We'd like to welcome Jay Healey from the CFP team and then Fahmida. Welcome to DEF CON. They'll be giving a fireside talk. Please watch your schedules, and you'll see the latest information on the Hacker Tracker app. So if you're following which times and rooms you'd like to see, that's the best place to find your updated information. So please give a warm welcome to our panelists.

Yeah, I don't think we have audio for Fahmida.

Hi, there we go. I hear myself now. Hacking. So I'm Fahmida Y. Rashid. I'm the managing editor at Dark Reading, and it is my pleasure to be here at DEF CON to speak with Jay Healey. We're gonna be talking a little bit about the past, present and the future: infosec, hacking, policy. We're gonna be touching on a lot of different topics. So Jay, thank you so much for joining me today.

Thanks, thanks for me. I'm excited.

So I think one of the things that I was hearing is this is DEF CON 30, but I think you mentioned to me it's also the 50th anniversary of the realization that hackers will almost always succeed. So what does that tell you? How does that make you feel?

Yeah, let me, let me push that back on, on, led to that question. Are we, thank, thank you for those that are giving me the universal sign of, are we doing any better on this one? Okay. Check one, check two. I was just on this. Check one, check two, test. I'm wearing pants and a shirt. Check one, check two. Yes. Thank you.
We have connected. Great to hear you, or great that you can hear me.

Fahmida's intro, she was talking about how we haven't done as much as we want to as a community. You know, this is, this is DEF CON 30, right? If we look at why a lot of hackers do what we do, right, a lot of it is for curiosity, a lot of it is because we're driven to do so, but a lot of it is to make things better. Right, we're doing this for a purpose, many of us. And I came across this quote that said, "Few if any contemporary computer security controls can stop a dedicated red team from easily accessing any information sought." Right, so it's saying that the red team is going to get through, right? The hacker is going to get through. The attacker has the advantage. That quote was from 1979. And I found actually quotes that go back to 1972 that say the red team is going to get through. So, all right, so if we're doing this to try and make things better, right, it's failing, using the normal way we go about things. And that's what, that's why I'm glad to see everyone here in policy. Right, that's a lot of what we're trying to get done with policy, is to say, all right, the normal things, like hacking things and telling people about it, isn't leading to the success at scale that we wanted, because the attackers, if anything, are just getting better and better. And if you heard Chris Inglis and others talked about this in this room. And so just think of that: since 1972, right, think about all of the patents, all of the hundreds of billions of dollars, all the worked weekends, all the missed kids' birthdays that we, a community, have done in 50 years, and we haven't changed the most fundamental dynamic, because things aren't better now.

I mean, I'm thinking back and, like you said, it's like all those work weekends. We're thinking, hey, what is the purpose all of this?
So it does get a little bit disheartening.

Yeah, and a lot of, you know, a lot of the mindset from this community do over the last 30 years. I've started, I've been coming since DEF CON 9. I've been on the CFP review board for the last six or six or seven years. Is that if we fuck things up, right, if we hack the planet, it's gonna be better. And it's not working that way. Right, we're hacking stuff and it's not getting better, at least at the speed and scale that we want. If anyone heard Dark Tangent in here this morning, you just talk about how it worked for the election village, right? So we can do better, right? We can make it so that when we break things it really is going to lead to better outcomes on the other side.

Or we even start figuring out that, okay, what are we going to do differently? Why don't we just kind of go back a little bit? What was the early days of hacking like? What was, I know, I mean, I know some of us have been around, but I know not all of us have been around for that. So what was that like?

Yeah, it's, um, so I don't have the hacking chops of a lot of the, a lot of the others on the, on the CFP board, right? I'm there to help out on the, on the policy talks, but it's really interesting to see how DEF CON has been, has been changing as part of that, right? When this, when we started off, you know, we're the early years at Alexis Park, right? It was about shenanigans. You know, there was cool hacks. There was, there was fucking stuff up, you know, and doing cool hacks, right? If you ever, one of my buddies, he, he said to me that one morning, "Oh, God, how drunk was I last night?" "Oh, man. I don't know, like, I didn't think you were that drunk. What happened?"
"Oh, I found an ATM receipt in my pocket, pocket, from the Alexis Park." Right, that was considered the height of the stupid thing you could do, is actually using the ATM at the Alexis Park, because it was the most hacked ATM in Las Vegas and probably the world. And DEF CON was absolutely a hundred percent a hacking conference for hackers, and it still substantially is now. But if anyone heard Jeff here today, and I'm sorry, Dark, Dark Tangent, right, especially after Snowden and after Stuxnet, DT disinvited feds coming from, to the conference. He said, you are not, you are no longer welcome at our conference. We need some time away. And that was around, and that was around DEF CON, and remember that, those aren't, DEF CON 22, 22, something like that. And, and just look at how different it is today, right? Not only have we repaired that rift for now, but Jeff has said, DT has said, we need to do better. We're not making a difference as a community of hackers just on our own, but we need to better integrate with the policy makers, not just in the United States but across the world. So we have an actual policy track to try and make more difference, right? This is still a hacker conference, but I think you're seeing that commitment at DT that we need to start doing better. We need to start getting defense better than offense.

I think that's actually the more positive aspect that we've seen. Like, hackers have always been a little bit on the outskirts, a little bit doing their own thing, but now with policy involvement, we're seeing a little bit more, not necessarily mainstream, but the idea that our ideas matter. So what have you seen in the past few years where you were seeing these kind of solicitation of ideas from the hacker community?
Yeah, and first I have to say I'm speaking in my own, my personal capacity right now, not with, with any of my affiliations. And so we're starting to see a lot more ways that hackers can get involved, right? Just that you're here, that we have a policy track here. We had some great ideas this morning. We had a, we had a panel and a lot of folks that are involved in the policy village, and some really great ideas came out of that. We heard from Mosfet, who's a fabulous hacker, and she went to Congress, right? She was part of TechCongress, fellow that went to help members of Congress and their staff learn to do better, right, to have better laws. We had Monica Ruiz here, who was helping out, I think, something called Digital Peace Now, which is a global youth movement to say we're tired of nation-states hacking and everybody else having to pay the penalty. And so what can we do to try and get, to help make governments more responsible? And they're really well-meaning. Is anyone with Digital Peace Now? Anyone sign up to Digital Peace Now? Super well-meaning, but they don't understand the tech as well as they might. And so if that sounds like it, it's something that's of interest to you, they can really use your help in whatever country you're in. Like checking with your city council. Like, there are people there that need your help as a hacker to say, good, yes, I need help. I need some advice on how that we can do better, whether that's at your village, your city, your state, your region, whatever those are. We had Jack Cable here this morning, who's around. He got involved in Hack the Pentagon.
The first bug bounty program against the Department of Defense. That's how he got his start, was finding these bugs in the Pentagon, and then moving on, and then he's switched to a job in government to help do things like improve election security in the United States. And he did that because he, he got in through the front door and just doing a bug bounty program. So that's a US example, but we're starting to see these "hack the blank" come up and in all sorts of, all sorts of country. And the last one I'll mention is the United States government, as well as other governments, when they're coming out with a new rule, they'll ask for input. So we heard this morning from Harley, who's a former congressional staffer. So look, the FTC is coming out with the new rule, rulemaking on what cyber security should be to help protect consumers. That, that so fits into the kinds of things that we're doing. And rulemaking, it sounds boring, but it's how big things change over time, in the United States but in other places. So whatever your context is, however it is that's interesting to you, take a look at these things, right? Beau Woods runs I Am The Cavalry with Josh, Josh Corman, and others. And so take a look at I Am The Cavalry. They did this probably, what, how long is, six years? Maybe seven years?

Longer. Yeah, I mean, they were around for at least four, five years before out of the lockdown.

Okay, and, and the message from I Am The Cavalry is we can't just hack stuff and wait for someone else to own the responsibility of it. That if you hack something, you're responsible for the result, if it gets, whether it gets fixed or not. So the name came from "the cavalry is not coming," right? There are no adults that are going to come by and say, thank you for calling our attention to that, we got it from here. It is not gonna happen. Or at least it hasn't been happening. We're trying to do better. So this whole, this whole movement of I Am The Cavalry was to help hackers own up to that moment of, good, how can we do better?
How can we own the results? Not just for fucking things, but for unfucking them as well, and making sure that they stay unfucked. Technical term.

I think that's actually, when we were talking about all of this idea, or saying this, I'm thinking that is the biggest difference, I think, the early days of hacking and now. Like, there's a little bit of accountability. Like, the hackers are like, yeah, I'm doing all this cool stuff, but let me tell you how to fix it, or even if I don't know how to fix it, give me someone who can sit down with me and fix it. And that level of accountability, I think, one of the more positive aspects of what we've done.

I had a real tough moment after, it was prior on DEF CON 22, because, anyone, anyone involved with NSA tool set and the folks that would come in and do, and the talks on NSA tool set? Not if you were actually doing NSA tool set, don't put up your hand. And it was after Snowden revelations, and it was a set of fabulous security researchers that said, we want to make, we want to look at the stuff that Snowden revealed about what NSA was doing, and we want to make it so easy, this was, there was, that a ten-year-old girl could do it. Not sure what they had to gender that, but. And they were doing that for privacy. Right, so their goal, if I remember, I was saying they were hacking GSM encryption. They wanted to make hacking GSM so easy. And they were gonna do that for privacy, and I had real difficulty getting my, wrapping my head around that. It was a great talk. It was a great goal. But how long, especially back then? Right, that process of we break things and then it will get fixed, it's not a direct causal relationship. Sorry, I'm an academic now. That's what we talk about, causal relation. Like, if you do something, are you expecting that it's actually gonna leave you at what result, that does it actually get to? And so that's why I think we've done a lot better now in the community of looking at that causal relationship in a good.
All right, if we break it, let's make sure it gets fixed.

And it's even just a fact that, that we have more of a structure. So that even if I can't make that, or I don't know who to, I now have sources to go to. We have bug bounty programs where those say, I'll help you make that connection. So I think we just, we have more of an interest, infrastructural support.

And I think the media, I think the journalists are doing better, too, right?

Yes.

Um, and if folks heard Jeff at DEF CON, I'm sorry, Black Hat, yesterday introducing Kim Zetter, right, about how in the early days the journalists would just buzz in and buzz out and talk about the crazy hair and, and use the community for their purposes. Now you've got Dark Reading, you've got Kim Zetter, you've got so many other great journalists that are embedded in the community, like yourself, like deep tech chops, right, now in application security. And so help us to tell better stories so that we get better, a better change on the other side.

The one thing I wanted to actually touch upon, and you kind of hinted at it, I think a lot of the time when people hear, oh, hacking and policy is, well, I'm not gonna run for office. I'm not a lawyer, so I don't know the laws. So you mentioned how working with, like, the city council and stuff. How do you even start that language? How do you even get the folks in this room who are curious to understand that you don't need to be a legal expert to be involved in policy?

Right, they do that, right? They understand the legal side. They're curious about what you know, and so just have the conversation, right?
I mean, for whatever level's comfortable for you, whatever path that you have is gonna be good. There's, check out the stack for TechCongress and I Am The Cavalry. There's a lot of good material on this. If you've been out to BSides, BSides Las Vegas is usually a place where a lot of these folks are. If you go down to the policy track, look for Beau Woods. He's got the, he's got the, I think the hair's blue today. And, and just ask around there. There'll be a lot of folks that can help, not just have general ideas but have been through it and helped others, for whatever context you're bringing with. Just some, some other tips is, one, trying at least, be, forget, it's gonna take you a while to speak the language, but be forgiving of the language, right? Folks in policy, we say cyber a lot. If you can't forgive us, right, it's gonna have difficulty, right? If you want to be understood, you have to help meet people halfway and how they talk about things, right? So on the policy side, attribution matters a lot to us, because at the end of the day, it's about what nation is responsible, right? I worked at the White House for a couple of years, right?
I didn't care about attribution. I cared about national responsibility. At the end of the day, the president is gonna have to pick up the phone and he's gonna have to call some prime minister, some president, and say, knock it off or there's gonna be consequences. That's not attribution. Right, so that stuff matters at places like the White House and Congress, or in, in your national equivalents. So again, if you can't get past the fact that, no, attribution stupid, you know, you're in your full threat, but an attribution dice, like, that stuff's funny, and it, yeah, it might not matter much, it, in your context, but it definitely matters when you're thinking about some, for some aspects of this national security policy. But definitely be yourself, right? If you're angry and you're pissed off, don't lose, right, stay angry and stay pissed off. Just, just let's keep it channeled and stay energized.

Yeah, I think we have a big problem sometimes when you get angry, when you're just annoyed, you're frustrated. You think, hey, nothing's ever gonna change, but we tend to get a little insular.

Yeah, so I think this track is like the perfect way of explaining, don't become insular. And within the course of one year, this is right around 2011, 2012.
I had Jeff Moss, Dmitri Alperovitch, Richard Bejtlich and others say, we can't, we're frustrated because we're not making the difference that we wanted to have through technology, but we don't know how to make this happen on policy. I was working for a think tank at the time, the Atlantic Council. Sorry, so a lot of folks have been down this road of saying, I, I need to do differently. I need to figure out other ways to get my voice heard and to bring, and to bring my knowledge and skills to bear. Right, so this, this is, this is well-trod path.

So, what, we're talking a lot about how we're doing things differently now. But what is the, if you can even give me one example of something that we are, we are doing better?

Yeah, you know, I don't want to be just all doom and gloom, saying we haven't done anything better. So I consider myself a strategy person, right? It's, it's been a long time since my fingers were on a keyboard in any meaningful way, or that'd be meaningful to y'all. Remember the way I said, right, it was, went back to 1972, we're 50 years in, where we haven't been having the effect that we want. And I was reading a news article, the, maybe five years ago, and The Economist, and they looked at climate change and they said, what have been the interventions that we have done as a species that's taken the most carbon dioxide equivalent out of the atmosphere? And they rated them like one through 30, and they said, as far as we can tell, no chuckleheads have ever asked the question in that way before. Right, here it is, one of the most compelling issues faced by humanity, and no one had ever said, what have we done that's made the biggest difference at the largest scale and the least cost? And so I had an epiphany of, so what is it that we as a community have done?
That's given the defender the greatest advantage over attackers at the largest scale and the least cost, and let's do more of that. The number, any, any guess, is just shout out, like, the number one thing that we think we've done at scale and cost as a community.

Windows Update.

Yeah, who said Windows Update? Absolutely. Because instead of doing something that only affects a single enterprise, right? We could come up with the most perfect widget, and it gets all the VC money because it is the most brilliant thing. We still have to buy a billion of them. We've got to integrate it into the enterprise or our home networks. We have to monitor it. We have to keep it up to date. We have to train people to use the widget. We have to get it to integrate with all the goddamn other tools that we have, and do that a billion times. Things like Windows Update, cloud, yeah, end-to-end encryption, you do it once and a billion devices or people can take advantage of it. This is why, especially in, a lot of us on policy are so upset over, look, government folks looking to break end-to-end encryption. It's one of the few things that aids the defenders at scale easily, if it's implemented, right?

It's really one of the few things that you can get it and it really makes it hard for adversaries. And it's actually one of those things that we've seen really become mainstream, because it's become easier to use. Like, the number of people I know who say, oh, I know nothing about security, and they use Signal, and I'm saying, there you go, like that right there.

Yeah.

Is an important thing you're doing.

And if I could push on one area, right? So for me is some of that, like, strategy. We've never had a real strategy. The, what was, there's the US strategy for the Cold War, the single word: containment. What was, for, sorry, I'm a veteran, you know, for, for folks out in the military, right?
Everybody knew what General Petraeus's strategy was for winning. It was win hearts and minds. A different general would have a different strategy, like getting in firefights and kill people. Petraeus was very simple: no, we want to win hearts and minds, more or less, right? It's a strategy that you can fit on a single small sheet of paper, in this phrase. So mine, since I read that quote from 1972 and 1979, was defensible. We've got to get defender more, most advantage over the attacker at the largest scale and least cost. Sometimes I like to flip it around and talk about a sustainable internet. Just like we want our grandkids to have an internet, to have clean air and clean water better than we have today, we can think about the same, right? What's, have our grandkids, that they have an internet that's at least as awesome as the one that we have today. Because we can get so caught up in adversaries and the rest that we're not thinking about all the amazing things that we want to do and we want future generations to do.

Since we are talking about the future and how we want the internet to be at least available for our grandkids, my children, but there's so many new types of technology that's coming on. We are barely scratching the surface on understanding how we're going to use it, how we're going to regulate it. What are sort of like the policy implications that we should be thinking about with emerging tech?

Yeah, just think about on emerging. Because I know what I care about, a defensible internet that has defense better than offense, right, anytime I get asked about a new, a new x, y or z, I always think about, all right, is this gonna preferentially aid the, the defender or the attacker?
It, almost every time we've done anything, it's preferentially aided the attacker, right? That the attackers have been able to use the scale of the internet more effectively than the defenders have to add scale to our operations and what we want to do. So anytime I get asked, like, quantum, x, y, years a year, the rest, almost always, no, that's gonna help attackers more. Cloud, one of those that can definitely help. Beau Woods, Josh Corman helped you to talk about it really well, that the original internet, you know, was never designed to be secure. We added things to it and we just slapped band-aids on those, and now we've got five decades of band-aids all the way down when it comes to the security for the internet. Cloud is one of those opportunities that we can get it right from the start.

Once we get people trained for it, right? We really do have to have people, people more trained, so that we're able to, there, the definite mindset change that we need to make sure that people are not just bringing the same mistake, same ideas forward.

And before we switch, I know we're gonna try switch to Q&A soon. The, when we had a panel this morning, and someone asked, who is your favorite trans or female hacker? And we had a lot of great answers, a lot you'd expect, from Grace Hopper to Katie Mo, Amélie Koran and others. I want to raise a woman named, her name was Hilda Mathieu. And anyone heard of Hilda Mathieu? She's a, and she's on the NSA Hall of Fame, because Hilda came up with the idea back in the 80s, that NSA, that these new computer networks gave NSA this incredible ability to do amazing digital espionage. And she was doing this as a female technical engineer in the 80s, right? Just think how rare that is. And she was the one that figured out, yeah, we can, this is gonna be amazing, but she also realized, this is gonna be a real problem for the United States, because we're incredibly vulnerable, right?
So they were already understanding that at Fort Meade in the 1980s. And what I really like about Hilda isn't just that she realized this, and she was a real pioneering, pioneering female engineer whom we've never heard about, but also her, her, her name before she got married was Faust. So here we've got, like, this actual real Faustian bargain of, of wanting to both, NSA to have it both ways, in the US government to have it both ways, that we can hack shit and we can still secure things well enough that we can hack it and the adversaries aren't gonna see what we're doing and decide they need to copy us. But also for us here in this room and the people that have been coming to Vegas every August for 30 years, that we can hack shit and we don't have to worry about how it's going to turn out. Right, to see original Faustian bargain, in part thanks to great engineers like, like, like Hilda Faust Mathieu.

So, I mean, we started off all of this conversation with you saying that we've been doing this over and over again and nothing has changed. We are now talking about a strategy of defensibility. How are we going to change? What are the things that we can start saying, okay, these are the things we're gonna do so that we can get blue team better than the red?

Yep. I think you heard a lot of it here from Chris Inglis this morning, right? When I, when I look at that question, it, so we've looked at, we did this report, so the New York Cyber Task Force out of Columbia University, and we went back and we said, okay, what have been the actual innovations that have made the biggest difference at the largest cost, largest scale and least cost
over the last five decades, right, going back to the original passwords? And we looked at those that tend to operate inside the enterprise and those that operate across cyberspace as a whole. Right, in the vast bulk of things I mentioned, we're up here in the technical things in the enterprise. So, one, we really wanted to emphasize those things that we can get to the largest scale in the least cost. End-to-end encryption, cloud, we've already talked about. I'd also really want to emphasize the operational innovations, right? When the Morris worm hit the early Internet in 1988, it took down 10% of the early Internet. Now, yeah, that was only like 6,000 computers or something like that, but it's on 10% of the Internet, because they didn't have anybody that was there to look for vulnerabilities and patch them beforehand, and they didn't have any coordination mechanism once there was a disaster. The only coordination mechanism they had was the Internet itself. So they invented a computer emergency response team, right? We had to invent a CERT, and of course everybody has a CERT. They're considered part of the environment, right? We had to invent the role of a computer, of a CISO, chief information security officer. Vladimir Levin, a Russian hacker, took Citibank for 15 million dollars or so in 1995, and we had to invent a CISO. We had to invent an ISAC. I used to be the vice chairman of the FS-ISAC, but we had to invent ISACs in 1999 by a presidential directive. The, the MITRE ATT&CK framework, Lockheed Martin kill chain, right, this stuff is, like the kill chain or the NIST Cybersecurity Framework, like, it's almost free, right? It's a doctrine. It's an idea about how you do things. And just think about all the defensive innovations that we've gotten from the MITRE ATT&CK framework and how it's allowed us to talk about things at scale and implement things, that STIX and TAXII, right? So as you're thinking about how we can have the most impact at scale, right, it's not all about technology, right?
It's a lot of these, these operational, these process, the, or these organizational innovations, actually, maybe like CISA, right, is now doing JCDC, the Joint Cyber Defense Collaborative.

I mean, the thing that really strikes me about the CERT, ISAC, even the MITRE ATT&CK framework, it's actually fundamentally collaboration.

Yeah.

It's like, okay, how do I work with you? I can't do this alone. I need to get other people with me, and what is that shared language? And I love the examples you gave, because it kind of goes back to what we were saying earlier, that we need to be working with the community. We need to be engaging with the community.

Yeah, there's a guy named Rob Knake, who had been with the Council on Foreign Relations. Now he's the deputy for strategy at the Office of the National Cyber Director, and he had a great phrase to it. He, he called it the Home Depot model. You can do it, government, you can do it, government can help, right? And because when I looked at, how do you get defensible, right, it's not through government. Right, we're not gonna get there by, by creating some new government office and hiring more civil servants in any country or in every country, right? It can help. But it's got, the only real change to get to defensible is it's got to happen through the private sector. You know, and that for the government, for me, is you have to enable them, right? I imagine, sorry to use a sports analogy, say it's American baseball, right? You've got nine players on the field. What we had when, with General Alexander when he was at Fort Meade, and he tried this here. Well, he had tried it at Black Hat, right? He would run around and saying, wherever the ball is hit, we got it. We at Fort Meade.
We can make the play. Let government do this. Finance sector, you, y'all are doing a good job, but let me put my sensors on your network so we can, so we can collect it for you. So, but most of the time, whenever the ball's hit, it's someone in the private sector that's in the position to make the play. Now, they might not be able to see the ball. They might have an old, and the government has to help them to see the, see the ball. They might have a bad glove, and we might need to help them with some capability. They may be like me when I was in Little League, and they might forget they're in the game until they hear the crack of the, of the ball on the bat, and they need to be reminded. Others don't need the enablement. They need encouragement, right? They, they know it's a problem. They've got the capability, but they're not stepping up. And their government has ways that they can help, not just US government but others. And last, as you know, at the end of the day, I might come down to enforcing, right, where they already happens: the finance sector, energy sector, publicly traded companies. Right, the enforcing is already happening in lots of regulated industries. And you know, we first said in 1998 presidential directives that said that if the market, if the market doesn't work, we might need to regulate. And so, you know, it's been 25 years. So maybe we're getting close.

So one thing I want to touch upon before we go to the audience questions, and is, there are a lot of people who can't get involved with Congress. They can't get involved with FTC. And I've been hearing a lot of friends who are lawyers, they talk about how they're required by their law firm to do pro bono work, to kind of give back to the community. What would that look like from a hacker community?

It's a great, it, wow, I don't even thought about it. It's a lovely, I love that idea, right? So like, imagine it, for what Fahmida is raising here, right?
If you're working, if you're a CEO of a tech company and you care about these issues, right, say election security, or you're worried about the water. You know that your local water utility is probably insecure. Just like a law firm might do pro bono, you're saying that you might say, hey, you know what, we're gonna go and we're gonna help out the water utility, and we're gonna do that pro bono because we're a tech company.

And you can imagine that working even not just for the CEO of a tech company, but just anybody. Like, I'm just saying, hey, I'm here to help. I mean, if you're an incident responder, going up to, you know, hey, journalist, human rights activists, and being like, hey, do you want us to take a look? I just feel like there's so many ways we can use our skills.

And you know, and it ties into, a lot of corporations, they're worried about their ESG, right, their environmental, social and governance.

Yeah.

And they wanted be, do well doing that. And you know, companies want to help on their ESG, and, and people were volunteer, right? So I worked for a bank, and we would go out and we would do Habitat for Humanity, or would clean a park, or we would go on a 5K fun run. Like, why shouldn't there be a tech aspect of that, right? And saying, no, we're gonna get our, we're gonna get our awesome set of nerds together, and we're gonna go help people, like a at-risk community, like journalists or Rohingya or, or Uyghurs, like a good local school and help your teachers.

They go to school and help teachers.

Yeah, it's a great idea to think about that as ESG, to think about that as pro bono work that we should do through our companies and get paid for it as part of making the world a better place. I love, it's a great idea.

So there is, you have the microphone for a Q&A. So if you have any questions for Jason, you know, please raise your hand. And we welcome any questions here. There's someone over there, and then a gentleman blue.

I mean, this kind of goes way back to the beginning of, you know, hacking and computer security.
How do we still address the idea of what right do you have to check my doors? You know, if you walk down the neighborhood trying everybody's door, you're gonna get arrested, and there's that analogy to some of what's happening in the hacker community. Are we still struggling to justify that from a legal perspective and from an acceptance perspective? You know, who are you to check my doors?
Yeah, it's a great, and for those that didn't hear: who are you to check my doors, right? I mean, a lot of, you know, and I think our community has had this from the very beginning, right? Who are you to tell me not to check your door, right? It's publicly available, right? Why should I be able to scan it, right? I shouldn't get in your computer because you didn't protect it well enough, right? That's part of our legacy of being hackers and being in Vegas in this time of year, right? But also saying we also care about privacy and we want to do that. I liked how Chris Inglis put it together, you know, up here, and that at least how the government was seeing it and saying: we're all in it together, and just because your side of the boat has a leak, right, that's affecting the rest of us. And I honestly approached this, I talked about sustainability, of how, you know, we want our kids and grandkids to have at least as good as we have today, and that's led to all sorts of norms and mindsets, right? Think globally, act locally, but also knowing that the things that we do have external externalities, and that I can say, good, I have a right to use as much water as I want, or I can have as polluting a company or car as I want. But the way I, speaking personally, right, I say it's kind of a dick move. But yeah, you've got the right to do it, but you're imposing that on others and you're making the situation worse for others. And so we are gonna have to think about, you know, think more about how that affects us. That, good, your unpatched system.
It's not just you getting hacked, but you're imposing that on others because you're gonna be part of a DDoS. And I do not, and Inglis talks about this new social contract and what it is that we owe each other, but what rights and responsibilities we can demand, but what are the concomitant responsibilities that we owe others. And I think it's a great part of that conversation, and for us to really address that afresh, because that's what it's coming down to a lot. Like, what are we owed even if we're having unpatched systems, versus, you know, FBI going in and patching systems for them like they did for Cyclops Blink, right? Let's address it. I think it's a great question.
Or the ISP basically saying, I'm gonna scan and I'm gonna take your computer off the network because you have malware.
And it's a great, and I know they want to happen. I remember there's a great, I think it was Arbor Networks did this, and they looked at ISPs, saying, and this is maybe 10 years ago: ISPs, do you monitor for inbound attacks? And like 90% looked for inbound attacks. And they said, do you monitor for outbound attacks? And half of them didn't even bother to monitor for outbound attacks, and those that did, something like half of them did nothing about it. They would just see the attacks going outbound; they said, not my problem. What do we think about that, right? I mean, that's classic tragedy of the commons. That they know, they either don't, half of the respondents back then didn't know, didn't care that they were imposing problems on others, right? That's externalities, and at the end of the day, that's where in the normal social contract we expect the government to come in and say, no, you can't impose these costs on others through your own inaction.
Can we get the next question?
Yeah. Good afternoon. So I have kind of an unpopular opinion here, so this might be agitating to some people, but I think one of the reasons why we have issues with policy, and that's really what the gist of this conversation was, is that a lot of people focus on the hackers, the people that are here. But if you actually look at when we actually were good at things like strategy, it was from offset strategies. You know, we had a first offset strategy, nuclear. We had a second offset strategy, ISR. We tried getting a third offset strategy of technology. Ash Carter, Bob Work and a few other people, Jim Baker and a few other people that worked at the building, were champions of this. And then it fell on its feet for whatever reason, because of a session.
Yeah, let's call it.
So to me the biggest problem that we have as a nation, because I want to take this beyond just the hacking, you know, it's really about cybersecurity and how do you secure things, is that we do not have a defined offset strategy, and from there, that's where your operations go and your tactics go. My question to you is: will there ever be somebody that says, no shit, wake the fuck up and get offset strategy over?
Yeah. Yeah, cool, and this is probably the last question, unless you want to take one more and then I answer both. I don't know how we're doing on time.
Yeah, you want to take one of the questions? And then the gentleman in the blue, do you have a question? You're fine. Okay, and then I think the gentleman in the block with the orange lanyard, he was one of the first people to have his hands up.
Thanks, Mike. We'll catch up. Jason, very good talk as always. You referenced earlier about control effectiveness, that for nearly 50 years we haven't really seen significant advancement in control effectiveness.
I was curious if, especially from a policy standpoint, we can get firms to all agree to improve cyber hygiene, cyber control capabilities and effectiveness, how would you suggest measuring control effectiveness and thresholds for essentially defining good?
Perfect. Thanks. Yeah, so first, the first one is a very, US Department of Defense strategy. This thing's called the third offsets, and the offsets were military strategy to say: what are the things that are super easy for the United States and our allies to do, but are really hard for our adversaries? I actually thought of it as an encryption problem, right, because encryption is there, it's meant to be really easy one way and really difficult the other way, and it just took that to military strategy. And so we were trying this over the last couple of years, and people who would sit in DC would say cyber is a way that we're gonna do this offset strategy. And I had no idea what they were talking about, because it is just as easy, if not easier, for our adversaries to have offensive cyber capabilities as it is for us. What's really hard for them is to work with the private sector. When you look back at almost every major cyber incident that we've ever had anywhere in the world, it's almost always the private sector that has the agility, the subject matter expertise, and they have their hands deep in cyberspace and they can fix it. Governments lack that. So we need to do those things that the Russians, the Chinese, the Iranians can't do, which is work with the private sector in the rich way that we do in the West. And then to close out on the measurement, it's a fabulous question. I'm really interested not in measuring control by control, but how do we measure if defense is getting better than offense at the largest scale of the internet?
For example, if we're seeing shorter breakout times, we're probably not doing our job. If we see longer breakout times, if we see it taking them longer to get in, those are all the sorts of things that we might imagine if the internet's getting more defensible. That might have to be a conversation next year.
Jay, thank you so much for joining us today, and thank you everyone. Thank you for your good questions.
Thanks for the questions. Thanks for coming out, policy. Stay angry, go unfuck things.