So this is the talk about the public policy department. By show of hands, how many of you have heard of the policy department before? Oh man, that's a lot more than I expected it to be. That's good. How many of you have been to policy talks at DEF CON in years past? Fewer people. Good. Room to grow this year. So we are one of the newest departments at DEF CON. We are kind of focused on the idea that you can bring public policy makers and hackers together in the same space and have them collaborate, cooperate, build trust and start to cause things to happen in a better way than they would have otherwise. And we're going to have The Dark Tangent come on in a couple of minutes and elaborate more on what the policy department should look like and some of the history of the policy department and policy itself at DEF CON. We've got an interesting program. We've got three very distinguished folks up here, over here on my right, your left, who have spent the last 30 years in some way, shape or form as hackers transforming public policy, engaged in conversation with members of Congress, with the executive branch, globally as well, to try and bridge the gap, to close the expanse between public policy and the hacking community. For those of you who aren't aware, DEF CON has had a little bit of a tenuous relationship with government in the past. Requisite pause for laughter. But I think we're closing those gaps. We're changing the way that things get done in DC and around the public policy centers and centers of power. And I think that we've got a huge opportunity to expand on that. I myself live in downtown DC. By the way, I'm Beau Woods. I run the policy department this year and I'm excited to have you all here. I live in DC and I've seen the change in just the last five or six years in public policy and the way that they look at hackers. You know, a decade ago, public policy folks thought we were all criminals, and now they have a much more in-depth and nuanced understanding.
And the reason is partly because of some of the folks over here to my right, your left. And so I want to start off and give them an opportunity to give a little perspective and context and history. In the past 30 years, what's happened in the hacking community and public policy, and how have they seen that change? So just immediately to my right, we have Jay Healey, and then Jack Cable and Space Rogue. So Jay, do you want to kick us off?

Yes, sure thing. So hi everyone, Jay Healey. One of the reasons that I got involved and really started thinking about policy was I came across a great quote that said, "few if any contemporary security controls can stop a dedicated red team from easily accessing any information." So we know that. That the red team is going to get through, the hacker is going to get through, the offense has the advantage over defense. That quote was from 1979. Since before DEF CON, the attackers had the advantage. And so hackers do what we do for a lot of reasons. We do it for curiosity; we hack because it's there. But a lot do it because we think we're making the world better. That doing this is going to lead to more security, to more privacy, that our kids and our grandkids aren't going to have to deal with the shit that we've been dealing with for DEF CONs. But it's not working. That quote from 1979 is still relevant. So that's one of the things that we try and do on policy, is saying, all right, people are working super hard to find vulnerabilities and fix them, and we're not making any progress. So what else can we do differently? What else can we try to do out of DC, out of other governments, out of things like I Am The Cavalry, so that the work the hacker is doing is having more impact and that we can find other ways to have impact? And that's what's really driving me in the way I think of the problems. Jack?

Hi, everyone. I'm Jack Cable. I'm a hacker.
I'm also a security researcher, which is what I call myself in front of policy people to make myself appear more professional. Good tip out there. So I got into the world of policy, kind of my foray, that started when I was in high school. I got an email titled "What if I told you the Pentagon wanted you to hack it." This was the first US government, I believe the first government, bug bounty program, where they were inviting hackers to find vulnerabilities in Pentagon systems. Something that even a few years before you could only go to jail for. So now there was a legal pathway for this. Government was recognizing the value of people like us in helping secure their systems, helping secure our country. So I participated in that, got involved in a couple more, went to work for the Defense Digital Service, which is the agency that put this on. And before that, I'd never really considered working in government or doing anything policy related. I had been kind of immersed in this community and really enjoyed what I did, but that never really crossed my mind. Until I went and saw the potential for change, the idea that there are places in government you can go where you can actually make change, where you can get around the bureaucracy. I won't say that's everywhere in government, but there are certainly places where that can be done. The second instance was when I was registering to vote, I came across a pretty serious vulnerability. I did not know much about election systems or who administered elections, but I knew this was pretty serious. Trying to figure out who to disclose this to was a long and confusing path; eventually, after around six or so months, I found the right people and was able to get to them so they could fix it. That was not at all transparent.
I got connected with the folks at CISA, the US Cybersecurity and Infrastructure Security Agency, along the way, who were able to help make those connections in order to be able to effectively disclose the vulnerability. I then went to work for CISA, working on election security, helping secure both state and local election systems as well as some of their disinformation work. So through this work, I've been able to engage with election officials, election manufacturers, policy makers across the country, and I can say that the conversation is changing. If you want to engage with this conversation, which I think is critically important, because us here in Vegas or wherever we usually are do not typically intersect with the folks in D.C. There's a disconnect there, and I think of policy and the technical side as really two sides of the same coin. Almost all policy problems have underlying technical truths that we all know and that, unless we're there in the room helping them get it right, they aren't going to get right. So a couple takeaways. One, policy is really about creating change at scale. That's part of why I got into this, because I saw the ability to kind of take the technical work I had done and raise that to a level where I could apply it not just for, say, one company or one organization, but at a more national scale. A second thing is being able to speak the language of policy makers. We have very different lingo, and what we all do is great, and what they all do is great, but unless we're able to effectively communicate, we're not going to be able to effectively make change. So it goes both ways, of course: we must speak their language, they must speak ours. But making an effort to kind of meet them in the middle will go a long way in order to make progress here. And third is just to get involved. And fortunately, it's easier than ever to do so.
You could walk over down back there to the policy village, where they've done a great job of putting this together, conversation after conversation on really important policy topics with top policy makers across the country. So I encourage everyone here to take a moment, step in there, participate in some of those discussions and see how you can apply your expertise to help advance policy in our country.

All right. And before we go to the last, we're going to bring up Dark Tangent to give us some perspective on what his vision is for the policy department and some of the policy interactions at DEF CON over the past 30 years. So, Jeff?

I didn't expect this many people to be interested in policy. Thanks for coming early on a chaotic day after a flood. So we want to just give you a little bit of an idea; I'm sure Beau's been orienting you. The big sort of picture is that DEF CON was doing policy without realizing we were doing policy. And we thought we should probably be a little more intentional about that. So it's sort of like that old saying: if you're not doing policy, it's being done to you. And we think it's important that we have a seat at the table. And if we're not at the table, we're going to be skeptical of the outcomes of the policy. And over the years, a lot of informal interactions would happen between different policy makers, different governments, and them trying to get an idea of what is going on. And it turns out that our community's superpower is basically speaking truth to power, but also giving a more unbiased sort of third party perspective. When you're here, you're not really working for your vendor; you don't have to have your day job vendor perspective. You can be a little bit more open. And that turns out to be in short supply for people in policy, who generally get pitched information from trade shows, I mean trade groups, and vendors and other private interests. And they need information to balance it out.
They need another voice, civil society's voice, maybe not commercial America's voice, to give them another perspective. And so that's one of the things we're trying to do, right, is build a countervailing force to be considered. Over the years, when we would interact with law enforcement and say no, no, they're misrepresenting, this lock is very insecure, or don't worry about this safe cracking thing, it's not feasible, you can see the relief: oh my gosh, somebody told me what's really happening, you know the vendor would never tell me that. Okay, great, that's what I needed to know. And building those bridges builds trust between our communities, and it's gotten to the point over the last five years, since we started doing policy more intentionally, that it's time to upscale it into these main stage talks that we've scheduled this year. It's time to have a real department, which Beau took the lead of this year, built an incredible team of goons, and we're trying out a lot of new things this year. And so your feedback is going to be very important for helping us correct and decide what we do next. And did you talk about the three tiers of what we're doing? No, not yet. So we're trying three different tiers. Why try one thing when we can try three things? We're trying the main stage talks. We're trying the policy village, where we dive in deeper on specific topics. And this is where you can debate Section 230 or DMCA or whatever it is with experts. And this is essentially a new track at DEF CON. It's like a policy track. And then in the evening, we want to facilitate off the record, Chatham House rules conversations. So you can get a more honest assessment and not have to maybe do it so publicly. And that's our evening program. And we have some evening lounges, much smaller. And last night we had our first, it was invite-only, but we had our first policy dinner. And so we hope to grow all of these in an environment where we can interact honestly.
And if you think it's for you, we want you involved. And if it's for somebody else, please point them our direction. We're going to be learning a lot. And our goal is to grow the policy just like the rest of the con has grown. There were villages, the original villages, Hardware Hacking Village and WiFi Village. The original villages have grown into over 30-something villages. We're hoping to take the policy department and turn it into something like that: there's a section over here talking about aviation security. There's a think tank, Atlantic Council, doing a Cyber 9/12. There's, you know, EFF talking about online privacy. We want to create that kind of environment. So it's not just our perspectives. We're bringing other groups in and you can participate. And so I think in the early days it was policy tourists coming in from D.C. wanting to see the crazy hackers and kind of get a flavor of it. But there was no real chance to have a substantial interaction. And the hackers are like, oh look, a policy maker. Great. But there was no real way for them to interact either. But we survived those initial contacts without killing each other. And so it's time to go a little deeper. And that's what we're signifying by kicking this off. So with that said, I want to pass it back over to Beau and we'll end up taking some of your questions. And we really hope that you check out some of the policy. And if you have ideas for workshops, hands-on, white papers, anything where we can show what our community can do. I guess let me leave one thought with you. The Voting Village, when I said we accidentally ended up doing policy, the Voting Village was really the best shining example of this. Again, no master strategy. But what happened was after 2015 or 2016 we decided to hack voting machines. And they'd never been available and nobody had hacked on them.
And there had been a storm, much like last night, that caved in the roof of a warehouse that was holding voting equipment for a county, and it destroyed the voting equipment. It got wet. The insurance company wrote off the voting equipment. And the insurance company, being green, shipped all the voting equipment, because they owned it now, shipped it to a RE-PC recycler. The recycler got all these pallets of voting machines and started trying to sell them. And we found them on eBay. And we're like, oh my God, and we started buying them. The manufacturer caught on and contacted them and said, great, we want our voting machines back. And the RE-PC place was like, great, they're $200 each. No, no, we want them for free. You shouldn't have them. You didn't sign the contract. And he's like, whatever, they're $200. They said, okay, well, you have to destroy them. He's like, okay, well, it's $200 an hour to destroy them. He's like, well, we don't want to pay. And he's like, okay, well, they're for sale, $200. Like, you know, how many pallets do you want? And so we bought as many as we could. And we got our hands on these machines. And it just so happened the year before, the DMCA had an exemption added, which had never been added before, for good faith security research. So had that storm not happened, had the Library of Congress not put in a research exemption for critical infrastructure and specifically called out voting infrastructure, we would have not been able to hack those voting machines. Just crazy coincidence. We hacked the voting machines, and in policy land, this was very controversial. There were some interest groups that were pro-voting-machine reform, pro-transparency, that did not want us to hack the voting machines. And they were trying to talk us out of it because their concern was, if we could not hack the voting machine, they could not argue that voting machines were unsafe.
So it was for them this litmus test, this existential threat: if the hackers did not succeed, their whole lobbying effort would go away. And we're like, whatever, we're hacking the machines. The first machine fell in like three minutes. And then 90 minutes. And I mean, everything got taken over. And I'm telling you, that group within minutes went from hiding in the back of the room to jumping in front of the TV cameras, right? Now their whole point of existence was validated. We got more done in the hacking village to advance awareness in that one weekend than their organization had in 15 years. Once people see it and can touch it, it's like touching the hot plate. You know it's hot, your mom told you it's hot, but until you touch it and burn your finger, it doesn't count. And what we're trying to figure out is how many other hot plates can we set up for people to touch so they can learn things very quickly. You don't have to wait 15 years for people to believe that maybe a voting machine is not safe. We released a report for the Voting Village. That ended up influencing a lot of different election counties. I think Virginia was probably the most famous for us, because they referenced our report when they changed back to paper marking devices, paper ballot marking devices. And that's our shining example of what we want to try to accomplish. It's not always going to happen, but I think that's the power of combining the two communities. Is that kind of change? And then being a positive example for other conferences to copy what we're doing and really foster this relationship around the world. So, okay, sorry I got sidetracked. Take it away, Beau.

All right, thank you. Thank you, Jeff. All right, so we'll go to our third and last person over there on the right to give their historical perspective.

I'll try to be quick because Jeff took up a lot of time.
I'm Space Rogue, and some of you know me. Like 25 years ago, I guess, in 1998, I was with a group called L0pht Heavy Industries, a group of hackers out of Boston. And we somehow ended up in front of what is now the Homeland Security Committee in Washington, D.C., testifying on weak computer security in government. Space Rogue! There he is. And so that was, I mean, up until that point, really the only policy that had happened was like CFAA and some other laws that had been passed. And if you go back and you read the original CFAA, you can tell the people who wrote it did so basically in a vacuum. They had no concept of what was real and what was really going to make any difference. That law has been amended several times since then, thank goodness; it still needs work. But anyway, so we went to Congress and we testified and we basically told them their pants were down around their ankles and the Internet was weak and everything was open, and people's eyes just opened up really wide, like, oh my goodness. But not a lot changed after that. That was really my first foray into policy. You know, over the years since then, I've been involved at various companies where we would do briefings on the Hill and talk to lawmakers in D.C., and Beau was very instrumental in doing his Hackers on the Hill, where we would get a bunch of hackers together and go visit representatives and their staff and senators and their staff and try to discuss issues of the day and try to bring their knowledge level up. Not so much as to actually write policy, but so that when they do go to write their policies and pass their laws, they do so with a little bit more knowledge. I want to paraphrase something that D.T. said over at Black Hat, that we have struggled for a long time as a community, as a group, as people who are trying to make the world safer, make the world a better place, in trying to do that, and we started out trying to educate the user and say, hey, don't click stuff, right?
Or, you know, be wary of this e-mail, and that has had limited success, right? It really hasn't gone very far. It's made some progress, and so we sort of changed our focus and we went over to companies and we said, hey, you need to secure your stuff. You need to work on this or that. And by proxy with companies, we also relied on insurance companies. We're like, oh, insurance companies are going to have to pay out when there's a breach, so they're going to force companies to be secure. It hasn't really worked out the way we'd hoped either. It's made some progress, again, like educating the user. And then the third thing we've been relying on is legislation or regulation, not necessarily laws but self-regulation, industry groups coming together, and we've met with limited success with that. So we sort of have a three-pronged area that we need to focus on to sort of get security to a point where the user is safe: educate the user, push companies and insurance companies, and the policy, right, which is why we're here now. It's to try to focus on policy, advance the narrative, educate the people who are writing the policies and get to a point where things are safer.

Cool, thank you. So obviously Jeff talked about his vision for the policy department and a little bit of the nuance that went into forming it, but you know DEF CON has a long history of doing public policy even before the Voting Village, and that was a really good story that you told about how you accidentally changed things in Washington. But even at DEF CON 1 there were policy conversations that were going on, there were legal conversations that were going on, there were a lot of these same conversations, and I think we kind of tend to forget that public policy is just a way to change the world, and a lot of hackers really want to change the world. I won't say hack the planet just for Space Rogue, but hack the planet. I really hate that. And there's been a lot of other things.
How many people remember when there were members of Congress who came out to DEF CON? Yeah, so we've had many, many members of Congress come out to DEF CON and give talks, give sessions over in the Crypto and Privacy Village or here on the main stage. I think there have been five members of Congress now who have done that. It's kind of epic. We've also had high ranking members of the government, the executive branch, come in, and today on the same stage the National Cyber Director Chris Inglis is going to be here. In case you don't know, the National Cyber Director's office was set up through a congressional act fueled by a report that a lot of hackers contributed to, and a lot of people who are in this room helped advise and build that up. We're also going to have Director Jen Easterly from CISA here on the stage. She will also be talking about getting more hackers involved in public policy. So I think it's kind of in our DNA at this point, and it only seems right that we should have an outward, more visible, more overt and planned response to it. But it's not just about me. It's not just about the folks on the stage now; we've got a really, really, really talented policy department team, and I wanted to bring some of them up now to talk about some of their experiences, what got them into public policy, why they think you're going to get something out of these sessions, and hopefully inspire you to come out and participate in some of the public policy discussions that we're having. Which is over in rooms 224 through 226, the policy department on your map. So I'd like to introduce some of the amazing policy team. There are many others in the policy team who are holding down the policy department or waiting for their shifts to start. And so I want to give each of these folks a couple of minutes to introduce themselves and give you some perspective, and then we'll have a few minutes to take questions. So Jenny, do you want to come up?

I'm Mosfet.
I've been coming to DEF CON for just over a decade, for as long as I've been a hacker. I was a hardware hacker, I was a packet hacker, and now, a few years ago in pre-pandemic times, I had the opportunity to jump into the deep end of policy making. Not knowing anything about cyber policy. I earned a spot in a fellowship called TechCongress, uprooted my life, quit my day job and moved to DC, and after a two-week crash course I went to work for Congress. On day one my hacker friends informed me, to my existential dread, that I was now a fed. But it didn't take long; I was hooked. Public policy, the laws and the regulations that governments all over the world were making, played such a big role in my hacker job and in my life, and I had no idea. So DEF CON policy for me is here so you don't have to be me. You don't have to jump in the deep end of policy. You can quit your day job. You can come to our talks and come to our village and interface with those policy makers and learn a little more about how public policy might be affecting your job and how you can change it and how you can influence it. We can help you make those discussions and get in the conversation, and if you want to quit your day job and come to Congress, we can talk too. Thanks.

My name is Sarah, it's really nice to meet you all, and I want to say that we absolutely cannot make good policy without you all. In fact, good, impactful, thoughtful policy about cyber security is only possible if we have the folks who are actually doing the day-to-day work integrally involved in that process, and that is why it is so, so important that you all are here, interested in policy, coming to our talks. I got my start in policy helping a group of cyber practitioners put together recommendations on how to combat ransomware as a nation, and I think that having a group of practitioners there made an incredible difference in the sorts of proposals that we actually ended up putting out.
We had a whole section of the report that we put out that was only focused on helping organizations improve their cyber security maturity: giving them funding, creating funds to help them with response if they are attacked. And I think that that victim-centric viewpoint is something unique to the hacker community, which spends day in, day out actually helping folks recover and defend themselves against these attackers, and having those folks in the room absolutely changed the course of the sorts of proposals that we put out. Folks also strayed away from recommending punitive measures. We were much more focused on attacking the threat actors through sanctions, attacking cryptocurrency launderers, and focusing on positive incentives for organizations and for individuals, tying funding to improving cyber security maturity. And absolutely all of that is due to the fact that we had folks who were on the ground coming into these discussions and saying no, we need to make sure that people have the resources that they need, the education that they need, and that's the sort of voice that you folks bring to public policy that is absolutely crucial. We have a bunch of big problems coming up. Ransomware is one of them, protecting critical infrastructure, securing our elections, and I would say that there isn't a right policy solution for those problems, but there's absolutely a right process to create that policy, and that process is one where you are all at the table. So I really hope you'll join us at the public policy talks in the policy village and in track two today. Again, it's Sarah Pavlosek, it's really nice to meet you all, and I'll give it up for Harley.

Hi everybody. I hope that you're having a great time. Thanks very much for coming. So my name is Harley and I am a cyber security attorney. I've been working in cyber security law and technology policy for several years.
I'm a former congressional staffer and now I'm the senior public policy director at a cyber security company called Rapid7. I wanted to get into policy because I wanted to help people. I wanted to protect consumers and advance human rights, and cyber security is consumer protection. Hacker rights are human rights. What the security community does in finding vulnerabilities that can then be fixed protects everybody in society, especially the most vulnerable among us: consumers, vulnerable populations, dissidents, users including enterprises and everybody else. It's really important, and there's never really been a better time to be a hacker interested in policy than right now. The barriers to getting your input to government have arguably never been lower. I'll just give you an example. Just yesterday the Federal Trade Commission put out a call for public comments on privacy, data security and commercial surveillance. They would love to hear from a community like this that has an outside-DC perspective and a lot of technical savvy. Government really does want to hear what you are saying, and there's lots of activity like this on cyber security policy happening within government right now. They get that it's a problem and they're trying to figure out how to fix it, and they need your input, and I know that this community has a lot of valuable input that they can provide to government. I think, though, that often what becomes a challenge is understanding where to comment, to whom the comments should be sent, how to have the most impact, the format, and that kind of thing. That is part of what DEF CON policy is here to help solve. To help build that connective tissue by bringing policy makers to the hacker community, bringing hackers to policy makers, and identifying those venues for collaboration so that policy going forward has your input and it makes us all more secure. Thank you all very much.

Good morning everybody.
My name is Will Loomis and I am the associate director of the cyber policy program at a DC think tank called the Atlantic Council. I've been working on cyber policy issues for about five years now, and one thing that I've seen over the course of the last two or three years is a serious increase in momentum when it comes to policy making around infosec and cyber security issues. I think we've seen a couple of really high profile incidents in the last couple years, stuff like SolarWinds, Colonial Pipeline and Log4j, that have really functioned as the proverbial kick in the ass for action within government here, and right now these folks within government are writing the legislation and the policy around infosec and cyber security issues that will really kind of manage the way that we deal with these issues over the course of the next decade. And I really, really, really strongly believe that hackers need to be a part of that conversation, and that's really why I got involved with DEF CON policy this year. So just quickly, I think DEF CON policy is really trying to do three main things, at least to me. The first is lowering barriers to entry to these types of government folks and making it easier to have these conversations. The second is really working to translate, both to make sure that hackers can understand policy makers and vice versa. And the third is just making sure that we're establishing meaningful connections and building communities around these issues; these can't be one-off conversations, they need to be sustained to make sure that we're making the right types of changes and conversations here. So we have a lot of really good content going over the next three days at the DEF CON policy village, some talks that are focused more on specific substantive issues like open source software supply chain security, and others that are kind of more focused on that building relationships bit, like the Meet ONCD and Meet the Cybersecurity and Infrastructure Security Agency
sessions that Beau was talking a little bit about earlier. So I really encourage you all to stop by over the course of the next three days; we've got a lot of really good programming that we're really excited about and hope you guys enjoy it too. Thanks, y'all.

I am Doug Duck. My voice hopefully will come back by the end of con if I don't shout "make a hole" too much. I have a bunch of stuff I wrote down here; I think a lot of it's been covered, but really what I'm here to do is to call out to the hacker family here. I know many of you want to make a difference, like we were saying: you want to make the world better, you want to make it safe and make it more secure. And if you don't engage with the right aspects of security, you're not going to get security. If you're at a corporation, you talk about securing the systems, and I think we all know at this point that it's also the human factor, it's also security awareness. When it comes to policy, when it comes to the statutory restrictions and the legislation, the regulatory environment that has gotten more and more complex and more burdensome over the last three decades that I've been involved in, and longer than that, I am concerned that if you don't engage and we don't engage, then you're not going to get what you want out of it. Not because the folks involved in that are not well-intentioned, but because they need to hear additional perspectives, and we have a lot of potential to make huge, huge positive impact. We also have a lot of potential, with some of those burdens that are imposed on companies, on people, on communities, we have a lot of potential to make things worse, and we want to make sure that we are articulating the right approaches that are going to allow for nimble solutions. So I would encourage you, if you are sitting there, maybe in your hotel room listening on DCTV, because I know a lot of people are saying oh my goodness, there's flooding, there's hangovers, whatever, you're not here right now: come over to the policy village, have a
chat, listen in I think you're going to like what you see welcome to DEFCOM thank you a few minutes left for questions I don't see any mics but if we've got mics and mic runners I'm sure they're coming around but while we wait on people to generate them from the audience maybe I'll just throw a couple of questions into the folks here on my right so as folks who went into public policy before that you were kind of in the hacking community what was your kind of emotional journey the first time you talked to a policy person it was like oh they don't get it I need to help or make the opposite fear, yeah I mean the first time that was probably one of the very first times I'd ever been publicly speaking so in 1998 it was a long time ago it was definitely fear and if you ever watch the c-span video you can see I'm mostly looking at the floor more recently I think it's a feeling of education or trying to communicate what is real or the truth on the ground the facts of the case and trying to make sure that they understand your point of view and that's the hardest part for me I'll get in a room with a staffer or a policy person and we're having a discussion and I'm explaining whatever I think is going on and I'm trying to gauge their reaction on their face as to whether or not they actually get it or not and sometimes I get that glimmer in their eyes like oh this guy understands and sometimes I don't get that and sometimes I get oh this guy has no clue what's going on or gal excuse me so it's that I'd say the first feeling I had was of frustration because I had seen these problems out there there would be ways to fix them but clearly something wasn't working and so I wanted to know kind of why this had happened and what we could do to make it better I would echo a lot of space works points that this really is you need to be persistent because policymakers want to learn they want to know how to do this right and over time you can help them learn but it's not going to change 
overnight it's a process that has taken years, decades for us to even get to the point we are today and there's still a lot of room to go so have patience but know that policymakers and hackers share the same goal and it is slow and two things to ask your patients for people that are in policy we tend to say two relatively douchey things and thank you for putting up with them one is we tend to say cyber a lot and thank you for your patience on that issue it's a DC thing we tend to say we're speaking on our own capacity and not any kind of official job and speaking as a person so thanks for letting us get that out of the way and one of the things that really struck me as a veteran so I came up dealing with policy as a little bit more of a natural thing I got started in doing this work at the Pentagon helping set up the very first joint cyber command back in the 90s but it really struck me because not long after that I was at the White House working these issues and it really struck me at how much the government folks thought what they did really mattered into this space that we were going to solve this in the office and hiring a couple of civil servants to do something that I knew the private sector and the hacker community were already doing and had been doing for years and so that's a lot of where I'm in on and I'm doing policy makers now to say I hate sports analogies but look there's a lot of players on the field and generally it's going to be a hacker it's going to be someone at a tech company an information security company that's in the position to most make the play and so that's one of the things I really think that they need some help with too there's a lot of other people that can help one other point, you mentioned frustration this is a long process I've been doing this for 25 years and the needle has moved but you can't jump into doing policy work and thinking you're going to solve everything next week because that is not going to happen so yeah and 
everybody agrees cool anybody on the policy department team want to answer the same question Space Heroic said it was definitely a process because I was only there for a year and a half but everybody, the first time I spoke to a policy maker about a cyber issue why tiktok is national security issue you know I realized I needed to learn from them who Siphias was I had as much to learn from them as I can learn from the community and the optimism of all the policy makers to make a difference, to move that needle even if it's a little bit at a time was just off the charts off the charts how much they wanted to help and so this engagement is wanted and needed and we can learn as much from them as they can from us so I have a maybe a little bit of a different perspective I'm coming at policy as an outsider I'm coming at it as an insider this is my career, is public policy and living in DC and talking to policy makers and my experience has been largely positive they've been actually very receptive and there are a lot of ways that you can communicate your input to governments it is not just that there is a lack of technical understanding in some cases you will be surprised by how well they actually understand technology maybe surprised that government is already trying to solve certain problems if you do try to communicate your input to government I do encourage you to try to look into what government may already be doing about that it's important not to just appreciate a problem we ask our government officials to solve problems and that is actually much higher a much higher level of advocacy than just identifying a problem so bringing to them your thoughts on a workable solution it doesn't have to be very polished it actually really advances the ball quite a lot and then there is one other sort of uncomfortable truth in all of this which is again not just a lack of technical understanding but there will be lobbying groups and parties from corporations or from interest 
groups things like that that may disagree with your position and run interference don't underestimate the power of that to sort of stall things out and drag things and problems and solutions out a lot longer than you may anticipate it's a very profound influence cool alright I saw at least one hand over here yes sir yeah I'll just repeat the question and then add a short thing and then throw it open so the question was a lot of people have been doing policy for a long time which I think is awesome thank you and a lot of the accents on stage here are gringos or Americans so what are we doing on as well as beyond to make things more global and I'll say this year has been very challenging for DEFCON in particular because we're still in the aftermath of COVID and some of the travel restrictions and costs and everything else but we actually do have quite a few folks we've got a panel coming up today later that is an international panel that has Singapore and UK represented and we've tried to weave in international perspectives where we can some of the conversations over in the policy department are very internationally focused so we're trying we would love to have more help getting better at being more international and maybe bringing the message of DEFCON more broadly and bringing more international folks here so for the rest of the yeah I'll just add that on the CFP review board so in the people that submit talks through the main process rather than through the DEFCON it comes up a lot also for Black Hat I'm on the Black Hat policy and it comes up a lot of just trying to make sure that we're not just picking the the US stuff it's really difficult we're not always getting the talks submitted but thanks for helping keep our attention to it and so I appreciate it alright I see one way over there yes okay so just repeat the question and then throw it to the group how prescriptive versus descriptive should policies be for instance, mandating multi-factor authentication so 
I can start with taking a crack at that I think that and especially when we're thinking of for instance law we have to keep in mind that something we write today is going to apply 10 years from now and we have to make sure that what we do doesn't lead to unintended consequences so after authentication might be a best practice today we don't know if it will be a best practice 10 years from now so I think this is very similar in a lot of ways to what we're seeing with security compliance where we don't want to just make something where it's check off these boxes and then you're secure because as everyone in this room knows compliance doesn't actually equate to security so I think it's a very similar model with policy where we want to think about kind of what are the goals that we can set out that get us to where we want to be without having to be over prescriptive without having to kind of say codify like these X controls but rather what is the end state and then can there be kind of a flexible approach to get there I so the question of whether regulations should be prescriptive or just very flexible is actually a perennial problem in DC policymaking and you see this endlessly battled on both sides it's one of those reasons why the process gets drawn out as we've discussed I think that there is a move now towards more risk based regulation recognizing that one enterprise's risks or one community's risks are not the same as another the problem there though is that sometimes it is easier to fudge enforcement on risk based security and so I think we're also seeing a bit of a movement towards some minimum baselines so that you actually have to do sort of this minimum baseline if you want to address your risk but the rest of it is a process of identifying your risk and having safeguards around it most of the new regulations around safeguards seem to be built that way but it also depends on what you're trying to address so things like incident reporting tend to be a lot 
more prescriptive and less risk based so I think it's both I think it's a hybrid I think to that last point it's precisely for that reason that we need you in the conversation because just because there's a lot of folks in the room that think they're very very small hackers doesn't mean you're always right but it does mean that if you listen to the other side of the equation and we think about the other consequences both intended and unintended we're going to likely get a better outcome and I just say you know we the very first as far as we know in the world national policy document that really tackled this was especially for critical infrastructure protection was 1998 is from the the Clinton administration and it said you know we don't want to regulate but if market forces aren't obviously solving the problem we might need to so that was almost 25 years ago that we came up with that and so we're still here we're at DEF CON 30 and we know the problems haven't been solved so and I think you'll see a difference between existing regulation we got a ton of regulation the finance sector, the energy sector a lot of them are already heavily regulated you've got things like the SEC going to publicly traded companies so hope that after you do see regulation it's going to be like locking in and looking at these different areas and especially it's great to see the frameworks that are coming out like the NIST cybersecurity framework is not a regulation but boy it's really helped drive a lot of positive change yes over here before we do that for those who didn't hear you said tomorrow 4 p.m. or today 4 p.m. today 4 p.m. 
crypto privacy village talking about MFA my favorite female or non-binary hacker can I give you three Bea Katie Moe and Wingo still one of mine there I'll go with Jenny Easterly I think director Easterly has done a great job kind of taking the Helms at CISA and Jeff looking forward to see where she continues it sorry Jenny Easterly and I'll add Amelie Caran to that especially because Bea and I have done a lot of work on Hacker Film Festival called Defrag and the knowledge that Amelie brings of hacking and of just so many other awesome nerdy stuff like soundtracks fabulous yeah a couple of mine also got stolen but that's great I'd say Alyssa Knight another one who's awesome and I'll go with maybe an unconventional one I really like Jen Ellis she's not a hacker herself but comes from the hacker community and has done a lot to really advance public policy and to bridge those gaps as well anybody up there I'm going to go for Grace Harper I know that's an old one but she was freaking awesome I'll give you three I think Grace Hopper is great Kitty Moussouris and Amelie Velasco I'm also going to cheat and do two I'll say Amelie Caran and Kitty Hegemon great trainer, password researcher at Carnegie Mellon alright I saw another hand here's one great question so the question for the cameras is there's a lot of really good technical people in here how do you convince them to get started talking with policy folks and stay with it since it can be a long drawn out process a lot of it is getting to know the staffers a lot of times you're working with a member of Congress or your local equivalent like do this thing at your city council do this for your town or your village do this for your legislature for your state or your region the attention of the policy makers is going to drift if something happens that day they're not going to have your attention it's really the staffers like Harley had mentioned like Mossfeder had been helping that they are there year in, year out and they 
need to know to ask the right questions and so I think staying in with them and I always try and tell myself please to help you on the patients I always I suck at billiards when I'm playing pool with a buddy my job is just to get the ball a little bit closer to the hole because if I actually try and hit it in the hole I'm never going to get it and it's just going to ricochet off so like just try on those half measures and being happy with a half measure that the ball is a little bit closer to the pocket and then a little bit closer after that and then the third time I'm hopefully going to be able to sink it if you go in thinking I'm going to I'm going to just roll in and we're just going to get this done it's almost never going to happen unless you get really lucky sometimes at that political moment like we had this report called the cyberspace solarium commission the political moment was there and shit just lined up and it happened so when you have those moments be ready for them when we have the bad thing happen as always does and you have the attention of these policy makers that's when you need to be ready with your ideas so that you can come in and say here's what we need to do rather than beating them up with we told you this is what was going to happen yeah and I'll say I help organize an initiative called I am the Cavalry as well and one of the things that we found was the most effective at bridging the gap and I think is actually really helpful for encouraging people to stick with it is starting with like building empathy understand the person why they're doing something for me anyways it's a lot more interesting it keeps me a lot more encouraged to go back if I understand their motivations if I understand them as a human being and it gives me a lot more patience to be able to stick with them to work with them to know what they're going through so maybe just start with not just diving into the technical content or the policy content but here what's going 
on and understand what they're trying to achieve with either the particular thing they're working on or overall is a longer term career goal or life goal I would just add super quickly that I think where we see some of the most tangible effects is where we kind of create either programs or venues to really foster these types of conversations and bring both the policy and the tech folks together so whether it's I am the Cavalry whether it's DEF CON policy or Congress or Hackers on the Hill these are the types of venues and opportunities where we can really have these meaningful conversations that can help drive impact so wherever we can create more of these types of opportunities programs, events that's really really increasing the opportunities for these types of things to happen and manifest and just on the global side since a lot of this is just digital piece now so if you're interested in this digital piece now is kind of a used movement to say we need to do better on these expertise and it is a global movement alright so I've we got the five minute sign a few minutes ago so unfortunately I think we're not going to be able to take any more questions but I've got a question for you how many of you are going to come and see us at the policy department today tomorrow or Sunday alright thank you everybody let's continue the conversation over there and what's that follow at defcon policy on twitter we're trying to get to a thousand by the end of con so you can help us make that happen thank you very much