A trio of cybersecurity conferences — BSidesLV, Black Hat USA and DEF CON — kicks off this week in Las Vegas in what’s collectively known as Hacker Summer Camp, bringing together policymakers, executives, experts, hackers and enthusiasts against a backdrop of some of the most unsettled international events of recent years.
Thousands of cybersecurity professionals will gather on the Vegas Strip nearly six months into Russia’s war in Ukraine, two-and-a-half years into the COVID-19 pandemic and less than two weeks after U.S. House Speaker Nancy Pelosi’s historic visit to Taiwan triggered a wave of cyberattacks.
Russia’s use (and non-use, depending on who you ask) of cyber tactics in its war and the rise of information operations going both ways are a key theme of the moment, as well as China’s continued aggressive hacking campaigns around the world with the specter of an invasion of Taiwan ever present. Hacktivist campaigns and those that just want to look like them are back in full swing, and barely a week goes by without news of another group popping up to boast and promote their latest bounty.
All of this, in addition to the looming risk of COVID-19 infections, will drive much of the conversation at panels, in workshops and in the hallways during the conferences, and we’ll be there to cover as much of it as possible.
Here’s a look at what we’ll be tracking throughout the week:
Policy themes: The big picture
With the midterm elections around the corner, this year’s iteration of the DEF CON Voting Village will focus on hacking infrastructure and other election vulnerabilities. Speakers reportedly include a recent former White House National Security Council official, Election Assistance Commission leaders and officials from Maricopa County, Arizona. White hat hacker and former CISA Election Security Technical Adviser Jack Cable also will join a Voting Village policy panel on Election Security Bridge Building with Trevor Timmons, the longtime Chief Information Officer of Colorado.
DEF CON will host a large number of other policy conversations, including a “Hacking Aviation Policy” panel co-hosted with the Transportation Security Administration (TSA) and featuring TSA official Timothy Weston, and a panel featuring Columbia cyber scholar Jason Healey on foreign policy for a fragmented internet. The Atlantic Council’s Trey Herr and colleagues will be presenting on open source software and security.
Black Hat also will feature the Atlantic Council Cyber Statecraft Initiative leaders with a session on measuring international vulnerability research. Black Hat will host an in-depth discussion of the Cyber Safety Review Board, featuring a key architect, DHS official Robert Silvers, alongside a senior Google security engineer. There will be keynote speeches from former CISA head Chris Krebs and investigative reporter Kim Zetter.
Both Black Hat and DEF CON will devote significant stage time to cyber in the Ukraine-Russia conflict. For example, SentinelOne’s Juan Andres Guerrero-Saade and Tom Hegel, senior threat researcher at SentinelLabs, will host a Black Hat session about espionage, DDoS, leaks and wipes in the Russian invasion and a session with ESET Senior Malware Researcher Robert Lipovsky on Sandworm targeting the Ukrainian power grid.
Senior government officials will mix with hackers, especially at DEF CON, with Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Cyber Director Chris Inglis and Deputy Assistant Attorney General for National Security Adam Hickey all making appearances.
Hacking in the time of COVID
The DEF CON crowd will be enforcing one of the stricter masking policies around, requiring them for everybody. Proof of vaccination, however, will not be required. DEF CON spokesperson Melanie Ensign told CyberScoop that last year both proof of vaccination and masks were required, but after seeing that most of their community is vaccinated, organizers decided to relax the rule requiring vaccination proof. They were not comfortable getting rid of masks, Ensign said.
“This is a conference of hackers,” Ensign said. “I know whether or not you’re ready to mask. I don’t know whether or not the vaccination card you’re giving me is legit.”
Asked about the relatively tough policy, Ensign said, “COVID isn’t over.”
Black Hat currently has no mask or proof of vaccination requirement, but organizers say plans could change if COVID numbers jump.
Election security in the age of the Big Lie
Harri Hursti, a pioneer in election security research and co-organizer of the Voting Village at DEF CON, told CyberScoop this week that this year’s Voting Village has two themes: Hackers fighting misinformation, and how actual professionals conduct forensic study of electronics.
The themes are a direct product of the last two years, as former President Trump and his supporters around the country — including some elected elections officials — insist against all evidence that widespread hacking and manipulation upended the 2020 election. Good faith security research has been hijacked as part of the movement, forcing hackers used to battling election equipment vendors and officials into defending the systems and overall integrity of elections.
The Voting Village — launched at DEF CON 25 in 2017 amidst the revelations surrounding the Russian interference operations in 2016 to give hackers access to machines and elections officials in hopes of improving security — is the industry’s opportunity to recapture the narrative around election security vulnerability research.
It’s “extremely important right now,” Hursti said Monday. “Rogue operators across the country, driven by misinformation, are offering unauthorized access to non-professionals” with a “complete lack of skills and understanding of professional procedures.” Disk images have been self-contaminated, he said, which can then be used to “build a rogue server to create false ‘evidence’ of wrongdoing which never happened in the real world.”
Hacktivism is having a moment
Guacamaya, a Latin American hacking group, announced Monday that it had stolen five terabytes of emails and files from Colombia’s attorney general, showing that “Colombia is a narco-state supported by the prosecutor’s office.” The release is the third hack and release from the group since March, and just the latest example of consequential hacktivism from around the world.
“The world’s on fire in more ways than one, and the powers that be either aren’t doing anything or they’re moving too slowly to stop the legal and illegal corruption that are destroying it,” said Emma Best, the co-founder of DDoSecrets, a transparency advocacy site that hosts hacked data in the public interest. “In too many cases, those powers enable that corruption — both directly and indirectly — and sometimes even willfully. Hacktivists, leakers and other whistleblowers can’t wait for others to save the world. Not anymore.”
The organization has posted at least 10 terabytes of Russian-related data since the invasion, Best said, primarily from anonymous sources. The Belarusian Cyber Partisans, a hacktivist group made up of disaffected Belarusians, has targeted that country’s rail system and the government more broadly with the open goal of complicating Russian troop movement and toppling the Lukashenko regime in Minsk.
A flurry of pro-Russian groups have also emerged, with varying degrees of connections to the Russian state. And separately, in the Middle East, a plethora of supposedly independent groups apparently aligned with either Iran or Israel are launching attacks back and forth.
Hacktivism even made an appearance during Pelosi’s trip to Taiwan, when pro-Chinese hackers DDoS’d several government sites and displayed anti-American messages on video boards at 7-11 convenience stores.
A village for misinformation
DEF CON includes a network of more than 30 “villages” — akin to themed mini-conferences — surrounding the main event. Villages will be devoted to a variety of topics including quantum, social engineering, radio frequency and passwords, among many others.
A misinformation village will offer content on varied topics including disinformation strategies embraced by autocracies; gendered health misinformation; and how to detect fake news.
Speakers include Deputy Assistant Attorney General for National Security Adam Hickey and Swapneel Mehta, a scholar whose research into how to control misinformation on social networks uses simulation-based inference and causality tools.
A history of Russian cyber and information warfare will be available for those who want to study the topic through the lens of the current conflict. For those looking for something more technical there is a session on user spoofing and another on how to assess disinformation operations with OSINT and SOCMINT tools and techniques.
Who and what to watch for
DEF CON is famous for being one of the world’s most important hacker conferences so it stands to reason that “Hacker Jeopardy!” featuring some of the world’s savviest hackers is an annual highlight. It’s played just like regular Jeopardy! only the winner gets “25,000 units of some foreign currency! From Dark Tangent himself!” Categories include “Famous Narks” and “UNIX Bugs.” Organizers say “feds can play,” but only if they truthfully reveal their job title. Trivia lovers should head to Caesars Friday at 8 p.m. to check it out.
Security expert Tarah Wheeler will oversee a poker tournament at Bally’s at noon on Friday (free poker clinic for beginners at 11 a.m.). It takes $250 to reserve a seat and all proceeds go to benefit the digital rights organization Electronic Frontier Foundation.
The DEF CON party aesthetic is as hip as it can be raucous while at Black Hat the parties are more corporate and swanky — and sometimes luxuriously cheesy. One company has hired ’90s acts Vanilla Ice, Tone Loc, Young MC, Sugar Ray and Rob Base to perform at their Black Hat bash. Another sent an email to journalists touting that they’d have Smash Mouth performing.
Daytime content may have slightly less sizzle, but there will be plenty to keep the crowds’ attention. White House National Cyber Director Chris Inglis will be interviewed by investigative reporter Kim Zetter at 11:30 a.m. Friday in the DEF CON Villages. At 5:30 that day, CISA Director Jen Easterly will appear with DEF CON’s Jeff Moss to discuss the importance of collaboration with the hacking community. In true DEF CON fashion, the session is entitled “Walk This Way: What Run D.M.C. and Aerosmith Can Teach Us About the Future of Cybersecurity.”
What’s happening at BSidesLV
Black Hat has head-to-head competition on Tuesday and Wednesday from the BSides Las Vegas event at the mellow, off-Strip Tuscany Suites and Casino where infrastructure security will be front and center.
Josh Corman, founder of the nonprofit security organization I am The Cavalry and a former CISA senior adviser, will appear along with David Batz, the managing director of cyber and infrastructure security at Edison Electric Institute, discussing security vulnerabilities in a variety of sectors. There also will be a session on lessons learned from the CISA COVID task force health care attacks; a discussion on securing artificial intelligence in the real world with the chief scientist at Sophos; and a presentation from the lead security researcher at Rapid7 on how neural network models apply to defensive cybersecurity problems.