SAN FRANCISCO — The final round of a cybersecurity competition run by the Defense Advanced Research Projects Agency will take inspiration in part from a Chinese hacking campaign discovered last year that was found to have burrowed into major U.S. telecommunications systems and their wiretapping platforms.
The final round of DARPA’s AI Cyber Challenge, scheduled to run at the DEF CON conference in August, will task seven teams with crafting an AI-powered system designed to secure open-source software that underpins critical infrastructure sectors like water systems and financial institutions.
Teams will be expected to use AI to find and fix bugs in code that undergirds functions of critical infrastructure systems, working with both full code bases and smaller code blocks to mimic real-world debugging of computer system vulnerabilities.
Kathleen Fisher, director of the Information Innovation Office at DARPA, told Nextgov/FCW at the RSAC Conference in San Francisco, California that that DARPA is “100% inspired by the Salt Typhoon and Volt Typhoon stories, and needing to make the critical infrastructure software more robust from all those stories.”
The Salt Typhoon hacks refer to the Chinese intrusions that hit telecom providers — both in the U.S. and around the world — and were discovered in 2024. Volt Typhoon is a separate hacking unit that has been burrowing into non-military critical infrastructure systems like water treatment plants, preparing to disrupt them and cause widespread panic once commanded to do so by China’s central government, officials say.
“I don’t want to say too much about the specific challenges, because I don’t want to leak too much. Running a competition is super challenging because you need to be fair to all the competitors and such,” she said. “But we have been talking to the critical infrastructure partners from all the different sectors about the threats that they’re seeing and choosing the software to run the competition based on the feedback from all of those people.”
Fisher’s remarks signal how Chinese hacking operations have played an outsized role in the design of the DARPA competition, meant to help critical infrastructure owners and operators quickly find and fix vulnerabilities in their platforms using agentic AI — a subset of artificial intelligence that can make decisions autonomously without constant human intervention.
Last summer, in the semifinal round of AIxCC, some of the competition’s simulated software flaws were inspired by already-known vulnerabilities. But in the spirit of real-world scenarios where hackers frequently modify and innovate on their techniques, many of them were newly-created.
Salt Typhoon, whose intrusion campaign had lingered for around two years but was only discovered last spring, accessed at least nine American telecommunications operators. Modern telecom networks operate as a complex mix of antiquated technology integrated with contemporary digital infrastructure. In certain areas, security measures were robust, but in others, outdated practices left vulnerabilities that the Chinese hackers identified and exploited.
Salt Typhoon also breached America’s “lawful intercept” systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for intercepts under the Communications Assistance for Law Enforcement Act, or CALEA, which passed in 1994.
“The spectacle of these events is to teach people … about the risks and about the tools and techniques we could use to lower that threat threshold,” Fisher said, using an analogy of a missile launch. “Leaving the vulnerabilities in our software is the equivalent to leaving ourselves vulnerable to that kind of [missile] attack.”
