Why Hackers Are Getting 'All Political' This Election Year

Jeff Moss, aka 'The Dark Tangent,' explains why the 2016 Presidential election is a turning point for security and politics -- and why he headlined a Clinton fundraiser last week in Vegas.

DEF CON 24 — Las Vegas — The traditionally apolitical white-hat hacker community over the next few months will launch at least two and possibly three nonprofits to address front-and-center government cybersecurity policies likely to land on the desk of the next US President.

Jeff Moss, founder of Black Hat and DEF CON, in an interview here last weekend, said discussions have been under way for forming official groups to tackle some of the key policy topics facing the security industry, including an update to the Computer Fraud and Abuse Act (CFAA), the Wassenaar Arrangement, the battle over encryption and privacy, and public safety and security of the Internet of Things.

“You’re going to see two to three different [nonprofit] groups of hackers in the next six months” emerge, he said in an interview with Dark Reading.

Moss raised some eyebrows in the security community last week in Las Vegas after headlining a Hillary Clinton fundraiser event held there the same week as Black Hat USA and DEF CON 24. The fundraiser was mistaken by some press outlets and observers as part of Black Hat USA, which it was not. “It was totally not a Black Hat event,” Moss said.

His ultimate endorsement of Clinton also raised the ire of some in the security community. Clinton’s private email server controversy and possible exposure of the system to hackers sparked plenty of criticism from the security industry.

Moss’s participation as a featured speaker at the event marked what he says is an “exceptional year” in politics.

“We’re becoming all political this year—that’s the difference,” he said. “If you had two candidates that were very similar, this probably wouldn’t happen … Because Trump is just an unpredictable character and we really don’t know what his views are in information security and privacy, there’s a sort of fear of the unknown.”

This isn’t the first time security and policy have intersected. Groups such as the Electronic Frontier Foundation (EFF), the grassroots I Am The Cavalry group, and the recently formed Coalition for Cybersecurity Policy and Law -- a vendor group founded by Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec -- have focused on educating and working with policymakers on security legislation and regulation.

I Am The Cavalry was formed three years ago at DEF CON to bridge the massive gap between the security research community and the consumer products sector, and is best known for the five-star cyber safety program it proposed to automobile manufacturer CEOs that year. In January of this year, the group proposed a similar best practices credo for medical device manufacturers in the wake of the Food & Drug Administration’s draft guidelines for securing medical devices.

Why He’s With Her

Moss says he’s backing Clinton because her record indicates interest in formulating cybersecurity policies, pointing to a speech she made while Secretary of State when she said the State Department would help provide online access and freedoms to dissidents and others in countries with oppressive regimes. He also noted that Secretary of State Clinton had elaborated on the administration’s national strategy for cybersecurity.

“I’m an independent and try to look at all of the information out there,” Moss said.

Meantime, Moss said his main concern is that whoever becomes the next President could have the most influence ever on the direction of cybersecurity policies. Take the encryption debate, which came to a head during the standoff between the FBI and Apple over turning over the San Bernardino shooter’s iPhone. “There are competing public interests there” with the encryption debate, he said. “And when there are competing public interests, the government is usually the arbiter. It’s going to have to get mediated somehow.”

Then there’s the Internet of Things, especially when it comes to consumer products and public safety. “The concept of consent in a hyper-connected world needs to be” defined, he said. Would a consumer be liable if his Samsung TV became part of a botnet? “A lot is going to boil over…with autonomous cars,” for example, he said.

“If an Internet toaster bursts into flames and burns down a house, you’re going to start seeing liability” as a major issue, Moss said.

Add to that the already evolving policy stance on nation-state hacking: the Obama administration’s no-hack pact for economic gain with China was historic, and later spread to other nations such as the UK, he noted.

“Are we at the beginning of a sea change in what the international community decides is acceptable behavior? It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior,” Moss said.

Jen Ellis, vice president of community and public affairs for Rapid7, says while she agrees that the security community has reached a turning point when it comes to policy, she doesn’t believe the next President will be the biggest factor. “The community has reached an inflection point … The big macro conditions have changed,” she says. “The stakes have changed—from protecting information to protecting lives,” for example, she says.

But “Presidents come and go. They aren’t the only factor,” Ellis says, noting that neither Clinton nor Trump is campaigning on cybersecurity issues. She doesn’t think either would come with a dramatically different policy approach on security. “When it comes to cybersecurity, the reality is most decisions made come from ... Congressional debate, I would hope,” or if not, the administration.

Moss said he expects the Executive Order -- which President Obama instituted on several occasions for cybersecurity policy -- to be the main vehicle by which the next President takes action on cybersecurity.

Security pros can’t just consider politics as “distasteful” anymore and just stay heads down on technology, he said.

“You’re seeing us start to organize. We have to get ready for the policy coming for us,” he said. “If we don’t participate in it, the policy is going to get done to us.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 12:01:56 PM
Re: Cyber security
VPN use is important, but it wouldn't necessarily thwart an attack that comes via a user falling for a phishing email, for instance. 
User Rank: Ninja
10/17/2016 | 11:52:22 AM
Cyber security
I heard they are also using new tactics to get into election systems and rig the elections. It sounds real bad but that is why it is important to protect yourself from the perils of data theft by deploying a good VPN server like PureVPN to secure your IP.