foss. “I do not know if they contacted the university directly, but no contract was entered.”
Foreign policy experts told CyberScoop the apparent interest shown by Huawei underscores two relevant themes.
The first being that China’s private and public sectors have become increasingly interested in how artificial intelligence can be applied to cyber operations. And second: Beijing’s continued ability to exert its influence through domestic companies can make for opaque business deals.
“Beijing has gotten on the AI bandwagon in a big way over the past year, following the lead of its commercial giants such as Alibaba, Tencent, and Baidu,” said Paul Triolo, an expert on Chinese tech policy for The Eurasia Group, a D.C.-based consultancy. “Investment in AI is heavily concentrated on commercial applications, but the government-backed cybersecurity community in China believes that leveraging AI algorithms to discover vulnerabilities in software will be a major force multiplier in improving the country’s cybersecurity.”
Triolo continued, “China’s ambitious National AI strategy issued in July, alludes briefly to this issue, calling for strengthening AI cybersecurity technology research and development.”
“At the heart of China’s desire to harness AI is the need to find new areas of growth and, most importantly, resolve vulnerabilities stemming from China’s rapid ‘Informatization’ – or application of information technology across all sectors of society,” explained John Costello, a senior analyst focused on East Asia with U.S. intelligence firm Flashpoint.
“China seeks to harness AI and machine learning to help domestic security keep control, and this is certainly true in the cyber domain,” Costello said. “It is likely that AI’s will first find its footing in cybersecurity by further enabling China’s growing techno-legal controls over digital technology and online content.”
In January, China hosted it’s own computer versus computer hacking event— mirroring the CGC — but it was focused on the technology’s offensive capabilities. A person familiar with the event’s planning described it had been inspired by the CGC. At one point, organizers hoped to include some U.S. participants.
Huawei’s attempt to court ForAllSecure comes during a period of hyper-balkanization in the larger cybersecurity industry. In the last several months, for example, the U.S. government moved to ban the use of Russian anti-virus maker Kaspersky Lab in federal agencies.
Former U.S. intelligence officials allege that Kaspersky’s software is used as an espionage platform by the Kremlin. Huawei saw similar charges with regards to its work with the Chinese government. In both cases, however, evidence of such collusion has yet to be made public.