Hey, thanks everyone for coming to this session. We're going to keep this very conversational and informal.

I'm Jack Cable. I'm a hacker with the Defense Digital Service.

And I'm Will Roper. I do Air Force Acquisition, and we wanted to chat a little bit back and forth about why we're here, why we're bringing defense equities to DEF CON, what we hope to get out of it, and then, you know, what we're concerned about. Like, why is this more than just a conference to us? So if you're in the Air Force, you really worry about vulnerabilities, and for decades we have taken systems out to test ranges. We have flown them against our simulations of threats, trying to understand if things we put a lot of money into, like stealth and radar and jamming capabilities, whether they really work. And we're pretty good at that when the things that we're testing are based on hardware, not so much when they're based on software. And so one of the things that's been an increasing area of concern for us is that our future depends on having really good software in our airplanes. We want things to be able to work together, to share data, to network, and the kinds of stuff we imagine for the future, like collaborative systems and swarming. They only work if the software is credible and difficult to thwart. But we don't really do the same red teaming, the aggressive testing, of the software in our systems. And so part of the reason we wanted to be here at DEF CON and to work with really smart people like Jack in Defense Digital Service is to start bringing the talent that we know exists to probe our systems and tell us what's wrong with them so we can fix them.

Yeah, thank you. So yeah, I've been a part of the Defense Digital Service now for a little over a year. I got into it through the Hack the Pentagon program. So that was the United States government's first bug bounty program, launched in 2016, and it was the first way for hackers to work with the government in a friendly way which didn't involve them working directly for the government. Say 10 years ago, I could have been arrested for hacking into the Pentagon. I got to do it in high school and I got paid for it. So that was pretty great, and I did a few more challenges, one called Hack the Air Force, eventually got started talking with people from the Defense Digital Service, and now I'm trying to make the experience of working with hackers better for the United States government. So we've launched a variety of challenges with our bug bounty program: three with the Air Force, a bunch of others with other departments, and we also have a vulnerability disclosure program which allows hackers from all across the world to report vulnerabilities to the Department of Defense. So since it launched in 2016, we've received over 10,000 vulnerability reports from hackers from across the world, thousands of hackers, pretty much every country, and the great thing is we don't even pay them for that. There's people out there who want to help. So we want to expand those connections and make it go further than just, right now it's only websites. We want to take that further and make it so if you find a vulnerability affecting anything within the Department of Defense, you can report it to us and we can fix it. So we're here with a bunch of different systems for testing, and we're going to keep expanding it and making it so we continue testing our security.

So Jack, this is a big move for us, because in addition to, like, networks and base defense systems, which are pretty safe things to hack, I mean, they're important to us, but it's not like it's a war fighting system that, like, is going to go into the battlefield today if called upon. We've brought some, like, no-kidding war fighting systems, or at least ones that support them. So we've got a download system for an F-15 that's here. It's a system that moves data back and forth between the ground and the airplane, and it doesn't sound like it's something that you really ought to worry about, because the airplane's on the ground, it's safe, right? But this is a system that has access to our airplane, and it tends to be an afterthought for us in terms of having, like, really good cyber survivability and resiliency. So Jack, what should we do? We've brought a system here today, but what should we do in future to get more people like you where they have an opportunity to access our systems and help us, and how do we do it safely?

Yeah, so what we need to keep doing is stuff like this. So being at DEF CON, this is one of the first times that the U.S. government, the military, is here asking hackers to hack systems, and we need to keep doing this. We need to make it as easy as possible to test the systems, so bringing stuff to hackers. Next year we're going to try to get an actual plane here to hack on, and do whatever we can to make it easy to test for vulnerabilities, especially in places where we might not otherwise be able to test. How often can you get your hands on an F-15? Probably pretty difficult. So keep doing that, and really just fostering these relationships with hackers, and that goes beyond the bug bounty programs. It goes into actually bringing hackers to the Department of Defense to work on really great projects. So I work with the Defense Digital Service, who has hackers on hand and is starting to see that we need to do more of this. So really doing whatever we can to make it so if you come work for the government, you're not going to be sitting in a room doing nothing, but you'll actually be working on projects that matter and you'll be able to make an impact making systems more secure. So finding places to best put people where they can have a big impact is a big part of it, and something that we want to keep doing.

It's cool, and one of the things that we're really excited about is that if you think of the Air Force, you probably think of, like, fighters and bombers and things like that, and they're really cool airplanes, but we also buy a lot of commercial airplanes that we modify to do different missions for us. So the airplanes that move stuff around, like logistics support, they're really commercial airliners that we modify. Our tanker is a Boeing 767 that we modify. So one of the things that we think would be cool to do is to really probe the vulnerabilities of our commercially modified systems, and if the things that we find are military-unique vulnerabilities, well, that's great, we need to fix them so that our pilots are going to be safer. But we might actually help commercial airlines make their products more secure, and since most of the companies that make airplanes have a relationship with the Air Force and there's a good amount of trust there, we're hoping we could build on that trust to improve the safety of commercial airlines as well. So Jack, if we wanted to do that, I mean, how should we start? The next DEF CON, is it show up with a tanker or an Air Force 737 and pull it in here and let people hack away at it? What should we do?

Yeah, really doing anything that we can to enable finding more vulnerabilities. So especially on the commercial side, something I want to emphasize is that, say, if you report a vulnerability to the Department of Defense through the vulnerability disclosure program, you can be assured that it will be used only for defensive purposes. So for testing commercial planes, what's going to happen is that if you report a vulnerability, it'll be fixed in the systems we have, but also be sent to whoever develops that software, so that everyone who's using that plane can make it more secure. So we really want to make sure that with these programs there's as much of an assurance for hackers, one, that you won't have any legal troubles in helping us make our systems more secure, and two, that anything you find will only be used to make systems more secure. So there is the vulnerabilities equities process; anything found in the VDP is not subject to that, it's only defensive, and that's something that's really important for working with government. We want to make it as simple and as useful as possible, so having a way for, say, the work here to also go and make aviation everywhere more secure, so we really want to emphasize that.

Well, Jack, I'm going to do my best to get, like, a commercial plane of some type here. I think it'd be really awesome, and if you don't really think of Vegas as an Air Force place, there are two major Air Force bases that are near here, there's Nellis and Creech, so it's actually an area that's pretty easy for us to get stuff into. One of the things I wanted to pick your brain on is that the government historically has been pretty bad at software, right? We really haven't changed the way that we code since the 70s. Most of the code we have was developed under the old waterfall process; there's a lot of nested and embedded code, all worst practices. And so when we do vulnerability testing, we've got to really unpack different layers, and, you know, that takes a lot of time, right? Time at keyboard. So can you give me a sense of, like, if we're working on legacy systems, we probably have one model; if we're working on a system in development where we have all of that software open in a laboratory, we're probably doing something very different. So what should we do for both?

Yeah, so when we test, say, legacy systems with the bug bounty program, we find, of course, really critical vulnerabilities, and we do our best to patch those systems so they don't come up again. But the truth is that we can keep testing these systems all we want, but unless they're developed from the ground up to be secure, it's not going to get that much better. So what we want to do is start developing software with security in mind, and traditionally that hasn't happened in DOD, it hasn't happened in industry, and we really need to shift how that works. So a few initiatives: the Defense Digital Service is starting some projects across the DOD, one with the Marines, to focus on how software is being developed and built, using much more modern software development practices, continuously testing the security of its systems, and considering possible security implications when developing the software. There's also, new with the Air Force, a fast track authorization to operate, which involves more modern agile development methodologies that have much more of an emphasis on security, and also running bug bounties, say, in development before systems hit production. And that's really important to catch flaws earlier; the earlier it is, the easier it is to fix the vulnerabilities, and the less of an impact that they could have had. So really drilling down that we need to get earlier and earlier into the development process, and a big part of that also is making sure that developers actually know what they're doing when it comes to security. So increased training for developers and giving them resources, so even if they have just a little bit of knowledge of the security implications that their code can have, they're able to consider that, and when they write something that looks a little fishy, they can dive into that and really make sure that most of the vulnerabilities that get into the code don't hit production, because we're testing them before then.

So Jack, if we were to, say, go up to probably the place for writing code the fastest, so we've got a team of eight hundred people that are up in Boston. They call themselves Kessel Run, so, you know, I've got to really give them credit for a name that really inspires, one, the geek side of me, but also speed. So they write really great code today for what we call our Air Operations Center. It's what helps us coordinate all of the operations in the Middle East and around the world. So they take about six weeks to go from a new war fighter request to code that's on the battlefield doing mission. So could we work at that pace with the hacker community if we need to be able to do vulnerability testing in days for code that needs to deploy in weeks?

Definitely, because Kessel Run is a great example. They not only develop software faster, but they're developing in a much more modern way, and actually that's much more conducive to positive security, and they're also integrating testing earlier into the process. So a lot of systems we might have across the DOD take years and years to approve and to get authority to operate, but the truth is, without actual security testing and without actually making sure that the systems can hold up in a production manner, that security won't have the same, it just won't be as effective as adding continuous testing into the development process. So we can have both the fast development and fast improvements, as we've seen with the fast track ATO, so we can really make sure that software is getting tested continuously and from the start, and by doing that we can really do it in a quick manner as well.

And so, but Jack, what do you think, what do I say to the Pentagon bureaucrats who say, well, there's no way that you can do this securely? So as awesome as it is to stand beside an F-35 fighter or a B-2 bomber or the mysterious X-37 space plane, all really awesome things that we have in the Air Force, they're unique in that only we have them, and we don't want adversaries to know much about them. So how do we make sure that the people that are helping us find vulnerabilities really are the good guys that want to help us for good reasons, and not people who are trying to get in and exploit for bad?

So with the vulnerability disclosure program, we do have it open to the entire world, and that's because we know that if people are telling us about it, they want to help. And the fact is there's people attacking our systems every day whether we like it or not, so we need to do the best we can to engage the people who want to help, and if they're coming to us and offering their skills to make us better, then we should accept that help. And another thing is that, going back to the idea of building software really quickly and also making it secure, a lot of the fundamentals of security are really simple, and it's important to make sure that those are in place before trying to go out and do something that may or may not really affect security. So if we focus on the basics and focus on what really matters, then we can make sure that our systems ultimately work much better and are more secure. So I think that going forward, it's something that we need to, as the entire department, as industry also, we need to get better at looking at the fundamentals and focusing on what we've known to improve security, rather than something that might, say, after the fact, make it a little easier. But really, the basics that we've struggled to get down, we've struggled to really improve from there, so ensuring that we have a sound foundation is a big part of it.

And Jack, how do we get access to the talent? So we are historically really bad at getting people on board in the government. I think your example is one of the worst-case stories I've ever heard of: months and months of paperwork and bureaucracy. It's just horrible. I'm going to imagine that we'll have some people who will say, yeah, I really love this idea of Defense Digital Service, I want to sign up, I want to be able to hack some things that only there I'd be able to touch. But I'm going to guess there'll be others who will say, I'd be interested in doing an event or two per year. How do we need to engage to get talent where they don't have to fight through, they basically have to hack the hiring process before they actually hack the system?

Yeah, so definitely, I'd say one part of it is that within government, traditionally it's seen as somewhere where, of course, with the giant bureaucracy, it's hard to get stuff done. So by giving people access to roles where they can really have an impact from day one, for me at least, that was a really great way to see that there's a lot that can be done in government working with DDS. But that might not be for everyone, and for people who don't want to go through all of the hoops to get hired, all of that, there are still other ways that they can work to help make us more secure. So I think the bug bounties are a great example, the vulnerability disclosure program. We can pay people competitively to test our software and make it really easy for them to do that, rather than having to go through the entire hiring process. They just get approved to hack one system and they can go at it. So making it as easy as possible for people to test these systems is a big part, and I think that we've seen some really great results with hackers who would have never otherwise worked with the government, but now they're working directly with us to find vulnerabilities in these systems and tell us what we're doing wrong so we can get better.

And Jack, that's my experience too. So when I left academia, I was a string theorist, it took forever for me to actually join up with the government, but I've been so glad that I've come in, because you get to do things you just wouldn't be able to do anywhere else and work with a lot of people, a lot of operators, that are just really thankful and grateful for the help that you give. Hey, let me do one pivot and let's take a couple of questions from the audience. So if we think forward in the future, right, if we want to be a presence here at DEF CON, a really, like, collaborative member in this community, and we can bring airplanes each year, what do you think about going a little bigger than just aviation? So we're an aerospace force. We have a lot of satellites that I'm going to guess have the same vulnerabilities, and by the way, space is a booming industry. Most of the venture houses are saying we're going to have at least a trillion dollars of the economy in space by 2040, maybe three trillion. So should we be going after those vulnerabilities just as aggressively, and do you think we can leverage a forum like this to do it?

I think definitely, yeah. The Department of Defense has all sorts of systems, from aviation, space, ICS, everything that you can imagine the DOD runs as the biggest enterprise in the world. So we need to be testing all of those, and I think this is a great place to start that process. So yeah, say with satellites, the less we test systems, the more likely it is that there are vulnerabilities that have just escaped under the radar for too much time. So by making that accessible and giving hackers, say, putting them right next to a satellite and seeing what they can do, we can uncover some really great vulnerabilities. So I think going to whatever lengths we can to bring it here and bring it to the hackers, I think that'll have some really great results.

That's cool. Well, it gives me a lot of things to take for actions. I have to get an airplane here next year, a satellite to hack, and by the way, satellites are a great area for us to hack before we deploy, because you can't get them back. So whatever we put up, we live with. The ground station you can fix. So I think the bottom line for me is, you know, having 60 billion dollars of Air Force programs underneath, like, I'm super excited about our future. The Air Force is pretty adaptive, is pretty aggressive in trying to change, and it's really embraced making software as important to it as air and space. But we've just gotten to the starting block, like we've gotten good enough to know that we suck and that we need to get a lot better. So what I hope that we can do is make sure that if talent wants to work with us, that it's not hard, and that's a really different model than what we had, say, last century in the Cold War, when technology changed so slowly that you waited on it. And now technology's changing so fast that we ought to be able to update systems on a daily, weekly basis, but the only way you can modernize and update that way is if you've got the right talent to support you, make sure that you make smart choices, and if you make dumb choices, have people like you that can advise us how to fix them and fix them quickly. Let's take a couple of questions.

So DDS is based at the Pentagon, where our main office is. We also have an office in Augusta, Georgia that we just recently opened up. But yeah, so DDS is based at the Pentagon, but we don't do all of our work there, and we go wherever the work is. So if there's someone anywhere in the world who's struggling with technology, we go in there and help them make it better. So yeah, DDS is really operating across the Department of Defense.

We use them a ton, so they've done reviews for me on the B-2 bomber, on satellite ground stations, and a lot of other things that don't come to mind now. So they get employed really broadly, and I think what's pretty awesome about it is that you never know what you're going to be working on next. And they also get to work with a lot of people that are kind of their counterparts in the Air Force, at least in my service, that are responsible for writing that code. So it's great having, like, the person that's the developer getting to work with the person that's going to be their troubleshooter or red team. So the cool thing is that it covers so many cool technology areas. Any other questions? Well, with no other questions, let me turn it over to Brett Goldstein. He's the director of Defense Digital Service, who had the audacity to invite the Air Force with him to DEF CON. So I'm really glad you did, Brett. I'm glad we're able to get some cool stuff here, the simulators for people to use, the things for people to hack. So we're excited with the direction you're going, but I know you need a lot more people to do your job.

True. Thank you, Will, and I think it is completely crazy that we're here with the Air Force at DEF CON. So thanks everyone for listening. So I'm Brett. I am the director of DDS. I am completely the new dude here. I have been on the job for two and a half months, and I need to tell you, I never thought I'd work at the Pentagon. You know, I come from the private sector. I was one of the people who built a company, OpenTable. You know, when I was saying what would I do next, it wasn't DOD. So, and every year when I've come to DEF CON, I never thought that I would be up here with a big Air Force flag and a DOD thing. So thank you again for having us. DDS has a crazy mission. We are the SWAT team of nerds that deals with tech. When technology is getting in the way of national defense, we are the team that they call, and, you know, we're able to have amazing partnerships like the Air Force, and as Jack said, we go where the work is. Like, I gotta tell you, I've now spent a piece of my life in Afghanistan. That is something that wouldn't have happened at OpenTable. So I've learned a ton. It is probably one of the most awesome missions that someone could have. Something Will and I, and of course Jack, are pushing is we need to get out there as DOD and embrace other communities. I have come to DEF CON for a long time, and this is a world that we need to work with. You know, many of us are already part of it. There are a lot of people that want to help us do our job better, so we want to do a better job of coming out and talking to folks, and you folks can help us raise the bar, because it's important and we can't do things the old way. So thanks for listening. I have a whole bunch of folks here from DDS. We have Jack, Roro, Claire somewhere, Megan. We have a whole bunch of folks that would love to talk to you about the projects that we're working on, and then we have a bunch of Air Force folks that are, you can raise your hands. So we work on really cool things, we want to tell you about it, and we want to hang out, so please feel free to approach afterward. But thank you again, and everyone have a great DEF CON.