testing all right are you good for me to get started I'll be I'll beting right there yeah um since we're yeah we we have 90 minutes so I think we're probably good make it work all right uh I'm I'm going to get started um so just a note of apology up front um I have somehow injured myself uh so I may end up sitting um but I'm going to try and do this standing as much as possible um and we'll see how we do uh so thank you for coming um so my name is Jen LS uh at the moment I also go by Hopalong and uh possibly the gimer um I work at rapid 7 and I work with is there any
chance close the door sorry um I work with a a huge number of security researchers both within rapid 7 and across the community and um and that's relevant because it's going to come back to like how I got into cyber security legislation and what I'm doing there um I'm not a lawyer that is kind of important you do need to know this because nothing I tell you is going to be legal advice um and I'm I'm not even really a lobbyist uh and and worse than that I'm British um so uh so the first time I turned up to DC uh with my sort of Mr Washington naivity um I asked whether Congressman worked for senators it was a
good day um so I I really have no credentials to talk to you whatsoever except for the fact that I am doing stuff and in fact this is me testifying to Congress yes this is my moment of uh um self-aggrandisement um so yes this is me testifying um I testified about six weeks ago um and I testified about the impact of the computer frud and Abuse Act on security researchers we talk about that a little bit more um uh through the talk so yeah embarrassing picture there it is um and the CFA is basically my G my gateway drug um so this is how I got into legislation and then we'll talk about some of the other
isation that I I work on um so during the course of this talk and we have a a long session we have uh about 90 minutes um we're going to talk about what some of the proposals are what some of the current law is um and some other sort of non-legislative developments um and then we'll talk about how you guys can get involved my goal is to spend the time sort of half and half like me talking at you and then lots of time for questions so please do kind of think about what your questions will be and and and get ready to ask them a couple of things um I'm going to be focused on security not privacy uh
they do obviously overlap and and there will be times when I talk about privacy issues but mainly my focus is on cyber security um and I'm also not going to touch on vertical specific regulation things like fsma that kind of thing um I'm going to just pause now in case anyone wants to get up and like hurly get out the room oh all right good um and just another uh sort of context setting moment um I'm going to be using the word cyber you guys are probably thanks thanks hi Todd yeah um and I know that that doesn't always sit very well with um security audiences and and and I understand why uh it's because you know
what the internet is um but at the same time this is the language that is used in DC and since this talk is all about what's happening in DC I will be using the word cyber deal with it so um before I get into the sort of ins and outs of what's happening I kind of want to address some uh some context around you know our community and how our community thinks about legislation um I work really actively in DC trying to build collaboration between the security Community um and the and the DC Community um with a view to the fact that they're paying attention to cyber security right now and that's not going to change it's going to continue and it
affects our lives and we have the ability to shape that there is a lot of discourse in our community about the government being idiots um not knowing what they're doing being out to get us I'm not going to be indulging in any of that and so if that's the talk you're looking for not the talk for you um the reality is they they know their world they don't know our world because it's it's not their world um and it's our job to help them understand so what I'm going to be talking about is like how we can do that and what what a role you can play in that um I'm trying to make this
sort of actionable and constructive I'm a big believer in uh trying to be part of the solution not just jumping up and down and pointing out the problem so oh the other thing I should warn you about is I really like audience participation sorry so um does anybody want to take a guess about what this is what this number represents number good guess nice guess it's it's not so the guess was that it's a number of an act um so congress.gov lists all of the pieces of legislation that are proposed and passed um you should check it out if you are interested in what the legislation is so I put uh cyber security in as a
search term on congress.gov and clicked the button that said legislation and there are 519 pieces of legislation in congress.gov library that have the word cyber security in them so basically the gist here is that cyber security is a very Hot Topic in DC it's not going to stop being a Hot Topic in DC it's going to continue to be relevant in a lot of people's lives and we are going to see a lot of people coming up with proposals in fact in the 114th session which is last year into this year we've seen 64 um pieces of legislation proposed just in that session and that's just a vast number and so like everybody on the
hill at the moment understands that they need to have some sort of agenda around cyber security it's not going away and it impacts our lives and we need to know more about it to sort of take control of our own destiny a little bit so as a sample because you know there are 64 pieces and I can't put them all up here but um this is just a sample so how many people have heard of one of these most people in the room great how many people have heard of three of them okay has anyone heard of all of them I've worked on all of these this year in some capacity or other um so
these are all things that are being actively discussed at the moment um so what are they about what do they what do they mean so they basically break out into a few different main themes the biggest theme at the moment in um in legislation around cyber security is around information sharing um now there are there is a certain amount of dialogue in our industry that the reason for this is that the government is trying to find a way to get information out of us I I don't know if that's true or not um my conversations with people have not really revolved around that I think that what the government is trying to do is um the government is desperately trying
to find a way to address the cyber security problem with sort of a limited amount of background and experience and context and doing that and also within the framework of government which in and of itself is limiting there's only so many things you can do and to make legislation like incredibly prescriptive for example is really limiting because it takes a really long time to change law so they're trying to look at ways that the government can actually play a role information sharing is interesting because there's a a perspective that increased transparency um helps us it sort of it's it it raises the tides that rises all ship I can never say that the thing with
the tides and the ships um so we will get better by knowing more things yeah don't use phrases you can't say um so tide raises All Ships that guy that guy has it the rising tide raises All Ships uh R of course for you thank you so that's their basic principle but the reality is that uh you know very few organizations are actually set up to take advantage of information sharing or participate in it maybe like 5% right so like really big financial institutions really big retailers um people in the Intel community so the government is looking at this and thinking you know the government can play a role by basically taking the work that the 5% is doing which includes the
government itself and then helping to disseminate that information to the other 95% that's that's the general thinking that's not actually that bad a goal that's such a decent goal the challenge is how they Implement that and the problem that you have with it is around privacy concerns that's typically the number one problem um government abuses is another concern that people have then there's sort of a lot of discourse around um counter measures or hack back or defensive measures and that's another concern that people have so where we are with information sharing right now is that um uh the there was a cyber week during RSA funnily enough they're now looking at doing another one this week um and
during that cyber week uh there were two house information sharing bills that went to a vote on the floor and and they they won they were overwhelmingly passed um one came from the house Intel committee and one came from house homeand security and those are actually decent bills they're they're pretty decent for for the goal they're trying to achieve they're they're they're good um now we're at a stage where the Senate has their own bill and that bill is called the uh cyber security information sharing act ciser has anyone heard of that great cyer is a little scary um and actually like you know this is something that I think a lot of security people do care about um because there
are some concerns in the implementation and the wording of ciser um a couple of those are uh that there's been concern over uh there's a piece in there that basically says you give your information to the government and oh I missed a really important piece about information sharing so the basic Foundation of information sharing bills is that if you share information you will have liability limitation this is part of the reason they're they're actually like trying to introduce a law to do this so the idea being that if I'm an organization who's had some sort of attack and I take the information from the forensics on that and I share it with the government so
that other people can learn about the attack style and somehow a piece of pii gets mixed up in that that I'm not going to be liable for the fact that I've shared pii provided I took reasonable measures and where a lot of debate comes in is around around the concept of what reasonable measures are um and how you should protect pii and whether it's okay for it ever to be shared so that's one of the issues that comes up in ciser another issue that comes up in ciser is around the idea of um you give your information to the government and then they can use it and share it how they like now that is actually pretty
concerning and there's been a lot of of debate around it um and right now there is a managers amendment that is being proposed why do I keep bouncing down um that right now there's a managers Amendment that's being being proposed for ciser uh that would address that piece around how information can be shared and would try and limit it um and as I said defensive measures is another thing that people are looking at that is creating some concerns around the potential for abuses so there are definitely some issues with CER um there's been talk of it hitting the floor this week um we will see it definitely hit the floor this year and there is very very very strong
commitment um amongst uh certain groups to see it past so um this is something that is probably like on the top of the list for most uh Congressional staff in terms of cyber security legislations it's an important one to be aware of yep what happened to the antitrust red balloon that was beinged about all these inform Shar um I so the question was what happened to the antitrust red balloon that was FL I so I uh I think that actually the way that um the information is being shared uh the the way that they've up for the information to be shared address the antitrust issues um and this keeps bouncing around um but but I would need
to like go and talk to people specifically about it but I'm I'm pretty certain that's what happened is there's limits on or there's descriptors of how the information is shared that that deals with the antitrust issue um so breach notification um so there's been a number of people who've come out with breach notification bills both on the House and Senate side this year the general principle here is that we have 47 different state breach notification bills um for an organization who is you know operating across States that's that's kind of a headache to deal with um for consumers it's hard to know necessarily where you stand and it creates a sort of um disperate level of
um of response to breach situations so what the government's trying to do is come out with basically one ring to all the all um so there's been some debate around how we do this and generally speaking the debate revolves around whether we um preempt the state laws as a ceiling or a floor so the idea being that either you set a minimum standard that everyone has to achieve and then any states that are above that they get to keep their state law um or you set a a standard and you say this is the standard this is it and no no state laws exist outside this uh or no state laws apply out outside this um the civil
liberties groups are very active in this area because of the potential impact for consumers and their argument is that um the the state laws that are stronger should stay in effect and the reality is that um state law moves faster than federal law it can be changed faster so that's that's the basics of the argument around breach notification um I think it's probably unlikely we will see a breach notification move this year I may be wrong um but I I think that's fairly unlikely oh no there's a member of the government here um okay so then the next three I will group together so data protection liability limitation and cyber hygiene the basic gist of this is again we need to do
something about cyber security what can the government do how can we get involved how do we prevent cyber attacks so they're trying to set a bar for how organizations think about um protecting data the kinds of things that they do to the kinds of Technologies they use the kinds of um tactics and policies they put in place um they're looking at limiting liability as a way of incentivizing good behavior and uh the the language that's being used a lot is around cyber hygiene the biggest challenge with any bill in this area is the idea of how you do this without making incredibly prescriptive and how you create a one siiz fits-all approach um I think it's again pretty
unlikely that we'll see something in this area move this year but it's it's worth sort of taking a look at in terms of the kinds of bills in this area just going back up so um um the Cyber Supply Chain management and transparency act would fall into uh that bucket that would probably be cyber hygiene the um protecting student Privacy Act Spy Car Act safety act um and uh the cppa oh consumer privacy protection act those would all fall into that bucket um I think the ones that have the better chance of passing are probably the ones that are narrower in scope so something for example like the Spy Car Act which focuses really specifically on security
and privacy relating to cars that might have a better chance of passing than something that's a little a little bit broader in Impact so then this takes us to the last category law enforcement in authorities um so there are a number of of things oh sorry you had a question yeah since technology moves so much faster than law why you regulate St legislation is likely to resolve technical limitations that's so so the question is that since technology moves faster than law um why are legislators is trying to get involved basically um the reality is it's their job to get involved and to try and find Solutions but you you've hit the nail on the head that is exactly
the challenge that they face and that's why it's really hard for them to create law that's prescriptive and so like even something as simple as um if you look at the breach notification laws a lot of them will have something in there about um you being exempt from liability if you have or not exempt from liability exempt from from notification if you have strong stand standards of encryption applied to the data that's been accessed and yet the language around that is is hard because what is a strong standard of encryption today will not necessarily be the strong standard of encryption in 5 years time so they definitely are aware of that being a problem and they're trying to create a
framework that is prescriptive enough to be meaningful without being so prescriptive that it's limiting and becomes obsolete before it's even passed
yeah um there is also a lot of focus on so the question was that um in other technical areas like Telco um there are agencies that deal with it that can move faster so there actually are pockets of that kind of thing happening um there is uh there are pockets of of non-legislative approaches and there's also Pockets where if you look at the Telo sector there's agenes that um that basically run it day-to-day and decide what needs to be done but then there's legislation that says and this agency will own it and it will do this so that's basically the model they're trying to deploy so for example in a cyber hygiene bill they might say you should follow nist that
kind of thing and that you know nist framework comes out of the Department of Commerce um and is able to be adapted on an ongoing basis which the legislation probably isn't to the same extent is that answer question and then you had a question all right um the the Capitol Hill trying to pass all these acts and all that you mentioning how you're you your job is trying to steer the right way how much and he also said that technology moves faster than so my question is is is how would you make it so cuz if they don't understand that much and it's Keys getting and they're trying to control it the a how just how
are they how do they know what to do so what like they're they're going the right way that's what you're saying but how do they know what to do so that's where like people in this room come in this is where so the question was um given the complexity of the topic and the fact that they're not experts how they figure out what to do um so that that's really where we all can play a role um and really it's about us helping educate them so they're only ever as good as the information they're given by the people who are trying to talk to them and this is why you know people are very cynical about government is because
there are big companies that have big lobbying budgets and those companies are the ones that are influencing legislation because the the staff are talking to them but that's not because the staff don't want to talk to other people that's opportunity that's the opportunity they have so if there are people who want to get involved and are you know prepared to actually sit down and have a conversation then the staff generally will be very very open and receptive to that and actually grateful for that so it's a question of like how people can connect those dots to help with that process and a really big part of it is making it simple for them you know the average
staffer works on a vast number of issues so um I'll brief anecdote so the first time I did a trip to DC to to do any of this stuff um as I said I had packed my suitcase headed to DC like Mr Washington and I uh I get there thinking that we're going to have these great meetings and I'm going to be really impressive and compelling and people are going to pick up the rights of the security researcher and burn the cfaa to the ground and um what actually happened was the day I got there was the day that healthcare.gov fell over and um and I literally like sat in meetings while people watch the
news over my shoulder and I was like okay um and you know and and regardless of like which party you were in you you cared about that news either because it was it was a bad day for your party or because it was a great gleeful day for your party um and so there was a like a high degree of distraction that day and it couldn't have been a better thing for me to see it was the best point in my education that I had in the entire process because it was the moment when I realized that for staffers they have so much going on at the same time they were talking about immigration they had a
bowler at the same time and I was like sat there going so security researchers feel that they're getting a hard time and they were like have you heard about the people dying from Ebola so it was kind of good for me to have that moment of being like Oh yeah there is other going on in the world and um and it's important for us to think about the fact that staffers are trying to cover a vast number of topics and they're they're doing their best and so we need to help them and we need to make it as simple for them as possible um so law enforcement authorities there are a number of options in this area but
the main one that I will point to is around CFA reform and we're going to talk a little bit more about that um uh in the next section so I I'll pop that there but um the the number one bill in this area is the international um cyber crime prevention act um so basically in January President Obama said Cy security is a huge issue we just had the Sony hack we need to do something about it and the White House came out with three proposals that they said they would like to see turned into um legislative drafts one was around information sharing one was about breach notification and one was about extending authorities for law
enforcement and the information sharing we already talked about it got picked up there are a number of bills C is going to happen breach notification we talked about there are a number of people who have something that looks like that so the last one the law enforcement one has been the slowest one to come but there are now people working on it and it's coming out of Senate Judiciary and it is it's called the international cyber crime prevention act and basically it does a bunch of things it updates a number of existing laws and it does things like it gives law enforcement the authority to shut down botn Nets um it applies Rico to um cyber crime um so for
people who don't know that's an organized crime statute it basically means that if you are part of a criminal organization and you commit a cyber crime then they can sort of dot they can they can dot the connect the dots and they can go after to other parts of the organization um it does things like it has um specific sections in it for how trade secrets are treated and how um the sale of uh financial information internationally is treated um there's uh something around critical infrastructure and the protection of critical infrastructure but the really big section in it is a piece on updating the computer for Abuse Act so I'll talk about that more but you guys should
definitely definitely check out the icpa I highly recommend you take a look at it um there is an old copy of it available on the cdt's website because it's not fully public yet so there's a leaked old copy of it there um you should check it out so current laws that affect security uh does anyone know what this is yeah what CFA it's the cfaa yeah I talked about it enough um so I got interested in does everyone know what this reference is by the way yes thank you um okay so the reason that I have a Warg games picture up here is um and this is not a joke unfortunately tragically uh The Story Goes that um President
Reagan watched war games and said oh that's quite scary we need something that deals with that and thus the cfaa was born um and so I got interested in it um I I as I mentioned in the beginning I work with a lot of researchers and uh one of the researchers I work with a guy called HD um he and I had been working on a research project for about N9 months now um in full disclosure he had been working on a research project I just kind of helped him tell people about it um and we'd done a bunch of disclosures um we we disclosed some pretty interesting stuff things that impacted millions of people um some some some
real issues there was uh one thing that meant you could blow up churches in England why is it always England um and so you know it was a Bonafide research project with some pretty good outcomes it had a web page it had a way of opting out um it it it was uh it was pretty legit and HD has a pretty decent um reputation in the security Community he's worked with law enforcement um you know he he kind of fits the criteria of what a Bonafide researcher looks like so imagine our surprise when um it turns out that a prosecutor is going to investigate him um and that prosecutor actually investigated him for three months despite the fact that the FB I
said no no no we've taken a look and we think it's all kosher um the prosecutor investigated him for 3 months and that was a incredibly stressful three months in hd's life um and so at the end of that when the prosecutor decided to drop the case uh HD kind of said um I'm sort of done I don't I don't really want to do research anymore you know it's too much of a risk to my family and um and I couldn't really say don't idiot we should carry on doing the research it's great uh cuz it was his risk and not mine and um and so I was like okay fair enough and then I kind of
got thinking about it so my shameful confession is that I am not very technical sorry besides room not a good time to tell people that um and so I kind of went away and I thought about it and I was like here's the thing right is that as somebody who's not very technical I kind of rely on the work that researchers do I rely on the discoveries and the insight and the ability to make informed choices as a result I have an iPhone because somebody told me that Android's not that secure and um and I would never have like been able to figure that out for myself so for me I feel like security research is
a consumer rights issue um and a consumer protections issue and so after I thought about it a little bit more I kind of said to HD you know I get that the risk is really bad but I think that the work that you do is important I believe in the value of security research and um and so we met with a phenomenal lawyer Marsha Hoffman who I highly recommend for anyone who's in need of um legal counsel in this area and I I remember really clearly it was at it was at black hat a couple years ago and we were satting sat in Caesars and she was telling me the story about how Reagan watched war games and decided
that he needed a law and she said you know it was it was passed it was written in ' 84 and passed in ' 86 and I'm sitting there and like the words are filtering through my haze of you know black hat hangover and I kind of like look at her and I'm like hang on a second the main cyber crime law in the US was passed in 1986 she was like yep I was like so it has been updated it's been updated a number of times uh not adequately um and so there are there are a few issues uh one it is out of date regardless of it having been updated um when I say it's
out of date an example would be that when it was written there was this sort of um distinction in there about accessing protected computers at the time a protected computer would be a great big physical thing stored in a secure building with a fence around it now does anybody have a protected a computer that is not protected anybody in this room have any kind of computer that is not protected in some way all right so the distin the the the distinctions are out ofd and it basically means that um it's hard to know like where the clear boundaries are second issue is that it doesn't Define things very well so the cfaa uh basically hinges around the concept of
authorization um it's either that you have access something without authorization or that you have exceeded authorization in accessing something um and yet authorization is not defined anywhere in the cfaa that is a problem so frequently what happens is we will go to Marsha and say we would like to do a piece of research is this okay and she will say I can't tell you that because there are no clear boundaries and so it's hard to know whether it's okay or not third problem with it the third major issue with the cfaa and this is a doozy is that the cfaa contains both criminal and civil action and how many people have ever been threatened with legal action that
relates to security lot of hands went down then um okay uh so of the people who've been threatened with um with legal action how many of you have been threatened by some kind of law enforcement okay so the rest of you I'm guessing it was civil action right so this is a huge problem the by far and way the broadest application of this law is by um private entities who take a fairly defensive stance over research disclosure and they use the um the law as a sort of Handy stick to beat off researchers it was a weird choice of words um oops uh so you know I and and again another awkward confession um I have a
background in reputation management which means that I am that idiot in an organization who has previously gone oh no I don't like this this looks scary we should make it go away what can we do um and and so the reality is that when you are in an organization when you're in a in a technology provider you have a responsibility to your employees and your shareholders and your customers to stay in business stay profitable stay on track deliver what you promised that kind of stuff so you take an approach where you think that you have to do the things that are going to keep you productive and when a researcher comes to you and says your baby is ugly not
only are you kind of slightly offended and defensive about it but you actually also have an issue whereby you can't really afford to take resources and put it into fixing the issue and you're not even sure that your customers really want you to so I get all of that that is the context in which we live unfortunately because of that because we have that culture at the moment and we haven't yet moved in a widespread way there are outliers obviously that have bug bounties Etc but in in a general sense we haven't moved to a point yet where there is a cultural shift and organizations are on a broad level embracing research so as a result the
fact that they have this handy stick called the CFA is a problem um so a lot of what I do is I basically try to convince people that we should SE some kind of Reform attempt for the cfaa dmca is the next slide so um what I would like to see is I would like to see greater definitions and clear boundaries that would be a basic start it wouldn't exempt research it wouldn't solve the problem in the broad scope but it would mean that there would be less uncertainty it would mean that you guys would like actually know where the line is and it would be easier to tow that line if you can actually spot it I have a weird belief
that laws that affect people or govern them I should say should be understandable to those people um so that's the basic thing I would like to see second thing I would love to see is I would love the cfaa to be criminal and not civil that would address a huge amount of the issues um and the third thing if I was you know if I had a genie standing in front of me I would exempt security research the problem with that is um there's no clean way of doing it because by its very nature uh security research looks like bad guy Behavior can you just refer to intend to do hard no they have tried and and
that's and that's one thing I do want to tell tell you is that there are people who are actively trying to do this there are people who we talk to all the time who are trying to write exemptions and they're really smart people who work in government agencies who understand the issue and care about the issue and care about research and it's just not straightforward to do because any attempt at doing it around intent basically creates a back door for bad guys and so there's there's so the a couple of suggestions that I've had as I've been going through this process that people have said to me or that I've come up with we've worked on one
registering researchers, so exempting a group of people. Who likes the idea of being registered? Yeah. And actually, fundamentally, it doesn't solve the problem, because it doesn't allow for accidental discovery. Two: exempting behavior based on best practices, so if you follow this list of activity then you're okay. Anyone like that idea? Yeah, it changes its context, and the problem is as soon as you create that box, it basically means anything outside that box becomes bad activity, which is not right. So that's difficult. Intent: very, very hard to draw a line around in this context. And by the way, the CFAA is actually an anti-trespass law. If you talk to anybody in the legal profession, they will not describe it as an anti-hacking law; they will tell you it is an anti-trespass law. And trespass law by its very nature is intentionally broad, because you want to have a catch-all for any situation where somebody encroaches on your space without permission. And so when you talk to lawmakers about narrowing it, they're not keen, because it is meant to be very broad, and trespass law also doesn't include intent. So those are some of the challenges with the CFAA.

I'm curious, have you looked at the regulations that stand behind these laws? Because I had to go into a situation where I learned a whole new set of laws because I was in a new vertical. Hi there. I had the experience of going into a new vertical, so I had to learn a whole new set of laws, and then I jumped into the regulations and I found that the regulators may have written something into the regulations, which have the force of law, but it's completely different than what was actually in the black-letter law. Have you looked at the CFAA and seen if it's expanded inside of there?

So there are no regulations that I'm aware of that basically impact this, but there are other attempts at law that would impact it. So at the moment, and it might change, but to the best of my knowledge there are not regulations that speak to this piece, because the CFAA is not about how organizations protect privacy or what they do themselves, which is what regulation would normally speak to. It's about how law enforcement attacks, or not attacks, that's the wrong word, how law enforcement pursues cyber criminals. But there are other bills that affect this. So for example, some of the things that are being proposed in CISA, which we already talked about, they would potentially impact the CFAA. So it is sort of all very interwoven and overlapping, and it does create a massive headache in trying to understand a lot of pieces of legislation. And again, I'm not a lawyer.
Any other questions on the CFAA? There will be lots of time to ask questions at the end as well. Yeah?

Are you aware of any existing specific proposals about better defining authorized access and server, essentially machines that provide services, which is now pretty much every machine in the world?

Yes. So there are a number of lawyers and law professors, legal experts, who have debated it. Orin Kerr wrote a paper that's kind of well known in this area that talks about authorization. And I actually recently went on a bit of a fact-finding mission on this, because I wanted to propose language. There's a lot of dissent within the communities that relate to this area and talk about this area on finding a good proposal, and that is actually part of the challenge. Generally speaking, when you talk to Hill staff, if you can make a recommendation, and you can make it sort of easy for them, and you can explain why it's valuable and important, they will really entertain it. Whereas if you go to them and you're just sort of complaining about a problem, it's much harder for them to know how to deal with it, particularly as this is a complex area. So when I talk to people about it and they say, well, how should we change authorization? And then I go, well, let me send you 60 pages of different suggestions from people. That's where they're kind of like, I mean, if you guys can't figure it out and agree amongst yourselves, then what are we going to do? So that is definitely work that I think our community needs to be focused on, trying to identify some sort of compromise, and we are not by nature a community that embraces compromise all that well.

Okay, the American Bar Association actually has a federated identity and authorization task force. I'm a part of it if you want to know more about it, because we have some state-level laws that are starting to... Virginia has come up with one on federated identity. So there is, and we would love to have more computer scientists participating in the task force.

That's awesome, that's good to know, and I will definitely be talking to you afterwards. Yeah, so like I said, lots of people working on it. It's good to hear that the American Bar Association is working on it. Maybe not so good. Well, again, it comes down to us to help with that, right?

Real quick, have you heard of the project Fork the Law?

Sorry?

Have you heard of the project Fork the Law?

No.

They don't look like they've been particularly active, but they have made some efforts in revising the CFAA.

Oh, great.

And you might find their past progress useful.

Yeah, I'll check it out.

Maybe bringing this forward.

Yeah, that would be great. Thank you, I will check that out. And there are, you know... How many of you have heard of Aaron's Law? Okay, so Aaron's Law is the most famous CFAA reform attempt. It actually wouldn't necessarily help us. I mean it would, in that it creates a better definition, so
it gives us a starker line, but the issues that Aaron's Law is really there to address aren't really around security research, and so it's not necessarily the best proposal for us. It's also realistically never going to pass, so we should look at other attempts.

Okay, so DMCA. Does anybody know what the DMCA is? Okay, who wants to volunteer to say it? [Laughter] Thanks. So yeah, the DMCA is the Digital Millennium Copyright Act. So this is another one that affects security research; I clearly am a little bit biased towards research issues. And the interesting thing about the DMCA is that it is owned by the Library of Congress, which makes no sense whatsoever. So basically the idea of the Digital Millennium Copyright Act is that it will, much like it sounds, help protect copyright, and basically it's trying to say that you cannot circumvent technological protections, and that that is a violation of copyright. And for researchers that's a problem. So if you're looking at researching a thing like a car, which seems to be a hot topic at the moment, then you are probably violating some part of the DMCA. Now the thing that's interesting about the DMCA is it has exceptions and exemptions. Confusing. Helpful. The exceptions say that you can do things like you can reverse the hardware for the purposes of security research, you can look at the encryption of data in transit, but you cannot do stuff like look at the firmware, which is great, because software never has bugs. So those are the exceptions.

Now the exemptions are interesting, because basically when they created the DMCA, they said, okay, technology moves fast, how can we future-proof this bill? And so they have a three-year rulemaking window. What that means is every three years you can apply for an exemption. You apply to the Library of Congress and you create language that would be your exemption, and they take all of these in and they go through a process of public comments, and then they have hearings where people testify about them, and then some time later they think about it and they come back and they say, we will grant this number of exemptions in these areas. And when you get to the next three-year marker, those exemptions go away. We go back to zero and we start again, which, if you've had an exemption in, is really frustrating, because you have to go through the battle every three years. So we're currently in the middle of one of these rulemaking processes, and there are some security research exemptions that were filed. So there was one for cars, there was one for tractors, there was one for medical devices, and then there were a couple that were just broad-reach security research, "if it impacts life we should care about it" kind of stuff. The issue with this that is frustrating for a lot of people is that security research should not be an issue of copyright, and the Library of Congress really shouldn't be involved in determining this question. It's actually kind of completely beside the point; it misses the core of what we're talking about. And here's the thing: there is copyright law. It's not like this is the only copyright law. So this is a law to protect the existing copyright law, which kind of makes no sense.

So personally I would like to see major DMCA reform in general, but at the very least I'm hoping that we will see some great exemptions for security research come out in the next rulemaking. We're expecting to hear back in the fall; that's when we're expecting to hear back from the Library of Congress, and we'll know what has and has not made it through. But generally speaking, with the DMCA, this is a topic that you should care about if you do any kind of reversing, and really we want to see DMCA reform. There is a bill that has come out that would reform the DMCA, specifically to help with research. It's very, very unlikely to move anytime soon, and it's called the Breaking Down Barriers to Innovation Act. So that's the legislation stuff I'm going to focus on; you guys can ask me questions at the end.

But in the meantime I thought I would talk a little bit about non-legislative approaches, some of the stuff that's going on. So generally speaking, a lot of this is around trying to build better collaboration. The reality is that for us to solve these problems we all need to work together, and as we already discussed, legislation may not always be the right approach to solving these
problems. The technology moves way faster than the legislation can. So there are a number of people who have initiatives that are non-legislative, to try and create better collaboration and solve some of these problems. One of them will be talked about in a talk later today from the Department of Commerce. Allan Friedman, who's speaking on that, is actually sat at the back of the room waving. Allan joined recently as the Director of Cybersecurity in NTIA, and his goal is to try and create better collaboration with the security industry. His goal is basically to try and find ways of tackling some of these big challenges that we're all talking about. So the first project that NTIA is going to be leading off with... am I actually stealing your thunder by talking about this? No? Okay. I assume no one has heard this yet; I'm sure they all will. I think it's also public information, right? So the first project, which will be a multi-stakeholder, public project, will be around vulnerability disclosure, and trying to develop best practices on both sides of the house. So how should vendors handle vulnerability disclosure, and how should researchers handle vulnerability disclosure? So that's one example of a Kumbaya moment.

Another is there is a group that I work with who have been working with the Department of Justice for a year, actually. We first met to start this project at Black Hat last year, and our goal has been to try and help CCIPS understand some of the issues, and to try and look at whether we could maybe create something like prosecutorial guidelines or some sort of best practices that would be endorsed by the Department of Justice. And at the moment we're still sort of figuring things out, working together, looking at what can and can't be done. Again, the legal framework is very limiting and there's only so much that can be done, but the dialogue, and the consistency of the dialogue, and how long it's been going on, has been fantastic and very promising. And it means that when people on the Hill go to DOJ and say, hey, we're hearing about research, is this really a thing? DOJ says, yes, it's really a thing, and actually it's a serious thing and you should care about it. And I've seen that firsthand, represented in how some of these bills are forming and being updated.

The FDA, I think, has recently announced that they are working on a project. They want to better understand how the agency should handle cybersecurity, particularly looking at things like how people push updates and that kind of thing, vulnerability disclosure again. That actually is a huge departure and super proactive of the organization, and for us in the community, who've been talking about security issues for a long time, we have a tendency to get frustrated over the lack of action in the government and to feel like they're behind on talking about this. Do I smell really bad? This entire area has cleared out. You guys are lucky. That was it, that was the Kumbaya; they were really worried I was going to start holding hands. I understand. But yeah, so actually the fact that there are federal agencies being really proactive about this, and trying to get a grip on it, and wanting to talk to the community, is fantastic. As another example, the FTC is in Vegas. They're speaking at Black Hat, I believe tomorrow, and they're talking about how you can work with the government. Unfortunately the title of the talk is "How you hack the government", which is a little sensitive in recent light, but I think it probably wasn't when they submitted the talk. But yeah, so you should go to that talk, and you should think about how you could work with the FTC and help educate them.

Okay, does anybody know where this is? Nope? Yeah, thank you, yes it is. Well done. So the Wassenaar Arrangement. Has anybody here heard of the Wassenaar
Arrangement? All right. So this is one that I care about quite a lot, because Rapid7 supports the Metasploit project, which is apparently the poster child for the Wassenaar Arrangement. So Wassenaar is an export control arrangement amongst 41 nation states. The US has been part of this since 1998, and the Wassenaar Arrangement covers weapons and dual-use technology; that's what it was created for. In December 2013 the members all met and they agreed to add two new categories, one covering surveillance technology and the other covering intrusion technology. Now a lot of the surveillance technology conversation came out from things like FinFisher, Gamma Group, Hacking Team, and I think actually, generally speaking, within our community it's not that much debated. I think most people are kind of on board with the surveillance piece. This is getting to the point where I might need to sit down. So I'm not going to talk too much about the surveillance piece.

On the intrusion side, the original goal was really that they were concerned about the sale of zero-days, and they were worried, again from a human rights aspect, about how zero-days were being used by non-democratic governments against their own people, and potentially against the governments that are members of the arrangement. The challenge with this is that I think there was a little bit of a lack of comprehension of how complex intrusion software is, and the fact that intrusion software is not inherently offensive. And so there was a thought that they would be able to draw a line between defensive and offensive. How many of you think that that is realistically possible? All right. So it comes down to the pesky intent problem, yes. So this has been a challenge. So a number of the member states have rolled out Wassenaar with actually very little response and very little focus, but the US recently pushed a proposal for it. Firstly, I think we should just acknowledge the fact that the US didn't just roll it out like the other member states that have rolled it out. They just pushed it out, right? They were just like, we have it, we're going to do it, it's this. But the US wanted to get it right, so they created a proposal. They actually had a comment period last year, then they created a proposal off the back of that, they put the proposal out, they opened another comment period, and the proposal has some pretty major issues. The major issues would make it very, very expensive for anybody making security testing tools to do so. It would make it difficult for any multinational to do security testing across all of its assets internationally, and it has an impact for security research. Again, there I am beating the drum about research, but it does have a serious impact, and a completely unintentional one. In fact, in the language of the rule they expressly say that they don't want it to affect research. But again, this comes down to the complexity of the topic that we're dealing with, and the fact that these are people who deal with export controls; they're not security experts.

And so the good thing is that during the last comment round, the Bureau of Industry and Security got 200 comments in, and those comments gave them a lot of food for thought. So their plan is to come out with another proposed rule and open another public consultation period, which actually is a really unusual thing for them to do, and it sort of demonstrates their commitment to working with the community and trying to find a solution to this. There is a lot of engagement. I would strongly urge you to get involved if you're interested in this topic, and if you work for an organization that might be impacted, which, as I said, is pretty much every organization, I would try and help your organization understand the impact, because this one actually could have some nasty unintended consequences. Again, I think people will probably ask questions on it, so I'm not going to blather on about it too much.

So how can you get involved in all of this? Well, as I said at the beginning, I think that it's really important that we have a collaborative approach and that we want to work with people. So this is probably not the best idea. And actually we see a lot of this. So Wassenaar is a perfect example, where there were many people with pitchforks and
flaming torches, and it really doesn't help. Of the 200 comments they got, the first 100 or so were just people ranting at them angrily, with not a great deal of understanding of what was really happening with the export control. And again, why would we know, right? We're not export control lawyers; we don't necessarily know the complexity of that. And export control law is unbelievably complex, as somebody who's had to spend a lot of time looking at it recently; it's a pain, all right. But on the other side, they're not security people, so we should also have a little bit of compassion, a little bit of empathy here, and realize that we actually can only get to the right outcome by working together.

So that said, what does that mean? And I'm sorry, this is where my slides get wordy. So the first thing is, there are people who do know about these things. When I worked on Wassenaar to begin with, I talked a lot to export control lawyers so I could get up to speed on that. When I started working on the CFAA, I worked with civil liberties groups, I worked with lawyers, I talked to anybody who would talk to me who knew something about this topic. I even talked to the guy who wrote it. So talk to people who are already engaged, talk to people who have more experience, who know what they're doing; figure out what they're doing and figure out how to get involved. There are lots of pockets of activity happening, and generally speaking there are people looking for other people to help.

Look for comment opportunities and participate. A lot of the things that I've talked about today have had comment opportunities: Wassenaar has had one, DMCA has had one. There are people writing letters about CISA and the concerns there. You can sign on to relevant letters, you can sign on to petitions, you can start a petition. You don't have to start one on the White House website if you don't want to do that, but you can start your own thing: throw up a website and have a letter that people can sign on to. There are lots of ways you can do that kind of stuff.

Identify relevant contacts. I mean, they're public servants, so it's actually not that hard to find people; you just need to go online and start looking. The best way to do it is to understand, if there's a bill you're interested in, which committee does it come out of. So for example, with CISA, it came out of the Senate Intel Committee, so in that situation you might look up who are the other people on the Intel Committee that are not the sponsors of the bill, and you might think you would contact their offices and share your concerns with them. Now in the case of CISA, it had a committee vote that passed 8 to 1, 12 to 1, whatever the number was; one person said no. And so in that case you might look at that and think, all right, so the committee is not going to be the best place to go. So where do you go? So you look at the topic and you think about who are the other core committees that are going to be interested. And I'll tell you, for cybersecurity there are four main committees that I would look at, eight if you consider House and Senate side. So there's Intel, a big one for cybersecurity issues; a lot of things come out of them, but they're really focused in areas that relate to the intelligence sector, so probably not broad-reach stuff like research, that kind of thing. Homeland Security: this one is pretty self-explanatory. They care about issues that relate to security, so anything that you can tie a national security angle to, which there is a lot of with cybersecurity at the moment, you can get them interested, and there is a lot of interest and discussion there. Judiciary: anything that relates to crime, Judiciary care about. In fact they own it. So if you're looking at the CFAA, that would be the Judiciary Committee; that's what they care about, so that's who you should go talk to. But they also care about how law enforcement uses other existing laws or new laws. So for example, going back to information sharing, because there's a law enforcement angle there, Judiciary is going to be paying close attention; they're going to want to understand how law enforcement would be using it. And then the last one is Energy, no, Commerce, sorry, which on the House side is Energy and Commerce. So Commerce care because they have to think about, one, how organizations are behaving, and two, what the consumer protection issues are around that. So you can look at that and think, if you're talking about something like cars, they're going to care about that stuff, and you want to get involved with that.

So if you are unsure, having talked about all of this stuff, reach out to your local representative. They have a responsibility to listen to you, and they will. It actually sounds very cliché, but it actually does work. And the last thing is the EFF has an action center that gives you some tips on this stuff. Go and check that out and talk to the EFF about how you can get involved with stuff.

Okay, so if you're
going to do something, where do you start? What do you do? There are some basics. As I said, do your research. Really get to grips with what you're talking about. Talk to other people who know about it. Generally speaking, the people who are engaged in this sphere will always help other people who want to get engaged, because amplification of sound is good for all of us. But if you are going to get involved, you need to be on message, or it can pull in the other direction. So that's the first thing.

The second point I would say is a little counterintuitive for a lot of people here. The reality is, if you just go to them with your pitchfork, they're not going to really want to talk to you; they're going to want to hide under their desk. Whereas if you acknowledge the things that they got right, even if it's only an intent that they had... So when I first looked at the International Cybercrime Prevention Act, I thought there are quite a lot of issues here, but I understood what they were trying to get at, and I actually supported what they were trying to get at. So I said, I like the fact that you're trying to shut down botnets; that works for me. But you might want to consider how you could do this piece so it doesn't do that thing. And so that's the thing: if you frame it so that you show empathy for what they're trying to achieve, then they're much more likely to feel like you have common ground, and they're much more likely to want to work with you on it.

Make your feedback actionable. Wherever you can, provide recommendations. Don't just say, this sucks, I don't like it, but say, you might want to strike this piece of language, or narrow this definition. Again, when I went through the ICPA I was very prescriptive in the changes I suggested, where I could be, which is not everywhere; as I said, I don't have a good definition for authorization yet.

Avoid jargon. This is tough. We do not like to drop our technical language, but we have to use simple language. We're in the habit of laughing at people in DC for the language they use. They use that language because they're talking to the public, and they use the language that resonates with the public. You want the public to care about these issues? Use the language that's going to help them do that.

Be courteous and helpful. I would hope that you generally try and be courteous and helpful with everybody, but if you want to work with people in DC this is kind of a must. Nobody's going to want to work with you if you behave like a child. And recognize that they are experts at what they do, not what you do. This is a really, really big thing. I don't know very much about drafting law; I'm not supposed to. They know about drafting law. If I can help them understand our stuff, they can take care of the drafting-the-law piece. That's the way to think about it: you need them; it's a symbiotic relationship.

Okay, so I typically have an Archer slide and I didn't have one before, so this is my "you can ask me questions"
questions.

Hi. Who is the primary lobbyist that you're seeing for this security legislation?

Sorry, who's the primary lobbyist?

I'm saying, which industries are primarily lobbying lawmakers to make these laws?

Okay, so there are security companies. Most of them are lobbying for things that actually impact their ability to sell and to do business. So they want information sharing, they want liability limitation, that kind of stuff. It's all relatively self-serving. And those security companies tend to be primarily in the intelligence spaces or the incident response spaces, that kind of stuff. There are exceptions to that, but that's the majority. Then in the private sector I would say a lot of the financial institutions and the big retailers. They lobby because anybody who is a really big organization that is a high-value target and that is struggling with cybersecurity is going to be lobbying to try and address some of their issues, particularly as they face liability. So financial, retail, sort of huge manufacturers, those kinds of people. And then the last one is technology companies, so particularly people like Google, Facebook, Yahoo, those kinds of folks. They tend to be more focused on... all right, I'll make a reference. They tend to be more focused on privacy issues. The heckle that I just got was Oracle. So Oracle is very active in DC. They do not speak terribly publicly about their activity, and generally they would disagree with pretty much everything I just told you. They are not keen on reforming the CFAA to help security research. So yeah, but hopefully that might change over time.

I have a second question. You mentioned the Wassenaar convention. In December 2013 they had this discussion. How long generally does it take for things to be added? Because you mentioned that was in December 2013, and now it's August 2015. Did the controversial proposal that the US pushed, did that ever get committed?

Right, so the way it works with Wassenaar is that the committee meets and they vote on something, and they can discuss it at plenaries for an extended period of time. I believe that the way it works is that the vote has to be unanimous, so something can actually be raised at the Wassenaar meeting for years and not be voted in until it becomes unanimous. But I've never been in one of the meetings, so I don't know. But once it's voted in, it's then part of Wassenaar; it becomes one of the categories that Wassenaar covers. But each member state basically has their own timeline to figure out how they're going to implement it. By being part of the Wassenaar Arrangement we've made a commitment to abide by the rules that everybody votes in, and if they've been voted in then we should support them, but at the same time we have to do that within the framework of our own legality and economy. And so that's where the nation states basically take it away and then figure out how to make it work, and the timeline on that can vary. I don't think there's a hard and fast timeline; I don't think there's a hard deadline, but I do think at the same time that if you have made a commitment to be part of something, then there comes a point at which it becomes a little embarrassing to keep going back to the meetings and being like, we're still working on it. So my guess is that BIS would like to get to some sort of resolution soon, but I think they would also like to get to the right resolution. So it wasn't... sorry, it was not... I think it was unanimously approved, because I think that in order for it to become part of the arrangement it has to be unanimous, but I'm not 100% certain
on that again not a lawyer um the other people the other um countries that just sort of implemented that part of w where we went forward and we've put through two common you know that's the one law that I'm working on right now and um do you think that the other countries are going to take a look at what they put forward once they realize how how different what we what we end up at cuz I I know the revisions we've gone through and it's going to keep going think they're going to revisit I think there's a couple of things that will happen um firstly I believe that the challenges that the US has faced will force a conversation I I
don't necessarily think that the US will go back and say, you know, we have to get rid of this and tip the table, but I think that they may go back and say we should revisit the wording and look at how to implement it in the right way. That's the first thing. The second thing, I think, is there is a great deal of scrutiny right now. I know for a fact that the EU is looking at how the US is dealing with this and is trying to understand what the implications would be, and so I think that we will see a lot of countries really struggling with this. That said, I also think that the US
has a number of unique challenges with this, because of the sheer scale of the US economy, coupled with the fact that pretty much all of the companies that make penetration testing software are based in the US, coupled with the fact that the US has more multinationals headquartered here, coupled with the fact that even if you compare an economy like the US to the entirety of the EU, you've still got a situation where in the EU you don't need licenses to export within the EU, and when you apply for a license you're applying to your nation's government, not the EU. And so, if you look at it this way, the
sheer number of license requests that BIS is going to have to process is actually kind of terrifying. I think they're probably wondering how they're going to do that. So I think there are some pretty unique situations that make the US's implementation different, and that has created much more pressure on the concept of the
rule.

Kind of a smaller question: you were saying that it was a lot more likely for something like SPY Car, something regulating a very small industry, to get passed soon. How terrified should we be that that's going to be something that's like a wedge that then gets broadened later?

So I think it's always good to be vigilant about how law evolves, and I don't think it's ever a case of it being one and done, that you can just be like, oh, we worked on this bill and now it's done and we don't need to care anymore. That said, I think that with something like SPY Car the intent is
fairly narrow, the focus is fairly narrow. It's unlikely that they would update it to make it SPY Car and Fridge. But you know, you never know. That said, I do think that something like SPY Car would create a basic template that could be applied to other areas, but I think that they would only apply them where they felt like there was serious implication to do so, so potentially medical devices or critical infrastructure systems, where it's kind of a case of life and death. But I think generally, you know, it isn't really the desire of lawmakers to create lots
and lots and lots of volume of law. They have enough issues to deal with, frankly. But yeah, I do think it could be a template. Okay, have we got any other questions?

Have you looked at all at how the EU NIS initiative, the network information sharing initiative, that's pretty close to being done, is going to interact for multinationals?

No, but that's really interesting. So I basically focus on the US, and I basically focus on federal at the moment. It's a scale issue: I'm me, and I have a day job. So I primarily focus on that stuff, but
I think that in time we will be looking at those things, and I definitely think the reality, one of the biggest challenges that lawmakers have at the moment and the reality that we live in, is that creating these laws in a nation state context when you're dealing with something that is not nation state specific is a huge challenge. And we're seeing that now with something like EO for example, you know, how do they deal with law enforcement accessing information that is housed overseas? We're just going to see those challenges come up more and more and more unless all of a sudden we decide to balkanize
the internet, which I really hope we don't. So for those of you who are interested in these topics, I basically pulled out a number of other talks that I think might be relevant to you. I highly recommend some of the I Am The Cavalry track, which is all day today. Allen's talk this afternoon at 3 will be talking about that NTIA initiative around vulnerability disclosure. For those who are at Black Hat, there are a number of talks that look great, and I would strongly recommend coming to hear the DOJ speak about the CFAA tomorrow at 11:30. And just for what
it's worth, I think this is actually the first time they've ever done this, where they've sent somebody to a security conference to talk about this law. So it's a great opportunity to come and ask questions. And then DHS is speaking about information sharing at DEF CON. Thank you very much for coming, I appreciate it.