DEF CON Franklin project enlists hackers to harden critical infrastructure

Voting village reports have been so successful, says Jeff Moss, that the whole of DEF CON will now be included

Def Con With an average of 30,000 attendees per year at the DEF CON security conference in Las Vegas, it's safe to assume at least one or two hackers attending have some necessary insights to secure critical infrastructure. Now a new initiative dubbed "Franklin" hopes to capture some of that infosec pro expertise in a policy-friendly format. 

Launched at this year's DEF CON event over the weekend, the Franklin project has two objectives. First, the initiative expects to publish a yearly "Hacker's Almanack" of critical infrastructure-related security issues discovered at the conference, by which they hope to give hackers a spot in national security and foreign policy debates. 

While the format of the Almanack has yet to be decided, Franklin Chairman Jake Braun told The Register that the report is being designed to mimic the success of the annual dossier published by the DEF CON voting village of its most critical discoveries. 

That report has contributed to enhanced election security, and Braun anticipates the Franklin Almanack (named in honor of US founding father Benjamin Franklin's annual Poor Richard's Almanac) will have the same level of success in informing proper infosecurity policies in the US and beyond. 

However getting hackers to work together on such a large project is easier said than done. 

"We're great at hacking things," DEF CON and Black Hat founder Jeff "The Dark Tangent" Moss told us in a joint interview with Braun. "We're not so great at documenting things." 

Moss told us that there's a lot of planning which still needs to go into the Almanack, including translating technical findings for a broader audience, getting researcher input on what they were thinking, particulars of the exploits and vulnerabilities they discovered - and, of course, lots of reading and vetting research.

"It's the first one," Moss said, adding that he has no idea when the first Almanack might even end up being published. "We still don't know what the findings are, or how easy it will be to work with the people who [made the discoveries]." 

Braun, who left a job in the Biden administration as acting principal deputy national cyber director in late June to both head up the Franklin project and return to teaching at the University of Chicago's Harris School of Public Policy, said he has a squad of his public policy graduate students darting between DEF CON villages to scope out research and get some face time with hackers who might be hard to pin down otherwise. 

"They've been talking to village heads and speakers for talks we thought were particularly interesting," Braun said. "They're literally just going around the villages saying, okay - what are you doing, can you explain this to me … who's doing the most interesting shit here?" 

The ultimate goal of the Almanack is to create a resource for lawmakers and policy experts that will inform the next batch of cybersecurity laws for critical infrastructure.

"By bringing evidence-backed, empirically researched findings to policymakers, Franklin will enhance the impact of the hacker research community on the global digital world," DEF CON said in a press release announcing the project. 

Do dark tangents dream of electric policy?

With the Franklin project's focus on policy, and the US presidential election mere months away, this vulture was curious what Moss and Braun would wish for if they had the ear of the next Commander in Chief.

Moss is primarily concerned with confusion at the federal level, both in terms of who needs to be responsible for what elements of critical infrastructure, and where the money is going to come from to address its cybersecurity needs. 

While much of that is ultimately up to Congress, Moss noted, he hopes the feds "get better at delineating roles and responsibilities," and he wants policymakers coming to hackers to get expert information. 

"We're here to help. How do we help? If there's money, let's do the thing," Moss said. 

Turning back to DEF CON's years of stress-testing voting equipment, Moss said the work that's been done in Vegas has ignited a public conversation that may not have happened if those initial reports weren't written. 

"Everything was fine with election [hardware] manufacturers selling their products until they got taken apart, right? And then they had to kind of improve," Moss explained. "Then we got to have this great public debate on how election systems work. So much public education came out of it.

"I would rather have this conversation now - before we have a crisis," Moss said, referring to other areas of critical infrastructure that are already being targeted by foreign adversaries and cash-hungry criminals. 

Moss also said he wanted DMCA exemptions that allow security researchers to poke around in copyrighted software to be made permanent instead of having to be reviewed all the time, and he hopes a more efficient system will be put in place to expand, adapt and change DMCA exemptions to incorporate the latest technology. 

"There was a carveout for election systems, and that's why we got such great results," Moss said, but he's worried a lot of commonly used tech doesn't have those same exemptions for security researchers. "A lot of the same [industrial] controllers are used in multiple systems."

Braun, on the other hand, expressed hope that policy initiatives that began under the Biden administration to protect water infrastructure that serves military installations and computer systems in K-12 schools can keep running. 

"We started a program right before I left the White House at the cyber office to better secure [those] water utilities because those are the ones China is targeting," Braun said. "I would hope whoever the next president is continues that, and puts more time and resources into it." 

Braun said he hopes programs at the DHS to fund the Multi-State Information Sharing and Analysis Center (MS-ISAC), and ones that help ensure schools are using Protective DNS continue to receive funding as well.

Where there's no money, there may be volunteers instead

The second of the DEF CON Franklin's objectives focuses on the very areas Braun said were his policy goals – water infrastructure and K-12 cybersecurity – and seeks to recruit an army of volunteer hackers and infosec professionals to step in where budgets have come up short. 

This, too, pays homage to Ben Franklin, who also organized the first ever volunteer fire brigade in the United States - and nothing needs volunteers to fight digital fires like underfunded critical infrastructure. 

"There's 50,000 water utilities and 120,000 schools in school districts [in the US]," Braun noted. "I don't know how big [Franklin] is gonna get, but it certainly won't be big enough to cover all of them, so the government does need to step in and do more."

Additional critical infrastructure sectors may be added later depending on the success of the program. 

Moss hopes the volunteer framework designed for Franklin will serve as an inspiration for other volunteer projects. 

"Other people can copy [it] into other schools - we really want to enable the people who want to help, but maybe don't know how," Moss told us. "Once they see how, maybe it'll take off." 

Signups for the volunteer program opened at DEF CON, and while there aren't any numbers to report this early, Braun said talks about Franklin were well attended, the audience spent a lot of time photographing the QR code that directed them to the signup page, and folks have already started committing. 

"I have been thinking a lot lately about what I view as an epic struggle between Team Rule of Law and Team Authoritarian over Team Undecided," Moss noted of the program's launch. "Franklin is DEF CON's attempt to have a voice for the hacker community in support of Team Rule of Law via this report and civic engagement program." ®

More about

TIP US OFF

Send us news


Other stories you might like