One final curated post for the year of the insights and innovations we thought would be of interest to our members and readership from the annual cybersecurity gatherings in Vegas.

Cybersecurity Dive | White House details $11M plan to help secure open-source

National Cyber Director Harry Coker Jr., speaking at Def Con in Las Vegas, says federal assistance must be bolstered by more ownership among the community.  The Department of Homeland Security plans to invest $11 million toward improving security in open-source software, a key area of focus under the Biden administration’s national cybersecurity strategy…the investment will back a program called the Open Source Software Prevalence Initiative, which will assess the prevalence of open source software used in operational technology settings by critical infrastructure providers. 

Fact Sheet: Biden-Harris Administration Releases Summary Report of 2023 RFI on Open Source-Software Security Initiative 

The RFI summary report consolidates submissions received from the open-source software community and details twelve activities that members of the OS3I plan—or have completed—in 2024-2025. These activities include:

(1) Advance research and development;
(2) Secure package repositories;
(3) Partner with open-source communities;
(4) Promote further development and implementation of the use of Software Bill of Materials;
(5) Strengthen the software supply chain;
(6) Establish the first U.S. Government Open-Source Program Office;
(7) Assign vulnerability severity metrics;
(8) Increase education and training tools;
(9) Expand International Collaboration;
(10) Enhance security and replace components of legacy software;
(11) Advance public-private partnerships; and
(12) Use formal methods.

Read the full National Cybersecurity Strategy here.

Read the full OS3I End of Year Report here.

Read the full 2023 National Cybersecurity Strategy Implementation Plan here.

Read the full 2024 National Cybersecurity Strategy Implementation Plan here.

Read the full Back to the Building Blocks Report here.

A sign that reads “Go Fake Yourself” outside of the AI Village at DEF CON in Las Vegas on Saturday, Aug. 10.
Image Source: Sam Sabin/Axios

Inside DARPA’s deepfake generation experiment at DEF CON

Sam Sabin from Axios was able to create his own deepfake while reporting on the DARPA demo at DEF CON 32:

“Generating a plausible deepfake video that swapped my face for Meghan Markle’s took about 10 seconds and showed how easy it would be to pretend to be someone else in a live video.

Why it matters: The deepfake experiment on the sidelines of the DEF CON hacker conference also came with a silver lining: Technology is getting better at detecting deepfakes, too.  Participants in the DEF CON hacker conference over the weekend had the opportunity to create a live video deepfake in a lab held by AI Village in partnership with the Defense Advanced Research Projects Agency (DARPA).

  • The AI Village worked with Brandon Kovacs, a senior red team consultant at cybersecurity services provider Bishop Fox.
  • The team used an open-source tool called DeepFaceLive to generate participants’ celebrity dupes in real-time.
  • DARPA-backed Semantic Forensics (SemaFor) then ran its own deepfake detection tool — trained on years’ worth of research from DARPA and several academic research partners — to see if it could spot the fakes.

For more of Sabin’s reporting on the DARPA deepfake experiments presented at DEF CON, go to this link.

National-security workforce needs young people, former NSA chief says

Presidential election interference, a once-in-a-generation pandemic, the SolarWinds Orion hack and Russia’s invasion of Ukraine are just a small sampling of what Gen. Paul Nakasone witnessed during his time leading the National Security Agency and U.S. Cyber Command.  In taking the position in 2018, he set “wake-up conditions” for when an on-duty officer would call him during an emergency that would require attention from the president or secretary of defense. In his first year, he got 3 calls. In his final month on the job, he was phoned over 10 times.  “It’s for you. It’s them. Good luck,” he recalled his wife telling him whenever a call came through. His description of what became a routine habit for the Nakasone family elicited laughs from an audience of hackers and security practitioners at the DEF CON hacking conference here.

“The scope, scale, sophistication and speed of what we’re facing is tremendously different” versus five years ago, he said.  To Nakasone, it means that younger people need to have a seat at the national security table, he told reporters on the sidelines of DEF CON. “Gen Z will be the No. 1 sector within our workforce. Okay, that’s great. But it also requires that knowledge and skills and ability that have just left us — whether or not they’re baby boomers like myself or millennials — you’ve got to be able to pass that information on,” he said.  He hopes to begin addressing the issue through a new Vanderbilt University national security research institute launching next month. “We’re talking 25 for 2025,” he said, as part of an effort to put 25 Vanderbilt interns into governmental national-security roles to help kickstart the effort. 

Security Boulevard | The Supply Chain Security Crisis 

This year, the software supply chain was a dominant theme [at Black Hat], reflecting the industry’s growing concern over vulnerabilities in both open-source and proprietary software. The shadow of recent high-profile disruptions, such as the CrowdStrike update issue that led to widespread outages, loomed large over many sessions. While this incident wasn’t a cyberattack, it highlighted just how fragile the software supply chain can be and the potential for catastrophic impacts if these systems are compromised. CrowdStrike’s prompt and effective resolution of the outage was met with praise, as they minimized the disruption and reinforced community trust in their capability to manage unexpected challenges.

A particularly insightful session was Danny Jenkins’ talk on “Understanding and Reducing Supply Chain and Software Vulnerability Risks.” Jenkins, the CEO of ThreatLocker, explored the intricate web of dependencies in modern software development and the myriad ways in which these can be exploited. He emphasized the urgent need for organizations to adopt more stringent security practices, such as continuous monitoring and supply chain audits, to mitigate the risks posed by third-party software components.

Innovations and the Business Hall

The Black Hat Business Hall was a hive of activity where vendors showcased their latest tools. Many vendors, such as CrowdStrike and Trend, had interactive kiosks where attendees could try their products for themselves. This year, the emphasis was on practical solutions to emerging threats, with many vendors highlighting tools designed to enhance AI-driven security operations and improve supply chain security. In startup alley, emerging companies and innovations such as VulnCheck had their own section of the business hall to promote their offerings.

The Innovators & Investors Summit was a new addition that drew significant attention. This summit provided a platform for startups to pitch their solutions to a panel of investors and industry leaders, with the aim of supporting innovation in the cybersecurity space. The Startup Spotlight Competition was particularly exciting, with emerging companies showcasing groundbreaking technologies that could shape the future of cybersecurity. 

Convergence:  AI-based Innovation and Business Models at Black Hat USA 2024

HPE Infuses AI Into Network Detection and Response Platform

Axios | Election security officials try to grow confidence in 2024 election system at Black Hat, DEF CON

The security of the 2024 U.S. elections [was] one of the hottest topics on the floors of Black Hat and DEF CON this week. Why it matters: With less than three months until Election Day, government officials and election security experts are eager to grow confidence in state and local government’s ability to accurately and safely tally legitimate votes.  Driving the news: The DEF CON Voting Village is running a simulated online election this week and asking hackers to try to break the system.

POLITICO | The nation’s best hackers found vulnerabilities in voting machines — but no time to fix them

A hack that would disrupt the election is unlikely, but experts are worried that any vulnerabilities could provide fodder for those wishing to question the results.   Some of the best hackers in the world gathered in Las Vegas…to try to break into voting machines that will be used in this year’s election — all with an eye to helping officials identify and fix vulnerabilities.  The problem? Their findings will likely come too late to make any fixes before Nov. 5.

In one sense, it’s the normal course of events: Every August, hackers at the DEF CON conference find security gaps in voting equipment, and every year the long and complex process of fixing them means nothing is implemented until the next electoral cycle.  But Election Day security is under particular scrutiny in 2024. That’s both because of increasing worries that foreign adversaries will figure out how to breach machines and because President Donald Trump’s unsubstantiated allegations of widespread fraud in 2020 undermined confidence in the vote among his supporters. 

As a result, many in the election security community are bemoaning the fact that no system has been developed to roll out fixes faster and worrying that the security gaps that get identified this year will provide fodder for those who may want to question the results.

BLACK HAT USA 2024 Post-con

DEFCON 32 Post-Con

Additional OODA Loop Resources

https://oodaloop.com/archive/2024/08/30/information-warfare-social-engineering-and-ransomware-a-global-situational-awareness-and-threat-vector-survey/

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.