An army of volunteer hackers to help protect American water systems, schools

Posted by Admin August 9, 2024 Tech

LAS VEGAS — DEF CON, the world’s largest hacker conference, is trying to put its legions of experts to work by creating a volunteer army to help protect America’s vulnerable water systems and schools.

The project is part of a larger attempt to harness the talent of the roughly 30,000 hackers who now make the annual pilgrimage to Las Vegas. It also aims to help the broader public access the cybersecurity research the hackers produce during the conference each year.

“There’s a very small number of people that can do this,” said Jeff Moss, who founded DEF CON in 1993. “So how do we best help them help other people?”

The project has two main elements. The first involves publishing a detailed report of what hackers disclose at the conference, in the hopes that the information can be used to better U.S. cybersecurity policy.

The second is connecting hackers with places that are in desperate need of cybersecurity help, starting with water and wastewater facilities and schools.

The project’s title — Def Con Franklin — is a nod to two of Benjamin Franklin’s distinct accomplishments: annually publishing Poor Richard’s Almanack and co-founding the first all-volunteer fire department in the U.S.

Moss said he’s “really excited to see what the response is” to the new project — and whether it’ll inspire others to replicate their efforts to help.

“Does real work get done? Maybe the finding is, it’s really valuable,” he said. “Then, other people copy the idea and more people do it. That would be the great win, that we’ve figured out a new way to allow hackers and creators to connect and help.”

Water is a clear first choice. While cyberattacks are routine against every industry that’s connected to the internet, the network of the roughly 50,000 independent water and wastewater facilities spread across the U.S. is particularly vulnerable. Larger plants typically can afford a dedicated security team, but smaller ones often run with only a handful of employees. Even if they only use a few automated systems, those can prove enticing victims for malicious hackers.

U.S. officials have repeatedly warned that they believe China has tried to position its hackers to be able to conduct cyberattacks against U.S. critical infrastructure if it believed conflict with the U.S. was imminent. A group of Iranian hackers broke into several U.S. facilities last year without causing significant damage. The Environmental Protection Agency found in a survey last year that around 70% of inspected water and wastewater facilities didn’t meet basic cybersecurity standards.

With no easy way for the government or industry to solve the problem, having an enthusiastic expert volunteer to help may be the best way to harden the country’s water security, said Jake Braun, a longtime DEF CON organizer and lecturer at the University of Chicago’s Harris School of Public Policy. The school is overseeing Def Con Franklin’s efforts to coordinate between hackers and water companies that need them.

“We find a utility or school district that’s interested, we find somebody who makes sense to be their volunteer, but then we stay involved for like a month or two to help them figure out what to ask for,” Braun said.

DEF CON has partnered with the largest water facility trade group, the National Rural Water Association (NRWA), to help match facilities with hackers.

“This is the kind of common-sense, hands-on approach that we know works in rural and small town America. We are excited to partner with them and bring our collective expertise to bear on this challenge,” said Matt Holmes, the NRWA’s CEO.

Def Con Franklin’s other arm, the Hackers’ Almanack, aims to seriously chronicle hackers’ major findings at the end of each conference. The conference highlights more than a dozen dedicated specialty areas called “villages” — Aerospace, car hacking, payment, telecom — where experts set up real-world systems and invite hackers to try to break them.

After the Voting Village began taking detailed reports of what its hackers did each year to Capitol Hill, since 2018 Congress has repeatedly approved enormous funding bills to help states pay to replace old, paperless voting equipment.

“It’ll be the findings from the different villages we think are interesting: the AI village, the hack-a-sat village, the biohacking village, and so on,” Braun said. “So we’re actually capturing what’s happening here.”