
BSides LV 2023 - I am the Cavalry - Tuesday

BSides Las Vegas | 9:00:47 | 407 views | Published 2023-08
About this talk
BSides Las Vegas 2023 - I Am The Cavalry - Day One
00:31:28 - Introduction to the Track, Reflections on a Decade of IATC
01:28:30 - Energy Poverty and Potential Impacts to Other Critical Infrastructures & Powerful Paths to Progress
03:56:20 - Hungry, Hungry Hackers: A Hacker's Eye-view of the Food Supply
04:56:30 - Farm to Fork(ed): The Forces Fueling Food Chain Risk
06:56:35 - Water, Water Everywhere: The Krakens, Kelpies, and Mermaids in today's Water Sector
07:57:20 - Public Service Journeys (To and From Hacking Culture)

[Music] ... really, so, community and government after ThotCon and 20.
Okay, hi, I'm Andrea Matwyshyn. I'm a professor at Penn State in the law school and in engineering. Okay, testing, testing. All right, welcome to the I Am The Cavalry track, 10th edition. Say happy birthday for a decade. [Applause] I am not Jen Ellis, so you might have seen, when you were deciding to come here, that Jen Ellis was going to be the lead speaker, but sadly Jen got stuck in the UK and we're all sending her hugs. She has recorded a little bit of an address for us, and Beau and I will do our best to augment the things she did not say. In this track we're going to basically do a little bit of reflection on where we were 10 years ago, what's happened over the last 10 years, and maybe what could be the future, here in this first opening orientation. But also we're going to try to give a little bit of a preview of what you would see if you come here, and if this is your first time in the Cavalry track: some people come and go à la carte, some people really benefit from the contiguous experience, because several of the talks were chosen and sequenced to build upon each other and cross-reference each other. So I will probably go last.

I'm Josh Corman. I'm Beau Woods. And Jen Ellis will introduce herself via video. Yeah, 10 years ago here we gave birth to I Am The Cavalry, the idea that the Cavalry isn't coming. The co-founder was Nick Percoco. At the same time Beau was giving his own talk, and we met in a green room afterwards. But the idea was: our dependence on connected technology was growing a lot faster than our ability to secure it, in areas affecting public safety and human life. That was my raison d'être. Nick was pretty concerned about the increased criminalization of research, and Snowden had happened, so it was uncertain times, where I both felt that we were powerless and at risk of being further marginalized, but also that the world needed us more than they ever did. And we asked if people would work together and try some radically
uncomfortable experiments: to use empathy and a long view, and meet people where they are in safety-critical industries, to try to make the world safer sooner if we work together. We had a slightly bigger scope than we ended up deploying, but we said: if you like this idea, meet us at DerbyCon in eight weeks and we'll do a constitutional congress to identify our mission, vision, and goals. So we're not going to do the entire history here; I just went through quite a bit in the upstairs keynote. But we do want to make sure you understand why we're here today and what we're going to be doing today and tomorrow. And to do so, if I can get this thing working again: Jen couldn't be here in person, but she does want to share her thoughts. This is not Jen, this is Andrea, and Beau is seeing this for the first time, so he may disagree with everything that Jen has to say. Okay, fingers crossed.

Hi BSiders, I'm so sorry that I'm not able to be there with you, but I hope you guys have an amazing time out in Vegas. Not sure that I'm envious given the current heat wave and everything, but I hope it's a good time for you guys. I just want to really congratulate everybody: 10 years on, the Cavalry is amazing. When I think about some of the milestones that you guys have had, or that the Cavalry has had in that time, and some of the impact that's been created, I think it's really phenomenal. And I think when you look back at 10 years and what's changed in that time, I do think you can see the sticky fingerprints of the Cavalry members on some of that evolution that is so important and impactful for how we think about security risk across society. So for those who don't know, I'm Jen Ellis, hi. I work really closely with governments around the world and non-profits around the world to try to think about how we create behavioral change that reduces security risk on a societal level. And weirdly, I've been sort of in the background involved in the
Cavalry since the very, very beginning, but it was all a bit of a coincidence on timing, really. So come with me as we go back through time. 10 years ago I was working for a security vendor and I was supporting a security research team and working really closely with them, and one of our research leads was threatened with legal action for a research project that I'd been really closely involved in with him. It was all a bit stressful, as I imagine you can relate. It didn't lead to anything terrible, but the whole process was so stressful that he sort of said, "I don't know if I want to do research anymore," and I was kind of like, "Yep, I get that." But at the same time there's a sort of consumer rights issue here, because research is the thing that arms consumers to make informed decisions to manage their own risk, right? And I was like, what are we going to do if researchers feel like they can't do research? So I started to look into it more. I learned about the Computer Fraud and Abuse Act, I learned about the Digital Millennium Copyright Act, I learned about state hacking laws and what impact all of this was creating for researchers in the US, and then analogues around the world that are very similar, that are also creating a chilling effect on researchers. And I was like, something's got to be done. And even though I have no policy background, no law background, and in fact I'm not, as you've probably gathered from my accent, actually American, I decided that I was going to be the one to go and change it. So I started to talk to some other people who maybe felt strongly about this too and tried to think about how we could go and engage policy makers, and that all started 10 years ago. And weirdly, at the same time Josh was going through his own process of realization and awakening around the risk that existed in society where physical and virtual meet and have the potential to
create harm. I'm sure we've all heard Josh say "where bits and bytes meet flesh and blood" a thousand times; if you're playing Josh Corman bingo, I am here for you. So we were at a conference and Josh and I were just catching up, and he was talking about what he was doing, and I was like, oh, that's kind of weird, because I've also started doing government engagement recently on this thing. And what we realized was that the two initiatives, while separate and having come from separate places, were going to be super, super complementary to each other. Every time I went and met a policy maker and said, hey, security research is being chilled by the current legislative landscape, they would look at me, and it was a little bit like I'd said we need to build a rocket ship to the moon and they were like, what's the moon? And my ability to answer that question, what is security research and why does it matter, was really aided by the Cavalry, right? I was able to go, well, for example, when you look at cars, let's think about how much software is in cars. And most people don't know these things, right? They don't think about things in these terms, and in fact at the time when we started, automakers weren't thinking of themselves as technology manufacturers; they told me directly they weren't. So having the conversation around cybersecurity with people who don't think of themselves as software companies is really hard, and talking to legislators about that kind of stuff is really hard. But every time I met a researcher through the Cavalry who was working in one of these areas of potential harm, the thing that's cool is, obviously it's terrible, the level of harm, but they're very relatable areas to talk about. If you talk about a medical device, or you talk about a car, or you talk about a plane, everybody knows what that is. Everybody's interacted with them in some way, shape, or form; they've seen them on TV; they're very tangible,
and they can understand the potential for harm in a way that, when you're talking about for example the confidentiality part of the CIA triad, it doesn't engage people outside of security in the same way. It doesn't get them going, oh, I see what the impact on society is going to be. So being able to talk to researchers in the Cavalry and learn from some of the work that they were doing and the conversations they were having in the sectors, and then pulling that over onto the policy side to talk about the impact of research, the importance of research, why research was actually hugely valuable to society, was really, really helpful. And I hope, and I think, that the conversations we were having there about that role of researchers and the importance of research has also fed the Cavalry's ability to engage with them. We opened lots of doors and tried to say, hey, you should really meet these people. I took a number of people who were involved with the Cavalry in to meet with policy makers, and then over time there have been many, many, many, many more touch points that have been created, which is amazing. And I mean, if you look at where we're sitting today, BSides has now for a long time had policy makers coming and participating. I think I was one of the early people to drag policy makers with me to come speak with me, but now it's quite a habitual thing, and I know that you've got members of the FDA who'll be speaking in the Cavalry track. I imagine there are probably some people coming over from the UK government who are talking about related topics. I think you'll have many others from the government sitting in the audience, if not speaking as part of the talks, and Common Ground often has policy content. But that's not all, right? Black Hat has a dedicated policy track; DEF CON has Policy at DEF CON, which is huge this year, really huge, like two separate tracks and then a round tables room. It's
loads, and we're seeing it now spill out into other areas. One of the things that the Cavalry has always been a part of, in fact, has been Hackers on the Hill, an initiative to help security people get experience of going and briefing policy makers. And those touch points are critical, because at the end of the day cyber crime is estimated to cost the global economies around seven trillion dollars a year, right, which is almost three times the GDP of the UK, just to give you an idea. Yes, the UK is much smaller than the US, but still, it's quite a big number. And so the governments are going to be paying attention; the governments are going to be trying to do stuff on cyber security and cyber crime and cyber risk. And so if we can put the people who live and breathe this every day, the people who are doing the research, who are doing the jobs, who are working on the front lines of this, in touch with those policy makers, then we can try and avoid unintended harms or outcomes; we can try and make the policy fit for purpose as much as possible. So I think it's really critical that there is this relationship and that the Cavalry has engaged with governments in the way that it has. And the Cavalry has taken a position of leadership around so much. I mean, things like the PATCH Act; some of the things that have been done that weren't direct policy engagement but helped influence policy engagement, things like the Five Star Auto, for example. Those kinds of things have then been fed into sector-specific people. I mean, the work that the Cavalry has done with the FDA has been phenomenal, and huge props to the FDA team on the other side of that, who have just shown astonishing leadership over the past 10 years on these topics. So, I don't want to belabor the point, but I do want to just say, I think when I look now, 10 years ago people
were like, policy makers don't want to hear from us, and I could see why people felt that way, right? And now I look at the landscape and I'm like, yeah, there are still problems; it's still hard to know who to talk to and when to talk to them. But no one can say policy makers don't want to talk to the security community anymore. There is demonstrable evidence that they do, because they're coming to us, coming to our conferences, and they're doing that so they can meet more people and talk to more people. And I think that engagement and that potential to create impact is incredible, and it really speaks to some of the work that's been done and the trust that's been built and the solid foundation, the groundwork that's been established, to show how productive those relationships can be, and also to show that we can be trusted partners, right? We can collaborate; we don't have to be just trolls on the internet that criticize and have no interest in working on making things better. And I think that is all really, really positive. One of the things I love about the Cavalry so much is it's not just about pointing out problems, it's about finding solutions; it's about that collaborative effort, working forward together. So I just want to say again a huge congratulations to everyone who's worked on that. The work is not done, there is more to do, but there's also so much more opportunity now to engage and to create influence, and I think that's amazing. So I hope that all of you will feel really inspired to go on and to continue and to think about how you can play a role. And I say good luck, and I look forward to it, and let me know how I can help. Enjoy the rest of... [peace signs] Thanks very much, bye.

Okay, so that's Jen. We'll take feedback to her; she can't hear you right now, even though it felt like she was in the room. And fun fact, as we pivot to Beau's reflections: Jen did not see the call to action, even though she knew what we were building and kind of helped
advise on what we were building; she was across town at Black Hat doing a super secret meeting that never happened, establishing trust with people about hacker lawfulness. So she never heard the call to action and has been one of the top contributors for a decade now. That takes some stamina, and we treasure her. So someone else who did not see the call to action, but has also been in the top trio of making the world a safer place, is Beau. Why didn't you see the call?

Yeah, so at the same time I was in a different room giving a talk about how to let go of responsibility and go travel around the world, which was fun for a little while, but this is a lot more fun and more meaningful. So I guess I let Josh convince me to quit doing that and to come in. And out of curiosity, how many people in here were also not in that talk that first year at BSides? It's a majority of people. I think the lesson we can take from this is that there's a lot more people who were not in that room who were helping to change the world. Yes, which is awesome, I think, and it's a testament to how far we have come. And I don't know, we didn't plan this, by the way, because we kind of had some last-minute stuff. But do you, you pulled something? No, no, you have something? Okay, you should take about the same time she did. So, okay. So as I've been thinking back on the last 10 years: 10 years ago, what did we tend to hear about when you had the so-called adults in the room talking about stuff? It was banks and the electric grid, and that was basically it. Films, I think; Sony had just gotten hit because of the Seth, uh, the film about North Korea. And that was a lot of it. If you talked to policy makers or anybody about... oh, I see you're doing a montage, you can ignore it. Look how young he looks. Oh, camels. If you talk to policy makers or others, they hadn't really thought about the security implications of
Internet of Things. They hadn't really thought about it; they didn't realize that computers were in cars. So a lot of the things that we had to do back then to make things relatable, today that situation has totally changed. So when did the CyberMed Summit happen, in the hotel room? The year, no harm, the first Do No Harm? Yeah, I think it was year two or three of our birthday. Yeah, so this would have been like 2014, 2015. We have some very awesome doctor friends of ours who are also hackers; they've given talks at DEF CON and also save people's lives in the emergency room. And they were like, hey, we should just have a conversation about medical device security, about healthcare security; there are some really serious issues there, it's going to get people killed. And we're like, all right, cool, what do we want to do? Well, let's get some people together. I was like, all right, that's cool, you know, the Tuscany has great big hotel rooms, we could just do it in my room. Next thing I know, I see a tweet go out like, hey, Tuscany, this room, everybody just show up, and I'm like, oh. So I'm like, okay, I guess we gotta prepare for this. So I emptied out my bathtub, I hadn't showered in it, and put a bunch of ice in there, went and made like 10 trips to the ice machine, got a bunch of beers and threw them in there, and we had probably 20 people sitting around in a hotel room just having some really, really interesting conversations about medical devices, healthcare security. Some really, really good people in there who still to this day are doing amazing things in medical devices. And we formed an idea to do what we call the CyberMed Summit. I'm just going to wander and ramble on this. And we came up with this idea to do clinical simulations where you put doctors in a room to treat a patient. The doctor doesn't know what's going to happen to them; they don't know it's going to be something cybersecurity related, but they've got a support staff that has a script,
you've got a patient who's a professional actor who does these things all the time. And so we did this really amazing thing where we killed someone on stage; we killed someone in an operating room, but not for real, we simulated it. And it was incredibly powerful. If you've never seen what happens in an actual emergency room, it's worth going and finding some of these videos online. That first year we had Nightline do a story about it. So like y