Every August, the cybersecurity community gathers in Las Vegas for a week of conferences at Black Hat and DEF CON. This year's Black Hat drew more than 20,000 in person, with another 1,700 signing up for on-demand access. DEF CON 32 said it expected 30,000 attendees at its conference later in the week; meanwhile, BSidesLV, The Diana Initiative and other events drew the thousands that gather for Security Summer Camp every year.
Only a few weeks before the conferences, a global IT outage affecting Microsoft Corp. Windows systems was precipitated by problems with a CrowdStrike Holdings Inc. update. The incident was a dominant theme, but it wasn't the only cybersecurity event of the past year to leave a lasting mark in Las Vegas.
The global CrowdStrike outage that affected Windows systems occurred at a consequential time in the industry. It led to a discernible emphasis in Las Vegas (itself the scene of a significant 2023 cyberattack) on a range of concerns — from the critical dependence of IT and cybersecurity on a few widely adopted providers, to the implications of the high level of privilege and access often necessary to secure targeted assets, as well as the processes and practices involved in delivering protection. As unavoidable a topic as this incident was, it was far from the only top-of-mind issue during Black Hat/DEF CON week. Other priorities included the continued advance of AI, its potential for leverage by adversaries, the role of government in regulating cybersecurity and more — all contributing to setting the tone for Security Summer Camp 2024.
Context
Conference attendance reflected the practitioner-centric nature of the events. Black Hat and DEF CON have long highlighted the evolution of adversarial tactics, but participation is significantly driven by defenders seeking to benefit from the learning experience. This has also drawn a substantial number of cybersecurity vendors. The Black Hat business hall had 400 exhibitors this year and was well represented by innovative startups, including at the conference's inaugural Innovators and Investors Summit. This year, though, a broader topic of conversation was the consequences of the dominance of two of the largest vendors in cybersecurity and IT.
Events that shaped the week
The CrowdStrike incident was a prevailing theme, but DEF CON had to deal with an unexpected event of its own. After 25 years at Caesars Palace, in February the venue canceled its contract to host DEF CON 32, chalking it up to a "strategy change." The cybersecurity community, however, noted that the cancellation followed the widely reported Scattered Spider/ALPHV attacks of 2023, which targeted Caesars Entertainment Inc. and MGM Resorts International. DEF CON organizers quickly rallied to relocate to the Las Vegas Convention Center, with workshops and training at the Sahara.
Inevitably, CrowdStrike would take home this year's DEF CON Pwnie Award for Most Epic Fail. Company President Michael Sentonas accepted the trophy in person, saying it would be prominently displayed at the firm's Texas headquarters as a reminder, and to demonstrate the firm's openness to conversations with the community.
The Black Hat main stage
Microsoft was the most immediately impacted vendor, with an estimated 8.5 million Windows systems affected by the CrowdStrike incident. Its presence at the event included a Black Hat keynote from Microsoft Deputy Chief Information Security Officer Ann Johnson and Director of Threat Intelligence Strategy Sherrod DeGrippo, discussing AI's transformative impact on cybersecurity.
The Black Hat keynotes were kicked off by Jeff Moss, who founded the conference in 1997. Moss made an appeal to consider geopolitical conflict in resiliency plans — citing factors such as developers being drafted in conflict zones, or sales engineers unable to leave their country to provide on-site support. His overarching message was that in a technology world that is fully globalized, these problems are increasingly likely, and must be considered in risk management planning. He also pointed to interesting new avenues in diplomatic relations between countries, such as "app store diplomacy" (i.e., negotiating what applications are available in a home country's app store, such as those for mobile devices).
A panel that saw the return of Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, alongside UK National Cyber Security Centre Director Felicity Oswald and EU Agency for Cybersecurity COO Hans de Vries, discussed the well-worn topic of election security. There are some 50 countries holding elections in 2024, so discussion of this topic made sense, but the panel did not break much new ground concerning recent advanced threats to free and fair elections. At the country level, the challenge can be unique, such as the fact that in the US, every state runs its own elections — as Easterly said, familiarity with one state's election infrastructure still leaves 49 others to understand. Easterly noted the hundreds of physical and cybersecurity assessments that CISA has already conducted on voting systems, as well as training sessions delivered to elections personnel.
Moxie Marlinspike, the creator of end-to-end encryption found in popular messaging apps such as Signal, gave a wide-ranging Black Hat keynote that touched on the misalignment of vision and practicality in engineering, along with the increasing abstraction of functionality from underlying infrastructure and dependencies, which has created new hurdles to quality software development. Security engineers will be more challenged to understand the fundamental layers where vulnerabilities and weaknesses can arise. Future security engineers may face greater barriers to understanding the environments they protect. We expect to address some of these points in upcoming reports, as well as cover the expertise that will be needed by cybersecurity teams.
The DEF CON experience
DEF CON is coordinated by a distinctive group of passionate volunteers, with minimal vendor/commercial support. The "vibe" of the conference differs from typical security conferences, given its goal is to promote learning through hands-on experiences, presentations from experts dedicated to their craft and peer interactions — all happening in a positive, fun atmosphere. While the sheer number and quality of the talks were significant, much of DEF CON's value comes from person-to-person interactions in villages, waiting in lines, after-hours social gatherings and spending time in common areas.
Although the event is billed as a "hacker" conference, which for some implies an undercurrent of dark activity, its spirit is to showcase real-world hacking and defensive practices that are applicable throughout the cybersecurity spectrum. The educational aspects cannot be overstated. That entire families attend the conference, and numerous activities are designed for kids, speaks volumes.
Unsurprisingly, AI was in the spotlight throughout. Venues ranged from the AI Cyber Challenge "city" to the various villages (cloud, payments, internet of things, policy, and crypto privacy, to name a few), and many AI-themed talks focused on the exploitation of generative AI. Particularly germane was a session delivered by the Coalition for Secure AI (CoSAI), an OASIS Open project announced in July. CoSAI was founded by a coalition of sponsors including Amazon.com Inc., Cisco Systems Inc., Alphabet Inc.'s Google, International Business Machines Corp., Intel Corp., Microsoft, NVIDIA Corp., OpenAI LLC and PayPal Holdings Inc. It aims to define AI standards around software supply chain security and to prepare defenders for a changing security landscape and risk governance while adoption is still relatively early in its cycle.
A constellation of conferences
Several adjacent events, some coinciding with Black Hat and DEF CON 32, showcased the collective desire for professional growth or entry into the cybersecurity disciplines. The Diana Initiative conference on the Monday before Black Hat was organized as a more inclusive event for underrepresented groups in cybersecurity. The number of women speaking at Diana exemplifies this emphasis, providing encouragement for participants and for the future of the cybersecurity industry.
At DEF CON, meanwhile, the spaciousness of the Las Vegas Convention Center allowed thousands of conference attendees to engage in informal conversations. Line Con and Hallway Con are nicknames for these common attendee experiences. Villages represented an array of security interests including payment systems, AI, reconnaissance, social engineering and lock picking. Attendance, moreover, is anonymous.
The more commercial atmosphere of Black Hat recedes at DEF CON. Although the community has naturally high levels of healthy skepticism, it is not necessarily hostile to authority. Former National Security Agency Director Paul Nakasone, as well as the Defense Advanced Research Projects Agency's AI Cyber Challenge, provided incentives to collaborate and solve common security challenges. AIxCC, a biannual competition launched at DEF CON 31, offers nearly $30 million in prizes to contestants who can use novel AI systems to accelerate the hardening and defense of critical systems and software.
After the crowds of summer have gone
Security Summer Camp endures, despite the desert heat of August in Las Vegas, not least because of its focus on practitioners, as well as what participants take home from the relationships and networking that are only found during these always-exceptional few days for the industry. The industry, on the other hand, will need to take more than new relationships and learnings away from the summer of 2024.
Those directly involved in the CrowdStrike-precipitated outage must sustain a concerted response to the issues that have been exposed. Microsoft announced it would hold a Microsoft Windows Endpoint Security Ecosystem Summit in September in which "Microsoft, CrowdStrike and key partners who deliver endpoint security technologies will come together for discussions about improving resiliency and protecting mutual customers' critical infrastructure." The industry, and those responsible for seeing that it functions in the best interests of the public, will be watching the largest players in cybersecurity and technology for how far they go toward mitigating the risks revealed.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.
451 Research is a technology research group within S&P Global Market Intelligence. For more about the group, please refer to the 451 Research overview and contact page.