In this episode of The Security Ledger Podcast (#107): Hacker Summer Camp takes place in Las Vegas this week as the Black Hat, DEFCON and B-Sides conferences take place. We’re joined by DigiCert Chief Technology Officer Dan Timpson to talk about the presentations that are worth seeing. And, in our second segment, The Department of Homeland Security launched a new Risk Analysis Center that sounds a whole lot like some programs it already runs. Is this bureaucratic overkill or is DHS on to something?
Black Hat: Algorithms are not our Friends
The Black Hat Briefings conference kicks off this week in Las Vegas. The annual event, jokingly referred to as “hacker summer camp,” has long been a proving ground for top researchers and a stage for headline-grabbing hacks and exploits.
What are the big trends at this year’s show? To find out, we invited Dan Timpson, the Chief Technology Officer at DigiCert*, back into the Security Ledger studios to talk about which talks and demonstrations caught his eye, and about the most important themes to emerge from this year’s show.
Dan said that the security and integrity of machine learning systems, and of the algorithms that are dictating security behavior, is a major area of interest and concern. He recommended Raffael Marty’s talk on Thursday, “Why Algorithms are Dangerous.”
Dan and I also talk about DigiCert’s latest foray into the blockchain scene as a new member of the Linux Foundation and of the Hyperledger initiative. While blockchain is no (clear) replacement for traditional PKI deployments, there are many potential applications of the technology. “There is some magical thinking (about) blockchain topic. It’s in the point of time where it’s still being proven,” Timpson told me. “But on the legit side, I think we see opportunities with electronic health records or supply chain management.” Blockchain, he said, could be used to track items as they move through complex food or technology supply chains, and DigiCert sees opportunities to use its background as a Certificate Authority and in managing digital identities to further blockchain adoption.
Some other presentations that Dan and I discuss:
- Understanding and Exploiting Implanted Medical Devices
- Over-the-Air: How we Remotely Compromised the Gateway BCM and Autopilot ECUs of Tesla Cars
- Deep Neural Networks for Hackers: Methods, Applications and Open Source Tools
- Applied Self Driving Car Security
- Breaking the IIOT: Hacking Industrial Control Gateways
- From Bot to Robot: How Abilities and Law Change with Physicality
DHS Déjà Vu
And, in our second segment: against a backdrop of dire warnings about electronic incursions onto the U.S. electrical grid and other critical infrastructure, the Department of Homeland Security last week announced that it was standing up a National Risk Management Center. That should come as a relief to those who worry that the federal government is letting state-sponsored hackers from countries like Russia, China and Iran get the better of our nation’s critical networks. But is it a relief? In our second segment this week we speak with two experts on critical infrastructure security who say the new Center is – at best – a start and, at worst, a distraction that risks sapping funds from existing cyber risk and coordination centers.
Emily Miller is the Director of National Security and Critical Infrastructure Programs at the firm Mocana. She’s also the former Chief of Process Management, Measurement and Exercise Planning at the Department of Homeland Security. Our other guest is Jeffrey Slotnick. He’s the President of Setracon Enterprise Security Risk Management Services and a chair of ASIS International’s Critical Infrastructure Protection Working Group.
Both Emily and Jeffrey agree that it is way too early to know whether the new National Risk Management Center is the fix for the nation’s cyber security woes. But there’s reason for pessimism.
For one thing, Miller notes that the Center, which has long been proposed as a way to bring together government experts and industry partners to develop a strategic approach to cyber threats, doesn’t have its own budget, but will be expected to make do with money provided by two existing and, perhaps, overlapping response centers within DHS.
The other issue, Emily notes, is the challenge of getting experts in process control to help shape the government’s response to threats to critical infrastructure. “If we’re talking about a process control challenge, we need process control people,” Miller said. Still, most of the people engaged in critical infrastructure defense at the federal level are IT professionals with scant experience managing operational networks.