
Okay, excellent. So I'm just going to plug this in here to share a few slides, which are intended to just be vaguely conversation-guiding, not at all dictatorial of the conversation, and with your permission I will... that is not the right slide. Back. Same thing happened in the other room. Here we go.

Yes, I think it's cycling through. This happened in the other room too. Hopefully there will soon be something on the screen, but basically the... there we go. Okay, so if you were kind enough to come to my keynote, you know that in my list of four things that I think inevitably need to happen to advance progress in the next 25 years of the security industry and the economy, to make sure the bad things happen less, one of those items is, as Josh said, to help clarify, for people who are not part of this community and who do not possess the sophisticated level of knowledge that all of you do in this room, who it is that they can actually trust on these matters of security and technology safety. The regular folks, the normies, really don't understand what to look for in terms of good sources of advice. They fall victim increasingly, the elderly in particular fall victim, to scams on a regular basis that try to allegedly help them, but they can't really tell. I know from my own parents, who are in their 80s, and they're relatively suspicious of all things, to their credit, which is partially how I ended up being who I am; we can give them credit for that. Just because you're paranoid doesn't mean you're not right. They still regularly send me descriptions of phone calls they've gotten, or they send me forwards of communications from their bank, etc., and I write back in all caps: do not contact, right? But not everyone has that same access to someone who ostensibly has a relatively good read on whether something is scammy. And so part of building these infrastructures means starting with a trusted kernel of folks who can be an easy focal point of research and connection, to build that army of the trusted. And this doesn't mean that one size fits all; this doesn't mean that it needs to be a particular model, and I wouldn't presume to tell the community how to self-organize. But what I can offer, I think, is various different models
that different professional organizations, industries, affinity groups have used, and help offer a few of the variables that differ across them, and hopefully that will stimulate some conversation in this room and beyond this room as to where those shared baselines of interest, commonality of concern, overlap in possible steps forward exist, and how that can be taken to some new level.

So why do professional organizations get created? So the first is to tell your own story, to brand yourself, to present yourself to the world in the way that you want the world to perceive you. There's a really powerful, so this is the psychologist part of me saying this, there's a really powerful self-actualizing, self-efficacy and human element to being able to tell the story of who we are as individuals and to change that story across time. So as an indulgence, I'll tell you that the article that I'm finishing right now is basically raising that concern: that hyperaggregation, leveraging and merger of databases, paired with body devices that create live feeds, are fundamentally generating this patina of hyper-legitimacy for the technology and the data streams that could sit in direct contrast to how the person, the human, wants to tell their own story. That is bad. We need to have the freedom to self-express, to build ourselves into the next generation of self, not be limited with the baggage of the past versions of self that we have worked hard to grow out of. So it's very concerning if we're building a world... and I have not yet fact-checked this, but I did see multiple publications of perhaps not great credibility, so I would appreciate a fact check if anyone can fact-check me on this: I saw an article yesterday that a supermarket chain in Japan was trialing a facial recognition body monitoring technology that allegedly was following 450 indicators to standardize the smiling behavior of employees. That's not the world I want to live in, and it's not a world that is compatible, in my understanding, with what the founding generation wanted for this country. So we are reasserting baselines in very sort of boring ways. We're traditionalists in just wanting these things of having spheres of self-expression per the First Amendment, spheres of freedom that are in law, that are enshrined in the Constitution. But when we see technology start to chip away, consciously or unconsciously, and I'm not ascribing malicious intent even to any of the companies, it's just things build on each other and the venture capital ecosystem builds on itself and the incentives are strong. And so what this group is really key to, and what we all, I think, have a moral obligation to do as people who perhaps understand a little bit more of what's under the hood of our society, is to teach other people in ways they can relate to, and to be the people to help pick up the pieces when things inevitably fall apart in one way or another. So what this effort to self-organize, in ways that are constructive in your mind, would help is preserving that self-narrative professionally for you, but also helping to create those lines of defense organizationally, as to the first set of folks to turn to when things are looking bleak.

So industries, when they mature, they form professional societies partially for that kind of baseline credibility maintenance, because if everyone is viewed as functionally interchangeable on the surface of things, and the normies can't tell people apart
as to someone who is highly invested, highly ethical, highly committed to certain guiding principles, in never hurting with their special skills, you can't tell that person apart from someone who is a little more flexible, let's call it, in their ethical compass. Then you end up in baselines of not just safety, functionally, of the systems, but also the emotional safety of the population crumbling, and that's when civil war happens. So to preserve quiet functioning structures in our society, preserve democracy, keep everything just running along, it is very beneficial to lead here, if you're willing, in creating those next-generation trusted kernels of experts. So that's the market quality, high trustworthiness point.

The other thing that organizations tend to do is they create mentorship networks. They create very structured points of entry for people who want to be like that person when they grow up, and that's part of what this conference is all about, and it already exists. But there are a lot of different possible security roles that come out of this conference, and so the next step, when you graduate to being a full professional, is to co-mentor each other. So I can tell you that with both of my hats, both the lawyer hat and the psychologist hat, we have little friend groups that we talk about in our peer groups, and that's true in the security community too. But having the ability to formalize some of those groups around the extra credibility of a group saying something about a baseline of ethics or conduct protects each individual member from some of the individual-level consequences, perhaps if it's an unpopular but correct opinion. There's a benefit to having that buffer, an organizational buffer, but also it lets other people come in and hold themselves to that higher standard. There's a risk of nihilism that creeps in, in many professions, when junior folks come in and they run into this senior person who is very helpful to them in some ways but who has seen just a little bit too much and kind of kicks the joy out of them. You have to have a little joy in your life, right? So the primary mentor may not be that joy point, but maybe this organization, however it's crafted, that's most relevant to this person could offer some of that joy, you know, even good humor on point, you know, the magic XKCD that comes out that's directly speaking to the interest of the group. Little things like that; it just makes people feel not alone.

So there's also an interest in protecting shared interests. So let's say that there is a policymaker who is, let's put it charitably, suffering from a fundamental misunderstanding about a key point of interest to your profession, beliefs, shared ethics, etc. Having a formal intervention from a group looks far more impressive, because when the staffer sees that, the staffer doesn't know how many people are in that group; the staffer needs to go research and kind of figure it out, but still that has more of an impact than a single individual voice. Also, depending on how many people there are in a particular group, there are other avenues like targeted lobbying, which unfortunately is a reality in DC. AARP: such good lobbyists, really good organization that represents people who need to be protected, right? You can also form alliances, and you don't have to pay for the lobbyists, but if you share, as an organization, values with another organization, they will share their existing lobbyists potentially, and resources, right? So there's this responsibility for creative bridge-building across communities, and to then teach each other the language of the community. So the goal is always to speak multiple languages, the same way that, you know, even if you're in London certain words are different, right? So if you want to be sure to get a cookie: if you say cookie, you're going to get a very particular thing in London, but if you want, say, more of a tea cookie kind of thing, you're asking for a biscuit, right? So it's the same idea, slight variation; different people use different words, but you have to understand all those variations, and then you can get in on that precision and you build that shared vocabulary. Organizations working together can do that.

But also you can create community buffers. So I know that there is a concern, especially now with some resets in some companies, with volatility in employment for some folks. So some of the professional and other associations offer shared resources that serve as social buffers too, and this community is one with a history of helping each other. So here's another way that you could create one of those structures to support each other in those times that someone may need a little help. Okay, so that's why it happens. Now
I'm going to briefly share a story. If any of you were in my talk last year at DEF CON Policy Village, apologies for the repeat; I'll make this short. Some of you undoubtedly know this, the history, the success story of Hoover Dam. You've visited it; it's an amazing engineering feat. But you may not know what came before, and so here we have the story of the St. Francis Dam, which was very much the vision of one particular guy, and this guy did not take advice. William Mulholland did not take advice from experts who were warning him about certain design issues. The engineers who were on site working at the St. Francis Dam saw damage; they warned; they were ignored; cracks happened; a flood. At least 500 people were dead or missing initially, and the death total kept escalating. And so this dam just was not fit for purpose; it was not suitable in the way that it was ultimately built. Changes happened, and there was a lack of warning and lack of care in the way the dam was built, the way the incident was handled, and the standards that had been used all along the way. And so it was this incident that was very influential in stimulating the creation of engineering professional societies and shared values across engineers. So the formalization of the engineering profession happened partially because of this disaster, and so it was arguably a perfect storm of factors, but we all know that happens, unfortunately, frequently: just slightly different perfect storms. So the point is to have these contingency plans of distributed support, not only for yourselves as professionals but also for society, as Josh was referencing earlier. And there was a formal legal process, and there was a finding of responsibility on the part of Mulholland. So a coroner's inquest happened, and there was a determination, legally, that the construction and operation of the dam should never have been left to a single person's judgment. And by having more loud voices, including through associations of professionals, weigh in, you help to push back against an imbalance in a policy process in a way that each of us as individuals just doesn't have that same voice amplification. So we got the code of engineering ethics partially because of this incident.

Coming to that famous liberal Richard Nixon: he is to thank for the EPA, and Josh tells this story, I'm sure you've heard it, the Cuyahoga River, with a river literally on fire. And so when we think about the resources that we protect, be they social, individual or organizational, when we think about the information, the data, the bits as water, it flows, it flows unpredictably, it can cause destruction, it can give life. It's a volatile commodity that can also be tainted, as we know from some of the current challenges with data quality and integrity issues that are showing up in training data sets, right? So things got so bad that ultimately a coalition of grassroots folks got together, multiple coalitions, and some magic individuals who led them and just kept pushing, and it was the group effort across multiple formal organizations and all of these folks who finally convinced Congress and President Nixon that we can't live in a world where the water is toxic and the air is toxic. Seems kind of intuitive, but this threat to life was nevertheless not a sure thing for remediation. And so the way that Nixon thought about it was as a form of debt, and so this is why I've been framing the conversation around security liability and safety problems as a form of legal debt that is functionally equivalent to what Nixon saw in this environmental circumstance. So that's how we got the Clean Water Act, the Clean Air Act, and the Cuyahoga River has improved dramatically. And so this is a success story, but the countervailing story is a story of fire. And so we are going to be in a position, and I think we are right now, in making that choice between the Cuyahoga story or this story from Centralia, Pennsylvania, where you had certain engineering projects of a decommissioned coal mine and a city dump, and things were built in a way where they did not play well together. So assuming no intent to hurt anyone on the part of the individual builders, even assuming that within the four corners of their lane they made no mistakes, using the state of the art of what existed at the time, an emergent effect resulted in the elimination of that zip code, the whole place being unfit for human life, with steam coming from underground fires that continue to burn. This is not the only place in the US where underground coal fires are burning uncontrollably, and we're not quite sure what to do about it. So this is a story where we didn't have a happy ending. So sad endings are possible; we have to choose toward the happy, and hence my dumpster fire down the river.

So back to the professionalization conversation. Having these vocal focus points of expertise helps to ensure that we head toward the Cuyahoga outcome and away from the Centralia outcome. So let me tell you briefly the story of packages in the US Post Office. So the post office goes back all the way to the founding, Ben Franklin, my favorite founder, totally underappreciated. Fun fact, as some of you undoubtedly know: we're on our second Constitution. The first one they tried, that's when Ben Franklin was in France; he wasn't around for that one. They
messed that one up. Ben Franklin comes back, sits in the room, we've still got our second Constitution. Coincidence? I think not. So the post office was a Ben Franklin idea, but they very consciously limited it to the conveyance of mail, so letters, etc. They weren't doing packages. They instead allowed for private sector industry around package distribution to flourish, and so there were private sector package conveyors, and they serviced some parts of the country very well. The problem is that they didn't feel like doing that last mile in rural areas, because that was more expensive, it was more inconvenient, and they didn't get the same return on investment for that. So the charges for package conveyance were dramatically unaffordable for some members of the public, and it meant that certain kinds of industries couldn't exist, such as catalog sales, which promptly emerged after the post office also started providing package service. So by injecting a government light-touch intervention to push private sector competition in ways that benefited the public, you ended up with a more robust ecosystem that allowed for the creation of a whole new generation of businesses around catalog sales. And of course the catalog sales industry is the low-key predecessor to the internet, and so all of our current wins and losses, I guess, are somewhat attributable to this innovation nudge that came from the public sector, not from private industry, where there was this bottleneck, where there were very clear losers among the public in ways that we looked at and we said, hey, you know, that's not really fair; everyone should have access to packages. Okay, so this is one of the roles where you again can have a nudge from private sector organizations toward those light-touch interventions that will make things better. So the photo on the left is a whole house that was sold by Sears catalog and that was shipped through the Postal Service. On the right, we used to ship babies. We don't do that anymore, but that was a thing. So my point is that technologies evolve. Sometimes you're not serving rural communities; sometimes you're shipping houses; sometimes you are temporarily shipping babies, which you rethink and you take a step back. It's okay to have that evolution happen, but the point is to check in and make sure that we are building economies in ways that serve everyone.

Okay, so this is where my future homework is, and so maybe I'll come back and chat with you all another time about this. There were three kinds of bottom-up safety efforts that have slightly different histories: the history of ambulance services, the history of fire departments, and the history of police force development. And they all evolved in slightly different ways, but each of them was a grassroots effort where people got together, worked out some kinks, and then ended up formalizing into the structures that we take for granted today. But they weren't a given, relatively recently in the case of ambulance services, and when you look at, say, Mexico today, you see a stage of competition among private sector ambulance services that, for some folks who are coming at this from defaults of certain transparent ambulance behaviors and expectations that are not quite aligned with what the defaults are in a different context, it can be surprising. So recognizing that we were in that same place not that long ago, I think, is useful in demonstrating that evolution bottom-up is just as important as evolution top-down.

So just to wrap up, here are some professions and industries of skill that each have slightly different self-regulatory models, and so we can talk about particular models. BD, sorry, stands for broker-dealers. So broker-dealers, investment advisers, both financial services professionals, different models of self-regulation, different duties of care. So when you are stepping into a broader perspective, where cosmetologists and tattoo artists are more regulated than the people who are ensuring that our critical infrastructure has trustworthiness in it and is free from major confidentiality, integrity and availability issues, one might argue that
there's kind of an imbalance in oversight. But, you know, there are still incidents that happen in cosmetology and tattooing where there is public harm, so it's not to say that that's necessarily in all cases overzealous; some may be a little overzealous, some may not. But the absence of that second set of eyes, the absence of that public conversation, is not the best of all possible worlds. I think we can all agree we don't live in the best of possible worlds right now. So each of these societies has some of those factors that I mentioned before. Some have insurance programs; some have formal mentorship tracks; some have apprenticeships with very tiered things, some very tiered levels, very tiered skill set acquisition; some of them have minimum age requirements that are different from others. The actors, the Screen Actors Guild, is broken down into various subspecialties that each approach things a little bit differently, but there's a very dramatic discussion in the press of some of the ways that their internal court-like proceedings are carried out in the case of one of their members acting in ways that the guild views as unbecoming of a member of the guild, including, in one case, the people in the observing area stood up and turned their back on the member of the guild who had transgressed. And so the sanctions vary. Some of them are symbolic sanctions; some of them are not symbolic sanctions. Some members can be kicked out of certain organizations relatively easily; others have different probationary models. But there's a formalization that has evolved across all of these different industries, and there's a comfort, a trustworthiness, and a self-narration and communication power to all of it.

So here are some of those variables that I'll just mention for you all to think about, and then I'll ask some probing questions and I will stop talking. And before I forget, there are a bunch of stickers in the front of the room, so you all obviously have earned a sticker by listening to me talk, so please partake. They have three bears on them, who are very safe bears; they're wearing helmets and visors as they're working on their laptops, as one should.

Okay, so licensing requirements: probably not something this community is ready for, but just a heads up, it's one of those requirements that policymakers are very comfortable with in some ways. So again, some of what this conversation is intended to stimulate, uncomfortably, is getting ahead of the policymakers to write your own story, so that they don't try to impose a story on you that might not fit through your eyes. Liability frameworks, and how there is a mutual vouching or mutual calling out for egregious misconduct. Professional sanction could be kicking out of the membership organization; could be putting people on probation; could be creating a, I don't know, penalty box of some sort; limiting the right to work; limiting the right to use certain labels. So realtors are very aggressive about protecting who gets to use the word realtor, to the point where they have had trademark litigation on this point, and definitely enforce it zealously if someone who is not a member of their organization is holding themselves out as a realtor. In the case of practicing law, it is illegal, it's a crime, to hold yourself out as practicing law unless you have a license, which means that you have completed certain educational requirements in most states and passed an exam. So exams are another piece of this. There are exams that are general, but there are also specialized exams. Think about doctors, right? You're not going to have a podiatrist show up to do your brain surgery. Why? Because both are different and hard and very different parts of the body. They both have expertise; you may need any of the specialties at any point in time, but the point is you need a fit for circumstance; the context matters. Character and fitness: that's something that they do a check on when you are sitting for your bar exam, for example, and that may not be something that is viewed the same way in this community, and that's entirely, you know, up to you what that means. It may mean just acting in ways that are becoming of the baselines of ethics that are shared, and then reviewing that if there's a report that someone is in... Continuing education requirements exist in many professions, including law. Apprenticeship tracks, degree requirements, which isn't necessarily going to be a thing here, but maybe for some subspecialties. Maybe there is a very targeted set of courses that, if you are, say, doing nuclear safety engineering that is reliant on high-trust software deployment, you know, maybe there
will be, in 5 years, a training program for that that the relevant organization will say, hey, you know, everyone who's one of us has gone through that, because this is such a dangerous place to make mistakes; we want to be sure that everyone who bears our brand subscribes to that baseline of care, and we want to offer a way for people who are looking for people with the skill set to be sure that this is a true possessor of that skill set, not someone who had ChatGPT write a resume. So resume lying is a big problem in every profession, and the level of checking, especially in a world where a lot of employers use automated tools, this is... the stakes are really high here. This is not a great place to have a high degree of trust in automated resume-checking tools that may or may not map to the ethics that are shared. Malpractice and insurance are also part of some of these organizations. Statements about client engagement and duties of care, professionalism, objectivity, personal references, disclosure of conflicts. Some organizations require a sponsor; for example, to become a member of the Supreme Court bar, you need to have at least two sponsors who are current members of the Supreme Court bar. So it's a vouching: you build a network of known individuals that again ensure, for the higher likelihood, though nothing is foolproof of course, higher likelihood that there's a shared baseline of values and ethics in the group. And then when you pair that with the mentorship opportunities and the pathways to entry, you can make sure that it's not a case of "oh, we create our little in-group here." No; instead you open it to everyone who is interested and hold out your hand and teach people how to enter, and then you also elevate the most talented, the most committed, and give them that push into success. And we talked about specialization. So these are some of the various different pieces that are used in organizations. Unions have union representatives, for example; they negotiate collectively. That's probably one step more, but there are tech unions that are being formed in various cases, and so there are conversations happening around tech unionization in certain circles. I don't get the sense that that's where we are here, but that's, you know, that's all you all, not me. But the point is that collective conversations, where there's an entity and a person across the table that come to terms in that discussion, and a shared checklist of items for negotiation, that formalization helps to move things along.

Okay, so here's my controversial suggestion. Maybe the place to start is through building out a category of chief technology safety officers. So folks who are willing to get together and to say, you know, I've been doing the security thing a long time; here are the recurring mistakes that keep happening across the places I've worked; here's how things are falling through the cracks; this officer doesn't talk to this officer; they have their little fiefdoms, they have their budgets; this is what I keep seeing. And so you create a shared sense of community around this notion of the relationship of the organization that you work for to the public, and what that allows for is, you know, baseline ethics, having the ability, like lawyers, to say to your bosses: well, I can't do that, because that violates my ethical responsibilities as a professional. Do we really want me to put in writing that I have to violate my ethical duties as a professional because you're asking me to do that? That would be really bad in discovery if that comes out when the bad thing that I'm telling you is going to happen actually happens, because we all know I'm right and you're just trying to game out if you'll be gone to your next job before the bad thing happens. Which is of course, sadly, we all know, a regular CEO problem, where CEOs are timing their earn-outs and their terms of contracts and sometimes leaving a liability in a closet somewhere, under a carpet, use your own metaphor for hiding things; I was going to use a worse one but I'm going to try to be nice. And so timing out how long it's going to take for a litigation item to be fully resolved, and building in appeal time: if your CEO only has two years left on a clock, your appeals for the bad thing will run probably 3 to 5 years; they can run out the clock, and so the CEO may be on to another job, leaving the company holding the bag on whatever mess has resulted. But this could be a type of officer that looks across the organization for these emergent effects, be they operational in terms of conflicting priorities inside the organization or particular officers.

Okay, so here are the questions. What are the core shared values internally that you could see people breaking themselves into and ascribing to? What types of subspecialties could there be common ground for, in order to generate subsidiary codes of ethics, subsidiary commitments? And how would self-policing work? These are hard, but think about some of the different models we've talked about. Feel free to ask questions about any of those professions that I listed, or if you want to tell me what I get wrong about my Bureau of Technology Safety proposal, have at it. And that's all I've got, and I welcome thoughts, questions, discussion. Am I just completely wrong? Yes? Okay. So we're going to enter into a time
of interactivity and I see one question coming up soon yes um all right immediately before your question let us give a round of applause for Professor Andrea thank you professionalization certification verification who felt a little bit uncomfortable during this discussion you can raise your hand it's okay it's good okay so let us jump into Q&A
great talk I appreciate it um so for the the chief technology safety officer um I guess looking back at I guess maybe using history as a guide in terms of like uh like the bridges and and dams and things like that um would there need to be a agreed upon safety rules or or check boxes or something for Tech like sometimes it's hard to imagine okay what what are the policies or highlevel things that we look at or so the beauty of approaching this from a self-regulatory organization standpoint is that you don't need to imagine things that aren't there so if say five of you get together and say let's have Beverages and tasty food and
let's share War stories about things that we have seen more than once you create that list of repeating problems and then you look for the common threats so I can tell you one thing that I have seen um in recurring unfortunate uh enforcement situations is over trusting contractors or just having papered over the relationships to make it look like you have all the policies in place but nobody's actually checking if any of them are enforced and nobody's actually checking if there are meaningful controls to say you know prevent a loan employee from pushing out a code update that could impact consumers dramatically I'm not I am not referencing anything necessarily in the news this is a recurring it it really is
it's a recurring problem that that I've seen in other context um so you know that's very efficient right so Friday or maybe you're taking a vacation so it could be a Monday I don't want to you know reference anything in particular but the point is there's a timeline that's pushed by something other than quality of the customer's interest and there is a known way inside the entity or at least among the contractors to leverage that Gap and then bad things happen and you know maybe there was one person who was supposed to be engaging in oversight but was too busy or maybe there was no one who was really engaging in oversight or the oversight needed to
be asked for there are lots of different ways that these things break but the point is there's a recurring theme there of internal control relationships with verifying the trustworthiness of contractor conduct that could have devastating Enterprise implications for an entity its customers and the public and so something around that idea and the relationship of these Chief technology safety officers as to how they would look at this and whether there's maybe a whistleblowing obligation maybe to be a member of your organization you have to promise that if you see a looming disaster coming that could endanger human life you will whistleblow to Regulators there are formalized whistleblower programs at the SEC at the
IRS DOJ has one now there are going to be more so that's the example of the kind of shared Baseline that is entirely policy neutral other than valuing human life and valuing truth and not fraud on the market in the way that companies are communicating or organizations are communicating it could be a nonprofit could be a nonprofit that is acting in ways that will inevitably endanger human life for example or cause harm or um have other negative outcomes that are not being accurately disclosed in whatever obligations exist at the time which will be a moving Target but if you set up broad enough principles you can move with that Target so you don't have to get super
specific yeah I know which hand is next let's go in the corner oh yeah oh sorry next one whoever the I'm just trying to we're tracking order get the room is you are you tracking order okay thanks hey great talk thank you very much um you brought up the professional associations and certifications that path to professionalization and I guess based on your perspective how can this sort of professionalization and standardization resist what I think is a trend in information security towards commoditization of Professional Standards and membership that we see that is exorbitant keeps new entrants out and uh you know speaking as a Canadian is prohibitively expensive yeah um and I was wondering if you know some
of the orgs you looked at had you know track records of preventing that from happening or alternative methods yeah so uh some organizations have um sort of graduated fees uh I'm going to give you one that is sort of a quasi organization that I just joined so because I'm writing an article that has a Hannah Arendt angle who was a secret technology theorist I joined the German Studies Association and the German Studies Association has an income based graduated fee structure so one way that you could create an economic Justice component to the structure of the logistics of say a nonprofit model and so the corporate model that you would choose would also be relevant here
potentially um and then you could write in your bylaws a blanket prohibition that is a core value of the organization that the following kinds of behaviors will not happen and so you get that first set of organizers in place who subscribe to that Baseline of principles and then you have your little group and this is what you stand for and if people want to be part of this group they have to agree that they will also hold these values and you don't have to sell anything ever but it is a formalized mutual support organization you could view it a little bit um like the model that some uh Credit Unions at least back in the day in um immigrant
and minority communities used where it was a community self-help mechanism and they pooled resources and it wasn't really about making money for anyone it was just about helping the community grow together so you could play with these models in various different ways nothing says you have to have an organization whose goal is to make money and I think you know you can have lots of different organizations some of them make money some of them are about building Community some of them are about preserving certain Baseline values so um I think your point is well taken and I think that economic Justice component is really important to consider so this one's a bit of a ramble
and I apologize for it but referencing back to police cameras and the idea of subjective trust um is kind of a thing especially when we get into Information Security Professionals who may or may not be good and so apologize for reading some of this I was just jotting down my notes how does the average citizen know that a cyber security person is good and speaking from a topic they're actually qualified for so CISSP has become a good coverall and we've seen professionals who are both great and limited in their understanding um how can we help when we're all acting inconsistently based on the risk appetite of the executives we support yep so you've highlighted one
of the key problems so one way to approach this would be to find five friends and create a very high trust mini organization that stands in contrast to a less focused organization and uh get the word out of its existence so that like-minded people can help grow um and then you'll be challenged with this question of how do you ensure the level of people in your organization stays that way and that's the tough question so with lawyers we've been kicking people out the last few years there have been quite a few disbarments in the news we do that maybe some people would say not quickly enough um but nevertheless we do kick
people out so that's a value judgment and you can have different tiers of value judgment so even if you have a very specialized organization someone could for example be excluded from a very specific organization but still be a member of a general one it's about shifting expertise rather than um claiming expertise in everything but it's the podiatrist brain surgeon problem right so you don't want the podiatrist to offer services in brain surgery because that's going to end badly nine times out of 10 let's give some credit to maybe some podiatrists out there who happen to also have that skill set but um you can structure these organizations as narrowly or as broadly as you wish and
there doesn't have to be just one there doesn't have to be just two there can be 14 or more the point is to have published shared values so that people can see them and see that the people who are members of this organization subscribe to this list and if there's an experience where someone who is allegedly subscribing to that list of values professional behaviors Etc does not um act in ways that are consonant does not perform up to those standards there's a mechanism of accountability so for lawyers you report us to the State Bar Association at some point there may be some sort of um local or uh state regulatory structure that
evolves right now there isn't really one so it would be primarily reporting to the membership organization to say to I use the nuclear Security Experts um model to say to the nuclear security computer Security Experts organization I had a negative experience with person X here's exactly what happened here's why I believe this was a problem and then you have a rotating panel of adjudicators for the organization that people elect mini democracy and you have a back and forth so as I said Screen Actors Guild they actually have fake trials where people present sides and in Union situations there is Union counsel that represents the interests of union members um in various circumstances there are lots of
different ways to structure this but the point is to figure out what works for the particular context that you're embedded in and to have these external signals and these internal Frameworks to create high trustworthiness enclaves of like-minded experts all right I have this gentleman then Dean then Christian but I lost track after that the good news is we have 40 minutes left um so you've been very patient so um my concern you mentioned things like the bar association and doctors and those are like you said mandated um my concern about doing things like this is in order for it to get Beyond this like five or eight like actually grow so there has to be an
economic benefit to it and how do we get there I'm concerned me being a part of this group saying I'm required to whistleblow why would a company hire me if there's not uh like I mean so there's that balance of how do we get from where we are so fair point so the examples that I used were criminal acts right so for a public company that's engaged in known criminality that they may or may not be disclosing in their 10-Ks or in the world where we have reporting requirements for security incidents which we do right so you have a stronger case you have the wind at your back
around ensuring that the disclosures happen so what you are in this world where say and you know you can have an association without a whistleblowing Duty right but if you wanted to have a whistleblowing Duty what you could say is hey you know if you get to say in your SEC filings that you have hired someone who has a duty to whistleblow wow that's really trustworthy that's creating the impression to the market that you really care about safety about technology safety because you are willing to take feedback constructively from someone inside who's going to push you to do better and so the organization holds its members to those high standards of doing better then the
professional members hold their employers to doing better and there's a mutual reputational win there so you start with a handful of companies that may be friendlies to this organization and to this community who might be willing to help set that bar and advertise it push it into the public I mean I think especially if you're talking about uh scenarios where physical harm is likely if you get to say to the public We Care by putting our money where our mouth is our chief technology safety officer has your back is taking care of you there's a marketing win there arguably and it's something that uh if nothing else uh a
general counsel would say that is a really good fact for the organization in case of an event that there was someone who was professionally held to a higher standard of care who was doing their job well who was watching things and who didn't catch whatever it was um but look they're trying they even had an extra level of demonstrable uh Personnel that had Authority so what I've heard from CISOs since time immemorial is that they have the title but they can't actually do much because they're not listened to inside the organization right so this kind of a role would be not limited in those ways this would be by design a role that is a
peer and by having this kind of a role exist you get to change the power relationship inside the organization away from let's spend all our extra money on marketing to hey how about that Tech debt that's going to inevitably really hurt someone are we doing that because we have this consentire over here that says that we should be doing that are we really doing that because you know I know there's this squabble over here between this department and this department there's something that's falling through the cracks here so to be able to have that kind of a structure I think there's something that could be added but that's up to you okay uh next is Dean
one of the speakers from yesterday uh who I believe has some bling on his ring finger no a pinky finger so you are a professional yeah all right so can you give us a glimpse into a non-hacker example I don't know about that um so as a professional engineer licensed in uh 25 States um which presents its own set of problems um there's a couple of things to think about and a certified um automation professional which is a member Society certification not a legal certification um there's a lot of nuances to all the words that she's using so you got to kind of watch these things um the legal terms of Duty to
care means very specific things in legal Frameworks um and then we also have this Engineers ring um formed from an accident in uh Canada where a bridge collapsed because the designers weren't qualified I'd like you to think about this from a different perspective though it's easy to throw up roadblocks and say you know this is a terrible idea and this is never going to work for us and it's only going to hurt us um that's human nature is to find the negative the positives in something like this is it protects the profession right and it weeds the Bad actors out um and yes there's going to
be some Financial things that are going to have to be dealt with but it's also going to provide you you know I don't know if anybody in your is there practitioners insurance for hackers has anybody even tried but you could create some exactly so you know for a lot of the work that I do I call the insurance company and say hey I'm about to do this job and they're like eh but when I call my professional society and say hey I need coverage for this they're like oh yeah is it this or this or this fill out this form here's your coverage um so those are things that you know even Sick Codes yesterday talking
about not getting not willing to sign off on a disclosure and John Deere want and stuff and back and forth a lot of that stuff the legalities of a lot of the stuff just simply vanish because you are first you're going to go through a certification process to become a legal entity and go through the licensing process it's going to take a lot of time uh I would also encourage you to do that at the federal level not at the state level because then you're going to end up with 50 very different programs and right now I spend about $10,000 a year maintaining only 25 licenses and probably about a total of a week's worth
of time in all just to fill out an entirely different form that asks all the same information across 25 different states um but to your point in order for me to practice Engineering in a state that I have a project in that I'm going to get revenue from a client that's based in that state I have to be licensed I have a duty to the public to protect the public first the client is like third down in that list the public is first that's part of what the ring is about is to remind me of that um not that I need it I just but you know everything that we're talking about today is this is
this is CR um what I kind of some of the stuff Josh and I were talking about was like how do you get organized how do you get real basically um to where you are respected and you're coming out of the Shadows um which is I don't know if you've ever done the marketing research to determine you know what does the public think of a hacker it's probably not good but it's getting better and this would be a way to help that uh we have the same problem in the automation profession we did a big multi-year study and we found out two things um the
good was nobody knew or the public didn't have a bad rep uh they didn't think badly of us they didn't but the bad was they didn't know what the hell we did um and how we benefit Society so anyway I bet you'd get really positive reviews on Market testing technology safety
officer yeah so I think part of what's challenging with some of the default uh framings of roles in this industry is that they're just a little weird sounding to people who aren't insiders so translating The Insider knowledge in language your point's very well taken to connect with what starts as um a communication bridge to in instilling confidence and in Shifting the default of distrust toward a default of trust knowing that there's a safety net of professional promises okay I think the next one's in the back we have one over here too I don't know if there's a mic on that side I'll be super quick all right so uh I
really like the analogy with the Medical Specialties uh it was a very long time coming from the medical space and there had to be a very deliberate over 50-year effort that involved many different levels so people were calling themselves doctors and maybe they learned from this person it was very much the apprenticeship model it was all that um and then we went to like medical schools and then we had to accredit medical schools and say these are the standards you have to teach we want to make that national standards and then only certain spots you couldn't make some Rogue school because if you went to that med school uh you couldn't get a
job or medical license at the state level so there was the state regulation of that and then even further than that say you just had a license you had to meet all these standards you still had to go and get a medical specialty from a board organization right if you got your medical degree and you want to go practice at a community hospital in a city if you don't have a medical specialty you can't so then there were all these organizations that would come up um that had very high standards the federal government was subsidizing medical student education and graduate student education so it was like an alignment of not just the practitioners but the only reason why your brain
surgeon has to go through 20 years of school and three different certifications and maintain certification every single year is because the states agreed to regulate it the federal government agreed to subsidize it and the most important thing at the end is that insurance companies wouldn't pay for care unless you had someone doing it at that standard so that alignment took 60 years and without it any one of those things if it didn't happen we wouldn't have that so I just would say and then the last thing I would say is it's like scale right we train out a ton of doctors we need a lot of medical professionals to do that work it is a
it's an issue almost like a chicken or egg thing right to get to the uh momentum that you would need for a certification like this to be widely accepted standardized um a requirement you'd have to have a lot of them and that's going to be a problem as you gain momentum they can do that at scale for the national healthcare system but uh you know how many of these professionals do we need do we need one in every company do we need one in every large company until we could figure out like how many folks could actually step into that role it'll be really hard to push the standards high
if you're only doing this for a handful of folks no that's fair enough and I mean for the idea of the chief technology safety officers I can probably name 20 people off the top of my head that I think would make great technology safety officers you know the OG people who've been doing this as long as I have are all a little tired all a little disgruntled and they want to have an impact on a broader scale or some people have you know flipped their company and they're looking for their next act and maybe they want to just go in and do some policy hacking inside companies by encouraging people to do the right things and they can just
walk away if they feel like it but in the meantime maybe they can make the world a little bit better so you know not all doctors are brain surgeons and estheticians are not brain surgeons that's a different level and structure and so it's not necessarily the medical profession structures that work here so the goal is to think about the various different structures and that's kind of why I offered this whole list they all hit different inflection points on each of these different metrics some metrics may not apply some metrics May apply only to certain subspecialties but if you're holding yourself out as hyper-skilled in a high impact high mass uh harm event scenario
circumstance I would hope that much like the brain surgeon you would have Baseline Plus in context now just that context so I don't want to go to a brain surgeon for my whatever Podiatry needs I might have and So Different Strokes different organizations it's all good Let It Bloom um but I think doing nothing is not the right course of action that's my big Point doing nothing we've done nothing for 25 years here uh or very little in the way of organization other than in particular this effort of like-minded folks which is very important but I mean in terms of formalizing normie-facing formalization of um more traditional models of uh self-organization there's a power in it that has not yet been fully
harnessed and so having the same degree of I shouldn't say nothing that's I don't mean to be harsh so having the same degree of variability in quality for certain high-risk situations that is not a good path forward as the world becomes increasingly interdependent on uh inadequately resilient inadequately backed up fragile technology ecosystems with lots of tech debt so that's my plea yeah so um some thoughts here um and a question for you that I'm very curious about um so several months ago I had a surgery that was pretty complex took three months to recover still recovering and um in that surgery board certified surgeon with an anesthesiologist and all that we used a robot I have no idea how
good the software quality of that robot was I have no idea if there's any certifications involved in the software that went into that robot the results for me were good but I could see at some point this robot was just doing very complex internal surgery on my pelvic area one bite of C kind of thing and bad results would be there the thing there is that um I feel like every society that we talk about was founded in blood you know the statement is you know every regulation from building on up has been founded in blood and what I'm very curious about is at what point do you see Society coming along in saying we
are going to impose a requirement of a professional certification or a professional um organization on this industry and they better figure their out and the other thing I'd also bring in too is so their imposition of a standard of care and you better figure your out otherwise you can't hold this office whatever that office may be and the second thing is um people probably aren't aware of the role of the UN in things and I don't know if you are aware of UN resolution 155 but for those of you who aren't um it is um uniform Provisions concerning the approval of vehicles with regards to cyber security and cyber security Management Systems I work for an
automobile company and that is one of our big things coming up there's a bunch of other regulations that California for example has put in place regarding labeling of batteries that it's like if we don't get our together governments are more than happy to impose their on our and I'm wondering like I don't know if you mentioned the UN stuff are you aware of the UN stuff there's a lot of stuff to be aware of but I'm wondering if you could talk about the you know the imposition of Standards because too much blood has been spilled no so your Point's well taken so one of the reasons why I think we are missing a regulator is precisely for international
harmonization issues so what I've heard from folks who have uh been at the table negotiating with our peer OECD countries is that um we are not necessarily parallel in who we're sending into those negotiations and those conversations we pick an agency that is something plus Tech rather than a technology Minister a technology focused decision maker policy lead who has visibility across the economy who sees how the pieces fit together and that puts us at a disadvantage the US uh For Better or Worse has not been always great about uniformly adopting UN resolutions uh but European markets certainly are more proactive about that and so some of this ends up being a market entry limiting variable that
could work as a good nudge toward positive improvements um and the way that we craft our policy should hopefully be aligned with those directions so that as we move in uh greater Public Safety um standard uh preservation uh toward say a higher standard in Europe that we have that Runway rather than unwinding conflicts in various different um agencies' uh framing of issues so unified framing on the federal level around all of Technology safety I think would be incredibly helpful precisely to more readily engage with International policymaking efforts to open more markets more simply for US companies toward their entry with technology products um and to make foreign purchasers more comfortable with US products to be able to say hey it's
functionally interchangeable in safety with your German products for example which to my eye and again not an automotive engineer by any stretch to my eye I think I drive a German car I trust German automation with my life um time check uh we are nearing the T-minus 15 minute Mark and I'd like to leave a couple minutes to wrap up um so in the spirit of we don't always have as much time as we want Christian just pointed out it took 60 years we set this two-day track that we have two and a half years to at least make ourselves visible to people who need help that we are the helpful so to impress how much time we might need
versus how much time we might have I'd encourage can we try to do like a speed round of uh get more questions in as we head over to lunch I know Ray's next but uh can people try to do or do you want a batch of questions that you can we should probably do a batch but I do want to tell one quick story on the point of Medical professionalization in the case of medical standards there were also riots that happened where literally Alexander Hamilton was holding the door of Columbia's medical school over cadavers being dug up and used and there are state laws on the point of cadaver use so there were multiple
different context variables that were in play and some of them are arguably constraining and some of them are arguably facilitating because if you can create formal Pathways then it might actually solve some problems like the angry mob at the of the medical school over the cadaver problem so you've got a list up here all my degrees are in engineering so I got my EIT ring that I don't wear because I don't work that way and I did pharmaceutical R&D for a bunch of years so I'm familiar with the idea of Licensing and when I started doing cyber security I was amazed because you know people can die so you've got 20 um areas
where there is some sort of Licensing or certification when you look at information security where are we in the life cycle once we've diagnosed that we have an illness how long is it going to take us to recover to the point of other I think it depends on which model you want to use well like he said took 60 years foric only 25 years of doing I think that is the most complex model possible and for some aspects of security it may be the best fit but I think there are other aspects of security that don't require the 60-year cycle I think there can be a much quicker turnaround with using some of these models it just depends on how
which points you have shared interest on in implementing and that's a question oh yeah I was thinking like well I mean I don't know if so I may regret this later if 10 of you send over a shared list of values we could probably get something up and running in six months but um you know there's the Throwdown for you there's the challenge I'll help I mean I do have law students that would potentially be helpful hopefully at least you know but it depends entirely on how sophisticated you want to set the Frameworks what the governance structure is how you want to run it and these are a lot of policy decisions that will be a fit for certain
contexts and not a fit for other contexts so lots of moving pieces so I'm just trying to offer as many moving pieces as I can think of to feed the discussion Christian did you have another oh yeah thought about I know sorry I know it's incredibly complex and I'm not going back to this to say that it's always going to be compared to something like a medical specialty but a lot of the competencies that folks have to do to get certified in a specialty are very objective it's do 25 gallbladder surgeries with another doctor and they watch you and they tell you when you suck and when you don't and then at the end if you've done
25 that's one of the 160 things you have to do to become a board certified surgeon right so one of the things that might be a challenge in this is like the curriculum but the standardization and how much variance there is right like what would the competency be for something like that had you blown the whistle before and can you write a good whistleblowing report like how do you communicate to the C-suite this catastrophic Tech debt like were you good at that bad at that or mediocre at it we'll give you a C at communicating to the C-suite it's hard when you talk about like Competency Based assessments that are objective but
let me flip that that's what the organization's for hey members here's a good form letter to communicate the existence of crippling Tech debt that will cause bad things to happen hey membership here's how you whistleblow here's the reference to an attorney that we have hired to work with you to protect your interests throughout your whistleblower process hey membership here's the insurance provider who's giving our members discounted rates and so the models don't have to be such a trial by fire as they are in law or in medicine I mean I'm still blocking out parts of my bar exam because it was that stressful I remember walking in I remember having unkind
thoughts about someone who was jiggling their leg down the table I'm still mad at that person it was very upsetting and then I remember walking out so but that's a trial by fire thing but like EMTs it's a different model and so the skills are slightly different and I'm still digging into this history but from what I know of the history it was working with a smaller set of skills in particular to help economically Empower people who wanted to be productive and didn't necessarily see that pathway and it was the work of a very small number of people one doctor in particular who was transformative in that way and wrote the curriculum Etc so I think doctor EMT
maybe different pieces of security require peering with different kinds of models yeah so as I understand it you know the goal is to make things better safer and the organization Guild model essentially is a proactive one where you say you know these are the expectations uh that we have you have the carrot the stick you indemnify the people who um satisfy the expectations you punish those who don't and the difficulty of course as you alluded to is identifying those expectations and that is the absolutely most uh difficult part of this and it's where we aren't right now we aren't even able to do reactive well proactive is almost impossible but uh I think that expecting a small
group to uh organically form those expectations is probably not uh going to happen and perhaps a supported effort to develop those expectations is more what we really need okay challenge accepted I'll uh I'll offer I'll think about that and offer some Avenues if people would like guided round tables Etc I'd be happy to help facilitate that and even feed you thank you for the talk um one thing that I am curious about is your perspective on how this role would interact with like the chief risk officer for an organization because most organizations of the size who would have or be interested in this kind of role have um a chief risk officer and so how
is this role differentiated from it and how would it interact with that role so that's a good question I think Chief risk officer ends up being somewhat idiosyncratically defined across organizations and so it may be a uh context specific determination maybe the chief risk officer gets who joins this group and gets certified as this too and it becomes a hybrid role that is elevated to have enough clout to be able to do that the question that I would have is would the chief risk officer have the ability to functionally identify those cross cutting gaps in internal controls and to say you know request or require stopping shipment of unsafe code so companies vary on that
even General counsels can't necessarily stop the shipment of unsafe code in a lot of places and that's been something that's gone back and forth even in some of the biggest tech companies and there there's also been reversals around whether the security team can shop can stop shipment of unsafe code and some of the biggest tech companies um this is a position that in my mind would have that level of authority to say if we do this this will end badly no we we should not do this um depends on how we build it so so I'm I've I spent a lot of my career in so standards land and so I really really loved a lot of what you
said here um one of my concerns that I'm curious what you think the solution is though is where there's a a big difference in resource availability between the the the I guess private sector and whoever is developing the standards be it government standards organizations or these other organizations you run the risk of I'm can't think the right word except for regulatory capture but the equivalent of regulatory capture do you have any thoughts for where you've got this big asymmetry in resources how to address that particular problem I think that the starting point is a bottom-up effort of like-minded professionals who get together and say we all acknowledge there's problem here we've all been frustrated in the way these problems
have been resolved there are from my perspective there are standards that are good a good idea even you know basic ISO standards around say vulnerability intake and management that if companies did them would facilitate the process a lot and other development process standards Etc they're just not being implemented so maybe the question around um adherence to a shared list of recognized standards in the organization as being the bare minimum of what safer uh product design shipment looks like that's one thing that the organization could could do but I think it's going to be a bottom-up thing um since I've already committed I'm happy to facilitate that with a series of roundtables and I don't do anything
without food so I'll feed you all you just have to come up with the standards and then I'll ask annoying questions because that's what I do um so I I think some of this will organically crystallize as the the areas to fight it out and you know a neutral Arbiter can call the balls and strikes or whatever metaphor you want to use on asking the right questions to have people meet in the middle and create that that code and then you know you've got a Little Seedling organization that will either grow or won't grow but you at least are marketing I should say marketing are informing a creating a public facing document of what your
values are and what where kind of the stake and the ground is on what you subscribe to all right I'm going to give the last I saw three hands that have not spoken I'm going to give them 30 seconds each after all three just answer whatever you can and then I'll wrap us up okay so I I haven't asked for you and those that might create such a Professional Organization to consider and include a role for those of us who have been practitioners for a long time and are now at a point in our life where we are enjoying the future of our labors we are no longer practicing uh but we consider this important enough to expend
our own resources to come to week-long security conferences to maintain our certification and still want to contribute sounds like it might be good panel members for an adjudication body I'm in quality assurance which I like to call security adjacent which means I come to these conferences get the bejesus scared out of me and then go take that back to my engineers and scare the bejesus out of them um I think having a professional code of technical safety will really help us tell people how we want to be treated tell people how to interact with us what they can expect from us um how to what to come to us with um and that's really going to lay the foundation to start
creating these relationships quickly having a professional code like this is a shortcut to trust and that's going to be so important to get adoption and um QA is your allies be nice to us we're here to help hi um one thing I kind of think about uh a parallel historically um that might be worth looking at is the railroad when it was developed um there was a lot of opportunity created kind of like as we techn you know technology progresses but it wasn't pretty when it started and there's had to be a lot of safety regulations it's infrastructure it's supply chain it's just kind of I see I see parallels today like if if you
look back is that it those are my three yes you can you can synthesize yeah uh totally agree with the perils with railroad there was also a lot of financial fraud that happened with the railroads that um they're still in some cases cleaning up a little bit um QA I'm a big fan so I had a fascinating conversation with an ex QA engineer who is now a very high-end chef and what he told me is that his QA skills are what led him to excel in three Michelin star dining situations so the parallels I absolutely see them and I think that the benefit of the safety language is precisely what you said it's a translatable language across
organizations and different communities to build allies who can push together toward a safer public and a better tomorrow uh fun fact Chris I myself bunch of absc people all started in QA um so we agree um because we said this was uncomfortable conversation um I appreciate everyone leaning into this this is the start of it not the end of it and I'm going to make it a little bit harder in a minute here because while she's not coming to speak to this specifically our White House ONCD person helped lead the strategy on workforce expansion so in your left hand we're talking about how do we make sure we separate the wheat from the chaff and the more trustworthy
and how do we identify ourselves in a 2 and 1/2 year period to be useful to our communities Under Fire and disruption which might narrow the field and in my right hand we have so many unfilled jobs and the White House is currently looking for reducing barriers to entry and reducing college degree requirements I don't think these are inconsistent and incompatible but it's going to be hard so it's possible we could bleed some of this conversation over into how the White House is using their white their Workforce Development strategy but this is the time for the hard stuff guys uh we when you all all you do is look for the low hanging fruit and the easy stuff you know what's left
they're really really hard stuff so we're in the hard stuff adulting place and I appreciate you stirring the the pot here the pot a little bit and and I'll stir the pot a little bit more think about how much you want to keep it in the community in terms of this first steps of building versus engaging with the policy makers externally on this I I would my instinct is that maybe May and I'm happy to help maybe the first cut in an organized way on this stays in community fail small I do think they I can see I don't know if any of you saw this but I felt like there was some concentric Rings
here where the maybe the most Atomic nugget could be some shared values and then maybe some stratification and just a give credit where credit's due before we launched I Am The Cavalry at BSides August 1st 2013 one of our early collaborators in addition to Andrea was Tim kbec in Florida and he wanted to make a union like a blue-collar union and trades and apprenticeship program for pen testing and things like that so there could be concentric Rings there could be stratification don't look for one size fits all just look for things that can create common cause common purpose signal to other stakeholders and could be built upon later um thank you for both your keynote
this morning and running this difficult conversation and we'll keep it going and I hope everyone has a nice lunch and comes back for White House and myself on the next session do you want the last word stickers there are stickers with bears on them please [Applause]