**SAN FRANCISCO** — The final round of a cybersecurity competition run by the Defense Advanced Research Projects Agency (DARPA) will take inspiration in part from a Chinese hacking campaign discovered last year that burrowed into major U.S. telecommunications systems and their wiretapping platforms.
The final round of DARPA’s AI Cyber Challenge, scheduled to run at the DEF CON conference in August, will task seven teams with crafting an AI-powered system designed to secure open-source software that underpins critical infrastructure sectors like water systems and financial institutions. Teams will be expected to use AI to find and fix bugs in code that supports the functions of these critical infrastructure systems, working with both full code bases and smaller code blocks to mimic real-world debugging of computer system vulnerabilities.
Kathleen Fisher, director of the Information Innovation Office at DARPA, stated at the RSAC Conference in San Francisco, California, that DARPA is “100% inspired by the Salt Typhoon and Volt Typhoon stories, and needing to make the critical infrastructure software more robust from all those stories.” The Salt Typhoon hacks refer to the Chinese intrusions that targeted telecom providers in the U.S. and globally, which were discovered in 2024. Volt Typhoon is a separate hacking unit infiltrating non-military critical infrastructure systems, such as water treatment plants, with intentions to disrupt them at the behest of China’s central government.
Fisher emphasized the importance of maintaining fairness in the competition while keeping specific challenges confidential. She acknowledged that they have been consulting critical infrastructure partners across different sectors about their threats to select appropriate software for the competition.
Her comments highlight the significant influence Chinese hacking operations have had on the design of the DARPA competition, which aims to help critical infrastructure owners and operators quickly locate and address vulnerabilities in their systems using agentic AI. Agentic AI is a subset of artificial intelligence capable of making autonomous decisions without constant human oversight.
Last summer, during the semifinal round of the AI Cyber Challenge, some simulated software flaws were modeled after known vulnerabilities. However, in recognition of hackers’ tendency to innovate, many flaws were newly created to resemble real-world scenarios.
Salt Typhoon’s intrusion campaign, which persisted for about two years before its discovery in the spring, compromised at least nine American telecommunications operators. Modern telecom networks consist of a complex blend of outdated technology and contemporary digital infrastructure; certain areas exhibit robust security, while others had vulnerabilities that the Chinese hackers effectively exploited.
Furthermore, Salt Typhoon breached America’s “lawful intercept” systems that manage wiretap requests designated for law enforcement surveillance of suspected criminals and spies. Under the Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, telecom firms must architect their networks to accommodate such intercepts.
Fisher concluded by emphasizing the educational objectives of these events, stating, “The spectacle of these events is to teach people… about the risks and about the tools and techniques we could use to lower that threat threshold,” comparing software vulnerabilities to being defenseless against a missile attack.