Ransomware can mean life or death at hospitals, but DEF CON hackers have a plan

Interview As ransomware gangs target critical infrastructure – especially hospitals and other healthcare organizations – DARPA has added another government agency partner to its Artificial Intelligence Cyber Challenge (AIxCC).

AIxCC is the two-year competition that DARPA announced last summer at Black Hat, which challenges teams to build AI-based tools that automatically secure code used in critical infrastructure.

The new government agency partner is the Advanced Research Projects Agency for Health (ARPA-H), an independent research entity within the US National Institutes of Health.

By joining forces with the Pentagon’s research arm, ARPA-H aims to promote the development of AI-based tech that can find and fix critical vulnerabilities in medical devices, biotech, and hospital IT systems, thus preventing destructive cyberattacks against life-saving equipment and facilities.

“Healthcare is both acutely being targeted, and it’s been more and more targeted over the last few years,” ARPA-H program manager Andrew Carney told The Register. “It’s also uniquely sensitive to disruptions compared to many other critical infrastructure sectors.”

He points to the things that we all take for granted in our homes such as clean water and electricity. “If there’s a boil water advisory, we can handle that for a few days,” Carney said. “If there’s a power outage, we have ways of dealing with that.”

Water and power are critical infrastructure, and if they are disrupted – whether by a cyberattack or a car driving into a power line – it will be unpleasant and unsustainable long-term if the problem doesn’t get fixed. But in general, for a limited duration, we have the infrastructure to address the issue and assist those in need via emergency shelters, for example, or from other government or community-provided services.

With hospitals, things are different.

“When we’re talking about providing care to patients in a system that is already under heavy utilization, taking resources off the table, making things harder for clinicians, making things less comfortable, less safe for patients – these negative effects are pretty significant,” Carney said.

“And so maintaining the uptime, maintaining and defending these other critical infrastructure sectors indirectly assists our healthcare and public health sectors.”

Criminals put healthcare in the crosshairs

Most of America witnessed this firsthand over the past month as a ransomware infection shuttered Change Healthcare’s IT systems in February, knocking many pharmacies offline and preventing patients from receiving medication and other care.

“While the repercussions of this incident have been primarily – though not wholly – financial, what keeps me up at night is the possibility of a similar widespread attack directly affecting patient care and safety,” US Senator Mark Warner (D-VA) said earlier this month. 

According to the FBI’s most recent figures, ransomware infections cost victims more than $59.6 million in losses last year, with the number of network intrusions rising 18 percent and losses growing by 74 percent compared to 2022.

Critical infrastructure was especially hard hit, and the FBI received 1,193 complaints from organizations in this category in 2023, up 37 percent from the year prior. Of the 16 industries that the US counts as critical, healthcare and public health suffered the most, with 249 organizations reporting ransomware infections last year.

This is where DARPA, partnering with ARPA-H, comes into play to boost AI-enabled technology to secure healthcare systems – and sweeten the monetary rewards.

Artificial Intelligence Cyber Challenge

Competing teams receive challenges based on real-world software used in critical infrastructure systems. Bringing on ARPA-H as a partner will help ensure the competition addresses critical flaws in healthcare. Plus, the research agency has committed an additional $20 million in rewards for the contest.

AIxCC has two tracks: the Open Track and the DARPA-funded Small Business Track. While registration for the latter has already closed with AIxCC announcing seven small business winners, participants can register to compete in the Open Track up until April 30.

After the submission deadline closes, teams will compete in trials to determine which ones will advance to the semifinals at DEF CON this summer. At Hacker Summer Camp, seven of these teams will be awarded $2 million each, and also advance to the final competition at DEF CON 2025. The winning team will be awarded a $4 million prize, while second place earns $3 million, and third place wins $1.5 million in prize money.

While Carney can’t give away too much about what the contests will involve, one that’s already been announced is the Linux kernel challenge project. “We know that the Linux operating system powers a lot of the devices and systems in many – if not all – of our critical infrastructure sectors,” he said.

This example challenge reintroduces a real-life vulnerability, CVE-2021-43267, in the Linux kernel’s Transparent Inter Process Communication (TIPC) subsystem, which allows communication across clusters on a network. The challenge vulnerability is a heap-based buffer overflow flaw.

“And successes that we have against that challenge are implicitly very representative of the software that we would need to secure in these sectors at large,” Carney said.

“And then specific to healthcare, if we start looking at medical devices, 60 percent of all medical devices run some flavor of Linux operating system,” he added. “So once again, as competitors find and fix vulnerabilities in that example challenge, that translates into real-world safety, and better defended, safer systems.” ®