Good afternoon everyone, and I hope that you're having a great day. A special greeting to the specialists who participated in the previous panels. I'm Isabella Rose, the communications officer for the Inter-American Committee Against Terrorism of the Organization of American States, CICTE/OAS. It's an honor for the OAS to attend and share our experiences during DEF CON 31 this year. With over 15 years of experience, our program is a regional leader in helping OAS member states develop cybersecurity capabilities at the technical and public policy levels. Its initiatives and activities aim to ensure an open, secure and resilient cyberspace throughout the Western Hemisphere. The program's three main objectives are, first, to support the OAS member states in developing technical and political capabilities to successfully prevent, identify, respond to, and recover from cyber incidents. Second, to enhance strong, effective, and timely information sharing, cooperation and coordination among cybersecurity stakeholders at the national, regional, and international levels. And third, to increase access to knowledge and information on cyber threats and risks to public, private, civil society stakeholders and internet users.

"Beyond the Breach: Exploring Cybersecurity Policies with Hacker Perspectives" will be a discussion that explores the role of cybersecurity policy hackers in responding to cyber policy challenges that governments and organizations face in the current rapidly evolving landscape. We'll focus on the importance of cybersecurity policy hackers in shaping and advancing cybersecurity policy, the challenges in developing effective cybersecurity policies, and the need for collaboration and innovation in the field. A special thank you to the panelists for taking the time to share their valuable perspectives at this event. Today, we are joined by three professionals with excellent international projection.
First, Mauro Vignati, advisor in digital technologies of warfare at the International Committee of the Red Cross. Second, Orlando Garces, cybersecurity officer of the Inter-American Committee Against Terrorism of the OAS. And finally, Andrés Velázquez, cybersecurity expert and the founder and president of MaTTica. So, the field of cybersecurity policy is constantly evolving, and as such, the need to think innovatively and critically about policy solutions to address new and emerging threats. But when we talk about cyber policy, we can do it from the organizational, governmental, or international levels. Andrés, let's begin with you. Tell us a little bit about yourself and from your experience, share with us the following. How can Latin America and the Caribbean, private and public organizations, foster a cooperative and trust-based environment to encourage hackers' participation and initiatives to enhance cybersecurity policies?

Thank you very much, Isabella. It's a great honor to be here. Because actually, I attended one of the first, well, at least six, one of the six first DEF CONs. And when I started working after that with law enforcement, I wasn't able to come here again. If you're familiar with DEF CON, there was something called Spot the Fed. So, probably people that were intended on working with government were not actually kind of allowed here. This has changed, and I'm very pleased that that has happened. So, pretty much what I have done in the last 20 years is create specifically the cybersecurity and most of the law enforcement agencies in terms of digital forensics, digital intelligence, some of the most important cases in Latin America. So, even that I'm in the private sector, I have been working a lot with government in terms of bringing new technology, new ways of looking and how to find out where are the people that are attacking us, trying to be as clear as possible.
So, one of the biggest things and the challenges that you mentioned is, I think that something that we should be talking about is mistrust. Mistrust between government, hackers, and sometimes academia. So, that's mistrust. It's probably one of the first things that we're having a big challenge and we have to do a paradigm shift. Specifically, if we see the great value that we can have on education, on cybersecurity, and how we can work all together. Back in the days, one of my first tutors, the agent Lugo from the US Secret Service, showed me a book called The Cuckoo's Egg. I don't know if you have heard about it, Cliff Stoll. It talks about an astronomer that back in the 80s from Berkeley, here in California, was able to, using whatever he had, a way to find out who and when his server was hacked. So, pretty much it's a story about hacking and intrusion and how he was able to figure out where they were doing it. Long story short, and no spoilers around, he was able to find out that was not in the US. That was the first time that I learned about jurisdiction. Something that hackers and policy makers don't really understand. And that's one of the biggest challenges that we have right now in Latin America. Because most of the time, everything when we talk technology-oriented is based in the US. Considering that, every single time that we need information from the States, we need to go through mutual treaties in order to get the information. And that can take five, six years just to arrive to the States and then another five years in order to get back through the normal processes. So, if we look at this context, what we can start, you know, trying to put some ideas in the table, I think that another challenge is how we report vulnerabilities in Latin America. In comparison to the States, we do not have any policy. We do not have any regular way of doing it.
If you, hacker, report a vulnerability into a Mexican, Colombian, Argentinian company, probably they will try to sue you and start a criminal case. Why? Because we don't know what to do. And that's the real reason of that. In the other side, we have these legal protections that we need to figure out how to make it happen. You know, clear frameworks on how to report and how to work together. And that's most, or gets into the point that we need to understand as Latin American countries that the hacker is not the bad guy. And that's one of the most important things that I can share with you. We could do, and I expect to do a lot of collaborative workshops, recognition and incentives that will motivate us to start working together. The reality, and at the end, I will finish with that, right now our biggest challenge is that we do not work together.

That's really interesting, Andrés. Thank you so much. Now, Orlando, you have been involved in several OAS technical assistance projects for the formulation and implementation of national cybersecurity strategies and policies in multiple countries in Latin America and the Caribbean region. What challenges do Latin America and the Caribbean region governments face in engaging the hacker community during the life cycle of national cybersecurity policies or strategies?

So, thank you. Hi, everybody. My name is Orlando. Hi, Andrés. Hi, Mauro. Hi, Isabella. Well, I work for the OAS, this Organization of American States. We have an Inter-American Committee against Terrorism there. And over the last eight years, I've been, you know, involved in some technical projects regarding formulation and implementation of national cybersecurity strategies in the region. So, let me, I have to apologize to Mauro and Andrés because I just want to share to the audience, you know, the Latin American experience regarding this type of, you know, exercises that we have done there.
So, the OAS/CICTE cybersecurity program has been, you know, the regional leader in Latin America and the Caribbean in providing, you know, technical and policy levels, cybersecurity capacities. These initiatives aim to ensure an open, secure, stable, resilient cyberspace throughout the Western Hemisphere. Out of the 35 member states of the OAS, 19, more than a half, have formulated a national cybersecurity policy or a national cybersecurity strategy. 11 of them with OAS assistance. Colombia, for example, has formulated three national policies. Chile has formulated two national cyber strategies, cyber policies. The Dominican Republic and Panama, two national cyber strategies. Currently in the region, there are four countries, most of them in the Caribbean, Barbados, Guyana, the Bahamas, and Uruguay that are formulating their first national cybersecurity strategy. And there are four countries formulating their second one. Argentina, Costa Rica, Jamaica, and Tenerife. I have to highlight, you know, the experience in Costa Rica because last year the country has faced some major cyber attacks. So, even though, you know, this is very important for policy action in the region, even though OAS has been around for about 15 years helping the member states, nowadays more and more international community actors are getting involved in cyber policy making in the region. So we have other global international organizations such as the United States through the ITU. We have regional organizations such as the European Union that are very interested in the region. We have CARICOM in the Caribbean region. Multilateral development organizations such as the World Bank and the IDB, the Inter-American Development Bank. Other independent states, for example, you know, the United States are providing a lot of help in our countries and a lot of private sector companies. So, you know, the policy making processes in the region have a lot of, you know, actors trying to get involved.
So there are, you know, the capacities, there are like intermediate level capacity and the cyber capacity maturity is in the intermediate level. So multi-stakeholder approach is like, it's been used since 2015 and right now the current generations of policies are working on most of the time in governance models and also working on trying to get involved, you know, all the multi-stakeholders in the ecosystem, in cybersecurity ecosystems. So that's what is going on in the region. We are a very small team trying to do a lot of things in Latin America. And what Andrés just said, you know, there's lack of trust and, you know, the main challenge in the region right now is that, you know, the authorities that are in charge of formulating a policy or a national strategy lack technical understanding of what cybersecurity vulnerability research entails and sometimes our countries, you know, present only the malicious hacking point of view and sometimes, you know, they have this narrative that this type of research should be penalized. So the region is facing a lot of challenges involving technical communities like the hacker community because there are like fear and hostile reaction from the authorities and legal sanctions. We have a lot of legal barriers and absence of a safe legal framework and lack of coordination between public officers and who are dealing with policymaking with, you know, the hacker communities and the technical communities. So that's what I'm about to say.

Thank you so much, Orlando. Mauro, you have been working for a while in cyber policy at the international level. Please talk to us about your expertise. How can hacker perspectives contribute to balancing cybersecurity measures and preserving online privacy and civil liberties in developing and implementing cybersecurity policies for global organizations like the ICRC?

Thank you very much. Thank you for having me.
I think I'm the only non-OAS panelist here, so the goal here would be to expand the view from an international perspective. So I'm working for the International Committee of the Red Cross. You probably know the ICRC, so we are based in Geneva. It's probably the largest humanitarian organization worldwide. We have operations in more than one of the countries, and we mainly work in a situation of armed conflict. So those are very challenging situations, very challenging work we have there, and we are facing situations that are requesting a very important response. So in this regard, also in the digital space, we are confronting with such challenges. And there are two main aspects in this regard when we operate in the digital space. First, because also the ICRC has to digitalize its operations to provide services to our beneficiaries, and as you may know, the beneficiaries of the ICRC are people that are suffering from the consequences of armed conflict. So we have to digitalize our operation to be able to reach out to them to be more performant and because the society is digitalizing, and also the armed conflict are digitalizing, so our response must be also at this level. And the second one is because we are facing an increasing politicization and polarization of the digital technologies. So we know that there are companies taking stand for one part of the conflict or the other, and the ICRC is a neutral and impartial organization. So we have to be able to provide the services respecting our independence and our neutrality. So that said, I would like to bring you a couple of examples on how we engage the hacker community and how we work with them. So the first one, you probably may know the emblem of the Red Cross. It's a Red Cross with a white background, so we use these to signal the protection of assets during armed conflict.
So we put the emblem, for instance, on the rooftop of our warehouse not to be bombed, or we use these to put on our vehicles that we use to transport goods and people. So this is a signal of protection, so we say to the parties of the conflict do not shoot this because it belongs to an international organization. So we are trying to transform this and translate this into the digital space. So we are in a project where we are digitalizing the emblem of the Red Cross. How to signal operations that are on cyberspace and say, hey, those assets are protected, please do not attack those servers, those networks, and so on. So how we do this? So we engage with the hacker communities last year and we suggested a couple of technical requirements that they have to take into account and we asked them to help us to provide some prototype of how to digitalize the emblem of the Red Cross. And they come up with some ideas, they criticize our ideas, they put new ideas in, and so we are developing this. We published our first report in November on the digitalization of the emblem and this is how we engage with the hackers. We saw a very interesting response because probably it's one of the first times they can work without thinking about there is money in place, or the goal is a humanitarian goal, it's completely different from bug bounty or other situations. So this is one first example of how we engage with the hacker communities. Another one is because of the respect of our neutrality and dependence from digital technologies of the private sector.
So we opened a delegation for cyberspace in Luxembourg last year, and one of the main goals of the delegation is to engage the hacker community to help us to develop open source tools that are independent from the commercial ones, to be able to have a backup or situation where we cannot use commercial services, commercial product, with also to respect the information and the protection of information that our beneficiaries provided to us. So we have a duty to respect that information. So we are developing with the hacker communities, and we're going to come in 2024 asking more from the hacker communities to help us to identify venues to be able to produce and develop such independent tools that we're going to use in our daily work.

Thank you so much. Now Orlando, given this international overview, what are the national policy approaches in the Latin American and Caribbean region to promote ethical hacking by enabling professionals to use their skills to identify and fix vulnerabilities in computer systems?

Well, as I mentioned before, Latin America is a very special region in terms of maturity level. We are at the intermediate level. Of course each country is totally different, but we could think about three approaches. The first one would be creating legal frameworks. That's very hard because it's not only the executive branch dealing with that, it's talking with the legislative branch, because we need to modify or try to create a law to try to deal with this situation. So I could bring here one example: it's the experience in Chile. Right now Chile is working, there's a law on cybersecurity and critical information infrastructure that is about to be approved by the National Assembly or Congress, and there is one article there that exempts from criminal sanctions ethical hackers who have, for example, committed acts classified as computer crimes but carry on, for example, investigation working computer security. So they exempt these type of actions as long as they comply with certain conditions, for example immediate notifications, among others. So that's one thing that in Latin America is going on, but Chile is the best example. The second one, the second approach, is promoting ethical hacking but through the national cybersecurity strategies or the national cybersecurity policies. For example, the Dominican Republic government issued last year the brand new national cybersecurity strategy, and they included responsible vulnerabilities disclosure as a guiding principle of this strategy in order to create a more secure digital environment, to promote the use of ethical hacking techniques. So of course we have other countries, but for example the Colombian and the Ecuadorian NCS, they just mentioned the establishment of procedures for the promotion and dissemination of a model of vulnerability disclosure, but they have to comply with the law, and that is just told us before, in Colombia and in Ecuador it's totally penalized these type of actions. So they are trying to work from the executive
branch to work on that. And finally, some countries that don't have policies or cybersecurity policies, but they are working on national guides, but just for information sharing and just responsible disclosure, but not very well framed. So that's what is going on right now in the region.

Perfect, very interesting. Mauro, a couple of years ago you were tasked to create a vulnerability management unit within the national cybersecurity center in Switzerland, leading several projects, among them the first bug bounty program of the Swiss government. What are some successful European examples of collaboration between hackers and governments or organizations in shaping cyber policies, and what was the key to success?

Yeah, thank you for the question. So prior to my engagement with the ICRC I was working for the national cybersecurity center in Switzerland, and we decided it was time to have a bug bounty program inside the vulnerability management for the Swiss government network. So we built up these, but it was not just using hackers to find bugs, but we developed the program with them. So we gave them our necessity and they come up with an idea on how to build a bug bounty program for the national government. So as you have to understand, Switzerland is a confederation, so it's like, we have 27 cantons, it's like the US with the states. So we have the same situation, the federal government and then the canton government. So this was a little bit challenging, so how to build a program that has to incorporate all the party of the country. So we come up with the idea of having a central platform paid by the government and then having the different cantons pay the bounties to have them testing several canton assets. So the same idea we would like also to implement for the ICRC. So this is something that we can replicate also in other context for other countries. So having a central platform for the ICRC, for instance, but the ICRC is not just alone, we have an entire movement composed also by the national
societies. So the American Red Cross is one of them, we have in every country a society. So one of the idea could be to have a central platform for the ICRC but having also bug bounty programs for the national societies of Red Cross that can join this effort. So having the hackers community working for also for the national societies, not just for the ICRC.

Thank you. Now Andrés, an essential dimension in national cybersecurity strategies or policies in the region is the fight against cyber crime. Could you talk to us about the role of cybersecurity policy hackers in the ongoing evolving landscape of digital investigations and the associated challenges in Mexico and the rest of the Latin American and the Caribbean region?

So as I mentioned, you know, the cyber crime is a big thing in Latin America, and if we try to understand why, first of all we have to say that there is not enough awareness on cybersecurity in most of our countries. And I'm not talking about the technical people, we're talking about, you know, the people that are on the streets and even the government. The other thing that is starting to happen is that government knows that there's a threat but they don't know how to stop it. So they're trying to create these national strategies that most of them are on a preventive side, but they're not including, you know, how you prosecute, how you investigate, how you, and there's a little thing here that is probably what I'm more concerned of, is how we interact, how we do cross-border access in order to get evidence from other countries. And then where it comes something that is kind of different from what we're used here in the States. The States is based on an English system, so it's precedence, so things move faster than what happens in our countries. We're based on codes, so in order to change the law that could take more than six years. So we're not doing everything in the speed that we should. In the other hand, the malicious actors are finding out that that's an advantage. Why?
Because right now organized crime is using people from Mexico and in other countries in order to hack from Mexico or to Mexico knowing that nothing is going to happen. So we put everything together, I think that the policy hackers have to be the frontline defenders. You know, right now it's our only option on how we can work together in order to identify those vulnerabilities and weaknesses before the malicious attackers are finding them. The issue here is, if we build something in each one of the countries, if we make a collaboration in between these hackers and we try to get to the government, we need them to trust us, as we were mentioning, and then we need to build the way we can work together and will be legally correct. Again, the reason that some countries are going against policy hackers is because that's the way the law is coded, so we have to change that. Then we need to understand that there are some challenges outside the technical side. Limited resources in terms of the governments and how we can do that, that limited resources, I'm not talking about just money. Lack of a standardized cybersecurity policies, and that we need more legal frameworks in order to combat cyber crime. If we combine this with the training like the one that the OAS is doing in Latin America as well as the Council of Europe, so you can tell that most of the training that is done in Latin American countries is not made by Latin American countries, we're actually getting people from other countries in order to help. And I think that what we should be doing in the near future is try to standardize the cybersecurity strategies all around the region, and when I'm talking about the region I'm not just talking about Latin America and the Caribbean, so we need to do all Americas, you know, how we can work together to make this happen.

Great, now it's time for the audience to ask a question, so we have time for one question. Yes.

The future that I foresee is not very good. The thing is what we can do right now in order
to not get into that future. The experience that I had in Brazil was amazing. Brazil actually found out that there was so much corruption inside the federal police that what they did is pretty much they created a new entity specifically with academics and people from the private sector that were willing to change that, and when they did that everything changed, at least on the federal side. They were not able to do it on the state side, but that helped a lot. Talking about cybersecurity is even worse, because as you know there are not enough cybersecurity experts in the region, so the last report from ISC2 is that we need 130,000 specialists this year in Latin America. So I don't know, I don't know how to answer that specifically. At least I can tell you that Orlando and myself were trying to do stuff in order to make people understand. My personal experience is, if I train the DA, if I train the expert witness in each one of the Latin American countries, at least they're going to start doing their job correctly, but I cannot change the legal system, and that's kind of coded.

Well, I work for a political organization. We are, you know, the OAS has member states and we work by their mandates for the whole Americas. But one thing that, you know, what you're saying is something that is happening in the region, that, you know, cybersecurity is not a state problem but it's a governmental problem. So, you know, there's a lot of countries that as soon as they switch government they change everything, and that's very costly for the region and for the country. What, you know, the OAS is focusing right now is trying to work on robust governance models in the countries, because lack of leadership and lack of coordination and collaboration mechanisms could lead you into that type of problem. So that's one of the main problems in our countries, that we don't have a robust governance model, we don't have that type of expertise. So we are working right now with trying to help the countries in order to bring
everybody to the table, everybody to discuss, even if it's, you know, the international community, and, you know, the international community is very broad and it covers the whole globe. So each country is independent. Well, for example, we have to take into account best practices in the region. For example, the Dominican Republic has a very, very, very good, you know, governance structure there. They have a cybersecurity agency. It's one of the, I think it's one out of five countries in the region that has, you know, a cybersecurity agency. Right now there are some countries such as Chile and Colombia that are trying to pass bills, you know, cybersecurity bills, trying to design these type of agencies. So what I have to say is that we look forward as an OAS, we look forward to bring the discussion including everybody, all these multi-stakeholders, and that could build, you know, strong national cybersecurity strategies and policies.

We have time for one more, yes.

My name is Ira Victor, I'm an ambassador for the Center for Internet Security Controls. We've, the CIS controls have been used in the United States to create a legal incentive for public and private entities to adopt information security and privacy best practices. Have you or the people in your, in your world been looking at an incentive-based approach for public and private sector to adopt an international standard for information security, either the CIS standard or one of the other ones?

Well, of course we encourage the member states to be involved in these type of initiatives. When we go to the countries, to the member states in Latin America, we try to invite people with a lot of expertise on the subject, so we try to bring, you know, as much as we could, you know, technical people, organizations who have worked on those type of standards and procedures, and what we try to do is try to open the discussion, try to debate, bring everybody to the region. And of course we are going to take a look at what you're saying and try to show it to the region.

Well, Argentina actually saw into that, and actually Claudio is around here, he's part of the group, but it didn't go through. So it's a matter also on how things are presented to the decision makers, the government, and how we can make it happen. Most of the ways that in Latin America works, it will work after they have a catastrophe, you know, something that affected not a company but really the government. So we're talking about, you know, if we're talking about Mexico it should be Pemex or the CFE, that is the electrical grid. So until we don't have that, and probably I'm going to say something that I didn't want to say it, but I'll say it, most of the times it's a matter on they are thinking like this: is that electric grid connected to the internet, why I should bother? You know, and we know it's an issue, but it's boring, in terms of we need to generate so much awareness on those levels that probably one of the best ways of doing it is waiting when the new generation start getting into the decision making inside the companies so we can change that. Thank you.