
I just want to go ahead and announce that today's keynote is Dr. Amit Elazari, speaking about "Hacking Policy and Policy Hacking: A Hacker Guide to the Universe of Cyber Policy." So without further ado, welcome to the stage.

Thank you. Hi everyone. I wanna, I wanna like see who we have here in the room. How many of you have been to my BSides 2018 talk about legal safe harbors? OK, so not all the room, but a couple. That's good, no worries, I'm going to give you a preview here too. How many hackers? How many lawyers? How many regulators? Hey Jack, you're both, all of them. So, kidding. Um, you'll, you'll hear about Jack too. Um, well, I'm really excited to be here. My
name is Dr. Amit Elazari, keep the doctor, uh, just Amit. You might know my sister, Keren Elazari, founder of, co-founder of, of BSides Tel Aviv, largest hacker convention in Tel Aviv, coming at you this June, end of June, during Cyber Week. Uh, mark your calendars. We all know how much we love our BSides. And is, are we, are we making progress here? OK, great. Um
OK, presentation. Oh, you want to load from the PDF? Team, BSides team, I don't know why it's not... Sorry, this is still the Intel machine, so I'm like, you're getting all the Intel vulnerabilities here. Here we go. We heard that noise, yes, Dean, we got it. Um, I just need the clicker. Here we go, good. Sorry about that. Uh, those of you know that those are sisters, no, it's a fast ride anyway, but since we are 15 minutes behind, you better, yeah, strap on for this ride. Um, for those of you coming in, uh, whoever is going to come in is going to get a direct upgrade to the front row seat, uh, free, uh, which is kind of cool when you
present here. Um, well, this is, as I said, I'm Amit Elazari. This is going to be a fast ride into the universe of cyber policy law, but I first want to tell you why I'm here. So a little bit about me: I'm actually a lawyer, but I'm not your lawyer; today is not legal advice. But I'm also technical at, uh, Intel, uh, which I'm gonna leave by the way, mesh first is my last day at Intel. Um, I'm also a principal engineer, so it's a bit confusing. I guess I'm a little bit of all. My background is legal and technical. Obviously I'm Israeli. I spent some time in the Israeli intelligence forces, where I hack things that I cannot
talk about. Then I, I moved to work in another semiconductor industry, a very important one, photovoltaics, where I designed solar power stations. Then I decided that I loved the law so much that I have four degrees, three of them in the law. Why is a very good question, I agree with you all. You're going to hear a little bit about it today. But I went to Reichman University, where I still teach cyber law today in the master program, and then I decided that I also need to practice law, because that's the process in Israel, and I became a big law and M&A lawyer. So I went, I helped startups, and this is of all size. One of my biggest
acquisitions was Annapurna, yeah, a chip company. Yes, there is a theme in my life, I like, I guess, I love hardware, and I help them with their acquisition. But then an opportunity arose to become, I guess, the first Israeli student that got accepted to the direct track doctoral law program in Berkeley. Now why Berkeley? Because it's full of hackers. So I spent most of my time at Berkeley with hackers. It's also the best technology law school in the world. And 2018 I graduated at Berkeley, with the help of all of you here, and you will learn how. So my passion is this intersection between policy, engineering, innovation, technology, hacking and law, and I know
these are a lot of words, but my goal today is to show you how all of you right here, some of you in the room, are already policy hackers, right, and what does it mean to engage in this universe of cyber law and cyber policies, and why you should embark on this complicated journey. So this is, as I said, a journey into space. We're going to land on a few planets, and as I promised in the abstract, we're gonna have some guest speakers, because when you go into space you don't know which aliens, which adventures, which laws you're gonna come into. OK, so I already told you that I'm passionate about law and I spent some
time in that beautiful university at Berkeley, but I didn't tell you what I did there. So first of all, I decided that it's very cool to see how hacking methods and operating systems of Android can potentially, at scale, find COPPA violations. So COPPA is a privacy law. Who here saw the Silicon Valley episode on COPPA? Forty thousand dollars per violation. She has something, some knots. Um, it's a very important law, it protects children's privacy online. Um, it's gone through some revisions, but one of the biggest complexities that we have in the policy and law landscape is how do we enforce it, and here's the first area where we see the aid of technology and hackers. Hackers are helping us to
enforce the law. In fact, technology is a strong enabler and a positioning of policy and laws, and technology, as Lawrence Lessig tells us, and code can be policy too. So I spent some time working on that. Uh, that's how I got my first bug bounty. It's not my own, uh, this was co-authored with some brilliant hackers from ICSI, Professor Serge Egelman's team. Resulted in ten thousand dollars from Facebook and Meta and five thousand dollars from Google, but also a settlement with Google by the Attorney General of New Mexico in 120 million dollars. So I guess the combination of technology and enforcement can get a little bit powerful. But the cool stuff is we took the five, fifteen thousand
hundred dollars and we went to Tao and we skied there, and that's what I did after RSA 2018, and guess what, as opposed to my friend's, uh, experience, I did not break any knees and any bone, so that was really cool. If you want to check that out, that's AppCensus. But this is where I first got to kind of know the joy of working with hackers, and what can we achieve if we do, if we take policy and hackers and computer scientists on the same paper. Obviously I was an academic, so this is a paper too. It got the USENIX, I think, paper award as well as the PETS paper award, and that's pretty cool. But
what's most important, it taught me about the value of bug bounties. So this is my first bounty, is actually a data abuse bug bounty, which made me think already in 2017 about this interesting concept. Sven, where are you? Raise your hand. I told you, guest speakers. Coming at you DEF CON 2023, hopefully the biggest hacking event for AI ever. Yes, an algorithmic bug bounty. Guess what, we can bring bug bounties to algorithms, because the power of the crowd is not confined to security, and we're going to talk about it when Harley is going to talk about anti-hacking laws, and you will see that a lot of the case law and papers coming from security research have a lot in common with algorithmic
auditors, with researchers that are uncovering issues in privacy and in data. So I invite you to think about security and cyber law as a piece in a much broader domain, enabling the crowd, the hackers, the thinkers, and above all openness and transparency. But of course I'm a lawyer, so, not Thriller but a lawyer, so I fell in love with contracts, and I wrote my entire dissertation at Berkeley on very long contracts. In fact, 2018, I studied, I stood here and I said, yeah, I'm that person that reads those terms of use. Guess what, I also have a hacker sister, and my sister tells me all about the power of hackers, as she said, as she
stood on the TED stage in 2014. By the way, friend, mentor, inspiration, my best friend in the world, many thanks to Keren, who is the reason why I'm in cyber. So it's a very important lesson. She tells me about bug hunters and their challenges, she tells me about hackers and the power of security researchers, and since I'm already obsessed with very long contracts, I start to investigate this phenomenon of bug bounties, right. So how many bug hunters in the room? I know a couple, don't be shy. Yes, you, yes. How many security researchers that got a bounty, maybe not full-time? Couple. Bug bounties are this amazing phenomenon where we as corporations, organizations, all the way
from Intel to Starbucks to Silicon Valley giants in the 90s to the Pentagon, and I see you here my friend Jack Cable, one of the first teenage hackers to hack the Pentagon, to U.S. government, to the European Union, leverage the power of hackers at scale to not only allow them to report vulnerabilities and get time and get money for their time, but for me, create the first legal, more legal environment where hackers can truly celebrate their skill set, with maybe just a little bit less of being legally threatened. So I get to know, and I, I'm impressed, and I'm, I just get fascinated by these amazing human beings, like this friend of mine right here, Jack Cable,
and the power that that community can have, and what they find, and how it inspires them, but above all what we can learn from them, and what lawyers and policy makers can learn from them, and guess what, what lawyers and policy makers should be doing for them, and maybe how they can also become policy makers. So naturally, after you read a lot of contracts of bug bounties and you read a lot about cyber crime and computer crime laws, you get to know this law, the CFAA, the Computer Fraud and Abuse Act, the prominent federal law in the United States for anti-hacking, with criminal and civil liability for unauthorized access. There are a couple more, like the
DMCA, you're going to hear all about it from my friend Harley here, is one of the best lawyers and policy people in the world for that. And I discovered that bug bounty contracts create a little bit of liability, at the time, this is 2015, for hackers. Why? Because the same bug bounty program contract that tells you please hack and I will pay for the vulnerability refers to the end user license agreement that says what? Don't hack me. Not the great solution. So obviously, you know, remember, I'm a law student, what do I do? I write a very long paper with a lot of footnotes, and it has to be 50 pages, because I'm writing my dissertation in
the law, that's what I do. But is it enough to do change? No. I am talking with Keren, and as a true aspiring hacker I create a GitHub page. Now I have a GitHub page, and in my GitHub page I have contracts. Guess what, yes, it's a repo with contracts. And then, as a true hacker, I create a hall of fame, for what? For bug bounty contracts that have slightly better protections for hackers. We call that the legal safe harbor. That's enough? That's, like, me, I meet, you know, I'm doing papers, that's not enough for a difference. And Taylor tells me, come to DEF CON, meet Casey, meet Wendy, meet Jack, meet Jason, meet all my friends, meets
van, the hacker community, you have something here, you're just a student, but maybe they will help you. So I do a little bit of that, and as I enjoy speaking, I start doing the show, and I tell the hackers, we need to fix this, this is not enough. And I come to BSides, my first talk ever, it's embarrassing, you should hear my accent, too fast, not the best peak, not the best speech, not the best talk, check it out online. 2017, this is DEF CON, first question I get: but Amit, this is so theoretical, who would ever want to sue someone who is participating in a bug bounty? Right, they're in a bug bounty, who would ever threaten legal, you know,
who would ever send the legal letter to a hacker in a bug bounty? Well, you can check out the 2018, I told them in the room, don't wait for it, it will happen. Guess what, it happened. That's a preview, check out the full talk if you want to hear about it. But I come here to BSides, and this is why I'm telling you all of you in the room are already policy hackers, because when I was a student I came for this room for help, and the room has provided. The community came together, and when I sat here and I said, and we need to change this, and you have the power to change this policy reality,
and the details don't matter, that's not the message. There you can go online and find all the nuance, somehow the CFAA and the DMCA and the contracts and over that, all that created the situation. Here's what matters: the community has the power, and if we engage in the conversation, if we open and educate and make everybody aware and explain to them where are they at, why policy and laws matter, they would engage. And this, with the power of Casey, disclose.io and all of you in the room, has garnered some results. So this is Mr student, look at me with my gear, Berkeley Law, through DEF CON, you know, hacker t-shirt. My sister told me never
wear a suit for hacker conference. No, I'm joking, she told me be yourself and celebrate it, and I'm doing this today with my red jacket. But you can check it all online. But here's what's interesting, and I'm actually going to take a moment to do this, because I think it's a very interesting illustration. Let's see if it works.
You probably can't hear it. You know, you can't hear it. OK, so you're just gonna have to trust me on this. Check out, check out this presentation and what I said to this room in 2018. I said, here's what I envision: I envision a future where hackers will not hack if there is no safe harbor. I envision a future where, from four programs with safe harbor, one of them the US government, DOD, by the way very cool work, work by Charlie, by rural, by Katie, I'm depending on many others, Leonard Bailey of course, there is no talk about CFAA about, that doesn't mention how much he was a great inspiration in this field. I told them, I imagine the future where
this was the standard, and I told this community, I was a student, I told this community, this is up to us, the people in this room, you can make this work. The community has the power to change this today, and you don't need policy reform, all you need is to feel a little bit more inspired and engaged to think about policy and what it matters, and then people like me, like others, like Jack, everybody here in the room, to open up and share from the knowledge, and then we simplify access to this area. So this worked, and I got the attention of a few very great, great hackers, like Casey, like Jensen, like Jack, and they're
like, oh, you're not gonna hack until you fix this, and they were here in this room. And then I convinced the platforms. Fast forward, a couple of companies adopted safe harbor. This includes Elon Musk, that's how I met him, and DEF CON, actually got a challenge coin from him, one of 30 or 40 in the world. Uh, yolino yawning Amon, good friend from Tesla, made that happen. Not for hacking the Tesla, but this is a challenge coin, I love it, uh, but for fixing the program. And guess what, they did something very cool, I think still one of the only, maybe 10, in the world right now on this. They figured out the problem with hacking
Teslas is access to Teslas, and that people don't want to test their own Tesla because there is a problem, there is a, accident Academy Missouri's term, um, yeah, you need to fix it, and it's not free, because the hacking would violate, guess what, another contract, the warranty. So they fixed that, and if you have a Tesla, people, you can absolutely register as a pre-approved security researcher on the website, hacker Tesla, and if something happens they would fix it for free. This is the power of policy and law. So a lot more, uh, researchers now have access to test this. But here's where it gets really interesting. Casey here, um, took the challenge and invited, with all his prior work and
my work and others, to co-found disclose.io, an open source initiative aimed to increase awareness to this problem of contracts stifling research because of interactions with anti-hacking laws, and this was, I want to say, 2017. Just to give you, this is disclose.io, and I just want to inspire you to think about the trajectory here. 2018, '16, sorry, I start my research: only 17 companies in the world with the bug bounty that says if you hack me I will not pursue legal action in the bug bounty contract. 2017, we start legal safe harbor. As I told you, I had like four com-, four, I had to check it out on the talk, I had four
companies when I came here to speak. We formed disclose.io, we start talk about it, we get the support of the hackers. 2018, HackerOne and Bugcrowd change their default terms. Thousands of companies using their services, including in the private bug bounty market that we don't have access to, start to adopt your language. Tens of thousands of hackers are more protected because of that language. This is contract, this is not CFAA reform yet, this is just a contract that is applicable at scale. Think open source license, think Creative Commons, for thousands of thousands of hackers. 2020, friends in CISA and DHS, Cameron, Jack, others, decide it's a good practice, it's a public policy imperative to help the
hackers when they help us and provide vulnerability reporting. They issue a binding operating directive saying all federal agencies, not only will you have a vulnerability disclosure program, you will address, or try to address or mitigate, the legal risks of the hacker and provide a safe harbor. This is still 2020. We get Van Buren, you will hear about it from Harley, first Supreme Court case on CFAA in 20 years, dealing with the issue of authorization. The entire security research community, auditors, generalists, everybody scraping, everything is at stake in the Supreme Court. The Supreme Court gets free opinions, we call it the amicus briefs, from third parties referring to this problem, including one from disclose.io with the
support of hundreds of hackers and tens and hundreds of companies. Guess what, 2021, the research, this is by the way, for me, I did some stuff in my life, this is my proudest moment, the Supreme Court cites this work in contracts when it makes the decision, we still have problems with Van Buren, but to narrow a little bit more the interpretation of CFAA and anti-hacking laws impacting all of us here in the room. Remember, 2016, this is an academic paper, this is four provisions of contracts with four companies. This is the power of policy. 2023, disclose.io, thank you Jack, is referred to in Jen Easterly, director of CISA, DHS, Department of Homeland Security, major agency for critical
infrastructure and cyber protection, speech and cardigan, 2023, disclose.io, check that out. Secure by design best practices: all of your critical infrastructure operators, all of you manufacturers, current vulnerability disclosure programs, but with what? With safe harbors for researchers. What else we're going to see in 2023? I'm going to make a prediction: the EU Cyber Resilience Act, if I have time and we'll talk about it, in my hopes, in my dreams, all manufacturers selling products to Europe not only having vulnerability disclosure programs, so hackers can know where to report to issues, but with legal protections. European Parliament, coming at you, 2027. We'll see if I, with your support and Harley's support, make that happen. I hope so. So this is a story on
how you are already a policy hacker, because guess what, when I came here to 2018, 2017, to DEF CON, to BSides Las Vegas, to BSides San Francisco, when I spoke on this issue, this community has provided, this room has provided, and I tell you, no way this is, this would ever happen with us without the support of anyone in this room and the support of the community. This is the power of the crowd. You too can engage and should engage in this space and world. So let's hop in. I already said it's not legal advice. I'm gonna say a few words about, you know, how this landscape is complex and what is changing in it, and then I'm
going to invite Harley to tell you a little bit more about anti-hacking laws, why it matters and how you can engage, a little bit about security policy. Again, strap on, fast, fast ride here. What do we see in the environment? Policy makers react to vulnerabilities, like society. Every key vulnerability and attack brings a way of neurologists. Cyber law is perhaps the most complex, dynamic, impactful piece of domain legislation, in my opinion, that we have today. The Mirai botnet, how many of you aware? We are, we have a couple events. Huge botnet, partially happened because of default passwords, right, the bot taking the devices not because the hacker wants to Spire someone toasting or coffee making right abilities, but rather take all
these bots into a major network that will cause a denial of service attack. Default passwords, IoT devices, that's a problem, policy makers agree. A wave of IoT security regulation, California, Singapore, NIST, FTC, Europe, UK, all of that, a lot of it inspired by Mirai. Log4j, open source security, what do we get? Even more traction to the concept of the software bill of materials from the executive order, even more focused on the important problems for open source security. SolarWinds, what do we get? Colonial Pipeline, ransomware payment: we have now a federal law on incident reporting and ransomware payment reporting. They are all connected. When we see something in the cyber attack versus surface, it impacts the way regulatory
thinks, where they pay their attention and how they hacked. OK, what are, what am I talking about when I talk about security policy? Security policy is not your own company policy, but also this landscape of regulation, standards, contracts and code and design. It's a complex area, but it's also an inspiring area, because remember disclose.io: disclose.io is an initiative that uses contracts, so policy is not just laws, and change can happen through code and through contract. What are some of the key principles in this space? There is one thing I know about hackers and attack, right: it varies. It's not just lawyers saying it depends, hackers say that too, right, because it depends on the stack, it
depends on the environment. Sometimes the OT, physical, sometimes it's a small IoT device, or maybe it's the grid, maybe it's the cloud. Environments matter. So we have all these different segments and business models and the software and the SaaS, but we also have all this jurisdiction. It's a complex planet, right, exactly like in our space kind of thing, where you have all these aliens but they all come together to the Star Wars cafe, and somehow they all kind of understand each other, although all these aliens, right, are coming from different nations and different policy spaces, and some are doing standards instead of doing policy, and several hackers. That's what's cool about this planet, which I hope you come
and join us too. We have all these global interaction, and we have this convergence of security and AI and privacy. It just means that when it comes to policy in cyber we have a lot of principles. We think about leveraging standards and technical documentation, we think about flexibility and this idea of design neutrality. Why? If you put in the law the concept of passwords, guess what, I hope passwords become a thing of the past. Maybe you should think about using the term authentication. Cool, that's a little bit more future proof. All these different considerations is what come in mind when me and my fellow peers are speaking with regulators and policy makers. I invite you to learn more about it and
check this out, but without further ado I want to invite Harley Geiger, good friend, inspiration, mentor, to take the stage and invite you to participate in the Hacking Policy Council. [Applause]

Hi, thank you very much. So hello BSides, and thank you very much for inviting me on here, I really appreciate it. So I'm going to talk a little bit about hacking law and policy, sort of how it has changed and how that is the result of community action. And before that though, like, like me, I'm a lawyer, but this is not legal advice, please do not get me in trouble with my law firm. If you need legal advice then you should get a lawyer, because they are really great.
Um, so I'm going to talk a little bit about the CFAA, section 1201 and state laws, and how they've changed just in the past few years, some of the progress that has been made, and then some of the challenges that are still left. Uh, so by now I'm sure that all of you know the vast majority of our computer crime laws were created in, like, 20 or 30 years ago, and this has led to a chilling effect, because it gave a lot of organizations, companies, government agencies leverage over security researchers to say that what they're doing, their security research or their vulnerability disclosure, is somehow illegal, and it gives them the power to stop it. The CFAA, it was a big one, right,
so that is our nation's premier anti-hacking law, and it restricts accessing a computer without authorization, but obviously in the past 30 years what qualifies as authorization has changed quite a bit. It's become a much bigger gray area, and for a while a lot of courts were, were issuing opinions that stated that if you were violating terms of service, that you were exceeding your authorized access, you've lost your authorization, and this is a federal hacking crime. But for security researchers, that's what they do all the time, right, like they use computers in unexpected ways to get unexpected results, and so CFAA in terms of service violations being an anti-hacking crime suddenly became a big problem for them.
Section 1201: that law says that you cannot circumvent security safeguards to software, even for software that you license yourself, right. So if you own a device yourself and you have it there, you own the device perhaps, but you're only licensing the software, and if you're circumventing software security safeguards without the authorization of the software manufacturer, and who gets, who gets the authorization from the software manufacturer first if you're doing it independent, right, then you have violated section 1201. And although the CFAA gets a great deal of attention, probably most of you are from some state here in the United States, every state has its own version of the CFAA. The CFAA is not a preemptive law, it's a federal
law, but each state has its own computer crime law, and most of those laws are actually more broad than the Computer Fraud and Abuse Act, believe it or not. If you'll look it up you'll see it's the same sort of verbiage, but they also include other provisions or they take away other requirements that make them in fact more broad. But in the past seven years, and I'd say especially in the past three years, there's been a tremendous amount of progress. You've heard a great deal of it from Amit here already, right. But so section 1201 now has a pretty robust security researcher exception for it, it covers a lot of security research. The
CFAA, there was the Van Buren decision, that is the Supreme Court decision, and the Supreme Court rather definitively answered a lot of the, the terms of service question, stating that if you have authorization to access a computer for one purpose, like personal or employment use, then if you are using it for another purpose that is perhaps not authorized, this is not a CFAA violation. So that personal or employer computer, if you're authorized for it, for that independent security research, is not by itself going to be a CFAA violation. In addition, right after that Van Buren decision, the Department of Justice issued a charging policy change saying that their prosecutors would decline to prosecute good faith security
researchers, and it was based on the section 1201 exemption. The state of Washington actually had, as an exception for white hat hacking, is a carve out from their computer crime law, and then some nations are following suit. Belgium recently issued a safe harbor from its nationwide computer crime law for security researchers, and then globally we're seeing a lot more adoption of coordinated vulnerability disclosure and vulnerability disclosure policies, which will help a great deal by avoiding misunderstandings and conflicts between researchers and the organizations that they are disclosing their vulnerabilities to. How did we get here, how did all this happen? It's like, like Amit said, communicate, the, the community has been absolutely key. This has not
been by a single driving force, there's no single, single lobbyist or single organization or single security researcher that has made all of this happen. It has been community engagement from the ground up. It has been organizations in the nonprofit sector, government officials who are friendly and motivated and passionate about this, a lot of industry figures, a lot of academics, and I think most importantly countless decentralized, individual interactions between the community and policy makers. That's how it happens, this is very much a ground up sort of effort. But there's still a lot to do. I expect you to read all of this. Uh, so this, this is just a, the charging policy. So the charging policy that the
DOJ had issued, what it says essentially is that an attorney for the government, so a prosecutor, should decline to prosecute a, uh, somebody who is acting, a, performing good faith security research, and they define good faith security research: so you are doing it for good faith testing, investigation or correction of a security flaw in order to strengthen the security for, uh, for users or for the class of machines that you're working on, and you're not doing it in a way that can cause harm to the public. But there's limitations, it's not going to protect you if you're doing something like extortion, right, so it's just for good faith security research. There's a glimpse of the researcher
exception under DMCA, it's virtually the same thing. This has become the, sort of the definition of good faith security research that we're seeing kind of, uh, percolate throughout the law right now. Um, same thing, if you're accessing the computer for purposes of investigating and correcting a security flaw and doing it for just that purpose, you know, and you're, you're doing it, uh, in a way that's going to avoid harm to the public. There's Washington, you can see there in the, in the highlighted portion, um, that is your white hat security research exemption, uh, in the state of Washington for their computer crime law. So a lot of progress, and these things are, are meaningful. It's not often that a
class of professionals like this gets carve outs from the law specifically for them, and it shows the power of that community engagement. Some of the things that still need to happen though: greater adoption of coordinated vulnerability disclosure, I mean, it's still a minority of organizations that have vulnerability disclosure policies. The Cyber Resilience Act, so this is, this is a proposed law in Europe, it's going to be huge, you're going to, we're going to be talking about it the way that we talk about GDPR right now, but it'll take a while to get through. But one of the provisions of that law states that you must, if you have a, x, a vulnerability that is exploited without authorization, which
again is that funny concept, which includes good faith security research, right, if you're doing it without authorization, that exploit or that vulnerability must be disclosed to European government agencies within 24 hours. To 24 hours, it is not likely to be mitigated. So you're, imagine this is, and this applies to all software in Europe, so imagine a rolling list of software packages with unmitigated vulnerabilities. That will make vulnerability disclosure a lot less welcome, right, if you're disclosing it to, it to an organization and they have to go through all that. Uh, state anti-hacking laws, I mentioned, so the state of Washington, wonderful that they have a, an exemption, however that's the only state that I know of
that does, right, so there are tons of other states out there with very broad anti-hacking laws. They have not evolved the way that the CFAA has, there's no Van Buren for the states, there's no charging policy like the DOJ did, that was just for the CFAA, does not apply to the states. Uh, state, uh, DMCA: so there's that researcher exception, it protects the act of research, but it does not protect making your, your tools public. So this actually applies to all penetration testing services, believe it or not, as well as making your exploits public. The DMCA actually prohibits this, and we're all just kind of whistling past this regulation, but it's there, and there is
no security exception, there's no possibility of a secure, a security exception for it without an act of Congress. And then OFAC sanctions: we don't believe that vulner-, receiving a vulnerability disclosure from an OFAC sanctioned entity ought to be an OFAC violation. And to address some of these issues we made the Hacking Policy Council. Uh, thanks. Um, so the Hacking Policy Council is a group of companies, uh, that have gotten together to make a more favorable legal, policy and business environment for vulnerability disclosure, good faith security research, penetration testing, vulnerability management. Right now those, the group of companies is Google, Intel, Bugcrowd, HackerOne, Intigriti and Luta Security, and together we're working on the issues that I just
discussed so the Cyber Resilience Act there's that article again don't expect you to read it but feel free to take a picture it says Article 11 if you have contacts with European government I suggest that you reach out to them this is a terrible policy we think that this raises intelligence concerns it's going to require vulnerability sort of disclose to perhaps dozens upwards of 50 government agencies each time OFAC right so as we increase security CVD throughout the world it's going to result in more vulnerability disclosures to more organizations and we don't think that that should be disrupted that is a good thing for the community we want organizations to get their vulnerability disclosures we don't want sanctions to
be one of those things that gets in the way we have an export regulator or an export exception for it we need one for OFAC now and then just an example of a state law that is in dire need of some reform this is Maryland uh home of the NSA and if you even attempt to identify a valid access code if you if you even attempt to identify a hard-coded password in an IoT device or a default password in in products that come out like a friend of mine he built the Defaultinator right then apparently in Maryland this is this is not this is not legal very outdated and then despite all that even even if
we get through those things and despite the progress that we have still made right there are still going to be instances where security researchers are facing legal threats for good faith security research so the Hacking Policy Council is taking on policy advocacy the Security Research Legal Defense Fund is supposed to help take on the judiciary in a way right so this is a this is a defense fund that will be able to provide financial assistance to security researchers that face legal threats for good faith security research like that like the DOJ charging policy it's not interested in protecting you if you are engaging in something like extortion but for a lot of hackers that receive sort
of bogus threats and cease and desist letters the Security Research Legal Defense Fund can help you pay for your lawyer to combat that so this is my last slide then I'll turn it back over to Amit going forward right there's still a lot to do I don't want people to think that because we have made tremendous progress as a community that we can that that's the high water mark and now we will just kind of take it easy I don't think that we can right so as as cyber security laws ramp up in many different sectors and throughout the world these same issues are still going to be there um I would encourage you to focus not
just on federal but also state local international right a lot of the federal law gets most of most of the uh most of the attention but your your states it would be a great place to make your voice heard and that will be the key to continued progress is community engagement and making your voice heard hopefully one of the things that these presentations have taught you is that it works policy advocacy does work but it works best when the entire community is engaged and the entire community shows that it's a priority all right thank you thank you thank you I have my up can we make this work yes okay cool um the good news
and the bad news I'm still talking uh the bad news we won't have time for questions uh but I'm gonna stay around um so thank you Harley and the Venable disclaimers um I'm gonna fast forward uh this this issue on product security all I'll tell you is this remember what GDPR led to privacy and compliance remember how we all talked about it the EU Cyber Resilience Act in progress is the most comprehensive holistic complex regulation and it's going to apply to all products coming into Europe this is very important so try to engage but in the beginning of this talk I told you that I'm leaving Intel and you're probably asking yourself why or maybe you're not asking maybe
it's pretty clear but Intel has been amazing to me and taught me a lot and in the last four years I've been handling the cyber security policy and today I head the cyber security policy at Intel and I also chair a couple of committees like the ITI committee and the Open Source Security Foundation committee all these trade associations and with these trade associations the coalitions we have done a lot but you just heard from Harley that we are asking you to engage but how and where not just in conferences not just here in the room how are you going to be really truly empowered to engage how are we going from a number of companies and trusted
members of the communities and advocates and all these people here that want to make that change into reality well that's my next big thing Open Policy we are still a little bit in stealth but you are getting a preview right here hopefully the video is not going up soon my goal is to democratize policy and truly engage with all entities from all sizes seed startups hackers individuals unicorns with policy makers to get educated to understand to make this important realm of cyber policy and beyond open to more and more and more parties that want to engage and impact that change but we all know for true openness we need technology so hopefully but I've used I'm going to attempt to
disrupt lobbying and I'm not doing it alone but I'm pretty excited Open Policy is going to be access to policy powered by tech keep it a secret yet uh we are a little bit in stealth but that's my next big thing so stay tuned May 1st [Applause]