Feds to hackers in Vegas: Help us, you’re our only hope
LAS VEGAS — The annual gathering of cybersecurity researchers and industry executives who came here for a trio of conferences this month — colloquially known among the infosec crowd as hacker summer camp — had plenty of visitors this year carrying credentials from all levels of the federal government.
And they came with one resounding request: We need your help.
Hacker summer camp — made up of BSides Las Vegas, Black Hat and DEF CON — was once the destination for misunderstood hackers to find their own tribe, researchers hoping to wow technical crowds with their findings and technophiles looking to test their skills and occasionally pull off some high-profile pranks. In the early years of camp, especially at DEF CON, federal officials were so rare, attendees would be challenged to “spot the fed.”
This year, however, they were easy to find. The feds appeared to be everywhere — presenting on stage, hosting gatherings, running workshops, operating hackathons and generally mixing it up with all the attendees. “We’ve come a long way from spot the fed at DEF CON,” said Jeff Moss, founder of both DEF CON and the more corporate-friendly Black Hat conference, at Black Hat in Las Vegas.
The White House has even gotten into the action in Vegas with its own red-teaming exercise at AI Village during DEF CON and a badge contest with some of the challenges hidden on the White House website. “So it is now going to be archived as a part of the National Archives,” said Beau Woods, head of the DEF CON policy group and leader of the I am The Cavalry initiative, at the conference closing ceremony. “How cool is that?”
In total, some 75 global policymakers attended, including six to eight officials who hold Senate-confirmed positions, and 10 policy announcements were timed for DEF CON, Woods noted.
At policy panels, meetups, and, of course, in the hallway tracks at DEF CON, officials from the Office of the National Cyber Director, the White House Office of Science and Technology Policy, the United States Agency for International Development, the Cybersecurity and Infrastructure Security Agency, and the Transportation Security Administration were out in full force. Top officials included DHS Secretary Alejandro Mayorkas, Acting National Cyber Director Kemba Walden, CISA Director Jen Easterly, and TSA Administrator David Pekoske. Some former officials, like Chris Inglis, also made the scene.
(And following DEF CON tradition, many of the first-time speakers took a shot before speaking.)
“We need you. We need you to help us,” said Mayorkas during his opening statement at DEF CON. “You see things that we do not see. You discover things that we do not. And we really need your help.”
Walden’s message was no different: “Here at DEF CON, we have a whole staff here who are here to talk to you to help us design better policy,” she said. “We are in the White House for a reason and that is to provide strategic cybersecurity advice to the President. You need to help me do that. I would be grateful for that.”
The ask wasn’t theoretical either. At the policy village, ONCD and CISA officials held a “red-pen workshop” on a draft policy document for secure-by-design guidelines, a key push by the administration, the Messenger reported. While the document itself was off the record and under Chatham House rules, the unusual panel is emblematic of the help government officials are now seeking from hackers — a far cry from the first congressional hearing with members of the L0pht hacking collective in 1998.
At Black Hat, the ONCD announced a new request for information on open source security. “How do we make it more secure is the fundamental question,” Walden said at Black Hat. “I need reaction from that, particularly from you. So we made sure to publish it so this community can plug in and help us make smart, realistic policy around how we make open source technology more secure.”
Similarly, at a panel at the ICS Village at DEF CON, TSA Administrator Pekoske announced the launch of a research program dubbed CHARIOT, or Critical Infrastructure Hardening to Achieve Risk Reduction in Information and Operating Technology. (“It’s a long one,” he told CyberScoop in the hallway con.)
The main objective, Pekoske said, is to find out “how do you assess risk and degrees of risk within a pipeline system or a rail system?” He said TSA would like to develop CHARIOT into a regular “dialogue with the hacker and hacker research community.”
Hackers, Pekoske said, “will see things from a different angle than we see. Which will be hugely helpful to us to make sure that we put out a product that tests the owners and operators of critical infrastructure systems in a way that reflects reality.”
And it’s clear the federal government needs cybersecurity help. In a White House memo sent this week, first reported by CNN, national security adviser Jake Sullivan told Cabinet secretaries that many federal agencies are failing to adhere to a 2021 executive order on cybersecurity standards and are “leaving the U.S. Government exposed to malicious cyber intrusions and undermining the example the Government must set for adequate cybersecurity practices.”
He went on to say that “the Biden-Harris Administration has had a relentless focus on strengthening the cybersecurity of the nation’s most critical sectors since day one, and will continue to work to secure our cyber defenses.”
Yet not all the hackers at summer camp were thrilled with the abundance of feds in Las Vegas using the conferences as a recruiting event for Washington.
Cybersecurity journalist Kim Zetter noted on X, the site formerly known as Twitter, that “Defcon has morphed from a community event to a government event in many ways. The policy and voting villages, for example, are dominated by government or companies now, and people who worked on issues for decades are missing from the conversations or feeling unwelcome.”
It was a comment that sparked a lengthy conversation about the changing nature of DEF CON, which has become more mainstream just as the cybersecurity industry itself has evolved as well.
“A decade+ of DEFCON has taught me that it isn’t what it was. That’s okay. Seasons,” replied Patrick Kelley, a cybersecurity executive and former DEF CON volunteer.
Corrected Aug. 20, 2023: This article has been updated to correct the name of the I am The Cavalry initiative.