Why European politics students should care about cybersecurity (and vice versa):

Thoughts on Black Hat Europe 2022

EPS students Bianca, Julian, and Catherine share their thoughts on attending the Black Hat Europe conference in London in December, and highlight the growing importance of cybersecurity policy in Europe and worldwide.

Bianca Cunha, Julian Theseira, Catherine Wood

Last April, EPS students Bianca Cunha, Aria Guevara, Julian Theseira, and Catherine Wood competed in a cybersecurity competition hosted by the Geneva Center for Security Policy and Atlantic Council. Their team, Havel’s Velvet Underground, won the competition and, as a prize, received tickets to the Black Hat Europe conference in London in December. After attending the conference, Bianca, Julian and Catherine share their thoughts here about how it went and, most importantly, why people studying policy should care about cybersecurity.

What is Black Hat Europe?

The Black Hat Europe conference is the leading event for security professionals and researchers, featuring presentations on the latest threats and vulnerabilities and cutting-edge security solutions. It is part of the larger Black Hat conference series, which began in 1997 in Las Vegas and has since expanded to include events in Europe, Asia, and the Middle East. Attracting a diverse group of attendees from around the world, including security experts, researchers, government officials, and business leaders. The first Black Hat Europe conference was held in 2001 in Amsterdam, and it has since been held annually in various European cities such as London, Paris, and Barcelona.

During the conference, the keynote speakers, training sessions, and an exhibition hall showcasing the latest security technologies are explored by both participants and tech companies. This environment offers a unique opportunity for attendees to learn about the latest trends and developments in the field of information security, as well as network with peers and industry leaders.

The Atlantic Council, a leading think tank on international affairs, is the main partner to present the Cyber 9/12 Strategy Challenge in Geneva. The competition is organized by the Geneva Centre for Security Policy (GCSP) and is held annually in Geneva, Switzerland, and this annual competition simulates a cyber crisis and challenges participants to develop effective responses to real-world threats. The competition is designed to give participants a better understanding of the complex and rapidly evolving nature of cyber threats and to help them develop the skills and knowledge necessary to effectively manage and respond to these incidents. The teams are made up of students from various universities and backgrounds, which allows for a diverse range of perspectives and approaches to the problem.

During the competition, teams are presented with a series of simulated cyber attacks and must work together to identify and respond to the threats. This requires participants to analyze large amounts of information, make critical decisions, and communicate effectively with other team members. The competition also includes a public speaking component, where teams must present their responses to the simulated crisis to a panel of experts.

The Cyber 9/12 Strategy Challenge has tickets to the Black Hat Europe conference as a first-place prize, providing participants with the opportunity to learn from and network with some of the world's leading security experts and researchers. The challenge is an excellent opportunity for anyone interested in the field of cybersecurity to gain valuable experience in a challenging and rewarding experience that provides valuable insights into the complexities of dealing with a cyber crisis.

Team Havel heads to London

For three students of European politics, Black Hat Europe felt like being at a hacking conference. In the main conference hall, with its smoke machines, techno music, and flashy intro video complete with shots of lightning strikes over Tower Bridge, we were some of the few wearing blazers. One speaker we spoke with even advised us to wear hoodies next time to better blend in.

But for all cybersecurity professionals, whether ‘red team’ (offensive), ‘blue team’ (defensive), or ‘purple team’ (just a few of many terms we learned over the two days), there was one common thread through many of the briefings and keynotes: complexity. Opening the conference, Black Hat’s founder Jeff Moss brought this topic to the forefront from the very start when he discussed the challenges for cybersecurity professionals of managing their limited time when complexity is constantly increasing.

The first keynote speaker, Daniel Cuthbert, Global Head of Cybersecurity Research at Santander, also broached this topic, discussing the complexities of building a “defendable internet.” He also pointed out that currently, many efforts are focused on training non-cybersecurity professionals, but that this often unjustly puts the blame on employees who fail increasingly sophisticated security tests rather than encouraging cybersecurity staff to make their networks as secure as possible.

For the remainder of the first day, we attended briefings on a variety of topics. Some were highly technical, others less so. One briefing was on the ethics of penetration tests, known as pentests, which can include IT staff sending fake phishing emails to employees at a company to teach them to recognize cyber attack attempts. Ragnhild “Bridget” Spring of Orange Cyberdefense spoke about the unintended psychological consequences of pentests on employees who ‘fail’ them—and argued that companies need to be more considerate of this, because it leads to a bad learning environment, blame games, and staff being afraid to speak up and alert security teams if they fall victim to a real cyber attack.

We spent the rest of the day attending briefings on topics such as distributed denial of DDoS attacks (malicious attempts to disrupt website traffic by overwhelming a server with a huge amount of traffic) in the Netherlands, Czech Ministry of Finance cybersecurity operations since the war in Ukraine, and more. Afterwards, we attended a happy hour in the exhibition hall. While it was intimidating networking with people from cybersecurity companies and we felt a bit out of place at times, it was fruitful and all of us got several free pairs of socks, tote bags, and one of us (almost) won a Nintendo Switch.

On day two of the conference, Jen Ellis, a cybersecurity advocate and community convenor who sits on many boards and has testified to the U.S. Congress on cyber issues, spoke about the ‘next generation’ of cybersecurity in her keynote. With increasing government regulation, including in the EU, she highlighted the importance of cybersecurity professionals getting involved in policy making to help make their voices heard. Jen also made the distinction between profit- and politically motivated cyber attacks—something we found very relevant—as well as the need to address the ‘security poverty line’. Jen’s keynote, and her later briefing with Irfan Hemani of the UK’s Department for Digital, Culture, Media and Sport (DCMS), also mentioned the importance of the intersection of cybersecurity and policy. For team Havel’s Velvet Underground, that was the biggest takeaway of this conference.

The important intersection of cybersecurity and policy

Several briefings and demonstrations during the Black Hat Europe Conference showed how an increasingly connected and digitalised world also comes with increasing cybersecurity risks and vulnerabilities. For example in the briefing, “Fail Harder: Finding Critical 0-Days in Spite of Ourselves,” two hardware cybersecurity researchers Philippe Laulheret and Douglas McKee spoke about their work finding “0-Days” (previously unknown vulnerabilities) in various hardware systems such as medical devices and building control systems. Meanwhile in the briefing “Back-connect to the Connected Car: Search for Vulnerabilities in the VW Electric Car,” researchers Sergey Razmakhnin, Khaled Sakr, Alexey Kondikov, and Yuriy Serdyuk demonstrated their success in hacking and manipulating various systems in a VW electric car.

These research findings and demonstrations showed that cybersecurity is no longer just a matter of computers and mobile devices. As transportation, infrastructure, energy systems, and appliances become increasingly electronic and connected digitally, they also increasingly become vulnerable to cyber attacks. The prospect of electric cars or medical devices in hospitals being hacked and manipulated for malicious purposes raises various security concerns and contributes to the increasing complexity of cybersecurity evoked at the Black Hat Europe Conference.

In light of the increasing complexity of cybersecurity, the questions of what can and should be done were also raised during sessions and conversations at the Black Hat Europe Conference. Black Hat Founder Jeff Moss raised the question of policy as a necessary tool to respond to increasing cybersecurity threats as previous approaches such as placing the responsibility on individuals to educate themselves and act responsibly had proven inadequate. Indeed during the session, “The Black Hat Europe NOC Report,” the operators of the Black Hat Conference wireless network revealed how they had spotted some devices that were infected by malware at the conference while some conference participants were caught using the conference network trying to procure escort services, showing that even cybersecurity professionals and experts can get careless and succumb to human weaknesses. Hence, relying on individuals to take care of their own or their organization’s cybersecurity amid escalating complexity is likely to prove inadequate, and policy responses will also be needed. A policy that addresses cybersecurity is also necessary in light of the increasing annual global cost of cybercrime, that was estimated to reach €5.5 trillion in 2021.

An example of a policy to improve cybersecurity is the EU’s proposed Cyber Resilience Act. The Cyber Resilience Act will fill gaps in the EU’s current policy framework, in which most hardware and software products are not covered by legislation addressing their cybersecurity. Furthermore, existing EU regulations do not cover the cybersecurity of non-embedded software, even though vulnerabilities in these products are increasingly the target of cyber attacks that cause significant societal and economic costs. The Cyber Resilience Act, sets out four specific objectives:

1. Ensure manufacturers improve the security of products with digital elements across the entire product lifecycle starting from the design and development phase

2. Ensure coherence of the cybersecurity framework to facilitate compliance by hardware and software producers

3. Enhance transparency around the security elements of products with digital elements

4. Enable businesses and consumers to securely use products with digital elements

With the proposed Cyber Resilience Act, the EU is taking a comprehensive approach towards enhancing cybersecurity. Thierry Breton, Commissioner for the Internal Market, had highlighted that “When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain.” In an increasingly interconnected world, with cyberthreats that are not limited by national borders, it is unlikely that efforts by individual states will be sufficient to ensure cybersecurity. Hence, the significance of the proposed Cyber Resilience Act that will enhance cybersecurity for the entire EU, whose single-market is the world’s largest. Indeed, during the Black Hat Europe Conference, Hemani of the UK’s DCMS also spoke about the challenges the UK government faced with regards to cybersecurity policymaking after Brexit as the country now had to proceed on this regulatory agenda alone, despite the transboundary nature of cyberthreats.

Conclusion

The growing complexity of cybersecurity demands policy action. For us, attending Black Hat Europe 2022 highlighted this and also showed that there is still a gap of understanding between policy and cyber experts. Conferences such as Black Hat can help to bridge this gap by including speakers on policy issues, but they should also include more attendees from the policy side. At the same time, it is critical for those working in policies, whether at the national or EU level, to ensure they include a variety of cybersecurity voices.