Thousands of hackers are spending the weekend trying to break generative AI models like ChatGPT — all with the blessing of the White House and the tech companies behind these models.

Driving the news: The DEF CON hacking conference in Las Vegas is hosting a highly anticipated Generative Red Team Challenge throughout the weekend.

• DEF CON is organized into a variety of "villages" that focus on different cybersecurity topics, such as aerospace, cloud security and critical infrastructure security.
• The AI Village will host what's likely the largest public security test of large language models to date.

Why it matters: AI operators hope to avoid the mistakes of past innovators who moved quickly to roll out their technologies without fully considering the consequences or preparing them for adversarial users.

The big picture: The White House announced its support for the AI Village's test back in May and has been helping to design the challenge.

• A who's who of major generative AI developers — including Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI — are also participating in the DEF CON challenge.
• The AI Village organizers have previously piloted this challenge at South by Southwest and at a recent Howard University event.

How it works: Organizers are expecting roughly 3,500 participants in the challenge, and each one will get 50 minutes on one of the event's 156 closed-network computer terminals.

• The challenge categories fall into five buckets: prompt hacking, security, information integrity, internal consistency and societal harms.
• Participants will receive a list of challenges to try and will be randomly assigned a large language model to test out.
• Organizers will also provide participants with a sheet of known hacking prompts and a locally hosted copy of Wikipedia so they can fact-check any misinformation the models spit out.

Between the lines: Much of the competition focuses on what the organizers are calling "embedded harms" that highlight the flaws that naturally occur in the models, rather than tricking the models into doing bad things.

What they're saying: "One of the challenges with this technology being so expensive to produce at the frontier is that it means that unfortunately, a lot of the knowledge and experience with these models is locked up within a small number of well-funded private companies," Michael Sellitto, head of geopolitics and security at Anthropic, told Axios ahead of the challenge.

• "The organizers for the challenge are bringing in a really diverse group of people that are not the kind of normal people who work on the technology," he added.

Catch up quick: 2023 is far from the first year that AI has been a focal point of DEF CON — the AI Village started back in 2018.

• But this year's interest in the village and the red team challenge has "just exploded," Sven Cattell, founder of the challenge, told reporters earlier this week.

Yes, but: The challenge organizers don't plan to release the results from the weekend right away to ensure they don't release any private data or unpatched vulnerabilities into the wild.

• However, approved researchers are expected to be able to access the data for their own projects once the organizers security-proof the results.

A federal cybersecurity investigatory panel will probe cloud service providers' security practices and how the government can safely use cloud technologies, Homeland Security Secretary Alejandro Mayorkas announced this morning.

Why it matters: The Cyber Safety Review Board's investigation will include a review of last month's suspected Chinese breach of federal Microsoft email accounts.

The big picture: Anxieties over Microsoft's cybersecurity practices have been boiling over in Washington following last month's breach — the second such incident in which Chinese hackers have used Microsoft's systems to target key government systems.

• In last month's breach, suspected Chinese hackers are believed to have gained access to the inboxes belonging to Commerce Secretary Gina Raimondo and top State Department officials.

Zoom out: The Department of Homeland Security created the Cyber Safety Review Board early last year to study some of the country's most consequential cyberattacks and data breaches and provide recommendations for avoiding future problems.

• Previous investigations focused on the widespread Log4j vulnerability and a string of hacks conducted by the Lapsus$ hacking group.

Details: The latest investigation is intended to study how the government and cloud service providers approach identity management in the cloud, according to a press release.

• The board considered studying the Microsoft incident "immediately upon learning" about it in July, the press release noted.
• The board's investigation should result in a list of recommendations for tightening the security of government cloud systems.

What they're saying: "Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure," Mayorkas said in a statement.

• "In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one."

Yes, but: The board doesn't have the power to compel companies to participate in its reviews, and its investigation won't hold any regulatory weight.

• Typically, such investigations instead provide recommendations for new laws or regulations.
• Microsoft did not immediately respond to a request for comment.

What's next: Mayorkas is participating in a fireside chat at DEF CON in Las Vegas later today, where he's expected to discuss the agency's thinking.

The country's top cyber defense agency has yet to see any significant foreign threats to the 2024 elections — but the office is anticipating a wave of foreign-led disinformation in the next 15 months.

Why it matters: Keeping U.S. elections safe and secure requires at least a year of preparation.

• Election officials have to get ready for potential hacking threats against election infrastructure as well as mis- and disinformation campaigns that question an election's legitimacy.

What they're saying: "I full well expect we will see increasing confusion in the information environment over the next year and a half," Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters at the Black Hat cybersecurity conference.

• "But I think at the end of the day, Americans can still trust the integrity of elections based on all the work done by state and local election officials to put a variety of measures in place," she added.

Between the lines: Securing election infrastructure in the U.S. is much more complex than in other nations because the system involves many layers of government — municipalities, counties, states and federal jurisdictions — each with different procedures and ways of voting.

• Victor Zhora, deputy chairman and chief digital transformation officer of Ukraine's top cyber agency, told reporters during the same press conference that his country has a much easier time securing elections since he manages only 10 national elections and Ukraine relies heavily on paper ballots.
• Zhora and Easterly participated in a keynote session Wednesday at Black Hat.

Zoom in: However, Zhora has had a front-row seat to Russia's disinformation machine in the year and a half since the war in Ukraine began.

• Most Russian disinformation campaigns appear to be floating around Telegram channels and other social media platforms, Zhora said.
• His office has worked on amplifying information in the "classical" media to get ahead of any disinformation.

The bottom line: Easterly said that during the current election cycle, CISA intends to continue to promote reliable information from state and local officials, which the agency considers the "most trusted voices."

@ D.C.

🏛 The Cyber Safety Review Board recommended after investigating the recent Lapsus$ hacks that U.S. regulators penalize telecom firms with lax security practices and that Congress consider programs to steer teens from cybercrime. (CNN)

🤖 The Defense Advanced Research Projects Agency kick-started a two-year cybersecurity challenge at the Black Hat conference for new AI-enabled tools that can defend critical infrastructure. (Axios)

🖊 President Joe Biden signed an executive order restricting U.S. investment in high-tech sectors in China deemed national security threats. (Axios Pro)

@ Industry

🧳 Cybersecurity giant Rapid7 plans to lay off 18% of its workforce, or roughly 400 employees. (TechCrunch)

@ Hackers and hacks

🔌 Authorities in the U.S. and Poland took down a popular "bulletproof" hosting platform used by cybercriminals. (The Record)

♠️ All someone needs is a malware-laced USB to hack one of the most popular card-shuffling machines at casinos, researchers at the Black Hat conference found. (Wired)

📡 A Russian cyberattack on satellite company Viasat ahead of the Ukraine war had a broader impact than previously known and was carried out by hackers who knew the company's systems well, a Viasat executive shared at Black Hat. (CyberScoop)

When Black Hat and DEF CON are happening, there's no escaping cybersecurity vendors in Las Vegas — even in the airport's baggage claim area.