This year at DEF CON 24, the big attraction was the Cyber Grand Challenge, sponsored by the Defense Advanced Research Projects Agency AKA DARPA. It was a Capture the Flag (CTF) type hacking contest which is typical of DEF CON, where you simultaneously try to defend a server and hack your adversaries. However, the difference in this contest is that all the contestants were software programs, designed to defend and hack back all on their own with no human intervention. That’s right, autonomous hacking software drones. Or at least that’s the way I saw it.
If it seems a bit odd that DARPA would be a major sponsor of DEF CON, the original counter culture hacking convention, it was. They basically took over a whole area of the con and put on the event like a spectator sport, complete with commentators, lit-up, custom-designed racks for the computers and a huge prize purse of 3.7 million dollars. Consider that the entire door receipts for the convention probably didn’t exceed that number and you’ll realize that this display was decidedly non-DEF CON.
As far as the actual contest went, it was not quite as exciting to watch in real time as the commentators and lavish production would have wished. However, it made me wonder about the underlying concept. Software bots that can defend and attack all by themselves are a pretty impressive feat. But to what end? If it were just a bunch of sleep-deprived hackers working in teams for a black Uber badge, I would say for the same reason that any DEF CON contest is put on. Just for the fun of it. But software robots don’t have fun. And military-funded research organizations definitely don’t do anything for fun. I mean sure, DARPA invented the Internet and gave us a lot of great things like GPS and Tang. But make no mistake, they expect some payoff for their investment, maybe not now, but in the future. While the contest organizers took pains to assure us that the code was not “weaponized” and could not escape into the wild or be used for any malevolent purpose, I definitely could see where they were going with this. It could be the answer to a basic problem that the US government has in cyber warfare.
Other governments have been hacking us for years, sometimes covertly, other times not so covertly (think the North Korea Sony hack). Our adversaries generally have fewer scruples than we do when it comes to actively raiding our corporate and governmental coffers via cyber-attacks. The problem is, being the good boy on the block as well as wielding very BIG sticks in the conventional war arena, it is hard for the US government to respond, at least officially, to such slights. Sure, we’ve made some noises about considering cyber-attacks to be the same as real kinetic attacks, but so far, there has been little response on the cyber-front, mainly due to the danger of escalation into a real shooting war.
However, if we had software drones patrolling our virtual borders and someone were to attack us, the drones could fire back and if it just happened to attack a location in downtown Beijing, we blame the robots. Oops, let us fix that line of code. Sorry. But maybe, that group, whoever it is, is less likely to attack us so obviously in the future if the big dog on the block is going to bite back automatically.
Perhaps it’s just a conspiracy theory, but I think sooner or later, whether we do it or some other country does, software attack drones will be an important part of the future of cyber warfare. And if throwing a couple of trinkets to the DEF CON nerds (3.7 million is beads to the military) helps the US get there before the other guys, I think they wouldn’t hesitate to do it.
As far as the rest of DEF CON 24 goes, I’m starting to wonder if what was once a crazy little hacker conference has truly jumped the shark. First of all, the serious money has arrived (see above). Not just in the DARPA Cyber Grand Challenge, but the vendor booths which are getting significantly more “boothy” (think giant inflatable animals) versus the vendor tables way back when that were actual folding card tables, with odds and ends of a dubious technical nature that used to make up the DEF CON vendor area. Also, 25,000 attendees is way too many to pretend that you don’t need online pre-registration. It prevents them from planning room sizes for talks, having enough badges for the attendees and many basic convention management tasks. It makes me think that either A. the founder Jeff Moss is using it as a huge tax dodge (cash is great for that), or more likely he’s packaging it up to sell off just like he did with Black Hat a while back. Either way, I can’t expect that it can continue in this form too much longer. It probably needs to be split up into several conferences; one big one focused on the large corporation and government employees that seem to dominate it now (#FEDCON?) and then a smaller one that can feel free to be quirky, crazy and free from government influence like the old DEF CON used to be. All good things come to an end and I expect that DEF CON, in its current form, has peaked.