Okay, our two o'clock session is titled, How Can We Encourage More Hackers to Engage with Policy Makers? And we have two speakers. Peter Stevens is an experienced policy lead in the UK and abroad. From 2018 to 2021, he led the IoT Security Policy Division across the United Kingdom government, responding to the Mirai attack delivering the Product Security and Telecommunications Infrastructure Bill. He is an experienced public servant, well versed in delivering through government. He has advised ministers and prime ministers on the creation and running of delivery units in government. While not technical by background, he brings a rebellious streak. As a student, Peter hitchhiked from Buenos Aires to New York City, and he also spent two years teaching in an inner city school in South London. Experiences like this have left him with a staunch optimism about people and he is a passionate advocate for partnerships between policy makers and hackers. To make better informed policies that can support policy makers and citizens around the world, he's currently a policy advisor at the OECD, supporting member states to navigate the range of challenges economically. Thomas Krantz is an award-winning cybersecurity consultant, a senior security and technology leader within and an author with more than 30 years of experience in IT and cybersecurity. Starting his hacking career in the 80s in the United Kingdom, Thomas has also spent the decade since then involved in lobbying United Kingdom and European Union policy makers and contributed to various government consultations around hacking and cybersecurity. He's written two books, his award-winning Making Sense of Cybersecurity and How Is AI Transforming Cybersecurity for NVIDIA. And this session is on the record, which means that it's okay to photograph slides and share slides on social media that the same photography policy applies in terms of permissions required for photographs of people. So thank you.
Thank you very much and thank you everyone for coming and thank you, DEF CON, for hosting this event. It's a great pleasure to be here and yeah, thank you all very much for coming and I'm really excited for the conversation and listening to your perspectives. Please note that this is not going to be the two of us talking for 50 minutes. We will be really grateful and appreciative of your insights as well and comments. So yeah, hopefully we can set that up. But I'll pass over to Thomas. Thank you. I'm gonna steal that instead. Sorry, the acoustics aren't great. Hi everyone, thank you for coming along. Peter and I have very, very different backgrounds but as Peter said, we're not gonna be here talking about us or talking about our perspectives. We're gonna get your input, your perspectives. So one of the reasons that we wanted to hold this session is that there's several things happening so far. So there seems to be a critical mass across governments and supporting organizations globally for people trying to put together laws, policies, frameworks about not just cybersecurity but also other emerging technologies like AI, like quantum cryptography and all of the impacts that those have on society and technologists in general. So one of the things, yeah, is that easier? There we go, thank you. It's very difficult to hear from here whether you guys can hear. So what we're looking for is to essentially have some open conversations about what has worked well, what hasn't worked well, which areas people think there needs to be more work on. One of the things that I'm very keen on is that hackers and security researchers should be more involved in supporting policy creation, supporting governments, not necessarily in terms of let's hire 50 or 60 hackers and get them to work full-time in government but more in terms of where are the areas of expertise?
We're in the middle of DEF CON, we're seeing a lot of really great research, we're seeing a lot of good people coming out and saying, look at this cool stuff we found, how do we get those people engaged with policymakers to make sure that policymakers, decision makers, politicians as well, have the best information they need to make informed decisions and also how can we engage hackers and security researchers more in some of the sort of NGOs and the lobbyist organizations to make sure that when there is legislation that happens that perhaps is not as good as it could be, then we can tackle that and we can deal with that in a constructive way and make sure that we fix some of the problems that we see. Thanks, Tom. And I think just to share back on that, so from my experience working, so I used to be the IoT product security division lead, so heading up the Product Security and Telecommunications Infrastructure Act and basically the UK's government response to Mirai. So I think that in about four years we went from sort of an attack which encouraged a bit of a response to delivery not only of a technical standard but also of actually the first international legislation for that to take place in the world. And I think that the reason we did that was because we had a really great relationship and we managed to find some fantastic people who were able and generous to support us. And I really cannot testify enough just how much it meant to us and also enabled us as a division to engage with security researchers but also then to engage effectively with industry and civil society and academics. And I think it really kind of gained critical mass momentum. So I'm a huge advocate for this to happen more and for there to be more opportunities for these kinds of partnerships.
As well as that, I think there's a bit of learning that we took over that period of time about how can we adapt what we're doing to make it more accessible, to make it something which can be engaged with easily. I appreciate lots of members of the security community are very busy of course and don't necessarily fit into the confines of civil society or industry associations which exist and have gone for decades. So how can we do that? And I think also just something that I've learned a huge amount is the importance of transparency, the importance of engaging with one another and being prepared to iterate and sort of have an approach and talk about it but be prepared to get feedback on that and be prepared to maybe like and not like some of that feedback. So I'm really grateful for the feedback that we can get from this experience. But what I'd love to also hear from everyone in this room is actually a bit of a show of hands to see like what kinds of backgrounds are here. So would I be able to ask if anyone is from like a government administration, could I ask to put their hands up? Okay. One, cool. And from members of the security research community, so I guess people would define as hackers. Okay. And curious as to what other organizations or categories people would say what they're hoping to get out of this session. University academics, okay. Cool, okay, great. Super, thank you. All right, cool. So do you want to add a bit more of a perspective? Yes. Yeah, yeah. So I'm going to make some comments about engaging with governments and policy makers from the hacker security research side of things. Now, one of the difficulties that I face trying to get more hackers involved and trying to get more security researchers involved is the length of time for the feedback loop, right? If I'm trying to break into a system, it's very, very quick feedback in terms of am I successful, am I failing? If I'm defending against an attack, it's very, very quick feedback loop. 
Am I successful, am I failing? If you're trying to put together a legal framework or a policy, especially one I live in the EU, right? There's 27 countries there. There's a ridiculous amount of languages. Trying to get anything to happen there is a miracle. And the fact that it does is a testament to hard work from people involved. But normally hacker security researchers do not have the patience to sit there and see through four, five years of conversations. So, where can we meaningfully engage those people? Where can we get their input, where it has the most impact? Where can we make sensible use of their skills and where is it important for them to share their knowledge and educate rather than physically get involved as well? Anything you want to add? Great, okay. So, I think what I'd love to do is, I think we need to do is, guess my ideas of what kinds of questions people are thinking about and the kind of questions that we put together of think how can we improve the relationships between security researchers and also with governments directly is understanding what have been the experience that people have had of working directly with governments, you know, good and bad, the ugly, you know, what has prevented you from engaging with policymakers in the past, but also what you are looking for from security communities and how you can bring that into the way you develop your policy. I think that something that I am also really interested in is the effectiveness of some of these additional initiatives such as Hackers on the Hill or Hack the Capitol or global forums that take place which, you know, have the stated objective to sort of bring together people from different, and even, you know, DEF CON policy, you know, bringing together these kinds of communities. You know, what kinds of events specifically work? Have you seen actually be productive, you know, introductions or sandboxes or what kinds of things can people be doing to help engage that process?
That's something that I really want to learn and to understand because, you know, I think from my experience, you know, I think it's very, there's a big spectrum across government, some are more adaptive and some have a very strict series of processes and if you don't know how to access it or don't know who to access in particular, you're gonna really struggle. So that's something that I'd love to hear from people in this room. So I think what I would love to perhaps do is if we maybe split into smaller groups, I think there's more people on this side than on this side. So some people want to move over to here and then perhaps we can spend 15, 20 minutes in front of one of these whiteboards just understanding what kind of ideas to go get together a bit of an idea answering some of these questions and then gathering some of your insight because I think that's really where the purpose of the session on this one. Should we start there? Yeah. Okay, great. So should we move on this side and I'll take over here. Okay, thank you very much for those conversations. Really grateful for those conversations and appreciative of time and we've got about five minutes of scheduled allocated time left. So I'm just gonna quickly summarize the conversation which we had over here.
We came across a number of different themes, really came into challenging perceptions of hackers within community, within organizations that can have quite antiquated views and I can totally assess, I can totally see that something that it's come across and we also talked about basically the need for translations, the need for a translation between an organization which has potentially an old fashioned view of this type of work and this type of skill set but also how can we make it easier for that community to understand the way it works and that was the thing we talked about the need for potential structure where there could be a third party organization or safe space chance to bring that up and say these are the sort of challenges that we face and how we can really translate those challenges. I think we talked about the importance of communications and the importance of making sort of how can we support security researchers to get the top level of the key point so that it's coming across to ministers who perhaps don't have the time investment to be able to engage with it. So that was what we really came through. Excellent, so we've covered two pages. We got through a lot. So I'm gonna pick out some key points that really stood out. So one of the things was getting the right experts involved and the difficulty in that in that the Donald Rumsfeld thing, right, known unknowns. If you don't know technology, you don't know who you need to get in as an expert and therefore you can't get expert advice and you can't engage in the right people. And so therefore by default, you're falling back on the usual government contractors and the usual industry lobbying organisations who are technology companies who may not necessarily be giving you the right advice you need to support society as opposed to industry. We also covered some talking about barriers, barriers to engagement, specifically around motive and consequences. 
So there's been lots of instances that people cited and that we've seen in the history of DEF CON hacking as well, where people will have reported a security incident or will have uncovered some research and they will have been punished for it. And that has a chilling effect on people wanting to share stuff, especially when we look at things like critical national infrastructure, when we look at IoT solutions, when we talk about core bits of stuff that keep our society going. And it is a, to use your phrase, you know, trying to find a safe space where you can engage and say, we have found these issues, we have found these problems, we are reporting them and talking about them in good faith. So having that, you know, the usual law enforcement mechanism of react and then deal with the fallout later on, consider motive after the action has been taken, you know, having a safe space where you can consider motive upfront, especially is because, you know, the security researchers who are coming forwards with some of these vulnerabilities on key systems that may impact national security, they're not the only people who are finding this stuff. There are lots of other people who are adversarial, who are not telling you about this. So how do we get past that and have, as you say, a safe space where people engage? We also spoke about the difficulty and the barriers of talking to the right people. So, you know, not just educating legislators, but finding people who actually want to do stuff and are empowered to do stuff and are willing to do stuff, but also setting expectations correctly. You know, it's putting something from this as a problem through to this as a law takes a long time and it takes a huge amount of effort and commitment and expecting security researchers and hackers to be involved in that entire process is just not gonna happen.
So where can we get them involved in key stages to help define, to help steer, to help give input, but actually have people whose focus is on creating this legislative framework, have them focus on what they're good at and have them use hackers and security researchers on what they're good at. And there's a bunch of other useful stuff and we'll be typing this up and sharing it later on, but one of the things that's very close to my heart, being self-employed and a couple of people who touch on it as well is cash, right? Security expertise is not cheap. And we found this in industry that the organizations in industry who tend to have the best security are the ones who've said, this is a business resilience issue. This poses a threat to our continued business function and therefore it's acceptable to spend X amount of our profit on getting the best security people, testing that, utilizing it. There is an unfair distribution of funds, shall we say, across governments and you only need to walk down the street and look at the mess of the roads outside in Las Vegas to understand that money is not being spent on maintaining basic transport and yet defense budgets and policing budgets are through the roof. So there does need to be a shift in terms of everyone says this is a real problem. Brilliant, put your money where your mouth is. Start showing that you're taking it seriously by allocating budget, empowering people to spend money, bring the best people to the table as well. Thank you. I'm afraid that's all the time we have for this session, but thank you all very, very much. And that was, you know, very provocative and very interesting parts, interesting chats here. As Tom said, we will need to be writing this up. We'll have a conversation after this. Please do feel free if you'd like to get in touch with me directly.
I'm happy to give up your business cards with me and more than happy to try and signpost the right kind of policy makers to help demystify this a bit more and looking forward to more future discussions. So thank you very much. Yeah, thank you. Thank you very much.