Hackers responded to the White House call by the thousands, including reporter-AI-hacker Ralph Losey, to try to break existing software in open contests. Ralph joined in the AI hack attack, but there were many other competitions to hack different systems. In this second in the Chronicle series we describe more of the details of the President’s policy, share some of the celebrity feds who came in person to make the President’s case and analyze the hackers’ response. In upcoming articles Ralph will report on the AI and other attacks at DefCon to find and kill computer bugs.
The cybersecurity leadership of the White House and Department of Homeland Security personally attended DefCon 31. That includes the Homeland Security Department Secretary himself, Alejandro Mayorkas. The feds came to help officially open the conference, and then, with black hats in hand, to ask for help from DefCon hackers, answer their questions, offer employment to some, and make several new policy statements on consumer protection and national defense.
It looks like DefCon 31 was a breakthrough political event for hackers and DefCon. Never before had a government leader, especially the President of the United States, made a public call for hackers to help the country. Never before had White House experts, along with the dreaded Department of Homeland Security, asked hackers to go to Vegas to hack software. They even promised big cash awards in future DefCons. In Def Con 32 and 33, in 2024 and 2025, they promise to conclude a series of ongoing competitions that will go one throughout the years, leading to semi-finals and finals at DefCon 32 and 33. They promised awards of millions to winning teams, including a top prize of $4 million for the team that “best secures vital software.” See, Hackers to compete for nearly $20 million in prizes by using A.I. for cybersecurity, Biden administration announces. I already know the answer – unplug it! – but I don’t suppose they will accept that as correct. After all, its vital. So hack we must.
President Biden on AI and Cyber Policy
On July 21, 2023, the day of a big meeting with the White House and leading companies in AI, President Biden delivered a short speech reproduced here on artificial intelligence. Surprisingly, I agree with most everything he says in this excerpt. For more details on the meeting itself and the commitment to regulation the White House managed to obtain, see White House Obtains Commitments to Regulation of Generative AI from OpenAI, Amazon, Anthropic, Google, Inflection, Meta and Microsoft (August 1, 2023, e-Discovery Team).
For more background on President Biden’s call for AI black hats to pen-test AI, see VEGAS BABY! The AI Village at DEFCON Sponsors Red Team Hacking to Improve Ethics Protocols of Generative AI.
The government leaders in attendance of DefCon 31 pleaded for hackers in many different seminars to try to break the alignment protections that AI software companies have created. This is a relatively new, and a very concerning problem that surprised people with the release of ChatGPT-3.5 then 4.0. The top feds also asked for hackers help to find and fix vulnerabilities and bugs in all types of software. They have done this in the past, but in very low key manner.
Top feds leaders attending DefCon 31 spoke openly of the government’s work in cybersecurity defense and regulatory policy, but at the same time, were careful not to reveal classified secrets. I could see them struggling with this tension at times. The feds of all agencies were also blatant in their recruiting efforts, to try to get in the DefCon community to work for them. The feds, including especially the many DOD related agencies, understand the urgency of the need for skilled Hacker experts to protect the free world from constant, ongoing cyber attacks.
If hackers find and report these bugs, the software can be fixed before criminals and foreign governments use the vulnerabilities against us. These hacker investigations are needed to find and fix the flaws. It is hard, distasteful work, but needs to be done.
Federal Government Leaders at DefCon Policy Events
President Biden’s invite to hackers was echoed in the opening ceremonies in a low key way by DefCon’s founder, Jeff Moss, aka Dark Tangent (much more on Jeff later) and with more enthusiasm by the Secretary of Department of Homeland Security, who joined Jeff on stage to kick things off. Secretary Mayorkas, a Cuban refugee, has had a distinguished career as a criminal prosecutor and U.S. attorney in Los Angeles. He moved to Washington D.C. to take on a number of roles in the Obama administration, ending with Deputy Secretary of Homeland Security. He is not a cyber expert, and seemed a little uncomfortable at DefCon, but he knows the tremendous dangers of America’s extensive cyber vulnerabilities. He too asked for help from the black hats.
The two seeming polar opposites, Jeff Moss and Alejandro Mayorkas, opened DefCon 31 by announcing that the Fed’s existing “Hack DHS” bug bounty program would not only continue, but would expand its focus to include artificial intelligence. Mayorkas went on to say he was “very concerned” about potential cybersecurity, civil rights and privacy issues related to generative AI. “You see things we do not see, you discover things, and we need your help.” A lot of truth there. The DefCon hackers are among the best in the world at finding software vulnerabilities.
The DHA and DOD agencies, just like most large corporations, have an obvious recruiting problem with cyber experts. There are now thousands of unfilled vacancies. See eg., How DoD is thinking ‘outside the box’ to solve its cyber workforce challenges (Breaking Defense, 8/22/23). Sending the top brass to recruit at DefCon is about as far outside of the box as you can get for federal recruiting, although it has been going on for years in quiet mode, with some small success. DefCon hackers are, after all, a largely crazy, punkish counter-culture group.
I have talked to ethical hackers who look for vulnerabilities for a living, red hats doing penetrating testing. Many think the red team community should not be asked to help the government find bugs without getting fair payment for their work. To make this new government pitch work, the bug bounty cash awards and conditions need to be real and doled out to all the little guys as well, not just the big corporate teams. Although the government talks a big game now, in fact, in the first year of the Hack DHS bug bounty program the DHS only paid out $125,600 total. Whoopie Doo! The U.S. spends about a Trillion Dollars on defense and security every year. The $125,660 spend for bug bounties is just a little over $1,000 per vulnerability found, substantiated, and reported for errors. This is a pittance considering the skilled time required, and the fact a red teamer only gets paid if something that qualifies as a covered error is found. They deserve better pay. No one wants the red hats to go to the dark side and sell the bugs they find to the evil back hats. The money and glamour can be alluring.
The corporations who make all of the defective software tested should pitch in and pay big supplements to the government program and add many more private bounty programs. Many corporations already have such programs, and they should be greatly increased. Let’s make the total public and private bug bounty program actual rewards at least $125 Million a year, not thousand, then we will see better results. The security of the free world will improve.
I heard grumbling from the hacker ranks about unfair exploitation of their time and skills. We really do not want these skilled workers selling out to true black hat criminals and terrorists, including foreign adversaries. Remember Vladimir Putin’s famous victory statement in 2017: “Artificial intelligence is the future not only for Russia, but for all humankind. Whoever becomes the leader in this sphere will become the ruler of the world.” Artificial Intelligence and Great Power Competition, With Paul Scharre, (Council on Foreign Relation), 3/28/23 . Putin has already hacked one election, don’t let him hack another. Unethical AI bots and social media easily combine to make powerful propaganda.
Insecure by Negligent Design
Another important policy seminar to mention was called CISA/ONCD Secure by Design. It was led by Jen Easterly, who is known as CISAJen on Twitter (aka X). She was also part of the opening remarks with her boss, Alejandro Mayorkas. Jen gets high points from us for her talks and for her cyber cool look. Jen, in addition to being a hands-on and policy cyber expert, is also a big proponent of mental health. That is one reason she went public on Twitter recently regarding her brother’s recent suicide. Very sad and compelling motivation for her charity work in this field.
On that side-point, note that throughout DefCon 31 there were signs with a phone number for help and support of any kind, including twice a day Friends of Bill meetings. The hacker community was well protected by the hundreds of friendly, albeit sometimes crazy looking, men and women, called “Goons.” They provided security and host services, answering all questions with a caring smile. There was no violence at this 24,000 plus event. All was peace and calm at Caesar’s Convention Forum, far safer than the Caesar’s Palace Hotel itself where some of us had coughed up big bucks to stay. The Casino was loud, smoke filled, over priced with big gamblers and a few scantily dressed women. Typical Vegas. Not many DefCon type punk nerds hung out at Caesar’s Hotel. They mostly stayed in the convention area or cheaper nearby hotels. Next time I’ll do that too, as I’d rather just hang out with them and avoid the gambling fools.
Back to the CISA/ONCD Secure by Design policy seminar. First, here is a translation of the acronyms and explanation of the title. The acronym ONCD stands for the Office of the National Cyber Director. This is the White House Office that advises the President on cybersecurity policy and strategy. Kemba Walden is the Acting National Cyber Director of the ONCD.
Acting ONCD Director Kemba Walden is a lawyer, formerly with Microsoft, digital crimes unit, so I bet she is good at recruiting all the hackers who got away. Here are a few video takes of her interview by the Dark Tangent himself, Jeff Moss, in another seminar, where, not surprisingly, Kemba distinguished herself well.
Back again to never ending fed acronyms, CISA stands for the federal Cybersecurity and Infrastructure Security Agency, the group at Homeland Security that Jenn Easterly leads. Secure By Design is a key program of the CISA, which is more fully described by a series of government articles here. The policy discussion concerned possible regulation of software design to require companies, like Microsoft, just for instance (but really they are all insecure), to design their technology so that it is more secure. The same design problems also apply to hardware, and to Internet providers and the internet infrastructure itself. We are in a real cybersecurity mess right now. Everyone is getting hacked and put to significant extra security expenses. Hackers and cyber lawyers at DefCon probably know more about this than anyone.
It may seem incredible, but this design imperative for the security of computer products, is not, like cars, legally required by manufacturers. Profit motivates tech companies, not your safety. The only exceptions are companies who sell add-on security software and services. Cyber security is not part of the tech bro culture, the make it and sell it fast, get rick quick kids. Big tech is able to maximize profits by not designing everything from the ground up for security. Instead, they do what shareholders and consumers both want, they design tech for consumer convenience. There are many reasons security is not as high a priority as it should be, including tech’s near immunity from liability for damages caused by its defects. The clickthrough license agreements and laissez-faire laws have over-protected them for decades.
This explains why the proposed safety regulations in Security By Design are controversial in Big Tech. Still, individual hackers at DefCon seemed open to the idea of putting it to the Man. You might wonder why, since in the long run safe by design, might cut into their income. They earn a living by fixing the never ending spew of bad code that tech bros make. But, that’s a speculative long term consequence. In the here and now there is plenty of work for them to do. Sure, they want greater pay, especially for volunteer find a bug work, but the job market now is good for employees. The job shortage in cybersecurity is real. Plus, hackers are a skeptical bunch. They doubt the new government’s algorithmic safety policies will create real results. Just government talk, they think. I hope they are wrong.
The policy discussions in CISA/ONCD Secure by Design pertained to these issues, but not for long. Most of the time was devoted to providing attendees an opportunity to make written comments to the draft regulations CISA is now working on. This seminar was swamped, with insufficient seats and pens. Revisions had to be made old school, on paper. I can only imagine how many of the hackers in the policy village were actually lobbyists scribbling away, not real hackers at all. We did not attend this event, but could watch it later.
We missed it primarily for scheduling reasons, not to avoid the funny use of dead trees at DefCon. We wanted to AI compete, not meet, and these many seminars overlapped. Typically DefCon would have five or six seminars and classes going on at the same time, not to mention the hundreds of competitions and demonstrations, etc. There were many complaints about that. More logistics criticisms at the conclusion of the DefCon Chronicle series.
Bottom line, security for many software and hardware manufacturers is an afterthought. All too often when software safety is mentioned – “bug-free, safe software” – it is just a bogus marketing claim, a big lie. The inherent flaws in software code are well known in the hacker community, and are, in fact, the basis for the whole thriving cybersecurity industry. (In fairness, user errors and vulnerability to social engineering are also a leading cause of cyber vulnerabilities.) The government needs hacker help to alert the fixers of these problems.
Time will tell if this new White House effort to make cyber safe will succeed. If not, you can count on the attacks to continue. The bad guys like Putin and his puppets will continue to use our own stupidity and greed against us. I for one hope that idealism wins out before we start having more planes mysteriously fall from the sky and other engineered disasters.
For background on the cyber war underway and the rush for Ai code superiority, see Ben Buchanan and Andrew Imbrie‘s new book, The New Fire: War, Peace and Democracy in the Age of AI. These are Georgetown scholars now helping the White House as advisors. I highly recommend their book and hope to do a more detailed review of it later. It is a must read to understand the global politics of AI and cyber. I particularly like the general analysis of the three groups in AI tech, the Evangelists, the Cassandras and the Warriors, as well as the explanation of AI as the new Fire having three sparks: data, algorithms and computing power. It is a good framework to help anyone understand the fast changes now underway and the opportunities, dangers and politics involved.
For good background reading on hackers and the inherent insecurity of code and the internet today, see Fancy Bear Goes Phishing (5/23/23, Farrar, Straus and Giroux) by Scott Shapiro. This is another great book, which I highly recommend. I especially liked his carefully researched, beautifully written re-telling of five of the most famous hacks in history. Scott is a Professor of Law and Philosophy at Yale and was a presenter with Jenn Easterly at another DefCon Policy seminar called Lions and Tigers and Fancy Bears, Oh My!: A Cautionary Tale for our Cyber Future. This is another seminar that I wanted to attend, but could not due to logistics. DefCon31 described the seminar as a discussion on “how best to understand the challenge of information security; what we can learn from looking back; and how the decisions we make today to prioritize security by design will shape our future.” I hope to do a more in-depth book review soon.
Stay tuned for the next episode of the DefCon Chronicles, coming soon!
Ralph Losey Copyright 2023. — All Rights reserved