Black Hat USA 2023 and DEF CON 31 Wrap-Up: The Critical Role of Cybersecurity in the Future of AI
Black Hat USA 2023 wrapped up last week with more than 20,000 cybersecurity professionals and 280+ vendors attending from all over the world!
Following Black Hat, of course, DEF CON 31 kicked off with around 30,000 attendees. This was the first year the CrowdSec team attended DEF CON and we have to admit, we were in complete awe at the number of people attending, the sparkling conversations, the inspiring talks, and the overall energy of the conference.
Let’s take a look at the most interesting highlights.
The Omdia Analyst Summit
On Tuesday, 8 August, prior to the big opening of Black Hat USA 2023, we had the privilege of attending one of the most notable gatherings in our industry, the Omdia Analyst Summit. The theme for the third annual Omdia Analyst Summit was Maximum Attention, Minimum Budget, with a strong focus on the emergence of proactive security. In their presentation, Eric Parizo, Managing Principal Analyst, and Andrew Braunberg, Principal Analyst at Omdia, defined proactive security as the “technology that seeks out and mitigates likely threats before they pose a danger to the environment.” Parizo and Braunberg also characterized proactive security as a game-changer for cybersecurity technology and strategy and a critical element of enterprise cybersecurity architecture.
One of the most interesting presentations of this year’s Summit was Investigating Acronym Soup in Cloud Security by Ketaki Borade, Senior Analyst, Infrastructure Security, and Rik Turner, Senior Principal Analyst, Emerging Cybersecurity at Omdia. In their presentation, Borade and Turner discussed the reasons behind the need for so many acronyms in cybersecurity as well as the real priorities of decision-makers. The presentation was followed by a fireside chat between Ketaki Borade and CrowdSec CEO and Co-Founder, Philippe Humeau.
The future is AI
Starting off at Black Hat on Wednesday morning, the first keynote set the tone for the entire conference with the Founder of Black Hat and DEF CON, Jeff Moss, talking about how easy it has become for people to get their hands on predictive AI and the need to transform IT problems into prediction problems in order to get the most value out of AI. However, AI comes with certain challenges, most notably the everlasting struggle of distinguishing and identifying the valuable and authentic data we need to train our AI models.
The main keynote speaker, Maria Markstedter (also known as Azeria), talked about the maturity — or lack of it — of the current AI models and the inherent risks of AI.
AI is not a new technology per se; however, it was only after the release of ChatGPT last year that the technology really took off and attracted the attention of major players in the tech industry. But why is everyone so eager to invest in AI now? Historically, following major technological breakthroughs, big corporations race to dominate the market. This creates several security risks, as security was often seen as a hindering factor to progress, and it was very common for products to be released with no or minimal security features. Companies did not often decide to invest in security on their own; rather, they were more likely to be forced to do so by hackers. It is only relatively recently that businesses have started to understand the value of robust security.
Apart from security, Azeria identified the inherent risks of AI as being economic, technological, sociological, existential, geopolitical, and philosophical, all of which will have a major impact on how we design our new threat models. The business dream is an autonomous AI agent that can take over workloads. But have we considered the multi-level ramifications of a truly autonomous AI system, authorized to make decisions? And how do we approach data security: how do we process external data, or deal with data exfiltration? Can we solve these problems with data alignment? How do we protect ourselves when the entire internet is the attack surface? Along a similar line of thought, in his talk, Ben Smith urged us to stop thinking of AI as an easy button and begin to understand that information security is essentially a subset of risk management.
Ultimately, will AI replace security professionals? “AI may not replace you, but security professionals with AI skills will,” said Azeria. The problem is not AI itself but rather the lack of people with the right skills to help us prepare for and tackle the challenges that come with AI.
The need for collaboration, the need for skill, the need for involvement
While AI was undeniably the main theme of this year’s Black Hat, the need for collaboration and involvement of the hacker community in the policymaking space was another prominent topic. In the closing keynote of the first day at Black Hat, Lily Hay Newman hosted Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, and none other than Victor Zhora, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine, for an engaging discussion on the collaboration between Ukraine and the US in matters of global cybersecurity.
The need for collaboration was among Azeria’s closing notes as well, highlighting the fragmented nature of the cybersecurity community and the importance of events like Black Hat and DEF CON in bringing the community together. Yet another topic Azeria touched upon was the need to rethink the necessary skillsets in cybersecurity. “We had no manuals to help us fix our previous problems. We are all self-taught in one way or another; now the industry attracts creative minds with an attack-on mindset. So, we know how to study new systems and find creative ways to break them. This is our chance to reinvent ourselves, our security posture, and our defenses.”
But what is the ultimate drive behind the need for security professionals with AI skills and the need for collaboration? In the opening keynote, Jeff Moss noted the need for cybersecurity professionals to enter the space of policymaking and help steer the future of AI in particular, and global cybersecurity in general. In the day two keynote, Kemba Walden, Acting National Cyber Director at the Executive Office of the President, talked about the shift of cybersecurity experts and hackers toward becoming part of national security policy. Walden also emphasized the need to view cybersecurity not only through the lens of national security but to embrace cybersecurity as a synonym for technological innovation and economic prosperity.
Hack the future
The need to involve cybersecurity professionals and the hacker community in decision-making and policymaking processes was strongly represented in a number of sessions during DEF CON as well. Most notably, the discussion with Dr. Arati Prabhakar on why Congress and the White House are supporting AI red teaming was illuminating. “We absolutely have to harness the power of AI but to do that, we first need to mitigate its risks,” said Dr. Prabhakar, who also highlighted the need to build a future where we have robust and rigorous red teaming. In order to make this future a reality, we need to pull talent from the hacker community.
AI has been an urgent and critical focus for the White House over the last several months. According to the Blueprint for an AI Bill of Rights, big companies within the US have voluntarily committed to:
- Internal and external red teaming
- An agreement to work towards watermarking. External red teaming plays a critical role here, as it can ensure that companies are not merely validating their own watermarks.
The White House is also working on a follow-up Executive Order that will outline the need to harness AI by first mitigating the risks of cybercrime, fraud, and discrimination.
Closing the discussion, Dr. Prabhakar made a statement against a future of authoritarian AI and called all hackers to participate in building the future of AI: “If you want to make a difference as a hacker in the AI space, consider contributing to public services.”
The reality of internet censorship
DEF CON 31 was packed with so many interesting talks and discussions, but we have to admit, there was one panel that really piqued our interest and became the number one topic of conversation not just for us in the CrowdSec team, but for every group of people we happened to pass by! On the panel Internet Censorship: What Governments around the Globe Have in Store for You, Jeff Moss welcomed Roger Dingledine, President and Co-Founder of the Tor Project, Chris Painter, President of the Global Forum on Cyber Expertise, and Joel Todoroff, Office of the National Cyber Director, for a discussion on how censorship affects our work and how government censorship and surveillance in other places will undoubtedly affect us all.
Currently, in more than two-thirds of the world, citizens have their right to free information repressed or censored. We often see technology as a panacea, but the reality is that if governments are unbounded, we cannot solve this with technology alone. It is important to understand that the cyber world is not a binary of good and evil, as it is very commonly represented. In reality, even the good guys can go down the dark path for a number of reasons — because they are scared of terrorism, unwarranted surveillance, or their rights being repressed. But what is even scarier than that is the difficult truth that even democratic regimes that are far from following repressive methods can have a hard time defending democracy against market forces.
The UN treaty on cybercrime can be considered a step in the right direction. However, the treaty has its issues. First and foremost, the fact that this is a non-technical document is part of a major problem — trying to address very complex and highly technical topics in a non-technical manner introduces the risk of misinterpretation and alienates the highly technical community, which is the de facto practitioner of cybersecurity. A second issue with creating a very high-level document that outlines vague policies is that companies cannot correctly interpret their rights, responsibilities, and limitations.
Last but not least, the panel addressed cyber sanctions imposed on countries, with Russia as the most recent example. Contrary to common belief, sanctions on countries do a disservice to the cause of an open and secure internet, as they help repressive and authoritarian regimes isolate themselves and their citizens, further promoting the cause of such regimes and aiding them in their quest for isolation from the “evil west”. Instead of imposing sanctions on countries, we need to do a better job of sanctioning specific individuals.
The panel closed with the simple yet powerful notion that cybersecurity and human rights are two sides of the same coin.
Black Hat USA 2023 and DEF CON 31 are in the books!
All in all, both conferences offered a unique experience, tons of knowledge, and infinite opportunities for sparking discussions and new connections.
On behalf of the entire CrowdSec team, we want to thank everyone who dropped by our booth at Black Hat as well as all the incredible humans we met at the Packet Hacking Village at DEF CON. We wish you all a lovely end of summer, and see you soon!