Everyone, thanks all for coming, and here is Joe Slowik. Welcome to our second Ethics Village talk.

Good afternoon, everyone. Hope everyone's having a good DEF CON so far. Thank you everyone for showing up. Nice packed room, which is always a good sign. My name's Joe Slowik, and today we're going to talk about something I wittily named Nations, Nationalism and Cyber Security. Network security actually might have been better from an alliteration standpoint than cyber security for this one, because cyber. First a warning as we go into this, as I thought about this subject... actually, just to back up one: if you need to get in contact with me, that's actually a very easy way to do that, so Twitter is InfoSecLife. But as we move into things, first a warning: I'm going to mention some security companies. It's not that I'm necessarily calling out specific companies as being unethical or doing something wrong, but rather as good examples of where we might have certain dilemmas in terms of duties and responsibilities within the security space. So there's no claim of wrongdoing, but at the same time, you know, perception equals reality. When you start seeing things mentioned in the press or public statements, it certainly casts certain impressions in terms of how we operate as an industry. So I think everyone's familiar with this story at this point, as far as Kaspersky and their trials and tribulations with the US government and the Dutch government and maybe the European Union: that Kaspersky is just an arm of the Russian government and therefore cannot be trusted in sensitive networks. That's fairly clear cut.
I mean, certainly the legal regime surrounding where Kaspersky is domiciled puts them in a fairly sticky situation, resulting in their announcement that they will move some indeterminate amount of operations to Switzerland in the near future. Whether that actually solves the problem or not is probably not the case, but at least they're cognizant that there is a concern there and they're trying to address it. But a little closer to home, some of you may remember, or may not remember because this didn't seem like it received all that much attention: at the closing day of RSA last year, you had former NSA Director General Keith Alexander on stage with Nadav Zafrir, who is former head of Israel's Unit 8200, their NSA equivalent, or at least for hacking and such purposes, sharing a stage together, talking about what we need to do from a cybersecurity perspective. That's really weird. I thought it was really weird, at least, and what made it even more weird was when you look at what these guys are up to these days. Zafrir runs something called Team8, which is a sort of catch-all technical investment, venture-capital-ish organization that really seems to spend a lot of money helping former 8200 companies kind of get started up. And then Mr. Alexander started something called IronNet Cybersecurity, and there are some controversies around some of the initial collection from the National Security Agency and potentially some intellectual property items there, but certainly very much people with former state-sponsored or state-directed signals intelligence and information security, information warfare leadership roles moving into private industry, into some fairly high profile roles. But what really led to me doing this talk was a little after this happened, you had Kevin Mandia at a FireEye event in D.C. that was for the U.S. government community going on stage and making some very curious comments.
Again, I'm not trying to say that FireEye bad, others good, or something; you get that flash movie from like 2000, Good on You. But really looking at this from the perspective of, like, okay, when you look at some of the statements that were made publicly and unprompted, it was just really freaking weird. So among other things, before putting out a public intelligence report, FireEye will typically tip off intelligence officials from the Five Eyes Alliance about the release. Okay, data sharing, that's kind of cool. Yeah, but then, especially in light of the alleged Joint Special Operations Command operation, which Kaspersky labeled the malware Slingshot, there were also some comments like, we'll play friendly with the home team, we won't publicly out this sort of malware. And some other comments that just made it really interesting, like, well, where do loyalties really lie? Because if you go back in time a little bit and look at some things that have been publicly released, you know, put yourself in the shoes of, say, Belgacom. It's not Belgacom anymore, they've been like subsumed under a greater conglomerate, I believe, but they were the victims of a hacking operation that was ostensibly for counterterrorism operations, but alleged nation-state-linked activity: the NSA or GCHQ, one or the other, broke into the network in order to start monitoring and capturing communications ostensibly related to counterterrorism. Counterterrorism is not a bad thing, you know, from an ethical standpoint that seems like a worthy goal, but from Belgacom's standpoint, pretty sure they wanted anyone and everyone who was trying to break into their networks to get out of there, whether the reasons were chivalrous or otherwise. And so when you start getting into situations like this, it's a question for those whom you're investing in or entrusting with the security of your network, you know, where do their necessary boundaries or values lie? So we've done some headlines. Why are we here?
So I haven't done an introduction yet; that's intentional. I figured we'd start with, you know, what's going on, and then we'll talk about me, because me has a lot to do with why I think about this way too much. So my story is, I was actually a philosophy graduate student once upon a time. I ended up quitting at the University of Chicago back in like 2005; I escaped with a terminal master's degree. I spent my time mostly doing deontological ethics, like post-Kantian sort of work in that field, and a little bit of logic stuff and whatnot. It's been a few years, my German sucks now, I found that out to my chagrin when I went to TROOPERS in Heidelberg this past year, but nonetheless that's kind of my foundational background. Like, I think about this crap a lot, in ways that have been sharpened by some formal training and work. But like I said, I dropped out and then I ended up in a cube farm, because you've got to do it in order to pay the bills. Cube farm was boring, so I joined the Navy. So did that, you know, thinking that I wanted to do cool stuff, but then they put me back in a cube farm because I had done computer stuff in the other cube farm. So then I did some other stuff, I made a drug deal, and I ended up going to Afghanistan with some people who do interesting things and wear fancy uniforms, like that one. You know, that ended up finishing up and I continued doing government service, incident response operations at Los Alamos National Laboratory for a few years after I got out, so continued government service. And then I joined a vendor. Dirty vendor. You know, Dragos, the company I work for right now, I do threat intelligence work there. You know, we have some very interesting taglines: superheroes don't do infrastructure, it's why we're here. That's very humble, I guess. You know, company mission: safeguarding civilization. It's like, alright, interesting. Like, you're coming from this background like, wait, are you a Fed?
Now, full disclosure, I do still hold certain credentials with the Department of Energy. I'm a guest scientist, which, coming from an almost exclusively humanities background for most of my education, I find to be absolutely hilarious. But, you know, so there is a potential conflict on my end. Like, you know, I like to phrase it that I'm willing to help any and everyone out to solve the problems of defense, and nothing whatsoever to do with offense. But that same sort of thing that we were talking about with Mr. Mandia and his company and some other entities: like, so Joe, where do your loyalties lie? Well, the main thing is that, am I a Fed? No. They don't pay me any money, among other things, and I'm happy to collaborate with them, but I don't work for them. But it's really touchy trying to phrase that in a way to get others to really trust you and accept that what you're doing is above board, so to speak. Because again, as I mentioned at the start of this, you know, for better or ill, perception equals reality. For example, if you look at this map, the lovely Dragos headquarters is located up here in Hanover, Maryland, just off of Dorsey Road, which is about, if there's no traffic, which there's never no traffic, you can do this in about five minutes to get to the main entrance to Fort Meade. So that almost screams like, oh, you guys are an NSA spinoff. And if you look at the resumes for the people that work for the company, like, yeah, there's a lot of people who have backgrounds in the intelligence community. So again, perceptions equal reality. Can you really come up here and tell us, or whatever, like, oh, ethical quandaries and conflict of duties, where do you stand?
It's like, yeah, it's a really touchy subject, because, again, this perception is a hard thing to fight off against, especially if you're trying to tell someone who is running, say, electric power operations in Saudi Arabia or, you know, oil and gas operations in Russia, from an infrastructure perspective as an ICS security company: I don't want an oil and gas plant in Russia exploding. That's not cool. I don't think anyone should be in civilian power infrastructure in Iran. Iran might not be a very nice place to live in, but their people are just as nice and just as valuable as anyone else in my mind. And civilian power infrastructure, that's just not a place where anyone should be playing around. That's a separate argument we could have offline over drinks somewhere in a less crowded section of the glorious place that is Caesars. But, you know, the main thing is that we look at governments as, especially when you start getting into spaces like critical infrastructure, industrial control systems, and a lot of the really fancy sort of industrial espionage secret stealing, who's running most of the offense? It's governments. But private companies, though, in a sort of weird way that this field has played out, are often the ones who are at the forefront of security. So, I don't have that slide next. We'll get back to it. It's very strange that in an environment where you have things that are supposedly very vital towards the common good, the public good, that are being attacked by ostensibly public entities or public-serving entities, albeit for different countries, and then the ones who are entrusted with defending against them, or at least doing the best job of defending against them, no offense to anyone here who works for DHS, that, you know, it's private companies that are motivated mostly by the profit motive. I think I'm a little bit different, but at the end of the day, if Dragos doesn't make money, I don't have a job.
The same goes for Kaspersky, FireEye, ESET, Symantec, etc. So, furthermore, you know, when you look at who are the ones disclosing these breaches and sort of pushing the defensive line forward, like, yes, DHS, German BSI, Japan CERT, awesome people, CERT LU, all released, you know, pretty cool reports and whatnot, but a lot of the information driving this is releases by private security companies in the course of their business. So, examples, we can go all the way back, seems like it's weird saying all the way back, to APT1, Stuxnet, Drink, Fancy Bear, Electrum, Charming Kitten, etc. You know, all state-sponsored sorts of cyber intrusion events and all broadcast by private security companies, which also, when you start looking at the private security companies in question, either have lots of sort of government intelligence community ties, or lots of intelligence and government style contracts. So, examples of this: you know, the re-re-re-re-release of this story of Russia hacking the U.S. power grid from last year, which was then made public again two weeks ago and then made public again a week ago with the same story. You know, DHS certainly has taken the lead on a lot of the public reporting on that; Dragos has responded to some of that, and Symantec really pushed that narrative forward a lot as well. But then you also have stories like China hacking a Navy contractor, okay, again caught by a private security company and pushing that information out in the wild, probably a little embarrassing, that government might not want that information to have come out. And then I referenced this earlier, Kaspersky disclosing the JSOC operation that was ostensibly for counterterrorist purposes in the greater Middle East. So I'm looking at this, you know, we have private companies involved in this space doing their thing. What are their incentives? You know, their incentives are theoretically shaped by clients and determined by markets.
Again, at the end of the day they want to make money. If you adopt the perspective, which is a very strange perspective to adopt, that companies are citizens or at least, you know, have some element of personhood, you know, presumably they have a right to continue existing or whatever, trying to make a living within, you know, the capabilities and limitations of what is right and what is wrong. But as part of that, you know, you start getting into the sort of organizational needs in order to continue operations, continue mind share, build revenue and business growth, and what sort of compromises and actions do you start to take? And so now you start getting into a potential conflict between those sort of private needs and those otherwise strategic or public requirements. So looking at those, how do these... you know, presumably, you know, you can argue, for example, that terrorists are bad. Maybe killing them is wrong, but certainly making them not capable of terrorism is probably a good thing. People would be better off. But in the course of doing this, like, okay, so Slingshot was very much an endpoint-directed item, but there were midpoint sort of items that came into play to allow it to occur. So any of those innocent midpoints, it's not like the telco providers or the mobile device providers or whatever were willingly assisting terrorists, but in the course of their being compromised or otherwise having their security circumvented, has the private security company done something wrong? Maybe not in this case or whatever, but it starts getting a lot fuzzier as you get into different sorts of activity. Another consideration, and we're kind of jumping around a bit at this point, so I apologize for that, you know, so we've talked about organizations, talked about relationships of organizations to governments, let's talk about the actual people.
So I've told you my story already and, you know, how I have a background that might make some suspicious, but it's not like I'm the only one. Certainly the mass exodus of technical talent from the National Security Agency over the years has resulted in a great many people throughout the greater DC, southern Maryland area now working for various private companies, but that's certainly not the only one. I don't know if anyone here works for a security company, but has anyone been, like, 8200'd before in terms of a presentation? So that's a term used, or whatever, and the same goes for the NSA: that our company, we have all these ex-hackers from Israel's Unit 8200, or from the NSA or CIA or whatnot. Companies, and individuals for that part in terms of building up a resume, really want to trumpet their connections to these sorts of communities as a means of instilling some sense of, maybe not legitimacy, but certainly technical proficiency and technical talent. And it's not just us, you know, you see the same sort of crossover; just look at Mr. Kaspersky, Yevgeny, Eugene, I call him Eugene, you know, the same sort of thing. He's notionally ex-FSB or certainly Russian military intelligence connected, and now is a founder of one of the largest and certainly a very effective AV engine companies in the world. So when we look at this in terms of sources of talent and people on the ground, you have a combination of military and intelligence communities as your primary, well, maybe not primary, but very much one of the leading sources of talent. Whether it's enlisted servicemen and women getting out of the military and then tripling their paychecks as they go work for a private security company or a private company in their security department, or people formerly in the intelligence community, intelligence community contractors, etc.
But then as they move into the private sector, and in many cases with clients that are multi- or transnational in origin, you start getting a lot of potential concerns and conflicts of interest. One thing that's important to note from the perspective of the US system, at least, and most of the Five Eyes general system, is that the obligations taken on by accepting a security clearance essentially last a lifetime. You don't disclose that information, you have to protect that information, etc. You may no longer have access to that, but you still need to make sure that you don't use it, in other sorts of ways. Well okay, so there's a lifetime obligation that an individual has entered into with a body that has its own purposes, interests, and directives, and now that individual has also entered into a series of obligations as part of their employment where they have at least a fiduciary-like duty to the companies that they're providing security for, providing security services for, that their client's best interest is at heart. So in cases where, say, the duty of, you know, lifetime protection of secrets and etc. conflicts with a current duty to a specific client, what do you do? My answer to that is, I quite frankly don't know. This really gets you into the area of, like, well, in a hierarchy of duties, what wins out? But as I hinted before, so we've talked about like a potential fiduciary duty to clients and whatnot, so from a client's perspective, what do you do? Again, governments, although they're trying to muscle their way into this space for good or for ill, for effectiveness or lack of effectiveness, at the end of the day most companies, especially major companies, are relying on private corporations to provide this level of protection for them against both criminal and state-sponsored activity.
So from a private company's perspective, like, what sort of questions should they have and what worries should be on their mind when entering into an agreement with another organization, in this case a security company of some sort? You know, the simplest one is: does the company have my best interests in mind? You know, that's a fairly obvious one, but as we see statements like Mr. Mandia's, Mr. Kaspersky's, etc. that are out there, there seems to be a desire to have it both ways: that we have these government connections and support and whatnot, but at the same time we also want to make sure that we put our clients, you know, over all else. And really making sure, like, okay, when you have a question where you have individuals that are still in some capacity working for or have government obligations, or have a background in that field, how are their potential requirements and duties balanced against the requirements and duties for properly serving that private company that they entered into an agreement to protect? So that leads us into goals and missions. You know, how do those personal or legacy missions that some of us, including myself, have signed up for mesh with the things that we're trying to do now in terms of protecting infrastructure? Like, for example, if I am now notionally responsible for protecting civilian power infrastructure in, I don't know, pick a semi-adversarial country, maybe Ukraine or something along those lines, and Ukraine ends up, you know, falling completely under Russian influence and whatnot, and now there's sort of a conflict between, you know, US-centered interests and what's going on there, and maybe, for all we know, someone's starting to get into their network that has a Five Eyes connection. I would certainly say I have an obligation on behalf of my client to do something about that, but I'm pretty sure people I worked with in the past would be pretty pissed off with me that I was doing such a thing. So really, how do those balance out?
And then finally, that takes us to this sort of ethics and motivation item. You know, one thing I like to say: all generalizations are stupid. Based upon that comment, are all intrusions bad, or are some okay? So looking back at that Slingshot item that Kaspersky publicly released, a counterterrorism mission trying to take bad guys off the street, so to speak, it seems like it might not be a terrible idea. How they actually execute that might lead to some qualms, but again there's, you know, you can work out several explanations for how that's not necessarily a bad thing. But that's also an intrusion and, you know, compromise of other organizations en route to delivering that effect. So really trying to figure out when, if ever, our duties to clients are overcome by duties to country, or maybe even perhaps wider duties overall. So for example, a scenario, I hinted at this already, is that say we get a state utility company somewhere. I'm sorry, I have an ICS background right now, so most of my examples are going to be industrial control focused. But we have a state utility company that gets breached. Bad guys are in a civilian power infrastructure network. Right now, the model that I operate under, like, that is never okay. The investigation though reveals that you have a fairly advanced adversary in question. The state in question where the intrusion takes place is one that's not my country, maybe not even one that's necessarily friendly to where I live, and continued investigation reveals that, well, actually the people who broke in there happen to work within the same country I do, for the same government that my taxes go to.
There's no clear indication of intent or purpose yet. Could just be probing, running around seeing what's there, you know, establishing some initial access. So what do you do in that scenario? Now for myself personally, and, you know, again this goes back to what sort of ethical framework you've designed for yourself and try to adhere to, I look at this as a clear, you know, sense of, you know, what are my obligations and duties in this perspective: like, based upon no intrusion in civilian power infrastructure, chop this off at the knees, kick them out of there, doesn't matter. But I can definitely see the counterargument that, well, this might be the prelude, say, to armed conflict in one sense or another, and perhaps by virtue of being able to, you know, manipulate what is ostensibly civilian power infrastructure, that you also have follow-on effects, intended follow-on effects, for military systems of some sort, such as, say, a missile defense system or early warning radars and things of those lines. And by virtue of doing this, the country or nation that is executing the attack in question on civilian power infrastructure may end up saving more lives by being able to deliver a more precise strike with fewer weapons, as an example. And so from a purely utilitarian or consequentialist argument, you've ended up with something that looks ethically permissible. I don't buy that argument, but I can at least understand how someone could make that. So what do we have here? So we've got many victims and strategic targets that are private organizations, you know, that's kind of where we're fitting in in terms of things, and we're in the really weird situation where private resources are expected to protect what is private infrastructure, but with very heavy public, general-good sorts of implications. That's not just the constant ICS examples I'm citing, but, for example, you know, economic pillars of the local economy. Like, it's not good for the US when a lot of intellectual property walks out the door and winds up in another country, for state-sponsored industries to just take up and start producing things. That seems bad about any way that you can possibly slice or dice that one.

So there's lots of consequences that come about from these actions, and certainly lots of people who are either state-directed or state-sponsored that are engaged in this field. So given that public infrastructure, private infrastructure, has public consequences, but public resources either can't, because it's illegal for, say, the US Army or, you know, Cyber Command to operate domestically (that's going to be a really weird conversation over the next several years, by the way; that's one to keep an eye on), so you're left with the FBI, DHS for the USA, you're left with something like BSI in Germany, ANSSI, DGSI or whatever in France, etc. You know, domestic, theoretically non-military agencies that have responsibility for this, but in many cases they don't have the talent, sorry, all the talent tends to go out the door after they get a little bit of experience and get a bigger paycheck elsewhere, or they don't have the tools, they don't have the access, etc. They might have access to certain sorts of secret information, but not a lot of the tools that you then find migrating into that private environment. As a result, you have these obligations or responsibilities to protect falling to private companies, which are often staffed with lots of former public officials of one sort or another, either because it's a startup founded after they retired as a four-star general, and so they're double dipping into their pension and their VC money, or you're talking about Private First Class Jimmy, who was a really sweet Python programmer when he was in the Army, got out and decided to quadruple his salary working for McAfee or something. So this is a really awesome tweet. Is he in the room?
It's unfortunate, I don't think I've ever met him in person, I want to someday, but a really excellent tweet by Hostel Spectrum here: that this assumption has crept into policy. I don't know if it's an assumption as much as it is a fait accompli at this point, based upon just how the market has shifted out, that private firms should be expected to absorb and take responsibility for, at their cost, protecting against and mitigating a potential cyberattack that would have dire public consequences, either of an economic sort or going all the way into the scary, sensational ICS, power plants are going to explode, sorts of scenarios. When you cast this within the scope of the Westphalian compact of non-interference in other states' borders, one of the items behind that, to mix analogies and mix sources on this, is the Max Weberian concept of a monopoly on legitimate violence. We're talking like classical violence here; we're talking about cyber violence. Anyone use that term before? I don't think so. So if we can get that one built up, we can push back against that other AOL-era definition of cyber. But in looking at this, though, it's almost like the state has been forced to cede, or is willingly ceding, the role of having a monopoly on cyber impacts or influence, at least on very vital infrastructure. You can look at this as, you know, of course, having left the barn back in the 70s, especially when you look at a lot of the, you know, sort of Anglo-American style Western countries, through Thatcherism and Reaganism and Nixonianism for that matter, of deregulating economies, where lots of previously public goods were privatized in the scope of, you know, liberal-ish, liberal in the classical sense, capitalism. So as a result we've, you know, somewhat deliberately pushed these obligations outside the bounds of the state into private hands, and I don't think most of the Western world wants to take that back in. If you look at some other countries, though, you know, Russia, China, India even to a certain extent, a lot of this infrastructure still lies in somewhat state hands, so you have much more state intervention into those realms, and arguably much better state resources and efficacy applied towards protecting these. But I think most of us are US, European or something like that, so we'll stick with that framework for now just as a point of focus.

The main thing being is that you've got this responsibility for protecting public or public-influencing goods resting almost primarily on private entities, which leads us into the idea of duties. Hinted at this multiple times. I'm going to try and hit this both from the individual standpoint as well as from the, you know, notional person that is the corporation perspective. I hate that idea, and it's based upon a really crappy legal opinion, but it seems to have, you know, garnered some following or whatever, at least in this country. So we can look at conflicting duties. Putting yourself in the analyst's shoes, my shoes for example: now that I work within the private sector, I've got duties to my organization. You know, Dragos wants me to do a good job, to fulfill my obligations to the company so that we make money and continue to exist, we all pay our mortgages, and maybe someday I get to send my kids to college, although at this rate that's probably not going to happen. As part of that though, in order to make sure that actually happens, we have duties to clients: someone, some entity, whether it's a financial services firm, an oil and gas producer or a large retail corporation, you know, says, like, hey, you know, we have a security problem that we cannot solve internally, therefore I will pay, enter into a contract with you, give you money, in order to step in and take over this vital service for me and protect that. That's, you know, a pretty heavy duty that's being, you know, ceded out to an external party and then taken on by that third party, so it should not be taken very trivially. When you say that, oh, I'm going to sell a product to someone, that's more than just saying I'm going to ship a blinky box they put in their server rack and I walk away. I at least like to think that it means that you have now taken upon yourself that, for whatever you sold, a, you know, intrusion defense system, detection system, antivirus system, some big fancy SIEM product or whatever, that within the scope of what that's supposed to do, you've told your client that, yeah, I'm going to make sure that we've got you there. Hopefully it's not the case; if you went to Black Hat last week, there's probably lots of people that don't have that conception of things, unfortunately. But lastly, you know, there's also this sort of communitarian idea that, well, I just don't exist in isolation. You know, I live someplace, I have neighbors, those neighbors have neighbors, I pay taxes towards something to make sure that I live in a nice, comfortable, safe, secure place with clean water, power, etc. You know, presumably entering into this framework, I accept, or, you know, now have taken upon, duties to that community. And when you look at community more widely, you could, you know, simply define that as a country: the US government makes sure that borders are secure, you know, through various mechanisms of how funding is passed along, the streets get paved, my kids go to school, etc. So, you know, there are non-trivial things in question here. It's like, yeah, the United States has been good to me. They do really crappy stuff sometimes, but, you know, balance of payments and whatnot, from my perspective they've been pretty good to me, and therefore it's almost like I at least tacitly owe them something at the end of the day.

But what wins, then, if you have all of these three things that are out there, sort of in latent if not outright conflict with one another, depending upon what you're doing? So for example, you have a monetizing intrusion, ransomware hits a network: that's easy, nuke it from orbit, kick it out of there, criminals, you know, pass the information on to the FBI, Interpol or whatever, end of story, we're not going to talk about that anymore. Industrial espionage, this could get a little more interesting, still say this is fairly clear-cut: you know, someone's trying to steal secrets from someone that you are trying to protect, but alright, kick them out of the network, we're done, end of story. But like, what if we're talking about a situation of, you know, to throw you a very interesting, you know, thought experiment? Thought experiments were always the most fun thing as a philosophy student, because you end up with situations that don't seem really plausible, but as a result of how you construct them lead to ways where it's like, damn it, yeah, that might happen. It probably won't, but shit, no, like, my way of thinking about this needs to change a little. So for example, say you have a country that has some latent cyber capability in state-sponsored industry and research and development, and they steal secrets related to, say, clean electricity generation. Said developing middle-income country relies almost exclusively on coal for electricity generation right now, and as a result is contributing significantly to global warming, which I hear is not just a theory, it is not something that you can believe in, it is a real thing. And, you know, you could tell a very easy story: we're stealing clean power tech and then applying it within domestic industry can lead to, again, a consequentialist overall good, in that you reduce harm effects from having, you know, reduced coal generation, reduction in emissions; all of humanity, and especially unnamed middle-income country, which maybe starts with a C and ends with an A, is better off with that. You know, I'm not saying that, well, this has actually happened, but, you know, from an intellectual property, individual duty standpoint, it seems like it's a clear-cut wrong. But if you start, you know, being a little more flexible with how you're approaching or viewing the problem, you can at least tell a story or make an argument that is cogent and sound that makes it sound like, well, that might not be the worst idea.
and maybe there's actually an obligation to share that. Is this the place for that debate? We can have that over drinks later. Political interference: also something that I hear happens, and may not just be a story that one finds on the Twitters and whatnot. This seems to start getting a little bit more clear-cut, but what's interesting about this is that political interference isn't just a question of, like, haha, I'm going to hack party XYZ and do stuff; rather it's been interference by manipulating channels of communication and other sorts of venues in order to pass a message on. Well, in that case it seems pretty damn obvious that, nope, take them out of the network. But again, we look at this mostly from the standpoint of Russian influence on US or other elections. They're not the only ones who try to influence elections, though. So what if you're trying to influence, say, for example, look at Montenegro. Does everyone here know where Montenegro is? Okay, cool. So a little country in the Balkans, in the traditional Russian sphere of influence sort of thing there, recently voted to join NATO, but there was a lot of back and forth over whether or not that was a good idea, and so there was a lot of manipulation of how their political process was going about. Well, if, say, a Five Eyes country, NATO or whatever, started surreptitiously inserting fake stories and whatnot about the other side, you know, presumably we like to think, well, joining NATO can be a good thing: there are commitments to human rights and whatnot and it's an easy stepping stone to the EU. It's probably in the best interest of the Montenegrins in the long term, but is it really ethical to, say, start seeding dicey information into the public sphere in order to make that come about? And if I'm a security company and I catch that, what should I do? There might be a good result of doing this, but the way in which it's being executed is not indefensible but rather much more touchy to try and defend. So again, not as clear.

Let me get to this: I'm going to say that short of some very, very, very narrow examples, this is just no, you're not allowed to do that. Everyone says, "But Stuxnet!" Drink. Stuxnet is not a very good example for this, because if you look at how it was designed and deployed, it was software that was designed to have a very specific effect in only a very specific environment: to cause centrifuges to spin a little faster, a little slower, and make sure that people couldn't really see what was going on. If you weren't running a Siemens Step 7 PLC of a specific version, and especially not in an environment that was enriching nuclear fuel, you didn't really have much to worry about with Stuxnet. It did spread a little bit further, so everyone got a sample of it and you could do things like fancy TED talks and whatnot, but otherwise, from a harm reduction standpoint, you could say that it did a pretty good job and tried to minimize its impact, even if the reason for doing so was to try not to get caught as opposed to trying to be nice and ethical about it. But then you start moving over into some other things. Take sort of a combination of something like a Shamoon event, so wiping a bunch of computers at Saudi Aramco several times over several years, and also look at something like Olympic Destroyer, which gets us into wormable malware, in this case targeting the opening ceremony of the South Korean Pyeongchang Olympic Games. Well, in that case you're getting potential physical destruction, certainly cyber destruction for all those poor systems that needed to be wiped and rebuilt at Aramco, but if you start tying those into industrial control systems of some sort, well, now you start getting something that is less targeted, far more virulent, and with the potential to do a lot of damage. That just doesn't seem cool, ever. So in this case I would say it's fairly clear that if you catch this, you should kick it out. But again, in the Stuxnet case, is Iran having nuclear weapons a good thing? I don't know, doesn't seem like a good thing. You can make an argument, though, that it kind of induces the potential for nuclear parity in the greater Middle East with another country that doesn't actually have nuclear weapons but really does have nuclear weapons, a little further west of them. So again, you can make a potential case where this might make sense, but for the most part I'd say this one is fairly obvious.

Now, from a security practitioner standpoint, you can try and take a stance where it's like, okay, if nothing else, do no harm. This is a very nicely illuminated copy of the Hippocratic Oath. It seems like a very nice idea: okay, I don't have to be part of any of this offensive shit or whatever, I'm going to step away from this and I'm just going to make sure I do no harm, and I should be fine, right? Well, the problem is, when you say do no harm, what the hell do you mean? So there's the idea, well, don't deliberately inflict harm, so no, I won't do offense. Okay, that's pretty easy and cool. But then, do not allow harm to be inflicted: that starts getting a little tougher, and looking at the examples I cited, you can again tell stories, some of them might seem a little more far-fetched than others, but certainly make arguments that this is a little harder to achieve, because you get into instances where you're very rapidly coming up with counterfactuals or counterexamples to your general idea that tie you in knots, like they do for me. And lastly, and this is sort of a see no evil, hear no evil, do no evil standpoint, just don't allow harm that you really know of or are actively investigating to occur. So it's like, I don't see it, or, you know, try to ignore it, look away, whatever. That seems to be sort of the cop-out approach. If you're doing this, you're engaging in
weaseliness of some sort. Doesn't mean that it's not a choice; it's just not the best choice. But really there's an entire continuum of things that underlie the otherwise seemingly simple, seductively simple idea of just "do no harm," and this gets us into the distinction between what is a positive and what is a negative duty. This is an ethics track, so I'm expecting everyone to have somewhat of an idea, but positive: I need to do something; negative: I need to refrain from doing something to some other entity. Which leads us into the idea of the hierarchy of obligations. So especially when I'm talking about something in the sense that I have an obligation to do something on behalf of another party, a positive duty, when those start conflicting, how do those rack and stack against each other, so that when there is a conflict I know which ones to do? This is where you get into the idea, and this is very much an oversimplification, of what is my driving goal underpinning those duties. Like, am I saying, hey, a communitarian approach, that what's good for the society that I live in, the people that I know, that are close to me, my fundamental duties are to them, and that's going to define my ethical worldview and shape my decision making? Or am I saying, you know, this is really like a sort of Aristotelian ethics versus a more Kantian framework, and these days I kind of lie right in here personally. Or am I taking a universalist approach, that that which I cannot will into a universal law is not ethical? That is a rephrasing of the Kantian categorical imperative. That means that you're entering into something that, as the name says, is universal; your flexibility in there is dramatically limited. There are ways of reading that for, like, situationality and whatnot that can be a little more flexible than that, and you can read things like Christine Korsgaard and whatnot in order to get into that, but overall you're talking about some very universal, hard and fast obligations here. Lastly, you can get into some sort of Ayn Rand bullshit and start going completely YOLO: I'm going to do my own fucking thing, my way or the highway. This could be the mercenary capitalism approach to doing network security: I'm just in it to make money, everyone else probably is too, they've got to protect their shit, I'm going to protect mine, and through some magic of natural selection bullcrap or whatever, society as a whole advances. As you can tell, I don't think there's much to be said for this idea, but people adhere to it, so we'll talk about it, and some very smart people adhere to this, so we'll talk about it. So you can see that there are different ways of framing this that result in how you construct the duties under which you find yourself, or rather the obligations under which you operate, that then frame your subsequent decision making.

So what is a conscientious, neurotic, overthinking security professional to do about this? I'm not a hundred percent sure. So there's a clean hands approach. This is where, kind of like the weaseling way out, it's like, I'm just not going to actively do anything. The focus is on the personal repercussions: you know what, Jim in the cubicle next door, he can go work this target or work this mission, but I'm going to stay away from it; I'm going to do something that's a little more amenable to my interests or whatnot. Call this, to inject a little Judeo-Christianity into this, the Pilate approach: wash my hands of the matter and walk away. Again, it's an answer. I don't think it's a very good one, but it's certainly one way of at least making sure that I am not dirtying my soul in the process of participating in a certain action. Another idea is very careful selection, so don't put yourself into compromising situations in the first place where you have to make the decision, do I do something or walk away. That might sound similar to this, but really what I'm looking for is things like exceptionally discrete selection of who you work for. So this is something that I've kind of done. Dragos is kind of a weird company in that we're full of ex-spooks and whatnot, but at the same time none of us ever want to go back there, and we've had some really touchy relationships with those organizations, and we very much adhere to "no one in civilian power infrastructure, full stop." So that's one way of doing it: find a company that fits your values, so to speak, so you're less likely to find yourself in a situation of compromise. But the problem is that might not be practical or probable, especially if you're just starting out in this industry and you want to go into something like, "I'm going to be the best white hat blue teamer ever and I want to go save the world" and whatnot. You might not have much in the way of selection on who you go work for, unless you feel like, you know, being a barista in your spare time in order to try and make ends meet and get health care. So as a result of how, at least, we've structured society in the United States, you might not have very much scope in order to make that careful selection, so it's not possible for everyone. The last thing, and you can try doing this although it might not last very long, is you can actively work for change within the organization. And again, if you're junior SOC analyst Timmy, you're going to be looking for a job probably within about six months, which sucks, quite frankly, because we sort of stamp that out: no, organizational ethos, boom, sit down, the nail that sticks up shall be pounded down. But not only that, in terms of agency and the possibility for actually executing within the idea of this, what direction do you actually push the
organization into that still allows the organization to actually fulfill some mission and remain solvent? Because it's one thing to say, for example, "We won't do any business with oil and gas companies because they pollute the environment." Okay, so does that mean it's okay then if someone hacks into an oil and gas plant and causes an explosion? Because that sounds pretty bad; they might pollute the environment, but I think we all have a general interest in not seeing gas pipelines over-pressurizing and blowing the hell up. Okay, okay, oil and gas is fine; we're not actively contributing to their operations, just making sure that they're reasonably safe. "We won't secure the manufacturing networks of firearms providers." Okay, that's probably a little easier, but then you start doing some really strict salami slicing, like, okay, so General Electric, they make engines that go on warplanes, does that mean... There's a lot to know about how you actually start breaking this down, and where do you really get to a line that's both actionable, feasible and sustainable across time within the scope of trying to run an organization? So one answer to this is, again, you can go the complete, like, me versus everyone else, state of nature, Hobbesian whatever, everyone's a mercenary. Actually a very interesting conflict to read about if you're not familiar with it, the Civil War, no? Well, anyway. But what security companies have tried to do is sort of mishmash their way through it through high-falutin' sounding documents like the Tech Accord that Microsoft is pushing. If you print this out you would not be short of toilet paper for a little while, but at the same time you also don't end up with anything that's especially meaningful, in my opinion: sort of a completely pseudo-voluntary thing where, you know, "We'll protect customers no matter who they are or why they're attacked." That is bullshit, and they should know that, because what if your customer happens to be a customer in another country for which there are export controls in question or sanctions applied, or is using that technology for criminal purposes? You can try doing this, but very soon someone is going to knock on your door and tell you that, no, you're going to stop doing that now, because guess what, you are still physically located in and subject to the laws of this country. So that is an inactionable course of action, to say it lightly.

All right, so there's the idea: are all customers equal, and if not, who decides? That goes back to the idea that in cases of clear criminality and whatnot, it's like, yeah, they probably don't deserve protection, they're criminals, they're assholes, fuck them, put them in jail. But when we start getting into the question of, you know, the export controls argument, it's probably a good thing for a factory environment in Iran, or, man, not North Korea, Iran, to operate in a safe environment and so to have access to, say, software updates for the machines that are running their equipment. But that's not allowed by sanctions control, and if you observe that that technology is being transferred in some way, what do you do? Well, that's a dicey one, because again I could see a conflict of duties there. There are some very clear legal obligations, though, and so it really becomes very hard very fast to decide just exactly how to approach that, and that really gets into who decides. So approaching this from that classic Westphalian sense of sovereignty, of non-interference, coupled with the Weberian concept of a monopoly on legitimized violence, and in this case cyber violence, it's very clear who decides: whoever's passing laws where you happen to be based. But since we've already talked about how the sort of Westphalian compact in cyberspace, oh god, I just said that, in the network security space has basically fallen away or is eroding as we see it, it's not very clear who's deciding at that point, because if you're looking at Microsoft: I've got research and development centers in Israel, China, Europe, etc., and so it's not just US law that overall triumphs, but I've got a lot of other sorts of things that I'm also tacitly tying into. Certainly where your company is listed has some influence on that, but again, that gets pretty dicey very quickly. This gets into the idea that if you have this question of duties, especially from a communitarian perspective or just a law-abiding perspective, yeah, I'm going to protect all my customers equally. Well, okay, you get a legal subpoena: the FBI wants to put a little implant on that device in order to interrupt, say, an international child trafficking ring, which is something I think we could all say is not cool. Okay, so all those duties then go away because of that? Well, you've just made this overarching overall statement, which is why I said it's bullshit earlier, that goes completely against that. Which again goes to the point that all generalizations are stupid.

Going faster than I thought. So where are we right now? Where we are is very confused, at least I am, and I'm giving the damn talk, so I'm very sorry. We find ourselves in a situation where we have private companies that are entrusted with protecting what are ultimately public goods, things that are in the general interest, and as a result of that situation you have individual analysts that are placed in positions with conflicting duties, whether it's to varying degrees of obligations because they either used to be a government employee or they have some sense of patriotism, for example, versus who they are when on the clock trying to defend. There are some attempts at norm creation, like that tech compact, accord, whatever, we talked about, but they're bullshit, so there's nothing really good there, and there's nothing binding anyway. There's nothing like a hard and fast rule, especially when you're talking cross-border between places that really don't like each other. Where it works, like if you talk
about US to EU, US to Japan, Australia or something, yeah, that's pretty cool, there's stuff in place, but US to China, YOLO, really it's just whatever goes. So the thing is, is this an impossible problem to solve? I had a conversation last night with Mara Tam about this at a small event, even smaller than this one, and it's like, well, what would you do about this? And my answer to her, when approaching situations like this, is, fuck if I know. All I know is that it kind of bothers me. So really, companies have the greatest responsibility, in my opinion, in this space, because they kind of sit in that middle ground between the poor individuals that are just trying to get by and make sure that they can put food on the table, pay their mortgages and have health insurance, if you're in the US, so they have a position of particular power relative to the analysts, and relative to governments who unfortunately lack the skills, expertise and some of the technology to do this very effectively. The problem is that their incentives are not really aligned to take action, because at the end of the day any company worth itself is going to work from a profit-maximizing perspective and as a result make a lot of compromising decisions en route to doing that.

Not saying that everyone does that in a completely mercenary fashion. Again, like when I spoke earlier about trying to find a company that aligns with your interests, I think we do a reasonably good job of this, but we're also very young, so it's only a matter of time before something like this happens, and then it's a question of, do I really belong here or not? I hope my boss doesn't watch this later. Anyway, we've talked about individuals being most significantly impacted, especially at an ethical level, because at the end of the day, whose hands are on keyboard? Who is the one that actually has agency over how this is applied, even if it's the sort of "good Nazi" argument of "but I was only following orders," like every order is as good as another order? How do you put yourself in a position where you can sleep at night, where you don't end up compromising personal values and items of importance? But just the fact of life requires that individuals are going to have to compromise, because they're in a position of less power than the other entities around them. So as a result, the problem as we've situated it really is not solvable, because on the one hand the entities that seem like they're most concerned with this are also the ones with the least amount of power, people like us in this room, whereas those that have the most capacity for potential action on this are in a position where their incentives are misaligned towards really resolving it. And on top of that they legitimately have to worry about things like, oh crap, you know, to Kaspersky's credit, they don't really have a choice about cooperating with the Russian government, because there are laws in place that, as long as they're operating there and have infrastructure there, all, or maybe some, depending how you want to look at it, of their traffic has to be accessible to domestic security organizations. They just lost the game of life through the lottery or whatever of where Mr. Kaspersky was born and where they happened to start the company. Is that their fault, necessarily? In which case you look at this again from the standpoint of intentionality: are they deliberately doing this, or does it just happen to be the case that they have to comply with the law of the land where they're based?

So the only thing I can offer in terms of guidance is that we look at this from a couple of different angles. From an individual perspective: recognize what your situation is, keep an eye on what your company does, what your organization does, and be aware of what's going on so that this doesn't blindside you out of left field one day, like, oh crap, I can't live with this anymore. But as part of that, like I said earlier, if Timmy the junior SOC analyst starts raising hell about "why are we supporting this?" and then finds himself without a job, you kind of need to keep your head down. I'm trying to be pragmatic in terms of presenting this, which is not always the most glorious ethical position to take, but it's really hard to say "die on this hill" when dying on that hill might mean that you end up grossly in debt because you got sick or something along those lines. But really the idea would be: pick a mission and stick with it. So from my perspective, I've picked a mission. I don't do offense, I want to kick bad guys out of important networks, and I won't compromise on that, because I'd like to think that non-combatants and whatnot all have an equal interest in and right to clean water, reliable power, etc. And stick with it. Again, try to find places that align with those values as much as possible, while realizing that it might not be actionable or reasonable in all situations. As for companies, their days of having it both ways I think are going to be over soon, whether because of things like all the press and attention for Kaspersky, and I was really surprised that the
Mandia comments, some work by CyberScoop notwithstanding, who did a good job of covering this, didn't garner more attention, because it was just very strange that he very willingly just kind of said, "Yeah, we give these guys a heads up," or whatever, on the down-low every once in a while, while having cleared analysts sitting on watch floors in the greater DC area, etc. I think people will eventually get pissed off with this and there will be market signals saying that we can't do it, and that will lead, I hope, eventually, it's not going to happen tomorrow, not going to happen next year, but maybe five years from now, to moving away from the "we've got all these guys from 8200 who are sitting in our NOC right now, they're going to protect you and hack the bad guys, and they certainly don't have any obligations to Israel anymore, trust me." Trying to play that game from both sides... they really need to just pick a mission and stick with it. So from the Dragos perspective, "safeguarding civilization" is a goofy little term, but at the same time, so far we're following it pretty well. This is where something like the Google "don't be evil" thing comes in: for a while they actually followed it, I mean, good on them, that lasted for longer than I ever expected, and then it went away. So when those sorts of things happen, that results in things going off the rails. We have a lot of people that happen to work for that company, and it's like, well, what am I going to do now? I've got stock options, I've invested for whatever benefits, and I've got the 20 days of vacation and whatnot; I don't want to leave for another job. So that makes it harder. When you start shifting gears along those lines, or leaving that sort of mission amorphous, it again puts individuals, who are the least powerful in these transactions, in a bad spot.

The one other interesting thing, from the infosec consumer perspective, is that there's some level of power there. They can try, from a contractual standpoint, a legalistic standpoint, to put expectations and requirements in writing. Doesn't mean that they'll always be followed, but at the very least, if you find out later on that, "You let the freaking NSA in my network for six months and didn't tell me about it," well, it could be an interesting lawsuit if nothing else. I don't know how realistic that is, but at least it seems like an avenue worth pursuing. I'm not a lawyer and never want to become one, so that's for someone else to decide. But yeah, really looking into doing the due diligence work of: okay, what are your obligations, who do your people work for, do you have people with active clearances, do you do government-sponsored work, and as a result, what are your obligations in terms of the protection of my data, how you handle my data, how you handle discovered intrusions, how does that work? Really asking those hard questions and putting private companies on the spot to show their hand: alright, what have you got? If you're in a situation where some of these conflicting situations erupt, whose side are you on in this scenario?

One of the problems that I see in this space is a sort of balkanization of security. As we've transitioned away from the post-Soviet moment of, oh, liberal democracy everywhere, free markets and globalization and whatnot, and the return, well, not the return but the rise of illiberal democracy and autocracy on the march again, and really getting into a closed-market standpoint, it's becoming really hard to be an international company operating in this space anymore, because you've got lots of people that want to get their hands on the information, expertise and what results from this. So in a situation like that, do you just make sure that you pick the home team for your security company? So if I'm Target, that means, okay, Symantec good, Kaspersky not. If I'm Rosneft, well, I don't think they have much of a choice, but, you know, Kaspersky yay, everyone else boo. Some Chinese company: the MSS, I'm sorry, 360 Safe or whatever, yay, and everyone else boo. But then what if you're Germany? As far as I know there is no real major endpoint security provider, major security company, that's domiciled in Germany. You could say, well, ESET's in the EU, aren't they? Yeah, yeah, okay, there's Slovakia, that's close enough, maybe. But still, if you don't have a home team to pick, what do you do then? And then you really have to start asking these questions to figure this out fairly quickly, because you'll wind up in a bad spot, I think, sooner than you really realize.

So that's all I've got. I can leave that up because we're not staring at a big screen. I talked at you for 50 minutes; now you have the opportunity to ask me questions, and I might have things to say. Yeah, I mean, I hope that was at least interesting. Only a few people left, okay, that's cool. Wow, really? Okay. I just don't know what the point would be, to be honest with you. So this is where, getting somewhat away from the ethical dimensions of it, but just to be very practical: well, what do you achieve? Like, damn it, someone stole all my shit, what do you do? Are you going to get it back? No. They may have copies of it; you're not getting it back. Once it's gone, it's gone. You can make yourself feel better. Oh, I'm sorry, so the question was, yes, I got that signal, the question was: do the circumstances under which we find ourselves really legitimize or incentivize the move towards companies hacking back? And my answer is that even just from a sort of consequence-driven standpoint, I don't know what it achieves. It doesn't enhance security, whether because you're going to hit the wrong people as a result of, like, "Yeah, I took out all those C2 points," when all your C2 points are just some poorly secured WordPress instances and you just blew away Samantha's cat blog.
What the hell, man. So there's that part of it, but also you can't put Pandora back in the box once it's gone, and even if you're the victim of a cyber-physical attack, like, what could you do after getting pwned a couple of times and the lights going out? Yeah, they can try and hack back; it doesn't mean the lights go back on. And I would say, from the standpoint especially of the adversaries that are most capable and most likely to commit some of the more egregious sorts of actions in this space, it's not going to deter them either, because at the end of the day it's like, arms race, motherfucker, we've got this offensive shit down. Whereas private companies, I think, while on the defensive side there's a lot of technical talent, and the shady pen testing firms and whatnot, companies that do software development and research that are headquartered along the I-95 corridor between northern Virginia and southern Maryland, yeah, they probably have a lot of offensive talent, but for the most part Wells Fargo doesn't, and even if they did have it, I don't know what they'd do with it. But lastly, from an ethical perspective, it also gets to the idea of what have you achieved in terms of improving the ecosystem overall, and while you can go back into some of the other arguments that I think people make, I just don't see there being a way, especially given the extreme likelihood of unintentional consequences, like poor Samantha's cat blog, where you don't end up whacking the wrong thing as a result. Because no sane adversary, at least no capable one, hacks from their own infrastructure. No good or capable actor does that. There are three or four hop points, or maybe not, maybe at least two, between their stuff and you, which has happened, but otherwise you're typically not hitting something where it's actually going to matter. So it just seems like it's the wrong path to go down in general.

Okay, we'll start with the gentleman. "What are the obligations, let's say, if you're a citizen of one country, doing that work for that company, but the company that you belong to is headquartered in a different one?" I don't know. That's where it comes down to, really, what's driving you. For example, I know of Canadian citizens that are working in the Gulf region that are very nervous right now considering what's going on between Saudi Arabia and Canada on a diplomatic level, which is having a lot of very immediate economic repercussions as a result of, you know, we can all be pretty clear that human rights stuff is pretty important; there's not really much of a leg to stand on in terms of the other side of this argument. But, well, what do I do? I took on an obligation with this organization. Maybe I'm not in Saudi, maybe I'm sitting in Dubai or whatever, but these are germane issues throughout the region and I find myself in an uncomfortable spot. Do I stick with it, I signed an obligation and therefore I'm required to complete it, or is it like, nope, this violates a universal set of ideas that I have in my mind, therefore I can no longer in good conscience support what's going on, I'm going to pack up and leave and hopefully I can find a new job? Or, from a communitarian sort of sense, I've willingly adopted a new community and therefore I'm part of that company or whatever entity I'm with right now, or, you know, take it all the way, I will continue to abide by what I think is useful there. So it really comes down to, in my opinion, a personal choice for where your values lie, and making sure that you're clear on that yourself going forward, and then articulating your decisions around that. So again, all generalizations are stupid; not everyone's answer is going to be the same on that one. I certainly personally have my own view on that, which would be a blend of that universalist and communitarian approach, so very much a virtue-driven way of looking at these sorts of ethical quandaries, but it will likely be different from everyone else's and I am okay accepting that.

Gentleman? "So, do you think, what is the effect when a nation-state publishes an official policy that a cyber intrusion, a cyber attack, would be followed by a kinetic attack, that that would be justification for that? How does that affect me?" So the question was, and I didn't repeat the last question, so I'm sorry, I hope the gentleman in the back doesn't throw something heavy at me, the question was: for states that sponsor, or not sponsor, but that publicize and create guidance that, in response to a cyber-physical or cyber attack, we reserve the right to retaliate in kinetic fashion. On the one hand, from a private industry standpoint, that makes me not want to tell the government what happened, potentially, depending on what I'm thinking, like, oh crap, I don't want "the Russians are in the grid" to mean, oh shit, the Baltics just got invaded because things went off the rails really fast and things got kinetic. But for the most part that decision-making, where a lot of the agency lies, seems to be within those government spaces. My only pickup on that is the transition from virtual to physical, or especially where there's a blend between the two, is very much consequence-driven in this standpoint. Saying, oh, the financial system went down, therefore we're nuking Iran, when, well, the financial system didn't go down, it was slowed a few years ago during Ababil, or however you pronounce that; a physical response to that would have been disproportionate, and in your classic Augustinian sense of laws of war, that's probably not a good idea. But when you start talking about, for example, what's happened in Ukraine several times, I would say
that they're probably well within their rights to say it's like you know what what you did could have had more dire repercussions than what actually happened and you didn't really know that going in therefore it seems reasonable that we could retaliate now they would lose that fight but at the same time though it seems for me you know just if you want to justify a potentially stupid action following that it would have been something reasonable so again it depends but in looking for it it's one of those spaces where the private sector should just try and like keep its head down and stay away the fuck far away from those sorts of debates because they get very uncomfortable very quickly so earlier you talked about fiduciary duty there like in the United States out of a box of fiduciary lawyers of fiduciary financial advisors then when you talk about states and if you want to build infrastructure like roads you need to be a professional engineer registered for the state how do you feel about enforcing like professional engineering licenses among like software engineers and like cyber security engineers to kind of bring up that level with respect to those individuals building and supporting infrastructure okay so the question was you know mentioning fiduciary duties earlier as one way of phrasing how a private company enters into an arrangement with another private company to provide security services is that just like we have the idea of you know doctors, lawyers have fiduciary duties to clients or just as we require civil engineers to be licensed and certified and continually monitored to make sure that they fit within professional standards can we adopt such a framework for practitioners in the security space and software engineering etc I think we can there was a talk in an event last night that I really wanted to go to by Tom Miller who's at DHS that touched on this subject and I did not get to attend it and I think he's a big proponent of it and I can definitely 
see there being space for it. Part of the problem that I have with the idea is it gets very licensing-like. For example, with legal licensing or whatever, the way in which it's framed is you pass a state bar and that covers, like, actions within a certain location or whatever where you're practicing law, and that seems to link up fairly well; if you're doing something internationally or across state boundaries, you get licensed in both locations. Given the way that security and the organizations requiring security don't neatly fit into little boxes in terms of location, it gets very hard very quickly to enforce or require that out of the box. But just because something is hard doesn't mean that it's bad. So as much as I malign, just because it's a stupid idea, you know, this thing, its heart's in the right place. So the idea of the Tech Accord is like, yeah, you know, we'll try and set up just an ethos around which we will, you know, rally, that, you know, like, we will protect everyone anywhere, whatever. Having something along the lines of at least a minimal professional ethic, something almost approaching that Hippocratic oath, might be reasonable. The only problem with that is that you get into scenarios where, you know, how are you defining harm, or how are you defining those obligations? So I think it's certainly something worth exploring. The problem is, if you have a real attention-to-detail issue and are very neurotic and overthink things, you very quickly wind up with lots of exceptions and ways in which it falls apart. So again, I see there being something for it, but I think that any implementation is going to be difficult, and if nothing else it will only be extremely localized.

So the question was, if my current organization was approached, that hey, in order to do business here, the home team for where "here" is requires that, hey, you have to insert this thing into your product for reasons. Those could be various reasons, but certainly, you know, something along the lines of data gathering, or, you know, something along those lines, would probably be most likely, or they don't tell you what those reasons are, which is also scary. I would say, given what I know about my organization right now, that the answer would be no. I certainly don't know what that answer would be moving forward, but that ties back into the idea or ethos that we've adopted as an organization, that we've all sort of bought into, which is easy when you're a small company; it's not so easy when you become a much larger company, which I can appreciate. Yeah, right now it's like, nope, we can do things elsewhere, doesn't sound good. And if the answer was yes, that's a resume-generating event for me, because that's just not cool. But I'm also in a position where I'm pretty confident I could find another job without a problem, and that's not the case for everyone. So again, going back to that idea of, you know, the clean hands, see no evil, do no evil, hear no evil, or active intervention or whatever, what do you do? An individual's options in that framework might be constrained, but overall I'd say just that approach of doing things, which ties into again, I forget the name of the Russian legislation that goes back to the '90s, or really goes back to the telco way, like the '70s or something, you know, really provides for lots of potential for abuse, although also, you know, depending on what sort of communications that you're capturing or data that you're capturing or analyzing as a result, you know, could lead to law enforcement things. Like, for example, when, you know, I want to make sure that I'm analyzing all of the classified ads through your portal or whatever, despite, you know, anonymity and whatnot, in order to fight human trafficking. Like, well, that's a really, really good goal; that access could be abused really easily, though. So what do I do there? Yeah, I mean, it gets tough, but, you know, at least from the standpoint of the right now, I would say it comes down to, you know, our organization's like, hell no, not interested at the moment, but I can see other places where that's not the case. Okay, okay, okay. I mean, we've got some swag. Ooh, who's my favorite audience member? I don't know, that's gonna be tough, we got some good questions so far. I gotta remember all of them too. But the gentleman over here, or someone was about to speak, I thought. Okay, yes.

I mean, like, with Israel too, it's not just 8200, you've got people who are, like, doing Shin Bet stuff, and, you know, everyone has tech talent sort of everywhere, just the same as you've got, you know, GCHQ along with other sorts of organizations in the UK. Go to France, who I don't think get anywhere near enough credit for their tech talent overall, let alone the tech talent that they have within military and government circles; they have a few organizations. So everyone, lots of places, have numbers of organizations involved in sort of statecraft, and especially in the intelligence and military space, that are doing these sorts of things, and lo and behold, they often seem to be the ones that you find later on who have founded successful, or certainly, you know, very significant, security companies of one form or another. In the back?

So, whistleblower. Cool. So the question, which I forgot in the last question, I blame this guy for saying that I had my time back, he distracted me. The question concerns whistleblowing in the context of what I've talked about right now, and I'd say whistleblowing is an important idea, and it gets into that sort of actionable approach. Certainly, you know, I could see a cascading series of obligations, like, my organization is doing something blatantly illegal and harmful, like, okay, if they won't stop, I need to tell someone about that, go to the authorities, and they will take care of it, you know, hopefully. Yeah, but then it gets a little dicier after that point, where it's less clear-cut. So, as you know, probably the most prominent example, a Snowden, who is, you know, holed up in that beacon of democracy and freedom known as Russia. Some of the things that he released, I can definitely see the argument and accept the logic under which it came about, that, yeah, similar domestic surveillance stuff, like, yeah, that was really weird, there may not have been the sufficient conversation about it. A lot of the other stuff, though, that came out of that was unrelated and really tied back, and he was like, you know, I'm going to do their thing. And, you know, I expect NSA to spy on China, Brazil; I expect the Russians to spy on the US; I'm going to try and catch them, I'm going to try and kick them out, but that's kind of what they're there for. And, you know, to really start revealing all that other stuff goes beyond mere whistleblowing to almost like score-settling. So it's very easy to wrap oneself in the flag, or the, you know, mantle of, like, haha, I am doing good by revealing evil, and by the way, look at all this other shady shit. It's like, no, actually, that other shit's not that shady, it's kind of cool, but it's, yeah, kind of goes above and beyond. And so really, when it comes to the whistleblower idea, it's an identification of, you know, what am I really blowing the whistle on, what are my motivations for blowing the whistle in this case, and does that pass muster as being a, you know, ethical act, or a morally justified, morally praiseworthy sort of action? And if you look at some of the cases of whistleblowing in the last, you know, few years, you see a lot of other motivations that might be in play in addition to the presumably, you know, altruistic one.

Well, I... yeah. Well, so the question here, and this is a very interesting point, from the perspective of, you know, it goes to aligning yourself with the mission that you're doing, and coming from the perspective of someone who's new in the field trying to find a place that fits within one's ethical framework: are there any organizations that presumably fit a
more altruistic framework? In some cases government work is actually really good. Some of the things that go on in DOE are pretty sketchy, but, you know, at the end of the day, making sure that a nuclear weapons laboratory doesn't have someone probing around their network, like, no, that's a pretty good one, I don't want anyone stealing that kind of shit. So depending upon your sense of obligations there or whatever, there are actually legitimate options. You can make sure that... no one wants the Department of the Interior to have a bad day, they don't seem to do anything too bad, so, like, looking for options there. But also you get into organizations like the Electronic Frontier Foundation, although they do some things that are kind of weird sometimes. Trying to think of, like, I know the names of them, now they're all escaping me because I'm standing up here in front of all of you, but, you know, there are a number of organizations, like really vital ones from a civil society standpoint, from, like, NGOs and whatnot, that actually operate, in my opinion... something like Bellingcat is one that just popped into my mind, thank God. Yeah, that, you know, not only are you talking about a good mission, but, like, there are some serious adversaries that are trying to get into those networks, so that could be a fun job too. But, you know, again, it's one of those, like, they can't exactly pay all that well usually, so it's very much mission must trump paycheck, and especially if you want to live in the Bay Area you might find yourself, or whatever, at least sharing a house with four people. But yeah, that's it. Yeah, I'm sorry, a house, like, you know, I'm in a studio, so enjoy your closet. But no, I mean, there are possibilities, and really it's just investigating, and that's where, like, having a broader view of what it's like to operate in the security space is important, because it's not just a question of, you know, I'm going to work for a FireEye, a CrowdStrike, or an ESET or whatever. It's like, you know what, I want to work for, you know, this hospital system, for example. You know, you can say many things, especially for private health care within the United States, there are certainly many things to take issue with there, but at the end of the day, I don't want the nurses' stations to get ransomware on them, so that could be an altruistic mission to have, and they don't pay all that badly either. So there are options once you go beyond, like, I have to work for a top-tier cybersecurity company, into the actual organizations that need security, and aligning mission in that respect. So there are a couple of hands over here, you guys can fight. Right, thank you.

I happen to know people from Kaspersky and also people from Shmone Matayim, 8200, and basically that's kind of one loose big team which has no allegiance, absolutely none, not to Israel, not to Russia, not to anything. And during the war between Russia and Ukraine, it was actually people from Kaspersky that helped Ukrainians, and obviously people from Ukraine which were clearly Russian spies. So I mean, all of your definitions, it's really, like, in real life, it's a little bit make-believe that it exists; in fact it's not, because the coder from Kaspersky can be hired by the Russian FSB or something, obligated or threatened or whatever, and do something, but in fact coming home and taking your computer and working for, I don't know, Kharkovsky, for freedom for Russia or something. So it's, again, it extends to the UK and extends to Europe. So for me, it's a little bit... I understand, like, from a philosophical point of view, it's very good questions, but in practical terms I don't believe it's really... it's a really big, big community which you belong to also.

Yes, exactly. That's why I made sure that I highlighted exactly where I'm coming from, and continuing to come from, to a certain extent. So I know some of that was off microphone; to distill at least what I think the other question, and really more comment, was: look at the example of Kaspersky, for example, or any of the underlying agencies, there's lots of people there, and a lot of them are diligent, hard workers that are trying to fight the good fight, or are fighting the good fight, and pushing back against evil, so to speak, and I don't dispute that for one minute. I don't have friends... this is a "holy shit," but, hey, I don't have friends necessarily at Kaspersky, but I certainly have people who continue to work there or have worked there that I've had positive interactions with. Anton Shipulin, I'd say, is very close to a friend, who works in their ICS practice, and I know there's great people there who do good work, which is why it would have been deceptively easy in constructing a strawman argument to have left that as the only example, which is why I went to the FireEye one as well as some of the other things. From the perception-equals-reality standpoint, and whether or not some of these things are ground truth, there is at least the continuing perception, and the building perception, of there being some conflict of interest in terms of what obligations you face based upon what country your company is based in, and who your people are and where they come from in their background. So, you know, even though in many cases I don't think it's... you can look at, believe it or not, The Hill quoted me a few months ago on the Kaspersky issue, like, yeah, I think the US government's perfectly within its rights to say, like, yeah, we're not going to use your product. The way in which that was communicated, that was really weird, because it cast aspersions without evidence in a way that I didn't think was helpful, and that then leads to the perception that's like, well, what's really going on? But this work goes to, and I think Mr. Kaspersky has tried to do a very good job of communicating this for his own company, that, you know, no, we'll protect anyone, anywhere, anytime. Although with that statement, it's like, I don't think you really can do that, but I understand what he's trying to say. They really try to drive that message, and with the, was it a libel suit in the Netherlands, or some other legal action against what was a very bad news story. So yeah, I mean, part of this too is that, you know, even if it's not just one of the companies that I've used as an example, there are others, like Mandia's comment, that have resulted in, you know, just cementing this impression that there is a problem, and then making others, like my company for example, have to answer the same thing. It would not surprise me whatsoever if there is a non-trivial proportion of the overall security community, and especially the ICS security community, that just thinks that we're an NSA spinoff because we have so many damn people that used to work there. And so from our perspective, I can definitely appreciate the problem, where it's like, no, not really, but fuck, how do I actually prove that? And it's hard to prove a negative in this case, because, like, saying, like, no, we have no connection to this, well, you talk to DHS, well, we have to, we don't have much of a choice, like, both law of the land and, like, you know, we want to make sure that they're getting some good info as well. So yeah, I mean, I definitely appreciate that. Again, it gets very fuzzy very fast too. So I don't know, there we go. I'm afraid I can't really add much more than I recognize that the answer to this is, more or less, it gets complicated.

So, with a lot of the larger engineering firms, let's say your Fluors or GEs, etc., that are going out of their way and building up stronger, you know, network defense capabilities, but also, say, have military contracting, also civilian infrastructure and engineering contracting in, like, mostly friendly
countries, and then also majority but non-controlling stakes in countries that are mostly friendly, but they don't own the company but still oversee their operations to an extent. Where do you see all of that kind of blending in when it comes to the conflicting possibilities and obligations? Because, again, they don't necessarily control them, but they have...

Sorry, my answer is, it depends. But I mean, that highlights the conflict quite nicely, is that very rarely, just like we can construct very interesting thought experiments involving trolleys and babies and whatnot, like one does in ethical research, but even the examples provided in real life get complicated very fast, especially in spaces where you're talking about different systems, different requirements, and different levels of connectivity, and just what sort of approach you're taking. And so really, going back to the idea that all generalizations are stupid, coming up with one definitive right answer... and I used to be very much a universalist in scope or whatever, it's like, there are right answers to these problems that apply universally at all times, and then I grew up and realized that that actually doesn't work. And so it's really about applying conceptuality around individual events and having the awareness, self-awareness as well, as an individual agent, of what's in play, what are the repercussions of a specific action, and what sort of hierarchies of obligations and needs hold at any given time, and then, based upon that knowledge, both of what's around you and self-knowledge, acting in a way that you can then at least defend. And that's what I'm going to say: there are cases where there are no right answers, or it's just a question, like, where do I do the least harm, and those are the ones that suck. But even then, that goes back down to, like, well, what sort of a situation am I in and how does this play out. The gentleman wants to get in one extra question.

Because this is something that, it seems like to me, we also have a bit of a self-fulfilling prophecy, where you really have a number of companies that get brought on by, let's say, Northern... yep, the minute you're done with a year's experience at Northern, you can kind of tunnel in on security things. It's kind of like, you have a career, we recently had a career talk. But what kind of lumbering is, is maybe that issue more of a thing, like basically you're kind of encouraging people to get into these organizations because they can see the writing on the wall, where it's moving, and maybe that needs to be where that approach is dealt with. But maybe there has to be a little less focus on these companies that are doing this paperwork, to maybe get the industry to spread out a little bit more and have less of this infiltration by the security...

Okay, that's an excellent question, or really more... I don't have a question so much as a comment, but no, it was a good comment. The idea being, we've incentivized individuals to go work for organizations that end up being in murky situations or whatever, like your defense contractors or Beltway bandit sort of organizations, and thus sort of driving people, if they want to be successful in this field, towards places where they might not necessarily be in the most pleasant of environments, in terms of how they feel about what they're doing or, like, some broader society. And going back to the point I made earlier, for the question for someone new in this environment, I think we've done a very poor job as a community in appreciating and articulating the value that security practitioners bring to smaller organizations that are not traditionally associated with the security field. I know some individuals who are really good at this job that work for, like, power co-ops in Mississippi or healthcare networks in Kentucky, and the problem is that they do a good job, they like what they're doing, they're not looking to go anywhere else right now, but if they wanted to, their experience, just by virtue that it's like, oh, what could they really have done here, doesn't look as good as the person who was at Pete Martin for five years or whatever and did penetration testing, was behind the fence for part of that time. That guy or girl is probably going to get a hell of a lot more return phone calls than the power co-op dude in Mississippi, which is unfortunate, because it also comes back to, how do you start expressing this and appreciating how those different missions contribute? And for those of us who are in HR-ish decision-making chains and whatnot, it's really having a broader scope when looking at resumes, for example, or trying to reach out to the community, of making sure that we're, you know, recognizing these people, understanding their contributions, and making sure that we're mentoring junior people to appreciate that, hey, you don't need to work for the big, you know, flashy company with the offices in DC, London, Singapore, and Dubai or whatever. You can go work for Adventist Health System or for, you know, something else or whatever, and you can get a hell of a lot of experience there, and maybe you're aligning yourself to a mission that you can better, you know, support personally as a result, and it's not going to hurt you professionally. We're not there yet, unfortunately.

That's a dick move. The question was that company X developed a security solution for country A, but as a result of the contract under which company X is working with country Y, they cannot transfer the intellectual property behind that solution to any other entity, and it just so happens that intellectual property could be very useful in helping a lot of people out. It depends. But from the way that I approach the problem, I look at that as being a very much sub-optimal solution in terms of making the world a better place for everyone. That said, I could see that, well, you know, there's also the case that not all networks are equal, so maybe we want to make sure that, you know, the network environment that's holding weapons design and test results for the nuclear arsenal has this really special security solution making it unhackable. That's a word to mutter in the hallway and get some attention. It's not a bitcoin wallet, trust me, but whatever, cryptocurrency wallet. But, you know, maybe in that case, depending on how you want to frame the problem, some networks are more important than others, and making sure that that level of protection is there, and then is not revealed for others to muck around with, might actually have something to be said for it. So again, it really does, you know, go back to the case where it's like, there is no one-size-fits-all answer to that, it really depends. But overall I would say that the burden is on the entity asking for that restriction to prove why that restriction is necessary and more beneficial than the opposite. So we have... yes. Yeah, I mean, and again, it depends on, like, not only who you are but which way you're approaching the problem, that there are different ways of, you know, where do my obligations lie. But, yeah, I know, time, they need to kick me out. Yeah, we have time for one more question. Does anybody have one more burning question? Oh yeah, I'm sorry, and as a heads up, these talks will be online; contact information for our speakers will also be online. Yeah, yeah, so we have time for one more question. Everybody, give it up.