The Senate Commerce Committee approved last week what could prove to be an essential piece of legislation for cybersecurity researchers: The Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems, or Cyber LEAP Act of 2020. Sponsored by Commerce Committee Chairman Roger Wicker (R-MS) and Senators Cory Gardner (R-CO) and Jacky Rosen (D-NV), the bill establishes a national series of Cybersecurity Grand Challenges so that the country can “achieve high-priority breakthroughs in cybersecurity by 2028.”

The challenges set up under the legislation will offer prizes, including cash and non-cash prizes, to competition winners, although the prizes aren’t yet spelled out. The legislation directs the secretary of commerce to set up the competitions in six key areas:

- Economics of a cyber attack, focused on building more resilient systems while raising the costs for adversaries
- Cyber training, to give Americans digital security literacy and boost the skills of the cyber workforce
- Emerging technology, to advance cybersecurity knowledge in emerging technologies such as artificial intelligence
- Reimagining digital identity, aimed at protecting the digital identities of US internet users
- Federal agency resilience, to reduce cybersecurity risks to federal networks and improve the federal response to cyberattacks
- Other challenges as determined by the secretary of commerce

Transforming society's approach to security

The legislation further says the commerce secretary should consider the recommendations of a 2018 report produced by the National Security Telecommunications Advisory Committee entitled NSTAC Report to the President on a Cybersecurity Moonshot.
That report recommended an approach called the “Cybersecurity Moonshot” named after NASA’s efforts to send a man to the moon.

Unlike a moon landing, the cybersecurity moonshot outlined in the 2018 report seeks societal transformation rather than one big, recognizable triumph. The moonshot approach outlined by NSTAC should also result in a clear, strategic “whole of nation” framework to help the government, private industry, academia, and civil society achieve the objectives of the moonshot, according to the report.

The NSTAC report was an industry-led initiative, spearheaded by executives from Unisys and Palo Alto Networks and governed by a committee of industry and government representatives from AT&T, Microsoft, Raytheon, CenturyLink, McAfee, Neustar, NSA and other organizations. The use of competitions or challenges to achieve strategic goals is “a well-established model for accelerating whole-of-nation innovation in critical areas,” Ryan Gillis, vice president, cybersecurity strategy and global policy, Palo Alto Networks, tells CSO.

Grand cybersecurity challenges are a recent phenomenon. The first and, so far, only big Cyber Grand Challenge (CGC) was created by the Defense Advanced Research Projects Agency (DARPA) and culminated in a final contest in 2016 at the 24th DEF CON in Las Vegas. The goal was to host the “world's first automated network defense tournament,” modeled on the hugely popular capture-the-flag contests held at most major hacking conferences, including DEF CON.

The original Cyber Grand Challenge (CGC) offered a $2 million prize to the ultimate winning team, $1 million for the second-placed team, and $750,000 for the third-placed runner-up.
The CGC teams were competing against one another to create machine learning-based systems that could simultaneously exploit flaws in the other teams’ systems while patching vulnerabilities on their own systems.

ForAllSecure, a cybersecurity start-up that had its roots in the academic corridors of Carnegie Mellon University (CMU), developed the winning system, called Mayhem. The importance of ForAllSecure’s breakthrough was validated even further earlier this month when the Defense Innovation Unit awarded it a $45 million contract to perform cybersecurity testing on Defense Department weapon systems’ applications.

Cyber Grand Challenges will be "authentic"

The lead for the ForAllSecure team during CGC, and the company’s CEO, is David Brumley, a professor of electrical and computer engineering at CMU and the faculty advisor to the school’s hacking team, which has walked away with five championships at the top hacking competition held each year at DEF CON. Brumley thinks that games, and in particular the branch of mathematics called game theory, can help the US government protect the nation by advancing knowledge in offensive and defensive cybersecurity.

“I’m pretty excited that Congress is getting involved because I think that is the right level. That’s definitely even a bigger step than the Cyber Grand Challenge, which grew organically,” Brumley tells CSO. “But they have to be careful in the way that they run it so that it inspires innovations.”

To Brumley’s way of thinking, one key to the original CGC’s success was its leader Mike Walker, who is now at Microsoft but back then was spearheading the competition at DARPA. “He was authentic in the field. In particular, he was authentic in the hacker field,” Brumley says.
“If you bring in a CISO from Walmart and you bring in a CISO from Symantec, none of the people who are out there in the field exploiting stuff or out there in the field defending against it are really going to care.”

Another model that underscores how federal government-backed contests and competitions can advance cybersecurity is the President’s Cup Cybersecurity Competition, which was established by executive order in 2019 and was run out of the newly created Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security. The first President’s Cup contest was held last year and drew more than 1,000 individuals and 200 teams. The individuals and teams were given a series of challenges to solve, with the winners snagging $25,000 in prize money.

The President’s Cup did not, however, achieve its objective to come up with cybersecurity innovation, Brumley says. “I think what happened with the President’s Cup is that it was very inauthentic,” he said. “The people who ran it had never entered a hacking contest before, had never won a hacking contest before, so the best teams did not participate.”

A key element in guiding a real cybersecurity competition toward success is figuring out how to transition from science to practice. “So, we struggled for a little bit after CGC, and I think the government did as well with ‘what’s the transition plan?’” Brumley said. “How do we bridge the valley of death between science experiment…showing the art of the possible and something that people can use.”

It could be a while before the contests reach that stage because the Cyber LEAP Act of 2020 still has a way to go before becoming reality. The bi-partisan bill has moved from Committee to the Senate floor where it will await passage, no sure thing in the current crisis-driven legislative environment.