Black Hat at 20, DefCon at 25: Not just about breaking things

CERT-LatestNews ThreatsCybercrime ThreatsEconomic ThreatsStrategic VulnerabilitiesAll VulnerabilitiesMicrosoft

Original Article Here

The end of July saw the twentieth staging of the conference known as Black Hat USA, a massive mid-summer pilgrimage of information security professionals to Las Vegas.

Ironically named for the criminal hackers that cybersecurity pros spend their days – and quite a few nights – defending against, the Black Hat Briefings quickly earned a reputation for excellent technical content.

Black Hat is staged right before the original Las Vegas hacker conference: DefCon. Indeed, Black Hat itself was spawned from DefCon as a “respectable” mid-week event for which security professionals could more easily obtain corporate travel approval than a wild and crazy weekend called DefCon.

In 2017, DefCon itself turned 25 and rolled over Caesar’s Palace in a tide of dark hued t-shirts and cargo pants. How many thousands of people attended? I don’t know, but let’s put it like this: at random times there were long lines just to get on the escalators that let you out of the event area.

One way Black Hat has prospered is by becoming the venue of choice for security researchers seeking to showcase new ways to hack something interesting, like cars, an ATM, or insulin pumps. But these events are not just about breaking things; in this post I point to one of several briefings this year which made that point quite effectively.

(If you want to read up on the hole-punching, vulnerability-exposing side of Black Hat, my colleague and fellow attendee, Cameron Camp has you covered, just scroll down to see all five blog posts. And to be clear, you can learn a lot at Black Hat about how to defeat the new threats, even as they are being presented.)

Where in cyberspace is Norm?

If your job involves protecting sensitive information from prying eyes, or making sure that the right data is available to the right people at the right time, then Black Hat can make you feel burdened and beleaguered. So many threats and so many attack vectors, versus your organization’s meagre security resources. Of course, all of that would be less of a problem if cyberspace were populated solely by law abiding digital citizens who abided by civilized norms.

I’m not talking about guys called Norm, but norm as in “standard of acceptable behavior”. Of course, as one of my favorite musicians famously said, “Progress is not possible without deviation from the norm”, yet it is also true that, without norms, progress cannot be sustained. But what are the norms in cyberspace, and who is going to enforce them?

“One look at any recent cybersecurity news feed will tell you that the world has not yet agreed on what the norms are in cyberspace.”

One look at any recent cybersecurity news feed will tell you that the world has not yet agreed on what the norms are in cyberspace. Stealing intellectual property and exposing private information are apparently cool in some circles. Getting large scale agreement that these things are not to be tolerated will clearly take a lot of time, plus some very bright minds. And that is where there is some good news.

Earlier this year, a bunch of bright minds came together to address these issue. The Global Commission on the Stability of Cyberspace (GCSC) was launched in February, 2017, with the stated goal of “helping to promote mutual awareness and understanding among the various cyberspace communities working on issues related to international cybersecurity”.

About the GCSC

The GCSC folks are an impressive bunch, including the three co-chairs: Michael Chertoff, Secretary of the US Department of Homeland Security from 2005 to 2009; Marina Kaljurand, former Estonian Foreign Minister and Ambassador of Estonia to several countries including the US and Russia; and, Latha Reddy, the former Deputy National Security Adviser of India.

The GCSC is confident that it can make a serious contribution “to an essential global task: supporting policy and norms coherence related to the security and stability in and of cyberspace”.

The Commission was initiated by two independent think-tanks, The Hague Centre for Strategic Studies (HCSS) and the EastWest Institute (EWI). Founding partners include the governments of Singapore and The Netherlands, as well as Microsoft. Sponsors include the Internet Society (ISOC) and the government of Estonia.

So what has this got to do with Black Hat? Well, early supporters of the GCSC include Black Hat, and they hosted a meeting of the commission during Black Hat USA, 2017. This included a Black Hat Briefing titled “Challenges of Cooperation Across Cyberspace,” and featured five commission members: Marina Kaljurand, Joseph Nye, Bill Woodcock, Khoo Boon Hui, and Wolfgang Kleinwachter. The panel session was moderated by Jeff Moss. Better known in some circles as DT or Dark Tangent, Jeff is not only the founder of both DefCon and Black Hat, but he is also a lifetime member of the Council on Foreign Relations and a member of the World Economic Forum’s Global Agenda Council on Cyber Security.

Of skepticism and hope

key to hope

All of the panelists presented their views on the prospects for establishing and enforcing norms in cyberspace. All expressed hope, albeit at varying levels, that international agreements to reduce cyberconflict and deter cybercrime could be reached. Several cited the fact that, for hundreds of years, humans have used treaties and conventions as a strategy to limit harmful behavior and promote good behavior. While there have been many failures and treaty violations, the net effect has been positive in areas such as chemical weapons, anti-personnel mines, and nukes.

As Microsoft President Brad Smith observed earlier this year, the Geneva Convention has definitely helped to save civilian lives in times of war. This implies that efforts to agree upon and enforce norms in the cyber realm are at least worth contemplating.

I don’t think anyone on the stage was in any doubt as to the level of skepticism with which any of their proposals to bring law and order to cyberspace will be met. I have experienced this skepticism myself when, at various conferences and networking events, I have floated the idea of a “malware test ban treaty.” I’ve heard everything from “ain’t gonna happen” to “good luck with that.”

Needless to say, I will be following the GCSC closely and reporting on new developments. There may be opportunities for industry experts, researchers, and the general public to get involved. If so, I will report them here and on my Twitter account: @zcobb. If you want to follow the GCSC yourself, check out

Author Stephen Cobb, ESET