After witnessing the raw power of a machine that can fix its own software security flaws at DEF CON 24 more than one year ago, the Pentagon has officially purchased the revolutionary technology from a small, Pittsburgh-based firm.
The makers of a supercomputer designed to automatically detect, patch and exploit existing software vulnerabilities were recently awarded a seven-figure contract from the Department of Defense to apply the cutting-edge technology to military systems, including U.S. Navy ships and aircraft.
The Pentagon’s startup-centric office, named the Defense Innovation Unit Experimental (DIUx), is currently overseeing the venture.
The two-year contract is part of a program dubbed “Voltron,” which will offer the technology to a variety of different defense agencies in an effort to find coding flaws in both operating systems and custom programs used by the U.S. military.
Voltron represents a multi-contract effort — which includes but is not limited to the aforementioned deal — with the mission of leveraging breakthrough artificial intelligence in order to discover issues in military software. While this type of intensive security research would typically require a team of specialized experts, Voltron will allow for faster results without a dedicated workforce, U.S. officials familiar with the program told CyberScoop.
David Brumley, CEO of ForAllSecure, the company behind the innovative technology, said the DOD is largely interested in the supercomputer, dubbed Mayhem, for the “self-healing” capabilities it posses. The technology is “extremely scalable,” as it functions on LinuxX86, a popular operating system in the U.S. government. It will soon also work on Microsoft Windows.
The advantage Mayhem presents, Brumley told CyberScoop in a phone interview, lies in its ability to create, test and apply patches in real time onto unique systems that are critically important and cannot crash.
“The Defense Department understands the value of autonomy and they have for a long time,” Brumley said. “Last year, when they saw the GCG, I think that was really the first time they saw autonomy in cyber … the reception since then has been incredible.”
Although the capability has the potential to be used for offensive hacking purposes, the contract as it’s currently written only outlines specific defensive use cases, including realtime and continuous penetration testing and custom patching. A “patch” can be described as a specialty software update that is used to cover holes or flaws in software, which could be leveraged by a hacker.
The Pentagon’s contract with ForAllSecure was awarded two weeks ago. CyberScoop is the first to report on the details of this business deal.
Mayhem was originally created to compete in and eventually win an international hacking competition organized by the Defense Advanced Research Projects Agency (DARPA) in 2016. Held at DEF CON 24, this high-profile tournament, known as the Cyber Grand Challenge (CGC), opened the door for Pittsburgh-based ForAllSecure to showcase their machine: a system capable of automatically healing a friendly system while simultaneously scanning and attacking vulnerabilities in adversary systems.
Brumley said that a handful of foreign military organizations had reached out to his company since the competition in order to acquire or otherwise partner with ForAllSecure to leverage Mayhem. He declined these advances, but is already currently supplying the technology to a cohort of prominent, U.S.-based private sector technology firms.
As the product is rolled out to the Pentagon in the coming months, ForAllSecure will initially conduct some training, but the hope is that the system can eventually be operated by individuals without cybersecurity training. Ultimately, the purpose of the contract is to provide the U.S. government with a tool that is equally effective and cuts costs, said Brumley.