
IATC - The Hip Hacker's Guide to Policy

BSides Las Vegas | 56:49 | 27 views | Published 2022-09
About this talk
IATC - The Hip Hacker's Guide to Policy - Leonard Bailey, Jack Cable, Jen Ellis I Am The Cavalry @ 17:00 - 17:55 BSidesLV 2022 - Lucky 13 - 08/09/2022

So the next session is going to be the Hip Hacker's Guide to Policy. I think I got that. Yep, the Hip Hacker's Guide to Policy. If you're not hip, if you could just leave... Yeah, yeah, yeah, there's a couple.

So just before we get started, I'd like to thank our sponsors here at BSides, who have made this all possible. So where is my sponsors field? We especially want to thank our Diamond sponsors, LastPass, Palo Alto Networks, and also our gold sponsors, Amazon, Flex Track, New Vision, Google, etc. So we'd like to thank them for their support; without them these conferences, these events, aren't made possible. So moving on, getting into the next one, I'm going to hand over to Josh, who's going to conclude with the introductions for this session. So thank you, Josh.

All right, home stretch. Excellent first day. We usually try to do a policy refresh of, like, what were the wins, what's the pending legislation, or what's the attitude towards hackers. We kind of had some interruptions over this thing from COVID or whatnot, so the bad news is we haven't had an update in a while. The good news is a lot of really important stuff happened, including passing the law, including, you're going to hear from, prosecutorial discretion for good-faith research. So we want to have that... no spoilers, spoilers. But I mentioned this morning, and this is a perfect example of why to do it, I mentioned this morning that if you watch the Cavalry launch nine years ago, and it's on video, one of the things you have to do is put yourself back in a nine-year-old period. Edward Snowden just happened; distrust between government and hackers had never been higher. We had seen some cyber-physical systems hacks and stunt hacking on certain things, but we didn't really have any trust built, and one of the deep concerns that Nick Percoco, our co-founder, had was that we're going to see increased criminalization of good-faith security research, and that was a very possible future. And don't just get an update of what's happened the last two years; it's stunning to see the plan that we had in place nine years ago and how it is actually matriculating, and now how much embrace we have seen. So we have three amazing panelists here, and they will introduce themselves because they are funnier than I am. But look at this not only as a milestone for what's happened over the last two years and where things are going, but just think how far we've come in nine years, and think how much further we could go if we double down. All right, so let's welcome our panel.

Thank you very much. And just as a little public service announcement before we get into this one... are you good? Can you hear me okay? I don't know what that means. So in one of the earlier sessions people were talking about ransomware a whole bunch. For those that are going to be at DEF CON, and I do know it's a party foul to mention another conference when you're at one, but there will be a session in the policy department on government responses to ransomware. It's a two-hour discussion; it will involve the UK, the US and Australian governments, and they want to hear from you guys. So if you have ideas on things that are not being done that should be being done, or you want to hear what the stuff is that they're already doing, that session will be on Saturday from four to six in the policy section at DEF CON. And I apologize sincerely to all of the lovely BSides people that I've referenced... everyone. But it is an opportunity to speak with the government attendees on that topic. But that's not what we're here for today.

So, yeah, we're going to do a "what's happening in policy land", and there are three sort of things that we really wanted to cover, which is, like, how does it all work? How does policy work? What are the different parts of the government doing? How do they work together, all of that kind of stuff. How can you guys get involved, how can you help influence it and create positive outcomes? And then what's the stuff that's actually happening, what's the status quo with things, that kind of thing. To get, like, a bit of a level set and make sure that we're using our time wisely and in the right areas that are going to interest you: how many people in the room feel that they're pretty sort of up to date and cognizant on, like, how the process works, and, like, you know, how's the sausage made, what does policy look like and all that kind of stuff? Who's brave enough to say that they think that they are? All right, so it seems like we can probably spend a bit of time on that, and some others will find that useful. Awesome. Thank you for playing.

Okay, so I'm Jen Ellis. I am Rapid7's VP of Community and Public Affairs, a title that no one knows what it means, myself included, and I work a lot with governments around the world on how do you advance security for everybody, right? How do you create societal change? That is what I do. It's my accent, and also that I don't know how to use microphones. Okay, I'm just going to awkwardly lean forward. Yeah, so it's funny actually, because normally I'm told there are people who can hear me in the UK without a microphone when I'm in the US. So, yeah, so we're going to talk about how policy works, how you guys can get involved and what's going on in policy land.

You know, Josh mentioned nine years ago when the Cavalry started, and funnily enough nine years ago Josh and I were at DerbyCon, and we sat down and just went: "I'm starting this thing. I'm really worried about the intersection of physical and virtual and the potential for it to create harm. I'm starting this thing." And I was like, "I'm starting this thing. I'm really worried about the legal impact for security research and the chilling effect." And we looked at each other and we were like, "Are we starting the same thing at the same time? What is that?" And then we realized they were super complementary, not the same, just super, super complementary. So we ended up kind of on the Hill going and talking to policymakers, and, like, I would reference his work, and I would reference the Cavalry in my briefings on security research, because, you know, it was a great opportunity to talk about the importance of security research when you can say, "And researchers are these great protectors who want to, like, you know, save the world and protect people from that intersection of", I'm going to use a Josh Cormanism, "where bits and bytes meet flesh and blood." And so I was able to hook him up, and, you know, I'm going to just give him the benefit of the doubt that he did the same for me. Okay, so that's a little bit about me. I'm now going to hand off to Jack and Leonard to introduce themselves.

Sounds like I'm being volunteered to go first. So I'm Jack Cable. I am a security researcher, which is what we call hackers when we're talking to policymakers to make them less scared of hackers. So if you haven't caught on yet, that is a good tactic to make people think you aren't, like, this scary figure in a hoodie, even though you are. So I have worked in a number of government agencies, including CISA, the US Cybersecurity and Infrastructure Security Agency, on election security; the Department of Defense, working on their Hack the Pentagon program, which was bringing in hackers to help secure the US government through bug bounty programs; and most recently doing a fellowship in the Senate. So kind of spanning both the executive branch and legislative branch, and looking forward to our conversation today.

And good afternoon, I'm Leonard Bailey. I am a special counsel for national security and head of the Cybersecurity Unit, which is what I call myself to make sure I don't scare hackers. I'm also, I guess, a prosecutor, federally. I've been at the department for 31...

The search gave you away. I know, I know. I guess I said to Jen I tried to make Spot the Fed as simple as possible. So, yeah, I've been working this area for about 20 years, and I've been in the department in a lot of different capacities. I will say that that conversation about chilling security research, what happened there was, now I think it was 2014, Jen and some colleagues came to my office, the Computer Crime and Intellectual Property Section, and basically said, "Your ways are strange to us, but they're chilling research." And the chief of my section heard that, and he said, "We don't want to do that. We think there's legitimacy to having people who are trying to solve the problem on the playing field." And so we embarked on what has been a multi-year effort, and we'll go over, I think, you know, some of the high points over that time, to figure out how we could better message what we try to do, which is actually try to go after people who are trying to victimize others rather than, you know, at worst, people who are trying to do the right thing in the wrong way.

And so, just to add to that story: so that meeting happened towards the end of June, and during the course of the meeting, when they didn't instantly throw us out and tell us that we were idiots, we said, "Hey, if this is a thing you're interested in learning more about, there's this thing happening in Vegas in a few weeks. You guys should come out. We'll introduce you to some people; you can hear about it firsthand from researchers." And they looked at us and they were like, "Vegas? We're the Department of Justice. And you said weeks?" And then a month later, in August, a month later, I get an email from Leonard saying, "I've booked flights and a hotel. Can we still do this?" And it was the first time you came out to hacker summer camp, right? And he has been here every year since. That's nine years, even the last two years, not there. And he has spoken every year since, because he has made a huge effort to basically try and build a bridge between his community and our community, and I think Jack does the same thing from the opposite side, as a researcher working in government; he's building that same bridge. And I just think these touch points, these sort of entry points, and these points where we create this two-way dialogue, are super, super, super valuable and important. So I think these two people being on stage is just incredibly important, and I would actually like it if you would give them a round of applause for the work that they do. Thank you. It's deserved, it's deserved.

All right, now we'll get to substance stuff, now that we've done the cheesy moment. So you were going to do, I think, like, a little bit of a "how does it all work together"?

Yes. So I'm sorry, I'm going to get a little Schoolhouse Rock on you for a moment. So I want to talk a little bit about how the government works, and I imagine a lot of you are familiar with the government, but the last few years has, for me at least, suggested that maybe not everyone really understands how the government works. And so I wanted to just sort of break things out, just for a couple of minutes. And how many of you are lawyers? I'm a Juris freaking Doctor, does that matter? Does that... okay, only a couple. Good, okay.

So very quickly, obviously we have the three branches: we have Congress, we have the executive branch, and you have the judicial branch. You know, Congress makes the rules; they pass the laws that tell others what to do. So, for example, the government can only do what it is authorized to do, so we have to look for some statute or some authorization in the Constitution to do whatever we want to do. We don't just get to do what we want; we have to have it moored in some statute or some authority in the Constitution. So the executive branch, not surprisingly, executes the law, right? So we do what Congress tells us, what they authorize us to do. And then, though, there's this one little space where we kind of get to make law. Generally the executive branch does not make law, but in discrete areas Congress is able to say, "Hey, look, there's this issue, it's complicated. We're going to give you the guardrails on what we want you to do, but you fill in the rest of it." And that's essentially what the regulatory authority of different agencies is. So you have, like, the FTC, right, the Federal Trade Commission, or the FCC, or the FCC, or independent agencies where Congress has said, "Okay, you deal with publicly traded organizations and you come up with guidelines. That's your mission. Go." And that agency is able to make up rules that guide that, and they have a rulemaking process where they have public comment. You know, they invite people to comment on the rule they're promulgating, and then they take that in and they produce a rule. And then sometimes people say, "Wait, you're now exercising too much authority; that's past what Congress said was okay." And so you may have a judiciary step in, which is not supposed to make law, but it's supposed to interpret whether the law is being faithfully applied. So they're supposed to essentially say, "Wait, you've overstepped your bounds, and you will have to stop that." Now, this is an elaborate Rube Goldberg device that is not built for efficiency or speed, right? The whole purpose of this is to make sure that there's no institution or individual who has so much power that they can essentially assert tyrannical rule over other parties in the system. So this is the way the sort of checks and balances work. It's messy, it's messy, but there are opportunities in each of these channels to have some policy impact, and we're going to be able to talk a bit about that now. But I just want to lay out these different areas.

Yeah, and I think, you know, you talked about how Congress can set boundaries or guardrails and then there can be an ongoing role, but that also happens on a project basis sometimes, right? So, like, we saw that with something like the IoT Cybersecurity Improvement Act, right? Congress passed the law and said, "But NIST is going to figure out the details." And we just saw it recently with CIRCIA, right? Same thing; this is incident reporting, where Congress said, "Hey, we need to have incident reporting, and it's, like, super important. Let's pass a law on it, and then let's give CISA three and a half years to figure out the details." Which I'm sure they are working on super urgently. Yeah, perfect. So it happens on, like, for regulatory agencies it happens on an ongoing basis, but then you also see it happening on a sort of ad hoc project basis, very much sort of hand in hand with the law-passing process. And it's important to understand those two halves, because you can influence them on either side of the law passing, potentially, if that makes sense. Okay. Anything else on how it... does anyone have any questions on how these parts work together before we move on? Okay, all right.

So we talked about, like, all the different pieces. I mean, I'll ask you, Jack: let's talk a little bit about how people get involved. How do you work with these different parts? Like I just said, you can work on either side of the law being passed. What does that look like?

Yes, so, and I think a starting point for this, and of course I'll start with Congress, again, a little executive branch, I'm sure Leonard can go into that more. But in terms of kind of thinking through, and, yeah, it goes back to the Schoolhouse Rock, I'll spare you the singing of it, but essentially how a bill works its way through Congress. But even broader than that, just the different tools in the toolkit coming from Congress. And, kind of, yeah, we're all familiar with bills setting law, but beyond that Congress has oversight functions, where it can do stuff: it can hold hearings, it can write letters, it can ask hard questions. That's not setting law but still kind of keeping the executive branch in check. So that's one area where, kind of, when you're thinking of, okay, how should this policy problem be tackled, I would encourage you to think broader than just, say, kind of, would a bill solve this, but maybe is it due to something not working as well as it should be in the executive branch? Is it maybe something outside in the private sector that some more attention could be brought to? But kind of the different tools in the toolkit when it comes to, kind of, making policy.

And then specifically with bills, and kind of how to get involved, I think one area that at least wasn't clear to me before I came into Congress was the importance of committees, where Congress divides itself up into different committees which handle different jurisdictions. There's, for instance, the Armed Services Committee, which handles all matters related to defense; the Foreign Relations Committee handles matters related to foreign affairs. And in order for a bill to move that relates to one of these jurisdictions, it must get cleared by that committee. So that means that especially the chair, the head of the committee, and the ranking member, which is the top congressperson of the minority party, have a lot of influence in not only determining what bills get in or what bills don't move forward, but also, say, what's in those bills. So I think being able to kind of identify these, say, when we're talking about cybersecurity policy, the committees that are especially relevant: a lot of those are, for instance, the Homeland Security committees in the House and the Senate, the House Oversight Committee, the Commerce committees when you're thinking of, say, NIST or NTIA, and then the Armed Services Committee as well for kind of some of the... and Intelligence committees for some of the more kind of intelligence community aspects of cybersecurity. So identifying kind of who the, say, staffers are there is one way to be able to influence more than, say, talking to a member who might not be on the relevant committee, and that's where a lot of kind of the relevant subject matter expertise lies as well, on committees. So that's the Congress view. I'll let, yeah, Leonard get in.

Just, should we do that? Just a quick show of hands: how many people here have ever reached out to a member of Congress about a policy issue? Okay. And who did that by email? Who phoned? Okay, interesting. Sorry, but how do you get the face-to-face? Did you meet them somewhere? Over there, okay. Hey, I mean, honestly, that's the stuff of the people that get things done, and everyone starts somewhere. Okay, and of the people who put their hands up, how many of those were committee staff rather than your local representative? So the people who have talked to Congress, how much of it was committee staff? So who went to committees, committee members or committee staff, as opposed to going to your local representative? Okay, all right, interesting. Thank you. Yep, okay.

Well, so in the executive branch, it's a little complicated. There's no simple answer, and part of the reason I wanted to break out that regulatory agency issue is because, you know, those are agencies that have a ready-made process for people to get involved, right? So they do a notice that they're going to be rulemaking and solicit comment, and those comments actually truly matter. In talking to regulatory agencies, it's not a question of numbers, because it's not really, it's not about voting; it's about the sophistication and accuracy and rigor of the comment, and people with technical understanding of the way in which a law might impact a community or an issue actually have a louder voice when people review the comments. You know, obviously, you know, 100 people saying "this law sucks" or "this rule sucks", you know, it's not going to be as effective as someone who can dissect the rule, you know, in a very exacting way and explain why it's a problem. And so, in that way, I would say that people in this room, in sort of a rulemaking process, may have a louder voice in some ways than oth