
Very good. Okay, now, now, now we're on. Oh, now I don't know which one it is. The red one? Okay. That's because there's just entirely too much drinking involved in this talk.

So, hi, I'm Terrell McSweeny. I am your mystery speaker tonight. I am going to make a presentation about how to hack government. I am not a technologist, I'm not a researcher, and I'm definitely not a hacker. So, just a little bit about what this talk is actually about, why am I here. Gonna start with the disclaimers: it's not a tech talk, I'm not dropping any exploits or providing you any useful knowledge about technology, and I'm not a hacker or researcher. But I am a former government
regulator. So I recently was serving on the US Federal Trade Commission, which is essentially the data protection authority for the United States. It's also an antitrust competition enforcement agency, and has been in the news a lot lately because it has a lot of the major US tech companies under orders for previous privacy or data security violations. And I'm also a policy person and a lawyer, but one of the things I've really been working on in the U.S. is incorporating more hackers into policymaking. I think the hacker community has incredibly important knowledge that needs to be brought to bear on policy makers. So what I wanted to talk about today was some of the ways we've been
doing that, and try to convince you that you have a meaningful role to play in helping policymakers understand technology. Red one. Okay.

I'm going to be using a lot of Star Wars analogies because of the theme of today, but also because, of course, I'm a Star Wars fan. So this is actually an important quote from one of the original human-to-cyborg relations specialists, C-3PO. Remember that, of course. And these are actually some of the questions that were asked by United States senators recently in hearings that were on the Facebook Cambridge Analytica scandal. This was when Mark Zuckerberg famously was invited to testify before the Senate. And, you know, so there's some interesting knowledge gaps
here. "If you're emailing within WhatsApp," for example. So, okay, maybe just misspoke. Facemash, which was actually (well, there's like a mic now, cool) which was actually a joke saying that Mark Zuckerberg invented while he was in college, no longer exists. And this is my favorite question, which was actually by Senator Hatch, and this is literally Mark Zuckerberg's expression when it was asked: "How do you sustain a business model in which users do not pay for your service?" And there's this, like, pause, if you watch the video of it, and Zuckerberg kind of looks at him with this face as, like, is it a trick question? It's like, "Ads?" Is that the answer? Yes, of
course it's the answer.

So yeah, this is funny, and I've actually done versions of this talk before where I had different silly things politicians had said and political leaders had said about technology. It's pretty easy to find, it's a target-rich environment, and it's easy to laugh at it, and I think we should laugh at it a little bit. But what's important to remember is that a lot of our elected officials (it's certainly true in the US government, but I suspect it's true in most governments around the world) are basically normal people who are elected to represent their constituents, and most of their constituents don't know very much about technology either. So none of this should
be very surprising to us. But what is really important, I think, is to remember that even though it's a little bit funny that they don't know these things, they are also in the position of writing the laws about them, and the laws that not only govern the technology that is everywhere in our lives but also can have a direct impact on the kind of research and other work that you all are doing in this space. So I think it's important to remember that they have a kind of power and we need to help them use it responsibly. So how do we do that?

This is my approximation of the point I was just making. He's holding a thermal
detonator. You can imagine it's Senator Hatch who's holding a thermal detonator, because he can write a law that could affect just about everything on the internet.

So this is a word cloud. I love word clouds because there are a lot of words on this page, and it's a funnier way to look at them. But it represents a number of the technology policy issues that we're hotly debating, at least in the United States, but that are being debated around the world as well. These include, of course, privacy and data security, cross-border data flow, control, choice, transparency, data portability, interoperability, the security of the IoT, the security of stuff that some scholars and others in the U.S. have
started calling the Internet of Bodies, which I think is a really good terminology for medical devices but also implants and other enhancements that are coming online soon. Government access to data, surveillance, encryption backdoors, whether those are a good idea. I think the hacker community has a huge role to play in explaining the risks of those kinds of technologies and those kinds of mandates from governments. Intellectual property and copyright, which have everything to do with the kind of research that can be done on code, and exceptions to those kinds of laws can be incredibly valuable for doing research. The right to break things. And, probably just as importantly, the future technologies: cryptocurrency (not so futuristic at this point), blockchain,
increasingly autonomous technology, machine learning and AI, whether it's specialized or generalized or however you want to think about it. And of course, really importantly, how computer crimes are prosecuted and who gets thrown in prison for doing things on computers with code. So these are all really important policy areas. I suspect that they touch on almost everybody's work in the room, and the people who are in charge of thinking about how to write the laws about them are the people who are asking those questions of Mark Zuckerberg. So if that doesn't sell you on the need to integrate what you know into the policy conversation, I'm gonna keep going.

So, okay, you can argue
that, okay, fine, we need to help the government understand these things because the government doesn't really understand them, and here I am telling you to engage with policymakers and find people who will listen and whatever. But you may feel that this is more or less an impossible assignment and that, in truth, it won't really make any kind of difference. So I wanted to offer a little bit of important hacker history that sort of makes two points. One, for those of you who aren't familiar, this is a photo from May of 1998. This is a time in which the World Wide Web was something people surfed mostly on America Online, right? So it's a very
different time in history. And this is the L0pht group. So this is Mudge and Brian Oblivion, Weld Pond, Space Rogue, Kingpin and others who were thinking and working on vulnerabilities at the time, and they were invited to testify. They used their hacker names, which was pretty cool. There's Mudge in the middle, who is looking like the Dark Angel or something. And there's some great video of this hearing in which Senator Thompson, who is also a movie star, so he sounds great as the senator, is told by Mudge, like, almost everything that is connected on the Internet we can break, and we can totally take everything offline in, like, about
30 clicks or something. I read some... I'm making it up. And Senator Thompson goes, "Well, we should fix that." Like, that's it, that's the rejoinder.

Okay, so Congress didn't fix it, obviously. I don't have to tell anybody in the room that we have massive security problems. That's what this entire day is about, and all of the conferences around these issues are about, and certainly we're continuing to debate how to fix all of the security problems in the US. But what did happen after this was the L0pht group decided to start publishing vulnerabilities. And if you think about it, as we fast-forward 20 years later, it's now well-established that responsible disclosure programs and
having an ability to respond to vulns when they're disclosed to your organization is a part of good security practice. And in fact it's a part of good security practice that my former agency, the Federal Trade Commission, has incorporated into its guide for what constitutes reasonable security. And all of that comes out of this effort to make a previously relatively invisible world more visible to the people who are thinking about writing laws and making policy. So I like this example because I think it shows that, of course, government moves slowly, and of course technology outpaces it, but in fact getting involved and starting to surface some of the issues and being vocal about them can in fact change
industry practice and change best practices even when whole new laws aren't written. So it's important.

Okay, so what I wanted to talk about with this slide was essentially the ways in which I've seen really good engagement from the government. Again, I'm using a lot of US examples because I'm the most familiar with them, but I suspect that for a lot of folks it is possible to identify the parts of the government that are interested in hearing from you, and I suspect those are the parts of the government that look very much like a consumer protection agency or that have a mission that is sort of aligned. So my former agency, the Federal Trade Commission, for example, is again
primarily a privacy and data security enforcement agency, also a competition enforcement agency. It's an agency that protects consumers from unfair, deceptive acts and practices in the marketplace, which is a relatively broad mandate. But it has over time started to form closer relationships with the research community and with technologists, because consumers are using technology in their daily lives, and the security of it, or the settings that allow them to navigate the privacy on it, very much matter in their daily lives. So the FTC, for example, has hired technologists. It also has established its own in-house research shop, OTech, which can create its own research but, importantly, recreate research if it is given information about research or sees a presentation at a conference like
this. So that can be very valuable for bringing a case against companies that have insecure practices or are not doing what they purport to be doing with people's data. But it also has been holding conferences. There's an annual conference called PrivacyCon, which invites researchers to come and present new research on both privacy and security, and it's been very successful the last three years. We've added an element to it, which is also bringing in US government agencies that have research funding to do brown bags with researchers, so that they can connect directly with folks who can help fund research, and I think that's an important area as well.

There's also, around the US government, been a variety
of different ways that the government has gotten creative with engaging with hackers: the Digital Service, which was started in the Obama administration, which is about bringing technologists into the work of the government in a meaningful way. There was the Office of Technology Science in the White House, which actually started having its first chief technology officers, its first chief data scientists, and bringing those kinds of real experts in technology not just into the White House but into every different government agency. There have been challenges that have been run by DARPA but also the FTC and other agencies. The FTC, for example, ran two challenges at DEF CON to create better tools to fight robocalls, which are
those annoying telemarketing calls that bother you all the time, and DARPA ran the Cyber Grand Challenge a couple of years ago, which was a cyber autonomous capture-the-flag game at DARPA, which was terrific. I also just wanted to mention that there are fellowships, and now there's a new call to bring a tech advisory group back into Congress. Especially following the performance of a lot of the members of Congress during the Facebook hearings, there was a real recognition of the need to bring technological expertise into that part of the government as well. So what we see in the United States is recognition across the government about the role that technologists need to play, and really new models of trying to
engage even the grey hat hacker community. Even the Pentagon, now, the Department of Defense, is running Hack the Pentagon and other challenges as well. So I think these are really promising developments and recognitions that we're seeing in the US, and I suspect we're seeing them in other places as well.

So I wanted to make sure that I ended with some really clear takeaways, because we've been covering a lot of ground. The first one is, you know, I think an important one, which is: find a way to present your research to policy makers and enforcers. And again, I say "responsibly" here, because I think all the laws are different. We want to make sure
people are not putting themselves in legal jeopardy. But also find the parts of the government that are interested in this information and develop relationships with people in those parts of the government. Form partnerships with consumer protection and data protection agencies and help them understand what you know. I think that's a really important element. I suspect you'll find a lot of people who are public servants are deeply interested in these areas, and a lot of them are in regulatory agencies that are dealing with industries that haven't previously experienced a lot of these problems. So if you think about, in the US, for example, the safety administration that regulates vehicles is now thinking about autonomous vehicles, the aviation administration
that does planes is thinking about drones, the FDA, which does medical devices, is thinking about IoT. So we see a range of these government agencies that don't have a lot of technological expertise, that really need it, and they need it quickly, and they have to get up to speed. So a lot of them are looking for ways to engage.

Become a tech translator. Okay, I can't emphasize this enough. Now, that might not be the right role for everybody in the room, but if you can explain to your mom what you're working on, then you are qualified to be a tech translator. Okay, now, this is a challenge, but a lot of us, myself
included, who, you know, either have been in positions to write laws or enforce the laws, don't really know all of the codes and buzzwords of the hacker community. And I think it's awesome to have your own vocabulary and your own language, and I think it's powerful and cool, and have your own community, I think that is also awesome. But remember, if you're trying to explain something to someone who is not in that community, help them understand it if you want to have an impact. And if translation is not your thing, then find someone who is a translator and see if you can tell a story about the technology, or help them tell that story in a way that people can
understand it. Examples are great, real-world translations. Like, I loved the talk just now about... I was thinking, like, in my head, the Internet of Yachts, oh my god, rich people problems, which was great. But, you know, as you're sitting there thinking about it, the way to translate it is, like, hey, all of these routers and satellite links on these boats are, like, super insecure. Like, they're running, like, really, really bad security policies, and they've got, you know, stuff coded into them that you can't encode, and passwords in plain English, like, things, Mom, you wouldn't do yourself at home anymore. So just having an ability to kind of explain some of those things sometimes really matters. I've
seen this matter also operationally when I've been reviewing companies who have run into problems with the law around their data security practices. Very often some cybersecurity personnel or even a CSO explained to relatively high-level executives that there was a vulnerability that needed to be patched, like, it was on the OWASP list, and then the executive was like, "Okay, cool," you know, and just didn't do anything with that information. That resulted ultimately in a fine from an enforcer. Problem. So they should have, and they should have known better, but part of the problem right there was just the translation out of very specialized information into more generalized
information. So this is a vital role, and we need to find people who are good at this and deploy them everywhere. And lastly, if that fails, you can always rely on using the Force.

So I see my time is up, and I wanted to, of course, leave you with the parting wisdom that the laws and regulations, and agencies that are enforcing these laws, are having a global impact, because the Internet is a medium that connects us all globally. Our connectedness is growing. You all have specialized knowledge and skills that are vitally important to protecting consumers, individuals, privacy, data, all of these things that are going to matter to us as human beings, and we need to get
you into the mix. Find parts of the government that you can work with, help people who are policy makers make decisions, and speak up as much as possible. Thank you very much.

[Applause]