
IATC - Kickoff & Panel - Joshua Corman & Beau Woods

BSides Las Vegas | 45:02 | 24 views | Published 2018-09
About this talk
Kickoff & Panel - Joshua Corman & Beau Woods I Am The Cavalry! BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018
Transcript [en]

Welcome. Can everyone hear me? Alright, so a little bit of a late start, but that's okay; a lot of the Cavalry is improvising as we go. Raise your hand if you were here for the Cavalry launch five years ago. All right, cool. Raise your hand if this is your first time and you don't know what the heck I Am The Cavalry is. Even better. Alright, alright. So we're gonna use this first block as a little bit of a reflection on the first five years. It's amazing to me that there have been five years; very few hacker initiatives escape their initial launch and achieve escape velocity. But more importantly, I think what we really want to do is figure out what the next five

years have to look like. So a little bit of visuals to assist here; it's mostly also to frame the track for the next two days. We are supremely grateful to BSides for giving us a home for our launch, for giving us a home every year, for giving us a bigger home every year, because we are trying to make the world a better place and it's not easy to do. It's so much easier with support from such a family as BSides has been. So before I jump into a bunch of stuff: I'm Josh Corman, I'm one of the founders of the I Am The Cavalry org, here five years ago. Actually, August 1st is our

technical birthday. Well, I'm Beau. I think some of you know the story, but Beau did not even see the launch and the call to arms; he was giving a talk about how to be a digital vagabond and avoid US taxes and have fun, something like that. Is that close? Okay, pretty close. And we met over some booze in the speaker lounge, and you said, after exchanging what talks, everybody's like, I'm in. And I think it's undeniable Beau has been the most reliable player and the most ardent contributor and the most patient and the most flexible, and I'm so grateful to have that. It means our friendship is five years old now; we didn't even know each other. So Beau has

tirelessly put together this track. I'm gonna try to give a little bit of framing of the origin and what we've been doing. There is press in the room, we are recording this. I tend to keep a lot of cards close to the vest; I'm gonna be a little more open this year out of necessity, having spent five years. But mostly what I want to challenge in this is... maybe a thing I was gonna say later, so I'll keep it to myself. But one thing we're gonna do is pass around, unless you're not 21: one of our Cavalry teammates found Cavalry bourbon whiskey. Alright, if you just mentally delete the line that says "Last Stand" and you read

the back, it is stunningly consistent, stunningly consistent with our zeitgeist and what we attempted here, especially with the bottom line of "now is the time or never." So we have some number of little plastic shot glasses and we have a bottle of this. I'd like to thank the people who made this possible, but we're gonna pass this around, whoever wants to get started. If you're not 21, do not touch it. Alright, alright. So I don't want to slide us to death, and it's gonna be more of a guideline than a script here, but basically, as some people don't know, you're like born to do this, right? The initial launch had a

little bit of a different flavor than anything, but let me just quickly jump to kind of our core zeitgeist here when we launched. And I'm gonna show that; that'll be actually one of the launch slides. We said, look, we're deeply concerned about our relationship between technology and the human condition. The line I used was: our dependence on connected technology is growing faster than our ability to secure it. And I got really worried about that, and I was worried across a couple of dimensions: body, mind and soul. Body was public safety and human life, mind was the ability to do research without criminalization, and soul was the relationship between technology and civil liberties, of how people treat each

other. And really one of those biggest contributions was really convincing me that we really had a major... one of those, we really had a major on public safety and human life, and that really was one of the things that first captured my attention. But what I think we've really done, if you abstract it, is when we said "the cavalry isn't coming" (that was the name of the talk; we didn't even have a name for the group), we basically just said, if you think someone's gonna come fix this for you, they're not. Right? Who do you think's gonna fix it? You know, we kept looking for the adults in the room and couldn't find any. So part of

the name was: if the cavalry isn't coming, if no one's gonna save you, then it falls to you. Right? You get to be the thing that's missing. So what we said is, you know, answer the call and personally declare "I am the cavalry, I'm a part of that solution." And the idea was to be a helping hand, not a pointing finger. It was to be an ambassador, a translator, a teammate, to reach out of the echo chamber into public policymakers, the public, and public safety industries like cars, medical devices, etc. And we had a lot of really good research from folks like Jay Radcliffe and others that were looking into this stuff; they just

weren't getting heard. There was no bridge, there was no trust between the hacker community knowledge base and the general public we wish to serve. We didn't really know it at the time, but we were really creating a safe space for a subset of the hacker community. I like to talk about the five P's of good-guy motivations, right? There's protectors that want to make the world a safer place. There's puzzlers that do it for challenge and curiosity. There's prestige, that do it for glory, and you want to be the first to do something, the best at something, the one on the news. There's some sort of profit or professional development: we can make a living off this, or personal gain.

There's some sort of politics, protest or patriotism, some sort of ideology. And you know, hackers are complicated; no one of us has like only one of these things. I tend to be a protector first and a puzzler second, so I want to do things that matter, but I also want to do really hard things. We kind of created a safe space in the Cavalry for the tribe that wants to protect, and by accident we also attracted the tribe that wants to do puzzling, right, that still has that curiosity and that ability to take things apart and put them back together. But really, kind of what we tried to do, whether we meant to or not, was

kind of build the superhero class. It doesn't mean we're arrogant, it doesn't mean we think we have all the skills; it just meant that we really felt like the world was heading in a direction and maybe we could do something about that. I've met Stan Lee a few times; the last time I met him was just after his wife died. So a tiny, maybe meandering anecdote, but they all said basically: do not ask him about his wife, do not say you're so sorry, he'll just start crying, he'll leave the room, this is his last Comic-Con tour. And everyone's like, what do we say instead? And he said, we'll say some way he's touched your life. Right? So here's this long

line of people to sign stuff, and I'm trying to think, what do you say to Stan Lee on probably his last tour when he's really hurting? And I don't remember the exact words I said, but what I really realized I wanted to say was that anything that I ever do in my life that is even remotely heroic, that he gets part credit for that. And you know, we're not gonna get into a conversation about starting I Am The Cavalry or changing public safety policy or having the FDA do the first recall in history because they understood how important this was to preserve the trust of the public. I wasn't gonna get into any of those anecdotes with him. But basically what I

realized is, if you've ever met like a first responder or soldier or a firefighter or ER tech, there's just something about them where they live a heroic life. And for most people, you know, you just go about your life doing your stuff; you don't really think about the impact of your actions on others. One of the things we were trying to tap into with this movement was, you know, if you can taste a moment of heroism, it's a pretty good life, right? If you can have a vocation or a profession where you're heroic every single day, that's freaking amazing. But the thing I loved about Stan Lee wasn't either of those; he was another order above that, which is that he

inspires heroism. And I think what I've been most impressed with, with all the teammates we've gathered through the years here, is that we took people who had power, who had good to give, who had some talent or some way to contribute, and we inspired that heroic gene, and that's been inspiring in turn to us. Right? Because every time we get beat up or sad or frustrated or whatnot, we look at something one of you in this room did. So I'm gonna do a little bit of the unauthorized biography here. A few of you know the real story; I'm gonna give a sanitized version of the story, especially since, like I said, it's recorded and whatnot. Does anybody remember when

Jericho and I researched Anonymous and the rise of hacktivism? Okay, so that was some pretty risky stuff, but we felt it was important. We saw large groups of post-national youths opting out of social contracts, rebelling, taking direct action online using primitive hacking skills, maybe just DDoS, maybe just a little bit of, you know, Metasploit here and there. But I was really worried that was the first wave of something more worrisome. So we started researching, started writing. Governments took notice, the international community took notice, the UN took notice. We started getting asked to do briefings. It's like, how do you get hackers to go into intelligence community briefings? But we found this: wait a second, why are

you asking us? Shouldn't you be telling us what's going on with this stuff? But they didn't know, and I started realizing the real power and the real knowledge was really in the talent pool that comes to DEFCON every year, and that was kind of scary. So anyhow, through all that work, Jericho and I wrote one last little, like, epitaph to that piece of research. It's like two and a half years of research on what cyber war would probably look like; not, you know, kitten-killing, oh my god, Fear Factor fun stuff, but like what would electronic warfare really look like. And that became something that got very popular in the intelligence community. So there was a

not classified but sensitive briefing where I got to pick five of my favorite, so, security minds. I said "cyber"; I'm gonna say it a lot, don't worry, you're drinking bourbon. And we got to bring them into Fort Meade for two days to do a direct meeting with General Alexander at the time on how do we voice our concerns for public safety, human life, national security level issues. So arguably one of the most powerful people in the world. Now, not everybody trusted that we weren't gonna be put in jail or whatever heading into Fort Meade, but we assembled, you know, some pretty interesting people. But one of the more interesting parts

was, think how amazing someone like an HD Moore is, think how amazing someone like Dan Kaminsky is on their own, but what was even more powerful is how strong they were together, the ideas bouncing off each other, the interaction with fairly important folks. And in the course of doing that discussion over two days, there's really two forks to the story, but the short version is, by the time we were done answering challenge questions... and here's an example of one of the challenge questions. General Alexander said, if you could add one sentence of legislation that would have the most material impact on public safety, human life and national security, what would that one sentence be? It's a

pretty awesome question. In fact, I always like to hear what your answer would have been. Without going into tons of detail, my answer at the end of two days, because I was thinking like a hacker and domino effect, was: anything sold to the federal government must be patchable. You're gonna see that come up elsewhere sometimes. But at the end of the two days, after every question we answered for all these challenges, essentially what he said is: I can't do this one, can't do that one, there's no authority for that, there's no political will for that, until someone dies this won't happen. And we just went down the list of brilliant ideas, ideas that only a

combination of hackers and his team could have come up with, and couldn't do any of them. And at the bar that night we were licking our wounds, and I said to them half of the answer... oh, is it time to do a shot? I didn't say "siren." All right, so let's take a moment here: raise your glass if you got one, to five years of making the world a safer place together.

That's my first taste; I was gonna wait until I liked it before I asked him if I could get a lifetime supply. Okay, but what I said at the bar that night, what I said was: guys, the cavalry isn't coming, no one's gonna fix this for us. And it was a dark evening, it was a sad evening. Doesn't mean we gave up, but it just kind of let half of the equation sit there for a while. And the other part I think I can do quickly, but it gets personal. In between day one and day two of this two days at the Fort, I came back to my cell phone in the car (can't bring

anything in). I find out I had 18 messages telling me my mom was gonna die. So that kind of messed me up. Now I didn't want to reveal that to my friends; I just wanted to focus on the mission. But we hospiced her for a couple months after that, through her funeral. The last time I took her to church was the Sandy Hook shooting weekend, bad timing, so her preacher over and over and over just kept saying, why is there evil in the world, why is there evil in the world? And it really made me furious. I couldn't put my finger on why; I just was angry. So then when I went back to the same exact church for her funeral, being in

the same room again and not wanting to be angry at my mom's funeral, I started just trying to channel it into something positive, something. And what I remembered is that she was my science teacher in seventh grade; somebody got hurt or sick, so she got to fill in. And I learned three things from her, the two things that I applied to this. At this funeral I basically said, look, last time we were here we were talking about Sandy Hook. As a father I was mortified, as a citizen I was mortified, as someone losing his mom I was mortified. We kept asking why is there evil in the world; it didn't sit right with me. So I think I finally put

my finger on why, and what I said is: many things she taught me as a science teacher. One is that darkness isn't a thing, it's an absence of light, and cold isn't a thing, it's an absence of heat. So maybe it's not just the presence of evil but the absence of good. If you see something missing in the world, maybe it's our job to put it there. So then I asked my whole extended family: so what's the absence of Murry? It's my mom. And no one knew how to answer, obviously, but I said, you know what, we don't get to find out, because now it falls to us to do what she was doing. And in that moment I

finished the other half of the question, right? So the cavalry isn't coming; we got to do it. So I don't know who you're waiting for, and that was the call. So I licked my wounds, healed up a little bit, came to the desert for BSides, for DEFCON. We didn't know if it would work at all; we didn't know if we'd get laughed at for being cynical. We didn't have a talking slot; Banshee and Jack made it happen. So in a room full of very wounded, very frustrated, post-Snowden anger and anxiety, with a lot of people thinking I'm gonna take my skills to the dark side, we wanted to create an opportunity to be light, to be heat, to be

good. And that was that trinity, right? If something's missing, let's put it there. And many of you answered the call. We didn't know if it was gonna work at all. Look, the idea was, if the cavalry isn't coming, maybe we should try something, anything. We talked about fuzzing the chain of influence, we talked about focusing on body, mind and soul: public safety, human life, which would appeal to the mass market, to our neighbors, to policymakers. Instead of saying "hey, hacking is First Amendment free speech" and sounding like a bunch of whiny brats, maybe we said, if we can demonstrate a vital, necessary, missing public service and public good that we are both uniquely willing and able to do, maybe

they'll protect that ability to do research. And I was seriously gonna bite off more than I could chew, but Beau convinced me not to. But we were also really concerned that technology was changing the way we treat each other, and I think it's undeniable it is. I even have an unpublished essay on how social media is destroying society, which I almost, finally, seven years later, decided to publish during the Facebook hearings. But so these were the things that we said: look, instead of waiting for someone to go fix them, what can each of you do? It was never meant to be a spectator sport; it was meant to be a personal declaration. Now, folks like Jay were already on

the way; you were researching the devices, you were just having a hard, hard time. So it wasn't just trying to fill the void, it was also being smarter, because hackers tend to be solo actors. We tend to, you know, go at this on our own; we don't like teamwork, we're not good at teamwork. You know, we think you have to have permission to do stuff, you have to come up the right way, do the right things in the right order. You know, we're not good at teamwork. So the other thing is, it wasn't just important what we were gonna work on; it was also important how we conduct ourselves. And one of the things we said is, look, we're

terrible at empathy, we suck at empathy. So instead of us being that pointing finger, we're gonna be the helping hand. And instead of saying all the things they did wrong in the past, we're gonna make sure they do things right in the future. So we want to take all the good work Jay had done, but, you know, front-end it: how do we get better devices into his hands, or when he's broken it, how do we find a way to fix it, or when we have all that packaged up, how do we talk to the FDA in a non-threatening way, how do we build that trust? And instead of hacking a single flaw in a single device and

getting one recall, we want to hack the system to save all devices, right? So we just said, let's do what we do best and start thinking like hackers: identify the chain of influence, map it, fuzz it, try things, fail fast, iterate. Didn't know if it would work at all, but I think anybody who's been tracking us, without giving a laundry list of our accomplishments (and we have been very bad at sharing our accomplishments; we've been keeping a lot of them very, very quiet for good reasons), we have saved lives. We have gotten in front of these things, not theoretically; we've actually had pronounced impact. And if you don't get a chance, or if you are planning to

get a chance, please do go look at this new interface that we've set up with the policy folks with the Hewlett Foundation. You can directly interface; you're gonna hear from some of them that are in this room that see the Cavalry as their primary teammate in doing policy work in the executive branch and legislative branch. So with that I'm gonna shift quickly. So ultimately we were told... so I'm like, should I skip? Yeah, we switch together, right? Yeah, okay. So I'm probably gonna skip one thing, but we kept being told no one's gonna do anything until somebody dies first. All right, and that may have been true; we took that as a given, possibly. I

don't think she's in the room yet, but she's possibly one of our proudest moments. Without giving a timeline, we first focused, the first year, mostly on automotive, on automobiles. There's like 20 car companies, so we figured if we can get some muscles built on how do you reform just 20 car companies, then we could pivot to something harder like medical devices and the Food and Drug Administration. We were told the FDA is really hard to work with; it didn't prove to be true, but we were told they were really hard to work with. But one of the things we were told is, um, you know, until there's bodies, you know, no one's gonna listen. But our goal right from day one

was, if you wait for that, you've already failed, because if there's a crisis of confidence in the public to trust these connected technologies, you know, we're gonna hurt more lives, right? In general these technologies and breakthroughs are much better, much safer, much more effective at care than their alternatives. We don't want to just blindly trust them; we want to make sure that the trust we place upon them is merited. So at a minimum we were trying to build those trust relationships and inroads such that when something really bad happened we could have a prompt response. So tongue-in-cheek, this is a joke for people on camera: I kind of got impatient after a couple years and

said, you know what, I'm gonna do what every good self-respecting hacker would do: if people have to die first, let's just kill some people. So ultimately we did kill people in Arizona last summer, last May or June, June, in a hacking simulation with full partnership with the FDA and DHS and HHS and all different sorts of things. But I'm gonna give a fictional story of the first confirmed fatality, and tell me if this is science fiction or if this is just fiction. I usually play a song first, but I'm not gonna do that. There's a Bob Dylan song I like called "Who Killed Davey Moore?" Anybody know it? Okay, nobody. Go listen to this song;

basically, he's a huge boxing fan. There was a boxer named Davey Moore who dies after a boxing match, and the question became who killed him. Was it the other boxer? Was it, you know, the fight promoters that hyped it up? Was it his fault for getting in the ring when he was sick to begin with? Was it the crowd cheering them on and egging them on? Was it the referee who should have called the fight? It just kind of walks you through who's to blame for killing this boxer, right? And it's a tough song. So I'm gonna talk about "Who Killed Davey Moore," cyber edition. So I got permission from him; don't get mad, don't be tweeting this

that I did this. It all started with Viss. Everybody know Viss online? Well, he likes to tweet, he likes to get upset. He wanted to show us something on Shodan, right; one day, hope surroundin', showed in, find something really dangerous. He wanted to show us how to get BusyBox; notices a ton of BusyBox instances, the vulnerable BusyBox instances, on Shodan. And then the Janitor, I don't know if you guys remember the Janitor who wrote BrickerBot; the Janitor decides, you know, I'm gonna come out of retirement, because that's a really embarrassingly bad vulnerability. I could just brick all those devices, right? Why not? I did it before for Mirai; I can do it again.

But the problem is, do you know who else uses BusyBox? Way more medical devices than you're comfortable with. So rest in peace, Davey Moore; we now have our first confirmed kill of a bedside infusion pump running BusyBox naked on the Internet, exposed because of poor network security in most hospitals. So the question becomes: who killed them? Whose fault is it? In a longer session here maybe we can talk about this one. The easier question is who's likely to get blamed. Is it gonna be this maybe-Janitor? Is it gonna be the creators of Shodan? Is it the hospital who should have filtered that at the gateway? Is it gonna be the device manufacturer for using such a crappy old thing? Is it gonna be

the FDA for not having been tighter on BusyBox earlier on? Is it gonna be the people who actively resisted common-sense legislation, because, you know, hackers hate legislation so let's fight it all? You know, is it gonna be the Chamber of Commerce, who hates any attempt to make cyber better? And is it going to be the companies who fund it? Like, who's to blame when we have our first fatality, and what's the fallout and the consequence when we have our first fatality? And you could talk about this being FUD, but I think the real fear, and certainly denial, comes when we've been too cavalier for too long, and that's why we knew we couldn't be. That's

why we had to simulate these types of events in the CyberMed Summit. We had met two hacker slash med students, now physicians, at the first anniversary of DEFCON: Christian Dameff and Jeff Tully. And we couldn't believe these two young guys were in med school and hackers; it was completely awesome. So we said, we know we got to do something, and I think we talked about this and showed a little video last year from some of those hacking simulations. So we did three different hacking sims in an ER with unwitting physicians to see: could they tell they were hacked? Did it affect patient care? Did they ask for an autopsy after? Instead of just hacking

something and saying it would be terrible if you got a pacemaker hacked, one of the first tough-love sessions I had with Christian was, he's like, you know what would happen in ninety-five percent of people who have a pacemaker hack? They'd get tired. You guys need to improve your aim if you want anyone to listen. I said, well, does that mean we should just pack up and go home because everyone's safe? Because, oh no, you could do some real serious damage if you hack the medical device; you just got to know how the actual hacking interfaces with human physiology, and we can help. So that's what we did: we took three demonstrable hacks of three different medical devices

that aren't science fiction and we put them in to see how would it affect physiology, and the results were terrifying, and we can show those videos. But more importantly, without giving the greatest hits, Beau and I worked... the Cavalry is a very large group. We have a couple hundred in Slack alone, which is the only measurable one; we got a lot of supporters elsewhere, and we won't even put govies or anyone who's FOIA-able into our Slack servers. So we're guessing we have around 500 folks actively participating, but a couple folks went real hard into public policy land, when I even left the private sector for a bit to go to a non-profit think tank

and push even harder on what we call cyber safety. We tried to put cyber safety into the fora. We've had a couple dozen major breakthroughs; probably most profound was our work with the Food and Drug Administration. But we put out things like, on our first-year anniversary, we said all systems fail; cars are now computers on wheels, maybe you got to be this tall to ride the Internet of cars, right? Instead of making an ISO standard with way too much stuff, we just said all systems fail, here's five ways to avoid failure, and we published this in an open letter to the car makers, and it started our deeper collaboration with the broader community

in the Society of Automotive Engineers and the Department of Transportation and Congress and whatnot. A bit later, and possibly with more fertile soil, we published both... took those great principles and translated them into very medical language with our Hippocratic Oath for Connected Medical Devices. You know, we don't have to tell this demographic to care about public safety and human life; they already do, right? The answer was translating into familiar language: that is, these medical devices increasingly play a role in the delivery of patient health care; maybe the devices too should support that intent. We did things to workshop with people: say, don't just blindly take the NIST Cybersecurity Framework. We keep saying IoT is no different; I have to use "way different";

maybe it's not different if you really want to get pedantic, but we made frameworks like six dimensions of difference for how safety-critical IoT doesn't conform to the normal best practices, right? Things like different adversaries with different motives. Things like different consequences of failure: like an availability attack on a web server, yeah; availability attack on a life-saving device, death, right; availability attack on a pressure sensor in an oil and gas pipeline, explosion. Different context and environment, different composition of hardware, firmware, software, different economics, and massively different time scales. So we make these little frameworks, as an honest broker we bring them to Congress, we bring them to the executive branch, to the regulators, or bring them to Europe, and we try to initiate

conversations that, you know, cybersecurity in health care is not HIPAA; that's the privacy of your records. We care about your life. I make jokes like, I care about my privacy, I want to be alive to enjoy it, or that we incentivize a corpse with their privacy intact over preserving patient care and life, and nobody can disagree with those things, right? And then we noticed that even though we're demonstrating all these great things, it took the Mirai botnet taking out the Internet for a day to really get some public policy attention, and that's when BrickerBot and the Janitor started doing their stuff. But that trust we started to slowly build with folks like the Food

and Drug Administration, you know, when Congress finally asked, let's take a really serious look at health care cybersecurity, myself and I Am The Cavalry were asked to officially play a role in a congressional task force, and we got to have a hacker's-eye view and ground truth put into the zeitgeist. We got to point out how dangerously underprepared we are in modern hospital environments. And I'm not gonna go through this one, but the idea that hackers have not only a voice but are sought after for their counsel and for their knowledge, to be an active participant in some of this stuff, is just really night and day from five years ago. You know, we'd have tried bumper stickers,

which we might groan at or even make fun of in the past. It's not an actual bumper sticker, but we try to synthesize down, like, how do you change the zeitgeist a little bit? Don't just connect everything to everything else. You know, I might want to drive a tractor-trailer truck, but I'm not qualified to do so, so maybe we shouldn't just blindly assume every hospital with zero security staff is qualified to run a connected operation. And back to the Stan Lee stuff: they like this one a little better, a little less threatening. But also in scary moments, really scary moments, really hard moments, probably one of the hardest moments of our lives was the Mother's Day weekend when

WannaCry hit, right? We'd been talking about this stuff, been preparing for this stuff. I don't think Beau and I slept for like five, six days straight when WannaCry hit. You know, here we are hoping that our national security apparatus is prepared to deal with such an event, and they're calling us and they're asking our friends, like, can you help us figure out what the heck's going on, or how do we warn hospitals? And again, that's scary, but if that's a role that we can play, this room helps play that. The stuff you guys do matters: the ability to mobilize a network of folks that know stuff we don't, to be able to answer questions we

can't, to provide people who can and will act upon it. The U.S. got very lucky in a lot of cases, but some of that luck was Irish luck, right? Hard work, hard-earned luck, here you get. So a lot of this stuff was putting us in a position where we were close enough to be confused for people that know what they were talking about and could help in moments like this. I already mentioned the CyberMed Summit, but it's also worth noting that, while we don't want this to be, you know, something... because we weren't the prestige group that wants to brag about the kind of things we do, we tend not to talk enough about the things we do. But

you know, in a world that thought hacker equals criminal just five years ago, I want you to reflect for a moment that we've now had like, I think, four or five documentaries pointing out superhero hackers or good-guy hackers or helpful hackers or hackers saving lives in hospital environments. I think there's been two on CNN, one on ABC Nightline. We're starting to turn the tide on this kind of thing. And even though it's controversial, which is part of my plea here for the next five years, we are actually, you know, engaged in the scaffolding and architecture of public policy reform. There's a bill for IoT cybersecurity; there's a lot of fighting over it, but it basically says

things like any IOT sold the federal government must be patchable that one sound familiar I shouldn't have hard-coded credentials and fix passwords every one of those vendors should have a coordinated vulnerability disclosure program inviting researchers act in good faith to report issues to them without fear of legal reprisal that's not Congress calling hackers criminals that's not only recognizing the intrinsic value of this demographic it's begging for it to be put into law that you can get safe harbor for doing these kind of things and there's two other provisions but these are like really simple common-sense ways to make sure the next Mariah doesn't happen or that the next Mariah isn't comprised of medical devices and one other thing that you

should pay attention to is they used to call on witnesses as the CEO of McAfee or the CEO of Symantec or the CEO of fire I you know they're calling on now they're calling on your hacker friends not it not exclusively but this is changing in fact I want to hone in specifically on art Manion down there in the corner this was the the specter meltdown thing and if you haven't watched it go watch it the Senate chairman of the committee and the ranking minority both without flinching are seamlessly and correctly articulating the value of coordinated vulnerability disclosure and chastising Intel and others for not using hackers better like take a moment to reflect on

how we felt five years ago post Snowden with fear over criminalization or research I want to pivot real fast so that we can tee up the hard questions so in general what we've been trying to do with your help responding we're needed on cars on medical devices on hospital preparedness on oil and gas on aviation you're gonna see later on high-speed rail on maritime is we become kind of the trusted ambassador to public policy domestically internationally this morning over breakfast talking to somebody I think I don't know if I how I feel about this but she basically described us as the the professional association for hackers no we are not a professional organization but you know we get we play

the role of if they want a trusted independent voice of reason on cybersecurity issues they come to us first reminding me one of our you know identified teammates it might just be that they know that we can point them in the right direction and that feels pretty good I feel like we've done quite a quite a bit I'm also here to tell you that we got to do so much more I mean I'm blown away by the kind of things we did over the last five years with your help I'm terrified at how much more there is to do and how hard it's been to scale because what we did to get us here isn't gonna get us to the next

level. And I also fear at times... you know, Jen Ellis is not in the room, she'd kill me for saying it, I'm gonna say it anyway: I flirted with the idea of calling this talk "The Cavalry Is Cancelled." Not because we haven't done a good job, but because we have, right? But what we don't want to do is say, okay, the cavalry is on top of it, you know, I support the cavalry. There are so many unsolved projects and so many missed opportunities where we could have commented on a public policy document, or we could have engaged in a workshop, or we could have started a new initiative. What we don't want to do is have this thing get passive. I think the question was: will this crazy experiment work, does this blueprint actually have impact? The answer to that is hell yes. The question becomes, you know, what do we do with that blueprint? Do we just kind of slog along and say the cavalry is working on stuff, or do we create a vacuum where other people can fill it? And we don't want to... are we truly to pull the plug? Some people don't know when to stop. But I think the spirit of what I wrestled with, with the instinct of saying okay, we had a five-year run, it's great, we know the blueprint works, I'm so excited to see what each of you guys do with that blueprint... it's not to, like, stop what we're doing. In fact, we have to accelerate what we're doing. But really what the instinct was is: how do we amp up the individual participation in this room? Beau is an inhuman superstar; there's only one Beau, and we're only gonna go so far. And the question becomes how do we get more logistical help, more delegation, more formal... you know, we've resisted publicity on some of the things we've done, we've resisted taking money, we still have not taken a penny in five years. We've massively disrupted the way policy is done in the technology community, but to go further maybe we have to actually look at some sort of formal structure. But I really want to start asking those uncomfortable questions: instead of just slogging along for the next five years, can we be very deliberate about how we reinvent ourselves? Maybe Cavalry One... not always over, maybe this five-year run is done. Maybe we should have an explicit constitutional congress, like we did at DerbyCon, again to decide what the next five years look like, so that we make a conscious choice how to organize, how to execute, how to engage differently for that road ahead.

So I want to end a little bit of this just focusing on some of the things Beau and I talked about over scotch the other night. When we first launched, we said we were concerned about public safety and human life, of which there is still a ton of work to do. We talked about preservation of security research, which has made huge strides but is not over. And we talked about the relationship between technology and the human condition, which is a very, very different interest group than some of this stuff. But if you look at the tensions we're having with globalization, with social media, with our inability to tame trolls or extreme groups, I think we've kind of adopted technology for its immediate and obvious benefits, but we had never done the cost-benefit analysis, and I think technology has shaped us instead of us shaping our use of it. And that's a different demographic than some of the people that might have been attracted to this room. But what I talked about, at least two differences besides the structural one: maybe it's time that we start expanding and having parallel, capital-R templates or movements to more deliberately tackle some of these things that we initially orphaned to have more focus in scope. And number two, orthogonal to that, I mean we start getting more overt about the things we do. We've benefited from our obscurity; we did not want to raise the attention of would-be adversaries. We wanted to get a lot of stuff done when no one was paying attention, but maybe we should start arguing and talking more.

When I asked him what his top five accomplishments were in the cavalry, and he asked me mine, and when we compared notes, like, I completely forgot we brought two sitting congressmen to DEF CON last year, or I completely forgot we did the first clinical hacking simulations. And we're kind of forgetting about things that other groups may never accomplish. It had served us for a time, but maybe we need to energize this group to be more excited, because we haven't shared enough of the successes we've had. So we have a lot of trade-off questions to work through, but mostly, like, if we've started to prove that yes, this template works, and yes, you don't have to be defeatist and stand in the darkness, that bold positive experimentation and an open heart and leading with empathy can get results... we did that initially with a small group, we now have a large group, but I think we expand to what Brian Kieffer first said: we need a guild, right? So we've done some five-man dungeons, but if you want to take down the dragons we've got to find the next level of scale, the next level of participation. And I don't know how to get there, but I know that you guys can help us. So let's not cancel the cavalry, but let's ask ourselves: if this first five years proved the model worked, and I think it has, what should the next five years be? And what you're gonna see in fantastic content throughout today and tomorrow is some of the ways we've engaged with media positively, some of the ways we've engaged with government stakeholders positively, some of the ways we have solved problems, some of the unsolvable. It's you, or someone within your sphere of control and influence. Don't look at this as a track to watch; look at this as a catalyst to start something. Drive your own project, and we will be that platform, that communication ambassador, translator, platform that amplifies your passion. Because if you look at what we did with cyber safety, if you take the cyber safety out of it, what we really built is a trusted network of hacking professionals that can interface with the outside world towards high effect in a very short time. So with that I'm gonna stop talking and show a very short video.

eventually

All right, hoping the audio works. This was filmed here last year during the track by Bob Dylan's son.

Cybersecurity: all this software and productivity is defining modern culture. It's a pretty concerning thing. When you add software to something, you make it weaker, you make it hackable, and when you connect it to other things, you make it exposed. Vehicles, medical devices, hospitals, high-speed rail, aviation, power plants. Our dependence on connected technology has grown faster than our ability to secure it, particularly in areas affecting national security, human life and public safety, global GDP and the economy. These are not merely theoretical. We've actually now seen some types of cyber attacks that have had profound impact: WannaCry and Petya, and what we've recently seen with the ransomware; it compromised an entire ecosystem. I had thought naively that if I could get as high and deep as I could to the decision makers in government, that they would just fix our problems. The cavalry isn't coming. I Am The Cavalry is a completely grassroots volunteer organization. We brought together hackers and regulators and device makers, industry and government, towards the outcome of meaningful policy reform or smarter engineering choices before you have high-consequence failures. If you just say you're a hacker, it resonates deep inside people as a negative. If you say you're an information security researcher, it's a bit different. Either way you're doing the same work. I think there are more hackers out there intending to do good and to help. We share information a lot, we share techniques a lot. Our focus is on things that are gonna impact humans, right? Human life, public safety. Our heaviest focus has been health care, followed by transportation, connected vehicles. Well, we have projects on maritime hacking: you can spoof GPS and divert ships into piracy shipping lanes. There's high-speed rail, or positive train control vulnerabilities in Amtrak. We're also looking at tractors, which could affect the global food supply. It involves both a reactive and proactive approach. The reactive approach is making sure your infrastructure is as secure as it can be, and then the proactive approach is actually doing threat hunting. We had a lot of medical device hackers, and one's a diabetic, and he hacked his own insulin pump. He found he could give a lethal dose of insulin without authentication. The manufacturer went public with the research to make sure that people were aware that there were security vulnerabilities in that device and how they could protect themselves against it. This is not going to be two hackers in their basement trying to change the world. This is going to be a community effort. Working with Josh Corman and with Beau Woods and I Am The Cavalry helps bring that type of cohesiveness to the ecosystem which hadn't been there in the past. It's not just a U.S. thing anymore; there's people that live in Europe, in Asia and Latin America who all say that they're members of the cavalry. It holds the most promise, working among those different stakeholder groups, to be safer, sooner, together.

You know, I feel very conflicted about the last five years, but I am so inspired by every single one of you that has helped in any way, shape or form. We had no idea if this was gonna work, and we have so much more to do, but it works. You don't have to be angry all the time. The next stage is gonna be figuring out how we wrestle with our own demons, how we hold our nose and get used to talking about "cyber" and talking to policymakers, and don't look at all policy as bad. It's like "fire good, fire bad," but we engage those teammates, and there's some incredible government allies in this room. And, you know, Spot the Fed used to be like the first thing to watch out for; I want you to spot the Fed here and thank them, because they are hackers too, and they have done breathtaking things. I can't even name the top five or ten things that I'm proud of with this movement and the things we've done, but we're not just theoretically saving lives, we are actually doing so. It's just so satisfying. So back to that Stan Lee thing: you guys are my heroes. Let's figure out how to be better heroes together and inspire more heroism. Thank you for those five years. I'm so excited by the next.
