Once you’ve attended DEF CON more than a couple of times, you’ll notice that each year there comes a distinct tone, flavor and theme to the convention. In recent years these have become explicit subtitles and this year’s – “Rise of the Machines” certainly rings true on many levels.
Every year the media engages in hyperbolic hand-wringing over DEF CON, as the clickbait-titles go into full force; rest assured I have no interest in covering that same territory.
“Rise of the Machines” was the subtitle for this year’s DEF CON and like the Terminator-franchise film that text is borrowed from the convention’s artwork and trimmings lean heavily on images of aggressive, ambulatory automatons. The machines in question cover a wide spread – embedded machines in cars, households and industry. Learning machines that may herald the future of security automation. And, yes, even the political machine.
None the less, the reality emerges as indisputable that over the last decade we have spun a vast amount of computational progress away from dedicated computing devices and into invisible, ubiquitous code-executing devices. Twenty years ago, there were perhaps one or two general-purpose processors in the average household, now there may be hundreds.
And all of them need securing.
Automotive Security, Mobile Devices and the Internet-of-Things once again occupied a broad percentage of talks, a trend that has been building at DEF CON the past five years. When DEF CON was much younger, the talks were about securing (and gaining access to) large-scale information and telephony networks, about protecting access and integrity of ephemeral information. Over time, that evolved into protecting financial information (currency itself is more digital than physical now) and now finally as custom-designed embedded systems make way to inexpensive general-purpose processors, we reach a point where every device on the planet is a target for exploitation and malicious repurposing.
So, we fix technology with more technology – the realization that there are more computation devices on the planet than humans now, means we have to accept that the old model of human monitoring and intervention in security issues has to undergo a sea change.
From this point on, the idea that security information about a device will ever be examined by a human analyst is woefully hubristic. DARPA is no stranger to casting an eye to the future at the first sign of a change in the status quo emerging, its Cyber Grand Challenge this year was the Title Match of this year’s Defcon, a challenge to put Machine Learning/AI Systems up against each other and human opponents and see who could be more effective at penetrating and defending information systems.
What’s important about this “Rise of the Machines” in the Grand Challenge, is that they aren’t just applying operational techniques, finding existing vulnerabilities, and applying existing patches. They are discovering new vulnerabilities on the fly, and writing their own new code patches for those vulnerabilities. If the world at large is coming to terms with how automation is replacing humans at all lower levels of skilled work, information security professionals shouldn’t rest on their laurels thinking that their work is foundationally unsuited for automation. With that said, we shouldn’t prepare for an overnight replacement of a highly skilled workforce with a savvy investment in software…not yet.
While the competing AI’s in the Grand Challenge produced some impressive results, Carnegie-Mellon’s AI “Mayhem” won the challenge (and a $2 million prize for the team behind it) with a tangibly significant lead. The opportunity to put it up against some of the best humans in the world was in the next room over at the Defcon CTF competition. Mayhem went up against the human teams in the CTF, an event so well-developed in DefCon’s history that is it now essentially the World Cup of competitive systems cracking.
The results? For a while, Mayhem looked like it might not finish last, holding a second-to-last place for some time. Finally in the closing hour of the CTF, Mayhem’s systems fell. We are not yet at our first “Gary Kasparov defeated by Deep Blue” moment in history for cybersecurity yet, but it’s not much further out.
While the AI’s couldn’t defeat the pattern matching and creative reasoning abilities of the human mind yet, they undoubtedly did measurable work that would bolster any human team’s capabilities – finding previously unknown vulnerabilities and creating patched binaries for them on the fly.
- This is the first post in a two part series.