DEF CON 24 — Las Vegas — The traditionally apolitical white-hat hacker community over the next few months will launch at least two and possibly three nonprofits to address front-and-center government cybersecurity policies likely to land on the desk of the next US President.
Jeff Moss, founder of Black Hat and DEF CON, in an interview here last weekend, said discussions have been under way for forming official groups to tackle some of the key policy topics facing the security industry, including an update to the Computer Fraud and Abuse Act (CFAA), the Wassenaar Arrangement, the battle over encryption and privacy, and the public safety and security of the Internet of Things.
“You’re going to see two to three different [nonprofit] groups of hackers in the next six months” emerge, he said in an interview with Dark Reading.
Moss raised some eyebrows in the security community last week in Las Vegas after headlining a Hillary Clinton fundraiser event held there the same week as Black Hat USA and DEF CON 24. The fundraiser was mistaken by some press outlets and observers as part of Black Hat USA, which it was not. “It was totally not a Black Hat event,” Moss said.
His ultimate endorsement of Clinton also raised the ire of some in the security community. Clinton’s private email server controversy and possible exposure of the system to hackers sparked plenty of criticism from the security industry.
Moss’s participation as a featured speaker at the event marked what he says is an “exceptional year” in politics.
“We’re becoming all political this year—that’s the difference,” he said. “If you had two candidates that were very similar, this probably wouldn’t happen … Because Trump is just an unpredictable character and we really don’t know what his views are in information security and privacy, there’s a sort of fear of the unknown.”
This isn’t the first time security and policy have intersected. Groups such as the Electronic Frontier Foundation (EFF), the grassroots I Am The Cavalry group, and the recently formed Coalition for Cybersecurity Policy and Law -- a vendor group founded by Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec -- have focused on educating and working with policymakers on security legislation and regulation.
I Am The Cavalry was formed three years ago at DEF CON to bridge the massive gap between the security research community and the consumer products sector, and is best known for the five-star cyber safety program it proposed to automobile manufacturer CEOs that year. The group in January of this year proposed a similar best practices credo for medical device manufacturers in the wake of the Food & Drug Administration’s draft guidelines for securing medical devices.
Why He’s With Her
Moss says he’s backing Clinton because her record indicates interest in formulating cybersecurity policies, pointing to a speech she made while Secretary of State when she said the State Department would help provide online access and freedoms to dissidents and others in countries with oppressive regimes. He also noted that Secretary of State Clinton had elaborated on the administration’s national strategy for cybersecurity.
“I’m an independent and try to look at all of the information out there,” Moss said.
Meantime, Moss said his main concern is that whoever becomes the next President could have the most influence ever on the direction of cybersecurity policies. Take the encryption debate, which came to a head during the standoff between the FBI and Apple over turning over the San Bernardino shooter’s iPhone. “There are competing public interests there” with the encryption debate, he said. “And when there are competing public interests, the government is usually the arbiter. It’s going to have to get mediated somehow.”
Then there’s the Internet of Things, especially when it comes to consumer products and public safety. “The concept of consent in a hyper-connected world needs to be” defined, he said. Would a consumer be liable if his Samsung TV became part of a botnet? “A lot is going to boil over…with autonomous cars,” for example, he said.
“If an Internet toaster bursts into flames and burns down a house, you’re going to start seeing liability” as a major issue, Moss said.
Add to that the already evolving policy stance on nation-state hacking: the Obama administration’s no-hack pact for economic gain with China was historic, and later spread to other nations such as the UK, he noted.
“Are we at the beginning of a sea change in what the international community decides is acceptable behavior? It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior,” Moss said.
Jen Ellis, vice president of community and public affairs for Rapid7, says while she agrees that the security community has reached a turning point when it comes to policy, she doesn’t believe the next President will be the biggest factor. “The community has reached an inflection point … The big macro conditions have changed,” she says. “The stakes have changed—from protecting information to protecting lives,” for example, she says.
But “Presidents come and go. They aren’t the only factor,” Ellis says, noting that neither Clinton nor Trump is campaigning on cybersecurity issues. She doesn’t think either would come with a dramatically different policy approach on security. “When it comes to cybersecurity, the reality is most decisions made come from ... Congressional debate, I would hope,” or if not, the administration.
Moss said he expects the Executive Order -- which President Obama used on several occasions for cybersecurity policy -- to be the main vehicle by which the next President takes action on cybersecurity.
Security pros can no longer dismiss politics as “distasteful” and stay heads-down on technology, he said.
“You’re seeing us start to organize. We have to get ready for the policy coming for us,” he said. “If we don’t participate in it, the policy is going to get done to us.”