To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

To encourage openness of discussion, these sessions take place with Chatham House rules, where participants are free to use the information in the meeting but are asked not to directly quote or identify other participants (we also keep privacy in mind when preparing summaries of these sessions, like the one that follows).

The August call was held on Friday, August 15th. Topics discussed include:

• Highlights and takeaways from the various cybersecurity events in Vegas (Black Hat, Defcon) which had just concluded.
• General Discussion (OODA Loop research suggestions, etc).

OODAcon 2022

The meeting began with a reminder to OODA Network members to register for the upcoming OODAcon 2022.

The August monthly meeting began with a discussion of the cybersecurity conferences the week prior in Las Vegas, NV (Defcon, Black Hat, etc.).  Following are high-level notes from conference highlights shared by the group:

OODA Community HIghlights

• Bob Gourley thanked everyone from the OODA Community for getting together for a happy hour while in Vegas together for the first time in a long time due to the impact of the pandemic.
• Bob also shared: “A friend we had met, a Ukrainian cyber defender Victor Zhora, who is the deputy of their version of CISA in Ukraine. We were able to talk him into coming to the conference and introduce him around and it was fantastic. 100% of the people we introduced him to thought up other names of people he should meet. We got him with Jeff Moss, and they had a lot of private brainstorming time and were able to give him lots of ideas that he’s going to be able to apply directly. And then he told me personally, that it was a great networking event and he really appreciated coming and being able to interact with the real cybersecurity community.  Two weeks prior he had been in DC signing MOUs and things like that and doing the government-to-government stuff. But this was a way to learn the true community and make more friends more broadly.”

General Impressions of the Events in Vegas (DEFCON, Black Hat, etc.):

• It is great that we have a cyber security community, that the community can come together like that and work those big events because it really does help make progress. But we really need an IT industry that would build in security and work together in a collaborative way to reduce risk so much that we wouldn’t need a cybersecurity community.
• In the meantime, we are always going to have to go back to the desert for these events to work together collaboratively, to reduce risk and improve security. That’s an overarching lesson.
• The thing that continually surprises me is the utter and complete lack of progress in this field. This year primarily there was a lot of research about escaping from various containers and clouds.
• We have been talking about this being the first open-source or first commercial war with regards to the use of commercial technologies, making a big difference, commercial drones, and things like Starlink. Zora shared with the OODA Community broadly that these commercial capabilities have been a very impact on Ukraine.

Experience from the DEFCON Villages

• DEFCON really has become 36 conferences in one. The Quantum Village and RF village were highlights. There just was a lot going on in all the different villages that it was impossible to keep track of everything.
• The Caesar’s Forum was a highlight this year, which is a 25-year-long kind of brainstorming session that takes place every year and was focused on misinformation. A lot of great conversations around that and a lot of the thinking that I found interesting called for almost like transactions or penalties or costs associated with the use of social media and creating viral content. The track was very interesting because they were not thinking about AI algorithms for censoring or identifying fake accounts, they were thinking about making it more transactional. Do you have microtransactions for your tweets? And if you go viral, if there’s some sort of penalty is there some sort of cryptocurrency equivalent that you must stake to validate your account?
• One of the other interesting things on the cultural side: The Voting Village was a very different place.  It had a seriousness to it that it didn’t have in the past, you know, given what has changed in the US elections.
• As a community, DEFCON is, in general, a community where if we find things then generally we disclose them. DEFCON has been an audience that responsible disclosure hasn’t been the easiest topic to have a conversation about, and to see that natively coming back in the form of “how do we make this better while not creating unnecessary emotion or discomfort in the election process?”  it was a different conversation, a different maturity than you would have seen from the DEFCON audience 10 years ago.  The realization of the seriousness of the work we do was something that you wouldn’t have attributed to the DEFCON audience 10 years ago, even though it was having a similar impact.
• The election machine village or voting village, found itself at the center of misinformation campaigns during the conference, with people willing to attribute vulnerability to exploitation. And we have seen that. And that village ended up resulting in a media organization being banned for life from DEFCON based on the coverage and the approach that they were taking. But it really is creating that fine balance.
• Kim Zetter talked about it during her keynote as well: how do we, as a security research community, cover the vulnerabilities associated with these election machines without them being used for misinformation to discredit the integrity of the elections? It was an interesting juxtaposition:  It was incredibly quiet in there. It was very serious there.  Not a lot of interaction. And you saw in the aftermath of the weekend that what they were doing in that village was made into a misinformation campaign.
• This village is also not an ‘overnight success’, with the six+ years of effort by SJ Terpv on the topic mentioned during the discussion: “SJ has been throwing so much time and energy and brain power into it.” Now we’re starting to see the community come along.
• It was either in Wisconsin or Michigan that there was DEFCON research cited in the lawsuits after the 2020 election. That was probably a wake-up call for folks.
• It is troubling that every one of these discussions eventually goes to, “well, this is a tech problem.” And it’s not a tech problem. It is a people problem.  This was the first year they did the disinformation village. What you are going to see is a very rapid maturing process of how these discussions happen.
• The absence of the Rootz Village was notable this year. I think not having the true next generation of the security community around is a bit sad.  It has been a few years since they’ve been there.
• The Quantum Village was an agenda of topics around both quantum computing and quantum security, and the attendees were, most of them very experienced in state-of-the-art, quantum computing and or the post-quantum encryption algorithms that we need to apply. The village sponsored a capture the flag contest, the first ever using a quantum computer. So people who signed up for this capture the flag contest got time on one of the UK’s only quantum computers called Lucy. It’s an eight Qubit quantum computer. So not one that’s able to run a lot of algorithms, but it’s okay for learning and proof of concepts. And since this is the first real hackathon to capture the flag in quantum space, it was very basic. It was good seeing quantum hackers coming together and talking.
  There were appropriate for guys like me who want to continue to learn the state of the art of quantum. And some of the PhDs who spoke are very good at speaking plain English and telling you what is really happening.
  The motion we were debating was:  Is it time for enterprises to start preparing for post-quantum encryption? There was a short recap at the end and the audience gets to make points of information, points of order, ask questions and then there’s a vote.
• There were company presentations by:  presentations by SandboxAQ who famously spun out of Alphabet with most of their quantum capabilities, especially quantum security. There were presentations by Quantinuum which spun out of Honeywell. There were presentations by Quintessence Labs. OODA CTO Bob Gourley moderated a debate in the Quantum Village.

Technology insights from the conference and research, talks, and panel experiences

• There were a couple of fun announcements about SCADA.
• There was also an announcement about the DRM being broken for John Deere tractors.
• The entire industry seems to have settled into doing the same thing as last year and the year before because it is still working. Its people are still clicking on emails. It’s still a lot of ransomware.
• There was a new effort by several actors in the PRC to target people looking for work via LinkedIn.
• There was a lot of research done on how LinkedIn has become the primary method of fishing intrusion in the last year and a half, two years. But in a lot of ways, it was you know.
• Lots of interesting research, lots of old mechanisms, and the John Deere vulnerability were interesting.  The larger context is some of the stories that we talked about earlier in the year around John Deere bricking tractors that were being stolen from Ukraine. So it was interesting research.
• The Starlink stuff was interesting, including some stuff that required physical access to the device.
• Hubble Technology sponsored a party which was kind of their opportunity to announce to the world that they’re real and have capabilities.
• On the cybersecurity side, at Black Hat, the show floor was back not back like 2019 back, but it was back. There was a shift: XDR is still the headline. The third-party risk was not a headline anymore or way less than a headline. Every company in cybersecurity is now a tech service management company which was interesting.
• If OODA Network members are not at all familiar with the DISARM Foundation, if you haven’t seen it yet, take a good look at the work around mapping disinformation using kind of the attack framework and sticks and these sorts of things.
• If you are interested in seeing it, it is not up to the latest version of Disarm, but there is a version of AMITT that’s been implemented in Circl MISP (Malware Information Sharing Platform) Circl MISP is the computer incident response lab, Luxembourg. And they have implemented the sticks objects that the Disarm Foundation developed for countering disinformation. So hopefully it continues to get better.
• An OODA Network Member on the call ask the question: Was there any particular focus or attention on virtual worlds or the metaverse?  Was that a theme or just a side issue, or how was that discussed?  Another member responded:  It was a theme and it is growing stronger for the first time. They had an XR village, which encompasses all the virtual reality and augmented reality, and metaverse type things. I didn’t participate because I was so busy in this Quantum Village, but it sure had my interest, and I joined their discord server. Did anybody else attend the XR village? They also had people participate virtually, which may have been a first for DEFCON.”
• A participant on the call, who is a lawyer by trade, spent a lot of time in the policy con, which has been an evolving and growing area of cyber. There was also a cyber meetup for all the lawyers that were attending, which is always hosted by the General Counsel of Defcon.
• A member offered this direct personal history with BlackHat: “I’ve been fighting with BlackHat for over 10 years to be more startup friendly – since the startups today are their sponsors of tomorrow. Black Hat just did their first pitch competition this year.  And the word that I have gotten from talking to their folks is that they’re going to double down on it. And it will become an even more significant part of what they’re doing. I hope that that extends to also making it more affordable for early-stage companies to participate.
• I think some of this relates to the fact that, and it was news to me that INFORMA, the parent company of Black Hat and The Game Developers Conference, and some others – owns an analyst firm that I guess had been largely focused on telecom infrastructure business.  And they’re trying to jumpstart the cybersecurity aspect of that. So that was interesting. I haven’t gotten any reads yet on how the nascent launch of the privacy track at Black Hat went, but I’m glad they’re having one.
• Some talks at DEFCON were a little bit different, including Meta talking about how they created privacy-focused Red Teams within the organization. Some folks were disappointed that they didn’t get more of a cookbook on how to do it, but going forward, we may see some presentations with some data out them which would be stellar. They couldn’t do that this year.
• A member also noted this highlight: Some of the vendors and some of the dialogue were a little bit more focused on thinking about what it is you’re trying to accomplish before you go deploying stuff. No, one’s using the word strategy, but I’ll take it where I can get it.
• The CISO summit bombshell talk included the following anecdote: So CISO of a gaming company has a very popular casual game that was being built and run out of Ukraine on bare metal servers, no cloud, no VMs. He calls up the ops people in Lviv and asks them where are your backups. And they say, oh, well, they’re in the east. So he had to fix that straight away. But once he stabilized where they were, he made sure his people were safe and he realized he had a dev shop in Russia with the IP for one of their most valuable properties and had to figure out what to do. So he passed the dev spec op team to exploits and pulled all the penetration testing results for the past couple of years they had never fixed and handed it to this team.  They got on every asset, moved laterally within the organization, and then hit the button to blow away everything and kicked the people off.
  I’ve never seen that scenario in the commercial context, only in the military.   The two questions were:  What did your general counsel say? And the answer was, “Well, it turns out if it’s our stuff that didn’t matter too much.”  The other question was What did your insurance company say?” In the end, they said, “you’re protecting your IP.  And we can’t very well tell you not to protect your IP. And it was fine.”  So it’s the first public or semi-public discussion I’ve heard of in a commercial enterprise in a situation like this, actually having after the fact, because I guess there wasn’t sufficient enterprise management in place to just do it with their regular management infrastructure, but basically attacking and exploiting their own office to shut it down and delete IP.  A member concluded: “So that got my attention. I think more than any talk ever that I have ever heard at the CISO Summit.”

General Discussion (OODA Loop research suggestions, etc).

Is Quantum still five years out?  We’ve been hearing about quantum for over 30 years and it’s always five years away. It’s been five years away from the 30 years that I’ve been involved in it. So I just wondered in the conversations is their optimism that we are going to begin to see practical applications, or is this still going to be a lab experiment and we are still five years away – and check us out then?

So the best methodology I have seen to project when quantum computing will be delivering real results is to survey experts. And there is now a multi-year survey that has been running sponsored by the Quantum Technology Institute, which asks the Ph.D. researchers in quantum this question:  when do you expect a quantum computer to be able to execute Shore’s algorithm?

Of course Shore’s algorithm, is this very specific, widely recognized algorithm that when it runs will help you factor large prime numbers, which means asymmetric encryption can be broken. So when you ask these experts in this survey, you ask them, when do you think a computer, a quantum computer can break, can run shores algorithm. And when will it be able to break asymmetric encryption, you get a range of numbers. And increasingly they’re saying within five to seven years. So if you ask me for my estimate, I’m just going with five to seven years. Just three years ago, they were saying 10 years. So it is creeping up on us that said quantum computing is not the only benefit we’re getting from this second wave of quantum effects. There’s also quantum key distribution and there are many other quantum effects being looked at to improve quantum sensing, for example, so stay tuned, but I think we’re seeing a lot of progress.

The big three to watch are Google’s work, IBM’s work, and Microsoft’s work. There are some frauds to watch out for in the market as well.

Russia just announced that they’re opening an AI department within the government specifically to work on the application of AI for military purposes. So I think that will be a topic worth exploring.   They have an equivalent to DARPA research agency. They created a few institutes where they’re training personnel to do encryption, and to apply different AI models to surveillance.

The Rational Use of Tools to Sow Strategic Chaos: because of what’s happening in Ukraine, we can talk about malware and all of that, but from my experience, a topic is the rational use of opportunities to divide us and moments of potential crisis or disruption.   And I see the 2022 elections that are coming as an opportunity for them to demonstrate how our form of governance is ineffective with potentially a lot of different disinformation narratives.

The future of technology is trust. No one.  A member offered this perspective on the broad topic of trust:  “I think that’s why blockchain is so interesting to the younger generation. They’d rather trust an unknown Japanese Phantom than their government. I think the distrust of the government is very high around the world right now. And so people are looking for messaging architectures. They’re looking for custody of their assets their digital assets that are safe.  And I think that kind of technology is kind of a double-edged sword because anonymity breeds irresponsibility, but people are looking to go anonymous. They’re looking to go into personal custody.    They want to hide from the authorities. Not because they’re criminals, but because the authorities are criminal.   So I think that’s a new world and technology needs to think about that. Privacy is the other thing I used to say, you have no privacy.  Get over it.”

Links from the chat

• The Disarm Foundation:  https://www.disarm.foundation/framework
  On the subject of privacy, a good book:  https://futurecrimesbook.com/
• Misinformation Village @ DEFCON 30 (Co-hosted by MisinfoCon)