News

8/9/2016
03:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Why Hackers Are Getting 'All Political' This Election Year

Jeff Moss, aka 'The Dark Tangent,' explains why the 2016 Presidential election is a turning point for security and politics -- and why he headlined a Clinton fundraiser last week in Vegas.

DEF CON 24 —Las Vegas—The traditionally apolitical white-hat hacker community over the next few months will launch at least two and possibly three nonprofits to address front-and-center government cybersecurity policies likely to land on the desk of the next US President.

Jeff Moss, founder of Black Hat and DEF CON, in an interview here last weekend, said discussions have been under way for forming official groups to tackle some of the key policy topics facing the security industry, including an update to the Computer Fraud and Abuse Act (CFAA), The Wassenaar Arrangement, the battle over encryption and privacy, and public safety and security of Internet of Things things.

“You’re going to see two to three different [nonprofit] groups of hackers in the next six months” emerge, he said in an interview with Dark Reading.

Moss raised some eyebrows in the security community last week in Las Vegas after headlining a Hillary Clinton fundraiser event held there the same week as Black Hat USA and DEF CON 24. The fundraiser was mistaken by some press outlets and observers as part of Black Hat USA, which it was not. “It was totally not a Black Hat event,” Moss said.

His ultimate endorsement of Clinton also raised the ire of some in the security community. Clinton’s private email server controversy and possible exposure of the system to hackers sparked plenty of criticism from the security industry.

Moss’s participation as a featured speaker at the event marked what he says is an “exceptional year” in politics.

“We’re becoming all political this year—that’s the difference,” he said. “If you had two candidates that were very similar, this probably wouldn’t happen … Because Trump is just an unpredictable character and we really don’t know what his views are in information security and privacy, there’s a sort of fear of the unknown.”

This isn’t the first time security and policy have intersected. Groups such as the Electronic Frontier Foundation (EFF), the grassroots I Am The Cavalry group, and the recently formed Coalition for Cybersecurity Policy and Law -- a vendor group founded by Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec -- have focused on educating and working with policymakers on security legislation and regulation.

I Am The Cavalry was formed three years ago at DEF CON to bridge the massive gap between the security research community and the consumer products sector, and is best known for its five-star cyber safety program it proposed to automobile manufacturer CEOs that year. The group in January of this year proposed a similar best practices credo for medical device manufacturers in the wake of the Food & Drug Administration’s draft guidelines for securing medical devices.

Why He’s With Her

Moss says he’s backing Clinton because her record indicates interest in formulating cybersecurity policies, pointing to a speech she made while Secretary of State when she said the State Department would help provide online access and freedoms to dissidents and others in countries with oppressive regimes. He also noted that Secretary of State Clinton had elaborated on the administration’s national strategy for cybersecurity.

“I’m an independent and try to look at all of the information out there,” Moss said.

Meantime, Moss said his main concern is that whoever becomes the next President could have the most influence ever on the direction of cybersecurity policies. Take the encryption debate, which came to a head during the standoff between the FBI and Apple over turning over the San Bernardino shooter’s iPhone. “There are competing public interests there” with the encryption debate, he said. “And when there are competing public interests, the government is usually the arbiter. It’s going to have to get mediated somehow.”

Then there’s the Internet of Things, especially when it comes to consumer products and public safety. “The concept of consent in a hyper-connected world needs to be” defined, he said. Would a consumer be liable if his Samsung TV became part of a botnet? “A lot is going to boil over…with autonomous cars,” for example, he said.

“If an Internet toaster bursts into flames and burns down a house, you’re going to start seeing liability” as a major issue, Moss said.

Add to that the already evolving policy stance on nation-state hacking:  the Obama administration’s no-hack pact for economic gain with China was historic, and later spread to other nations such as the UK, he noted.

“Are we at the beginning of a sea change in what the international community decides is acceptable behavior? It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior,” Moss said.

Jen Ellis, vice president of community and public affairs for Rapid7, says while she agrees that the security community has reached a turning point when it comes to policy, she doesn’t believe the next President will be the biggest factor. “The community has reached an inflection point … The big macro conditions have changed,” she says. “The stakes have changed—from protecting information to protecting lives,” for example, she says.

But “Presidents come and go. They aren’t the only factor,” Ellis says, noting that neither Clinton nor Trump are campaigning on cybersecurity issues. She doesn’t think either would come with a dramatically different policy approach on security. “When it comes to cybersecurity, the reality is most decisions made come from ... Congressional debate, I would hope,” or if not, the administration.

Moss said he expects to see the Executive Order -- which President Obama instituted on several occasions for cybersecurity policy -- to be the main vehicle in which the next President takes action on cybersecurity.

Security pros can’t just consider politics as “distasteful” anymore and just stay heads down on technology, he said.

“You’re seeing us start to organize. We have to get ready for the policy coming for us,” he said. “If we don’t participate in it, the policy is going to get done to us.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 12:01:56 PM
Re: Cyber security
VPN use is important, but it wouldn't necessarily thwart an attack that comes via a user falling for a phishing email, for instance. 
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/17/2016 | 11:52:22 AM
Cyber security
I heard they are also using new tactics to get into election systems and rig the elections. It sounds real bad but that is why it is important to protect yourself from the perils of data theft by deplying good vpn server like PureVPN to secure your IP. 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.