
So come on, come on up, Ayan Islam and Spanky. Now, yay, all clap now. I am going to, on purpose, not introduce them very much, because what they are going to talk about is going to function as their introduction, and if I get into it I'll just wreck it all, so I don't want to do that. They've got a great story that they need to share, and please pay attention, because I think you will learn important things. So let me turn on your mics. No pressure, no pressure.

Under pressure. I think I'm on. Well, awesome. So you made it to the last presentation of the first day. Nice work, and thanks for being here, certainly appreciate your time. Some friendly faces in the room on top of that. So, my name is Steve Luczynski, and I am so excited to be here with my friend Ayan and getting to be a part of this. Thank you, Josh, for gently prodding us into this good idea, which, the more we did it, we're like, yeah, this is cool, and absolutely getting to share our experiences. So the whole idea of Public Service Journeys that are bringing all of you here, and I don't think that's a surprise, that's what this whole track is about.

Exactly.

And that's what we're, you know, things that we have done and being able to share that. I know, so we were thinking back on, and we'll get into how we know Josh, Beau, others in the Cavalry and the things the Cavalry has done, but my first exposure was a 10-minute lightning talk sharing the stage with Mr Bots over here, Carolyn Wong, and do you remember what year that was? 2017, exactly. And Beau giving me the opportunity, and whatever half-ass talk that I gave, and he still lets me come back, so this is actually my third time getting to be here, so I'm very excited about that, especially on this 10th year.

So yeah, and it's special for me because, especially on the 10th year, my journey actually started in 2017, when I also similarly met Josh and Beau as an intern, which you likely heard multiple times this morning. I am that intern, the
intern movie yet to be made and to come out shortly, just FYI. But so, and the beautiful thing is that that's how I was brought into this community and learned about I Am The Cavalry, BSides Las Vegas, as well as DEF CON. So it was very much in open arms and learning indepthly about what is a hacker community, what they're all about, and also what your needs are, and how we could also do a service in bridging the gap between your technical expertise and bringing that to the policy leaders, decision makers and the wonks that tend to also live and breathe in Washington DC and also in other parts of the nation and the world.

Yeah, and I think the good part too, that I've grown to appreciate seeing it and the different things that Ayan will talk about and share with you, is I define hacking personally: there's what I would say a lot of you all that are the incredibly technical level that I listen to, because I'm at least smart enough to know what I don't know and to go to that expertise, but then there's the hacking which is like an insurgency: you work around the system, you know the system, and you can get things done. So there's just as much of that, and that's some of what we'll share today. So if you want to start off with introductions after all of that.

Absolutely. So hi everyone, my name is Ayan Islam, and first and foremost, starting off with where I am today, and then I'll work a little bit backwards, but I currently work at the Office of the National Cyber Director as a Director of Cyber Workforce within the Executive Office of the President, so I have the good pleasure of working for the people. And recently, last week, we launched the National Cyber Workforce and Education Strategy, looking at how do we increase the talent pipeline and address the quote-unquote shortage that keeps being discussed, when the reality is there are a lot of good folks, myself included back in the day, we're trying to figure out how to break into this
field. There are a lot of folks who are very interested but don't have the access to the information or the knowledge or the opportunities to understand, like, what are the career pathways, what are the opportunities, and also how to, you know, get into the very same shoes that you are and become your colleagues, to work side by side with you and serve, you know, the great cause.

So, but then to rewind, how I got here is starting off with an internship at the, well, backtrack, a Cyber 9/12 Student Challenge that happened at the Atlantic Council. I was a graduate student in law school and saw that there was an opportunity to have a better understanding and an opportunity to learn more about cyber security policy and what does that mean in terms of the application of it. Through that experience, and having to see firsthand how it's not an easy job, it's actually like a team sport; there are also individual players who are extremely smart, but at the same time, at the end of the day, it requires also a lot of hands on deck. So from there on, that's where it led me to an internship, and that's also where I had the internship, and being the graduate intern, having a great chance to also support and learn about the healthcare cyber security issues that are happening across the board, and the attacks on our hospitals, our healthcare providers, as well as schools, small businesses. It's not just, you know, we heard the presentations earlier today regarding the water and wastewater systems, as well as the electric grid; it's just like there's so much interconnectivity in our lives that I just felt that there was like this mission-oriented aspect where I could help and serve and give back. And so that's where my sort of path into the hacking community occurred, and then also having the great opportunity of supporting the first ever DC to DEF CON, where I Am The Cav
brought over Representatives Hurd and Langevin to understand and meet, you know, the hacker community, and to say, you know, it's less of you hearing it through news articles; you are creating crucial laws that are really making a difference in how folks do their day-to-day jobs and operate; why don't you actually, like, listen to these technical subject matter experts and understand how you can better create these laws without duplicative effort or giving them additional burdens. So, yeah.

And not, that's not... have to do the full, I have to do the full thing? Oh, okay, okay, okay. Thought I could, like, share a little bit later on that and, like, sprinkle it in.

So as a result of interning at the Atlantic Council and having that opportunity of working on a lot of cyber security policy papers, I was then able to leverage all of that experience and transfer that over into the Department of Homeland Security, and this is pre-CISA, the National Programs and Protection Directorate, yeah, so NPPD. So having a chance early on to see how the agency that had a lot of responsibility of serving as a nation's technical adviser, but nobody really understood that they had a lot of the responsibility of both cyber security as well as physical security and the infrastructure security side of the house, as well as looking at the risks and determining what are the ways that both providers as well as, well, not only just domestically but also internationally, how it is all interconnected, not only through our technologies but as well as the supply chain, the business element, also the social elements, how that impacts our living and our public safety and security. So the skills that I again had learned early on through the exposure through the hacker community, I was able to bring that thinking, that mindset and ethos into the work and to help serve as a bridge builder. I realized that, similar to what Spanky just said earlier, that I know
what I know, but also at the same time my ability to have an opportunity to speak to decision makers and C-suite folks who may not realize there is a business element, there's a reputational risk, there's also bottom line; if you need to speak the language that will, like, trigger them and realize, oh, this is what's going to impact me, then how do I take what you yourselves do on a day-to-day basis and frame it to them, not using fear, uncertainty and doubt, no FUD whatsoever, but just giving them the critical bottom line of saying, you know, this is how it's going to help not only yourself but the business at large, the organization, and this is how it's going to help the constituents and the customers, bottom line.

So I had the opportunity of leveraging that experience working with so many smart people, which I see, like, a lot of CISA colleagues in the room, and then also having to take that experience and work very closely with stakeholders in the private sector as well. And there's also that opportunity where I got to meet Spanky through the aviation side of the house too, like early on, so there is that nexus that I didn't mention, that leave Spanky to talk about how we... I did mention earlier about the paper which I supported, Pete Cooper, who is the author of the aviation cyber security white paper, and then there was a subsequent one thereafter. But having that experience then also opened up many doors for me, where folks were like, oh, you wrote, you helped, you know, research and analyze and support the development of white paper, oh great, like, we need that experience too. So I say that all to say that all of these, like, layered-on experiences ultimately serve the opportunity for me to take what you're sharing on a day-to-day basis, the realization that I can only also do as much and as great if I'm constantly staying in loop with all the great presentations that come out here through I Am The
Cavalry track as well as BSides and DEF CON and other places, and taking that back, digesting it and sharing that with others to say, hey, if you're looking for a subject matter expert, I saw this great talk, or I saw online, or I heard from somebody else, that these are, you know, this means to go talk to and get the ground truth.

Awesome. Yeah, so this background, as we're sharing with you, is on purpose, just because of all the intersections, and that's what we're going to focus on. And I know it's hard to talk about yourself. I, on the other hand... So my name is Steve Luczynski; Steve, Spanky, any of those work just fine. I spent 24 years in Air Force flying, so hence the talk about myself and wave my hands and tell airplane stories later on. But I had a great time doing that. In the time that I was in the Air Force, I had the opportunity to go off from flying assignments and getting into cyber security, doing things with the Navy back before there was a Cyber Command, and then working my last three years at the Pentagon, my penance for all the good times I had prior to that, was where in government, in the Pentagon, seeing how government works, seeing it from both the DoD side as well as all the rest of government and things like that.

So before I go too far, how many folks in here have never worked in government? So we're kind of jealous in some respects, so that's awesome. And then how many have worked in government at some point? So yeah, good mix, so awesome, this is perfect.

So that exposure that I got and the things that were going on there, and then they're like, oh, you came from a flying background, oh, and now you're in cyber security, and I had enough knowledge to be dangerous, but being able to talk to the technical folks and translate across to the policy makers and understand what was going on, and hanging out with Tom Mal in the back row meetings, and the things that we got to see and work on, and that's where I got into the aviation cyber security side of things
and, like Ayan said, that intersection, the first time working with the Atlantic Council, meeting Pete Cooper at a Cyber 9/12 in New York City, which was awesome, and then Beau with the good idea machine of, you know, there's this report, and Pete's writing the report, and the things that got rolled out, talking about it publicly. So again, these things coming together. But then after that, when I was in the private sector as a chief information security officer, getting to see that, but the fun part in my day job, paying the bills, was getting to hang out and help be a part of what is the Aviation Village and now is the Aerospace Village. So again, the intersection that Ayan talked about, going back then with the opportunity to join CISA, so I jumped on that train, going back into government now and working on the COVID task force. So we're going to talk about the village and the things that the Cavalry helped establish, and then also our shared time on that task force, and again where the Cavalry comes into all of that. And then my current day job is as a consultant; I'm happy to give you all kinds of good ideas and advice with critical infrastructure security and a number of other things that I work on, but really the village is, that's the big exciting thing, and that's the fun time of being out here. And if you need some PowerPoint, I got some skills, you can ask Josh. So not to brag, but there you go.

So all right, how about when we first started working with the village?

Yeah, no, when we started working with the village, I was at the time with CISA, and there was a rebranding and a need to have a relaunch of the Aviation Cyber Initiative, which is now a tri-departmental task force; it's with Department of Homeland Security, Department of Defense and Department of Transportation, and currently TSA is chair and representing the DHS on that front, while FAA is representing Department of Transportation. But at the
time TSA did not have a cyber security office and equities, so the responsibility initially was with CISA, with TSA being a very, very close second counterpoint and lead and, you know, secondary co-lead in that respect. So there was a lot of opportunities, and seeing that, similar to also the current theme with I Am The Cavalry, government needed to have a better understanding of what security researchers were doing and thinking, and what they were seeing, and what vulnerabilities or potential issues were facing the community. But come to find out, security researchers were also having a hard time connecting with the very manufacturers and software providers to essentially share the vulnerabilities that they had been discovering. And so the wonderful beauty of also serving as part of the task force, and one of those initiatives, was how do we create a paradigm shift, how do we change the thinking of, you know, we don't understand this community there, and since we don't understand, we're not going to communicate with them, and that's, like, that's not the case. And so with that bearing in mind, CISA took it upon themselves, seeing that there already was a pre-existing coordinated vulnerability disclosure program and an opportunity where security researchers come in and have essentially a third party, i.e. government, serve as a neutral individual and arbiter to help facilitate the conversations between themselves and the private entity that they were trying to communicate and share this information with. So there were, back in the day, like, a number of presentations, one specific to satellite communications regarding a particular manufacturer's...

You know, if you think back, 2014, '15, '16, different things being published, what the media is reporting, Black Hat talk, I remember DEF CON 22 there was a huge presentation of this is why you cannot do this on airplanes, with companies and pilots
and talking. So that was the context of the things that I saw in the Pentagon that eventually Ayan's working on and where it's grown to today, but that was the situation at the time of what wasn't really being talked about, and why having that Atlantic Council report and the work that Pete and Beau and others have done to start that pebble rolling down the mountain that turns into a snowball of goodness today.

So yeah, and essentially sharing or dispelling myths and preconceptions of who, what, you know, communities were and stuff. Like, there was distrust towards government, of course, there was distrust towards private sector, there's distrust towards hacker community, there's just distrust all around. And so the question was, okay, how do we undo these roadblocks and better communicate and understand how we're all looking to, you know, address the same issue, but then at the same time find trusted partners that could serve as a voice that could bring us all together. So thankfully that's where bringing that thinking and the mindset helped also foster multiple conversations across the board, where we could then turn around and say, wait, Aerospace Village is now being stood up, and there's also an opportunity to further engage with the community, learn from the community, receive inputs, ensure that we're not stepping on each other's toes or duplicating efforts or inadvertently, you know, maybe making you feel shunned when you shouldn't be. So that's where, you know, the constant conversations and being a part of communities like this that are very organic helped.

And, you know, building on what Ayan said, what I got to see in the Pentagon, right: sometimes government talks to each other, sometimes it doesn't; then it's trying to talk to industry, that doesn't always go well; but at least we both hate talking to those hackers over there. There's our
common enemy, we can dislike them. So getting past that, like watching that firsthand, going, this, I've read about, this isn't a stereotype, this is really what happens. So the fact that in that context, when the idea of the Aviation Village, that's what we were in 2019, right, so I know Pete, Beau, Roro, Alex Romero, Katie, there's Jenel, there's a whole crowd, and I know I'm missing names, but that crowd getting this thing going, getting past that reluctance of, yeah, now you got two groups that don't really want to talk to those people at that crazy conference. But when you have an agency coming in, like Ayan said, that, before it was called CISA, but CISA is much easier to pronounce, so when Chris Krebs is rolling in, going, what's up, I'm here in the Aviation Village, we're like, thank you, and helping that conversation and helping get over those obstacles. And when you have the government, and I'm just going to keep pointing, as Ayan's government, coming in, being able to say, yeah, you got a disclosure, let's talk about it.

Again, if you remember 2019, Rapid7 researcher Patrick Kiley had found a CAN bus vulnerability, built a plywood cockpit to demonstrate what that vulnerability looked like, because he'd already coordinated it through CISA and revealed it and did all the right responsible coordinated disclosure, and that was the beauty of these groups coming together, getting past these things. So talk about the Cavalry's idea of taking diverse backgrounds and groups and coming together to do good, there you go, that is a hacker approach to getting things done that you had not seen in the aviation example until that time. So again, a testament to the great work of getting that going. And I won't go into the details too much, but yeah, there was some industry that's looking at, like, what are y'all doing there, we don't think that's cool, just a little bit of hesitation, and on any given day there may still be some of that, but if you come by and see our village at DEF CON Friday, Saturday and Sunday,
you will see a lot