
Hacking the Public Policy API

BSides Las Vegas 2018 · 51:38 · 46 views · Published 2018-09
About this talk
Travis Moore, Maurice Turner, and Jessica Wilkerson discuss how technologists can engage with the U.S. Congress to improve government's capacity to address cybersecurity and technology policy. The talk introduces I Am The Cavalry's fellowship program that places technologists on Capitol Hill to educate lawmakers and their staff, and provides practical guidance for security professionals seeking to influence policy.
Original YouTube description: Hacking the Public Policy API - Travis Moore, Maurice Turner & Jessica Wilkerson, I Am The Cavalry! BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018

Transcript (en)

Well, thanks everybody for being here. We're gonna talk about a very, very exciting topic, which is the United States Congress. So we've got a lot of folks up here; we've got really the majority, if not a plurality, of the folks that understand how technology works in the United States Congress. My program, my organization, TechCongress, exists to help improve Congress's capacity to take on tech issues, to take on cybersecurity issues. So I think we're gonna talk a little bit about the nature of the problem, which probably all of us instinctively know, but we'll dig into it, and then we really want to provide an opportunity for Q&A about how you all can engage, because we need more people that understand technology and cybersecurity issues to be part of this conversation. Congress desperately needs it.

So a little bit about the problem, the nature of the problem. What is the problem? Chuck Schumer, our majority leader, excuse me, minority leader in the Senate, says he sends between four and five emails a year. Lindsey Graham ran for president in the United States, where it's a badge of honor that he doesn't use email. This is the level of familiarity that you have in the United States Congress on tech issues. And I should say, I think Chuck Schumer and Lindsey Graham are both great members of Congress; they're pragmatists, they're institutionalists, but they have very little understanding of how technology works. Who here watched the Facebook hearings? Question from the chairman of the Finance Committee: "Well, Mr. Zuckerberg, I don't understand, how do you stay in business if you don't charge your users?" "Well, Senator, we run ads." This is the level of familiarity in Congress with how technology works, and at the staff level it's not better. So there are 3,500 legislative staff in Congress, exactly seven that have any formal technical background. Jessica's one. The House is, generally speaking, much, much better than the Senate on this. No, it's... five of the seven are in the House, two in the Senate; there are alumni of our program. But why this matters, right, because tech isn't just a slice of the policy pie. It's not health or education or finance; it's the crust of all of these issues. So our thesis is: decent, functional government in the 21st century requires this expertise in-house.

And this was born based on my time as a staffer working in the House, working for a member that was on the same committee as Jessica. The Snowden revelations in 2013 happened on, like, a Thursday. I found myself running around trying to understand: what is metadata of phone records? I'm not technical. What are these NSA programs? What are the implications of the programs? So that I could advise my then boss, Representative Waxman, what was going on and what we should be thinking about. There weren't people in the building that could explain those things to me. As a consequence, I had to go outside of Congress, and I went to a tech company, and they were more than happy to walk me through their view of many of these technical concepts, but also their point of view on the Snowden breach. So our thesis is that this needs to be in-house.

So that's what we've set out to do. We place technologists to work with members of Congress through this one-year fellowship. We've got three of them up here and one alumni, so they can speak to their experience. The goal is that you will bring in technologists, first to give a really, really great education into how Congress works, so you can think of this as like a master's degree in how Congress and government works. Second is to catalyze Congress to solve this problem for itself. Ultimately we're not going to solve Congress's tech deficit with 50 fellows, no; Congress needs to prioritize and hire staff like Jessica, so that every committee has a chief technologist in the same way that it has a chief counsel. And third is we want to build a program that can cycle in new expertise on an annual basis as technology changes, as technology evolves. The fourth thing we're trying to do is build a sustainable model that we can take to governments everywhere, and Katherine is our first great example of this. So Katherine is a PhD student, she can talk a little bit more about it, at the University of Washington studying neural privacy, and our hope is to build parallel programs in Congress bringing in grad students, and then step three is to take this program to states and localities. The state of California, for example, they had 23 markups and hearings on drone bills alone last session; not a single technical person on staff.

So we've done this by modeling on existing congressional fellowships like the Robert Wood Johnson Foundation, which has been bringing doctors into Congress for over 40 years. I talked about our objectives; these are some of our funders and our partners. So a couple quick case studies into the impact that some of our fellows have had, and I should say we're hiring, we're recruiting right now. So JC was one of our first-year fellows. JC was an identity management engineer at Microsoft for 20 years. He went to go work for the Health Subcommittee in the House Ways and Means Committee, and he worked on a couple things: electronic health record interoperability standards, so our health record systems should speak to one another. In fact, we spent nearly 30 billion dollars, 30 billion dollars, in the stimulus giving money back to hospitals and providers for EHR records to speak to one another. There was not good language about what interoperability should be, and so in practice we don't have interoperability. He also worked on a proposal for unique identifiers on medical devices, like VIN numbers. We have a recall on pacemakers right now; you have a faulty pacemaker, guess what, we can put it on the nightly news, we don't have a way to talk to you directly. So JC was a great original case study.

John Costello went to work for the House Oversight Committee. His big charge, he led the investigation into the Office of Personnel Management breach. Anyone here a federal employee or have friends or family that are federal employees? So now all of our information is over with the Chinese doing who knows what. But John looked into the root causes of the breach and what we should be doing about that. He also set up a Congressional Tech Staff Association as a way for staffers to get educated on issues by experts like you all in the room. Sunmin Kim, one of our fellows last year, one of the things she worked on: open data standards. The Obama administration issued some big federal open data standards; she worked on codifying that, so she got that passed out of the Senate 89 to 8 last year. Sunmin is also working now full-time for Senator Schatz, working on emerging tech as her specific charge. And then Chris Soghoian. Did anybody in the room know Chris? Chris was the chief technologist at the ACLU before the program. Chris thought he'd come into Congress, he'd get a bit of an education, he'd come out and he'd be, you know, a better activist. But within the first two months of Chris being in Congress, he'd gotten half a dozen things done that he'd spent the prior four years trying to get done at the ACLU. So he got advanced email encryption adopted at the Department of Defense, advanced email encryption adopted at the Department of Homeland Security, he got Signal approved and he got a number of senators using it, he helped break a story about foreign intelligence services using fake cell towers in Washington, DC, Stingray devices; this is an issue that DHS knew about but was not doing anything about. Chris, last November, when sexual harassment allegations were all over Congress, Chris walked into the Office of Compliance, the HR office in Congress, and said, look, show me how you're recording these claims, where are you recording them? To paraphrase the story, he found they were being stored on a third-party server off-site, minimally encrypted, no regular security checks. By the way, nobody knows how the John Conyers allegations got leaked to a right-wing blogger; the blogger won't say where he got the files from. Talk about a treasure trove if you're a foreign intelligence service. So fellows are able to do extraordinarily impactful work. We're growing; we've got some of our fellows up here who can talk about the work that they're doing, and with that I think we'll just kick it over to everybody. Maybe we can start with Jessica: just talk about your work and how people can better... kind of the nature of the problem, how people can better engage with Congress.

Sure. And so first things first, just to remind everyone, I'm not actually associated with the TechCongress program. I do talk with Travis all the time to try and encourage him and explain how much I need backup. Just a little bit about me first: I'm a computer science and mathematics background from Syracuse University, started working in Congress five years ago for the Energy and Commerce Committee, and that's a particularly interesting committee to work on tech issues with because it has such a broad jurisdiction: healthcare, auto, electricity, commerce generally, IT, all of this falls into the Energy and Commerce jurisdiction. So I work on a lot of different issues when it comes to tech. And I actually have to pause because I really need to give a shout-out to my chairman. Chairman Walden is actually one of the smartest members in Congress when it comes to tech. He was a big radio guy back in his home state before he came to Congress, and thankfully he gets it. But Travis is right, you know, Congress struggles a lot. I think you can see that sometimes in the hearings and the letters and other things that go out, the quotes that are given when these really complicated tech issues come up. And as a staffer, as one of the few, like Travis said, there's not a lot of us: it's me on the Energy and Commerce Committee, there's Representative Langevin's legislative director, who is another computer science major, Chris over in the Senate, and then some of the fellows here. But it's difficult when you're trying to work on tech issues and when you're trying to explain why they're important and why they're critical and why people should take time away from other issues to work on them, if you can't really delve deep into the tech and why it matters. And so the more allies that I have in other offices, which obviously we all have to collaborate if we're gonna do anything, the better. It just makes my life easier, it makes the policy better, it means Congress is more effective at what it's trying to do when it comes to tech. And so having fellows like the TechCongress fellows is incredibly helpful. And I do want to highlight Chris Soghoian, because I have really been kind of stunned by what Chris has been able to get done. He came in and he targeted some issues that were really unexpected when it came to issues that you think that somebody wouldn't want to work on in Congress. He works over on the Senate side and he has just been pounding the Senate in terms of their cybersecurity controls, and it's not, you know, "company, you should go fix your cybersecurity because it's really poor"; he actually went and looked at the Senate and said we should probably clean up our own house first. So he's been pushing and pushing and pushing the Senate to do better and it's working. I mean, Chris has gotten a lot done when it comes to the Senate's own cybersecurity and I really think that's impressive. And so I want to highlight to everyone in the room and everyone who might be thinking of coming to Congress, of doing the TechCongress fellowship, or just getting involved however you want: you can make a really big difference and you can do it in ways that you don't expect and in ways that have a huge impact on all kinds of issues, health care, auto, electricity, all these kinds of things. And we need all the help that we can get, so please consider coming to Congress, please consider helping us out. And I think the other thing, too, that I would say, just because I know sometimes there's a little bit of a question mark over the relationship between government and the security research community in a lot of cases; I know that there's been certain instances where we haven't necessarily seen eye to eye. But you know, Travis was hinting at this point earlier: if we can't talk directly to the experts that we need in order to understand an issue, don't assume that that means that we're not talking to anyone. It just means that that policy gap is being filled by trade associations and tech companies and other groups that have, you know, something that they want to get out of it. It's not tech expertise for tech expertise's sake. And so the value of having unbiased, objective experts that we can call up, I really, really can't overstate it. Sorry, I'm grinning because I see Josh Corman sitting in the audience, and Josh has been pretty instrumental, the Cavalry has been instrumental, in a lot of the things that I've been able to get done. So I will stop rambling at that, but just really to underline what Travis has been saying: it's hard to overstate the value of having tech experts directly in Congress.

Maurice, do you want to... actually, maybe we could start with Maurice and then go around. Just talk about your experience and what you're working on now.

Sure. Thank you for inviting me. I feel like it's a real honor to be able to share my experience, and hopefully it'll inspire some people to recognize they can make a difference despite how daunting the task might seem. I've been interested in technology for a little bit longer than I've been interested in government, and I've been interested in government since I was in eighth grade. I knew that I always wanted to work in government. I went straight from high school to undergrad on the political science track and then went right into my master's in public administration. So I really embraced the notion that I am a bureaucrat. I don't think that's a nasty word; I think that we do need people who are professionals at getting things through the legislative process and getting them implemented, because government is everywhere, it just depends on which level of government you want to look at, and it takes people who know how to get things done in order to have these services that we all really enjoy and sometimes maybe don't even know that we get. On the technology side, I can say that it's been instrumental in my life to be able to have this technical background while also pursuing government administration, because there needed to be some experts in the room when we're having these conversations about policy and implementation. Because the worst thing that can happen is that you have people who are really good at making policy but don't have the experience or the knowledge about how things really get implemented, and they make a bunch of rules, and then those rules are either misinterpreted or taken advantage of or just, quite frankly, counterbalanced toward one side, and the outcome isn't what people want. And so I think opportunities like TechCongress are unique in that it brings expertise into a conversation that has been lacking expertise. During my time in the Senate last year I was on HSGAC, which is a horrible-sounding acronym for the Homeland Security and Governmental Affairs Committee. I wanted to have an impact straight away. I really thought that, okay, this is the time where, you know, I can help out staff, I can help out the member, I can help out the committee really get an understanding of how technology, as Travis was stating before, is the crust underlying so many major issues. It was a fantastic time to come in and be a technologist in Congress. Unfortunately we had a lot of malware attacks and other issues, like email servers, that were up for discussion. Most importantly for me, I was inspired by learning about election security. So about this time last year I came to DEF CON for the first time and went to the Voting Machine Hacking Village. That changed the course of my life; I can't underestimate that. I think, you know, folks like Josh can appreciate it: once you see a problem so acutely and you recognize the impact that it can have, sometimes you just literally feel inspired that you need to get in there and get your hands dirty. And so that's what I'm doing now. After my time in the Senate I went ahead and joined the Center for Democracy and Technology, and now I'm actually a technologist, a position that didn't necessarily exist. We have a chief technologist, but now I'm a senior technologist at CDT, and I'm working on election cybersecurity because I feel so strongly about it. I have a background of civic engagement, so when I'm not at work I like to be involved in the community, and I feel like elections are probably one of the few areas where just about anyone can get excited. You know, it's kind of counterintuitive, but just that notion that our democracy is built on a person having a voice in their government, and that voice being expressed through casting a vote for their representative; there's something very powerful about that. And so I believe that we need to make sure that there's a level of accountability that comes along with that, and that's why I feel strongly about working at CDT. Because, you know, I could have a certain amount of power on the inside, but I believe that would have been limited to just speaking with staff or the member or the committee, but on the outside, as was mentioned before, there are plenty of offices that are interested in engaging outside expertise. And so I feel like if I can play a role at CDT and be the voice on the other end of that phone call, or be the response at the other end of that email, providing that expertise that makes for good policy, then I can have an outsized impact. And so that's where I really feel like I'm able to leverage my background in administration but also in technology to be able to help make those laws better on the implementation side. Now, the only thing worse than having no laws about something is having bad laws about something, because either way it takes a long time to get it changed. So I try to do what I can to make it right the first time.

Katherine, you want to talk for a minute or two about your experience and maybe one or two of the things you've been working on?

Sure. All right, so my name is Katherine. I am in Suzan DelBene's office in the House, and I was very lucky to sort of have the opportunity to work with someone who actually has a tech background. So she had a biotech startup, she worked for Microsoft, she actually understands and sort of speaks the same language as I do about privacy and security. So my dissertation research is about neural security and private information. If you want to learn more, shameless plug: I'm talking at the Biohacking Village on Saturday at DEF CON, so you can come hear about it there. But through my work in neural security I've realized we're not going to pass a bill right now on neural security, but we can talk a lot about privacy in general. So what are the ways that we can talk about privacy so that people actually understand it, or how can we talk about technologies so that we can say there's disparate impacts of different kinds of technologies? So most of you probably read Brad Smith, the president of Microsoft, his blog post from a couple weeks ago talking about how government should regulate the use of facial recognition by the government. And so, seeing as Microsoft is in our district, we decided that we should have an answer to that question. So I got to sort of delve in and say, what is facial recognition, what are the issues with it, what are the disparate impacts, and what should we be doing with it? So that memo went to the boss and we'll see how that goes from there. But sort of taking an issue that suddenly comes to the forefront, whether it's data privacy, whether it's facial recognition, whether it's the robots are taking all of our jobs: how can you frame it in a way that it matters to the members, the members' constituents? So how can you make sure that it's something that they'll be interested in, so that you're not sort of, I guess, you know, taking time or trying to find a home for it; you're actually making it relevant.

So hi, my name is John Price. I work for Senator Cory Gardner from the great state of Colorado, go Broncos. I'm a prior Special Operations soldier and intel community member. I think for me, I was always frustrated being on one side of the pointy end of the spear, if you will, and trying to always get the right technology to the place that I was at to do my job, and it was very frustrating to never do that. And so to be able to interface with leaders and explain the types of technology that we need to get into our government to modernize it and to protect infrastructure is really an opportunity that I feel very fortunate for every day, because you can see the tangible impacts by giving people a platform, not just talking yourself, but people like Beau Woods and Josh Corman to come in and speak with the staff members. Because like we talked about previously, they're starting really from very much behind the power curve. So it's a really unique opportunity, it's really a great point in time, I think, because a lot of people are very receptive, and even though Congress is very much behind, this is something that, I think, as Travis has talked about before, which is what you say, like it's pre-partisan, yeah, you know, technology. So a lot of these issues aren't left or right, you know, so it's an education issue, and that's really a great opportunity to sit down with the staff and members. Thanks.

So my name is Colin Anderson. I work on the Senate side as a TechCongress fellow. I don't want to associate my scurrilous comments with my boss, so I'll just leave it there. You know, I want to start with one thing, which is what's particularly interesting is that my first time at Black Hat and DEF CON was three years ago, in the fervor and panic around the Wassenaar Arrangement export controls on penetration testing, or, well, rather intrusion software, i.e. government-grade malware and certain malware products, which then started to look like pen testing products. And what's interesting is that there tends to be, every three or four years, this panic in the cybersecurity community about, oh god, they're touching this thing, this makes me feel uncomfortable, and particularly given the substantial libertarian streak that exists in our community, or anarchist streak, or, you know, these sorts of things, this especially compounds this general concern. I actually think that it has been interesting and valuable, for all of the reasons that have been expressed, to have people with tech expertise in order to say, okay, you know, maybe the core principle is something that we all agree on, which is, hey, maybe we should have some oversight over, like, NSO providing 0-days for iPhones to, like, the UAE government, which are going to be potentially used for human rights abuses, or used to target, you know, the US Embassy, which was the case in Mexico. There are human rights and national security concerns about that, which might lead to a real reason for there to be some sort of control. You know, having tech people there in order to make sure that we can separate, where possible, these types of activities and not have a chilling effect is great. However, I think I can make a harder sell, or better sell, which is ultimately what is fascinating is that this is the US Congress. This is a powerful institution that speaks with a very loud voice, and that's a platform. And what you've seen, you know, Chris Soghoian has been mentioned several times: what you saw is you had somebody who was a civil society activist who loved to troll, like, whomever, you know, given the day, you know, Google over Android updates and security and how that related to vulnerable communities, and take that skill set and that interest and operationalize it within the tools available within this environment. And so I think the better pitch is actually: you don't have to pry yourself, you don't have to go and, like, lay down your body in front of the Congress in order to, like, stop terrible legislation. There's a real opportunity here. There's a real opportunity to start to use things like, you know, one of the ways in which we're going to get better IoT security is through putting stipulations on US government contracts in order to make sure that items that the US government buys at least don't have default passwords, and companies are not going to have a US government kit and then a commercial kit; you're gonna raise everyone's level. And so what you start to get through these, or, you know, actually what I was surprised by was the thing that I do most is I write letters. The thing that I think most of the people on this panel have done most is write letters, and when you write letters, those letters get paid attention to. And so you get these, like, different toolkits: procurement standards, oversight letters, publicity, inquiries, hearings, questions, all of that, also towards people who would never talk to you in person, you know, like you'd never get to in real life, and they all become tools to pursue these sorts of ends, which I think that we all agree on. And I think that this also bodes well, this connects well with the past presentation, which is that there's a lot of opportunity for somebody of the skill set that would come in, or the interest that would come to BSides, to start to leverage that, and be the reversal of that pitch, you know, the computer scientists going in with English majors and, you know, contributing their valuable skill set. But ultimately you can go in for a couple of years and you can really start to see how these systems function, and there's a huge opportunity to pursue things. Mine is, I think malware should die, and, you know, like building from that ethos, you know, what are the things that we can start to do towards improving general security for the public and kind of improving our defenses overall. And I think that that's a tool and an opportunity rather than some sort of social obligation in order to, you know, defend the community against the ignorance of the US Congress as the 800-pound gorilla in the room. I've gone too long, I'm sorry.

It's all good. Well, we would love to open up a conversation about what Congress is working on, what it's not working on, where the opportunities are. Yeah, we'll go there.

...if there weren't so many old white men in Congress, technology policy would be better, and I don't know whether that's true or not, but it always just struck me as odd, because there are certainly a lot of old white men in the InfoSec community that certainly know what they're talking about, and a lot of the people who are advising Congress are... Is that really true? I mean, if all of a sudden every member of Congress and every senator was 40 and from the technology community?

So in repeating that, I guess, for the sake of the live stream, the question has to do with whether or not Congress is maybe a little bit older than we'd like in terms of technology policy, since technology's a little bit newer, at least cybersecurity is a little bit newer, than maybe some of those folks are used to. Um, speaking as, I think, the congressional staffer on the panel, Travis can back me up as a former one here too, I think one of the things that it's difficult to understand until you actually work in Congress is how much staff are relied upon. And so your member, any given member of Congress, is a member of several different committees. So they're on the Agriculture Committee, the Energy and Commerce Committee, the Armed Services Committee, and they're probably experts in one of those areas but not all of those areas. And so what happens is that they have a legislative assistant or somebody, the one staffer who's a specialist in that area, and then they go to that staffer when an issue comes up and they ask them. And so I guess to answer your question, would it be helpful if more members of Congress understood technology on a really deep level? Of course, absolutely. I think we've seen that happen in some cases with Congressman Hurd, Congressman Landrum, who do have some of those tech backgrounds. But at the same time, I think getting staff in who understand this at a really deep level is probably a more immediately impactful way to really up the level of expertise. I also don't know that it's an age issue.

I mean, we make laws; in order to make laws typically you're a lawyer. There's not a lot of technical understanding in law school, so they're kind of already put behind the power curve, and that's why they have to rely on, as was just explained, the younger staffers to make them smarter in this area.

Yeah, I mean, I think if you look at, for example, Senator Ed Markey, who's, you know, he was in the Congress, he's been around for, you know, I think forty years, yeah, wrote the '96 Communications Act. He's tech savvy but he's not necessarily a technical expert. I think that what you need is offices that give space to cultivate those communities. I thought actually one of the most interesting sets of questions, although not perfectly executed, in the Zuckerberg hearing was actually Roy Blunt asking about cross-device tracking, and I was just saying, I was like, wow, you know, like somebody knew to ask that and, you know, like prepared that and put together a good set of questions. And a lot of that preparation is done at the staff level. And so I think that if you were to rank them, you know, on the one hand it might be like necessary but not sufficient, but also I think it's more important to have the staff in place and in the right offices than necessarily to have, you know, senators that are digital natives or are, you know, like experts themselves. You just need the people that are really tracking it on a daily basis and especially are able to follow the fast pace of change and to come out to these spaces and to be able to be that resource for their boss at the end of the day when it matters.

I'd like to see more diversity on the Senate side, and I know that the House tends to trend a bit younger, and so there is definitely more diversity as far as ethnicity and also gender, but I don't think it's an old white man problem. I think it's more of an issue of, at least from my perspective, I don't like it when people seem to wear ignorance as a badge of honor. Like, why would you only send four emails a year? It's like, either you didn't use email, you don't use email, but to say, like, I send so few emails, like, I'm not sure what that's supposed to convey. I prefer to see members who are more open-minded about what they know and what they don't know, and actually be better managers from the standpoint of knowing what issues they can have an impact on or are within their area, within the jurisdiction of their committee, and then say, you know what, we really need to staff up in X area or we need an expert from this field to come join staff so that we can be more effective in our policy solutions. Right, question there.

Jessica, do you want to field that? So then, I guess, the question, and then tell me if I paraphrase... Yeah, sure, sure. So how to get the proper information to Congress so that, you know, we have the information that we need, so that our bosses have the information that we need. Um, you know, I think so this is something that we struggle with as staff in general, I think, of what issues we should be covering. Obviously things that make huge newspaper headlines or something are probably going to land on our desks one way or another, yes or no. I mean, I think some of that's just the nature of the beast in a lot of cases, is that Congress to a certain extent is always gonna be reactionary. We're always gonna be reacting to what the nation is reacting to; that is the nature of our jobs. But in terms of what information we need, honestly, sometimes it's not what information we think we need. We don't know what we don't know and what we should know. And so I think maybe the best example I can come up with is something that's been talked about a lot the last couple of days, is software bill of materials, where in 2014, four years ago, a certain I Am The Cavalry member walked into our committee offices and brought up the idea of software bill of materials, and I didn't quite laugh him out of the meeting, but it was pretty close. And then, yeah, I mean, it was a series of events. It was Josh, for those of you who were able to guess that. He sort of kept up on it, and over the course of four years, you know, there was enough of a groundswell of support for an idea that really was a common-sense idea that by May, I guess, when the task force report came out, the big health care task force report came out, it was just an official

government recommendation my committee came out in support of it a couple months later and now the NCAA is doing it and so sometimes we don't know the things that we should be working on and so if there's something that you're just incredibly passionate about and you think that we should be paying attention to an arm pain attention to it like screw what we think we need to be talking about like you come tell us a little bit to that from a more pragmatic approach if there's an issue you care about figure out which member is also caring about it and then also which committee may have jurisdiction over it and we weren't born knowing how to do it

so it definitely there by design Congress is opaque and you know what's up on a hill wish I knee buildings and all that and it's kind of inspiring but then in the day you realize you know it's it's got basements and people and they do work and so like machine kind of comes off of it if you spend a little bit of time in there but seriously like go check out the committee you know if you're interested in cars go find out which committee has some jurisdiction over cars and then and that's fine um it would be really overwhelming to try to track all cybersecurity legislation across committees on both sides so just pick a committee you know maybe it's

Energy and Commerce and then just take a look at their their calendar you know once a month once every couple of weeks and see when they're gonna have hearings or you know track them on Twitter or take a look at their press room and see which letters are they sending out which signals they giving out to the public to show yes I'm working on this issue because I care about it because my constituents care about it I don't know about senator Kaine but I've worked fairly closely with Senator Warner staff and they they have a standing rule where if if you are a Virginian you can walk in the office and set an appointment with it's more

common most offices from my experience at least have an open-door policy especially for constituents and so you know you might not get the most high-level meeting but you'll probably get a meeting and somebody will listen to you so and and it might even you know we will take meetings for non constituents as well on on certain areas and especially if they have expertise you know look for legislation also you know see who's what who's doing what who's sending what letters whose co-signing such letters you don't have to know the entire world I actually know less about what's happening in the house now how did I'm on the Senate side and it might be like some biases but but but

you don't have to attack the entire piece of the puzzle or the entire puzzle you just have to take a piece and and I think that you that that will be an enormous ly valuable contribution and ultimately what you want really what you what is a successful meeting is not a meeting in which you have written legislation it is a meeting in which a staff member now trusts you and might proactively reach out to you and might make connections and so you start to facilitate those sorts of relationships and maybe in an advance of a hearing you reach out and say hey I noticed that the NTIA head is going to be there here's some questions about software billable a

bill of materials that might be helpful and everyone wins in that situation because you've just gotten a set of questions in the staff member it looks like they're smart and this the the member of Congress looks prepared everyone wins in that situation that just you just have to start with that building up that trust relationship building trust it Josh right it's a hard question nine minutes later so and recognize that some of you listening to your answer of video or whatnot may not politically ideologically agree a couple you mentioned that IOT bill so I thought a lot with pops on the framing of the Iowa teach is detachable according this bulgar program probably shouldn't have a

fixed password like an admin he's a pretty common-sense things and yet there's revolt phonation and you know weeping and gnashing of teeth all sorts of violent reaction is from our friend if Park visited any legislation that the question is I guess if we can't agree on you shouldn't have a hard-coded password a password amongst this community how are there any changes or advice you would give this demographic has becoming the dip the dancer for twenty six years to be more he wants to be more strategic about these little win it's like how do we better represent the entire industry I'd like to talk to you some of our friends to talk to you but ultimately if

like an a-list actor said oh it's a terrible idea to get rid of the fall passwords it sent mixed signals so is there any advice or challenge you would give constructive challenge to the attitudes of the general yes so advice to give to the hacker community on how to better engage with each other when it comes to policy and better engage with policy makers and I would say two things I'm gonna say that the first one the second one first because it's a little bit easier and it's a little tongue-in-cheek but I mean it as seriously as I can be careful what you wish for when it comes to legislation it is incredibly difficult to get passed and it is nearly

impossible to undo once it's done so if you want to put something technical into legislation you better be damn sure that you've thought through all of the consequences because if you get if you convince the the Congress to pass something and you can and then it turns out to have a really horrendous consequences we're probably stuck with it for a long time so just patience and when it comes to legislation and just be very very thoughtful because legislation is a very big hammer and it can cause a lot of damage if it's if it's wielded wrong the the second thing that I would say is you got to be patient with with policymakers you got to be patient with the lack of

expertise that it's gonna come out of and you had to be patient with the process I mean I've been on the hill for five years now and I still get blindsided sometimes by how the institution works you can have a perfectly sensible piece of legislation that everyone can agree on but it just it hits the committee and then it in the subcommittee markup something goes wrong something gets said it gets misconstrued it manages to eke out of the subcommittee and then it goes to the committee and then it goes to the house but then it doesn't pass the Senate I mean there's so much that can go wrong and it's not because of the people it's

not because of the policy is bad it's just because Congress is such an in a unique institution and it has a bunch of unique institutional rules that are really hard to overcome and so I guess the the way that I would say it is you know in the same way that I think Congress and policy makers have had to really understand and reach out to the information security community and really understand what that is differentiate out what it means to be a hacker versus what it means to be a white hat or a gray hat or any of these other things coming around to the idea of coordinated disclosure instead of thinking that we need to to sue in those

kinds of cases we need the same of understanding reflected back at us in terms of the the barriers and the obstacles and the things that we have to deal with when we're trying to make good policy when we're trying to help with tech and it just it's not always as easy as it seems so I would say what again be careful what you wish for when it comes to legislation into you know just have some empathy first as we continue to struggle and we continue to try and evolve I think there's a couple of good examples from the Wassenaar discussion actually and what you saw was you saw a number of people from this community

like Katie Moo Soros and rapid7 stay engaged in a very very vitriolic conversation and I think the lessons out of that were you know sometimes you're not going to win it's it's kind of damage mitigation and that is a slow process and you're not going to get a hundred percent you might not even get 50 percent but at the end of the day being involved in the conversation is is immensely valuable and in terms of adding technical expertise but also some of the loud voices in this community are very toxic voices as well and lend to a toxic conversation and I think stigma to that stigmatizes the entire community for for staff and so for people to be

kind of able to engage reasonably amicably even when they're not going to get their desired outcome still ultimately benefit is beneficial towards the process is beneficial towards the thing after where it might not be so so zero-sum and I think that that I think that you've seen the community shift into more of that role productively I think through the work of I am the cavalry I think it's through some of the smaller companies so you know the the rapid sevens which isn't so small small anymore but I think that that kind of just like protracted engagement is as important as going on being very critical or V baring being very smart one time and then

ever coming back ever again luck with two quick points one politics is always in play like it's just you can have the best technical solution and you can feel it in your heart that this is the best way to solve a problem but if you're not considering the political aspects of it it's not going to go anywhere and the second is leading off of that that's where organizations that are off the hill also play a role like my modernization of CDT we are very happy to be in the middle and try to reach out to all sides of a discussion anyone who wants to be involved and we're happy to have those conversations on the record

or even on background there may not even be any sort of acknowledgement that those meetings took place because there are too sometimes where the conversation needs to be frank and open and some people aren't willing to have that political hit or they don't want to deal with the political ramifications of having that kind of discussion but just based on some of the institutional rules and the political rules those discussions need to happen in order for progress to happen so just be aware of that so let's let's take any remaining questions all at once we've got one over here

that you're all aware of that you think the best chance of succeeding what what my Congress actually passed what else yeah okay yeah yeah yeah great

8080 sorry there we're increasing next year this guy's here at 75 that's a great question any others why don't we start you all Toby on time two minutes one minute real quick real quick any immediate like 15 seconds what would Congress actually pass to be completely honest considering that at least in the house it's an election year and it's midterms and it's a very fractious political election and we have about three weeks left of legislative time nothing there there will probably be nothing but wait but but stuff still moves even if it's even if you kind of externally get the impression that Congress is dysfunctional which it might or might not be true stuff still moves

and so look at you know look at the National Defense Authorization Act or the omnibus spending package there is there was for a moment there was i OT on the NDAA there's a lot of cyber security look at the Russia sanctions bill that's coming up right now and so there might not be like things that stand out but stuff gets attached to must pass and that those bills are often very important and our opportunities and so it's still happening great that's how some men you got the open data bill passes through NDAA good point on the questions of money it's it's a problem I mean it's a real sacrifice and we are at we're at the

level that we're at because we want people if they want to stay to be able to move up Congress doesn't pay enough I mean these are bigger Congress has cut its own budget 35% real dollar terms in a lot since ten that that's a that's a real big and I don't know the answer to that but it does require a sacrifice what we can say in return is that you get to do a kick-ass job on on issues that you really care about with the direct line to a member of Congress that can they can really make things happen on the question of right skills or wrong skills right skills technical ability and ability to get things done and be able

to translate you need to be able to communicate that's the most important piece you'll see that these are all of these folks are excellent communicators that's really important wrong skills not willing to work well on teams you got to be able to eat super collaborative so listen I'll say for what I gave up in money I gained tenfold in relationships access and and those things will pay off later in life much more than one year's salary and that's why it's a tour we'll review it as a tour of duty model awesome thanks everybody for coming [Applause]