News

8/9/2016
03:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Why Hackers Are Getting 'All Political' This Election Year

Jeff Moss, aka 'The Dark Tangent,' explains why the 2016 Presidential election is a turning point for security and politics -- and why he headlined a Clinton fundraiser last week in Vegas.

DEF CON 24 —Las Vegas—The traditionally apolitical white-hat hacker community over the next few months will launch at least two and possibly three nonprofits to address front-and-center government cybersecurity policies likely to land on the desk of the next US President.

Jeff Moss, founder of Black Hat and DEF CON, in an interview here last weekend, said discussions have been under way for forming official groups to tackle some of the key policy topics facing the security industry, including an update to the Computer Fraud and Abuse Act (CFAA), The Wassenaar Arrangement, the battle over encryption and privacy, and public safety and security of Internet of Things things.

“You’re going to see two to three different [nonprofit] groups of hackers in the next six months” emerge, he said in an interview with Dark Reading.

Moss raised some eyebrows in the security community last week in Las Vegas after headlining a Hillary Clinton fundraiser event held there the same week as Black Hat USA and DEF CON 24. The fundraiser was mistaken by some press outlets and observers as part of Black Hat USA, which it was not. “It was totally not a Black Hat event,” Moss said.

His ultimate endorsement of Clinton also raised the ire of some in the security community. Clinton’s private email server controversy and possible exposure of the system to hackers sparked plenty of criticism from the security industry.

Moss’s participation as a featured speaker at the event marked what he says is an “exceptional year” in politics.

“We’re becoming all political this year—that’s the difference,” he said. “If you had two candidates that were very similar, this probably wouldn’t happen … Because Trump is just an unpredictable character and we really don’t know what his views are in information security and privacy, there’s a sort of fear of the unknown.”

This isn’t the first time security and policy have intersected. Groups such as the Electronic Frontier Foundation (EFF), the grassroots I Am The Cavalry group, and the recently formed Coalition for Cybersecurity Policy and Law -- a vendor group founded by Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec -- have focused on educating and working with policymakers on security legislation and regulation.

I Am The Cavalry was formed three years ago at DEF CON to bridge the massive gap between the security research community and the consumer products sector, and is best known for its five-star cyber safety program it proposed to automobile manufacturer CEOs that year. The group in January of this year proposed a similar best practices credo for medical device manufacturers in the wake of the Food & Drug Administration’s draft guidelines for securing medical devices.

Why He’s With Her

Moss says he’s backing Clinton because her record indicates interest in formulating cybersecurity policies, pointing to a speech she made while Secretary of State when she said the State Department would help provide online access and freedoms to dissidents and others in countries with oppressive regimes. He also noted that Secretary of State Clinton had elaborated on the administration’s national strategy for cybersecurity.

“I’m an independent and try to look at all of the information out there,” Moss said.

Meantime, Moss said his main concern is that whoever becomes the next President could have the most influence ever on the direction of cybersecurity policies. Take the encryption debate, which came to a head during the standoff between the FBI and Apple over turning over the San Bernardino shooter’s iPhone. “There are competing public interests there” with the encryption debate, he said. “And when there are competing public interests, the government is usually the arbiter. It’s going to have to get mediated somehow.”

Then there’s the Internet of Things, especially when it comes to consumer products and public safety. “The concept of consent in a hyper-connected world needs to be” defined, he said. Would a consumer be liable if his Samsung TV became part of a botnet? “A lot is going to boil over…with autonomous cars,” for example, he said.

“If an Internet toaster bursts into flames and burns down a house, you’re going to start seeing liability” as a major issue, Moss said.

Add to that the already evolving policy stance on nation-state hacking:  the Obama administration’s no-hack pact for economic gain with China was historic, and later spread to other nations such as the UK, he noted.

“Are we at the beginning of a sea change in what the international community decides is acceptable behavior? It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior,” Moss said.

Jen Ellis, vice president of community and public affairs for Rapid7, says while she agrees that the security community has reached a turning point when it comes to policy, she doesn’t believe the next President will be the biggest factor. “The community has reached an inflection point … The big macro conditions have changed,” she says. “The stakes have changed—from protecting information to protecting lives,” for example, she says.

But “Presidents come and go. They aren’t the only factor,” Ellis says, noting that neither Clinton nor Trump are campaigning on cybersecurity issues. She doesn’t think either would come with a dramatically different policy approach on security. “When it comes to cybersecurity, the reality is most decisions made come from ... Congressional debate, I would hope,” or if not, the administration.

Moss said he expects to see the Executive Order -- which President Obama instituted on several occasions for cybersecurity policy -- to be the main vehicle in which the next President takes action on cybersecurity.

Security pros can’t just consider politics as “distasteful” anymore and just stay heads down on technology, he said.

“You’re seeing us start to organize. We have to get ready for the policy coming for us,” he said. “If we don’t participate in it, the policy is going to get done to us.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 12:01:56 PM
Re: Cyber security
VPN use is important, but it wouldn't necessarily thwart an attack that comes via a user falling for a phishing email, for instance. 
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/17/2016 | 11:52:22 AM
Cyber security
I heard they are also using new tactics to get into election systems and rig the elections. It sounds real bad but that is why it is important to protect yourself from the perils of data theft by deplying good vpn server like PureVPN to secure your IP. 
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.