If you work in cybersecurity in the U.S. – or further afield like me – you may be counting down the days to Hacker Summer Camp - the week when the security community descends on Las Vegas like a plague of hoodie-wearing, IMSI-catching locusts. There are at least four security conferences and countless mini-cons or meetups taking place amidst the casinos and neon during the week of August 7th.
I am closely watching the calendar as I mutter to myself about all the things I need to get done before it's time to get on the plane. I’ll be speaking at BSidesLV and DEF CON, and in both cases, I’ll be on stage with policymakers. I’m also helping organize Policy @ DEF CON, a space dedicated to creating an opportunity for policymakers and security experts to engage and learn from each other. Meanwhile, I’m also working on a similar, albeit much smaller scale, space for 44con, which takes place in London in September.
All of this has me reflecting on the level of policy engagement at these events, and how many policymakers now attend them. It’s kind of amazing. In the space of a handful of years, we’ve gone from playing Spot-the-Fed to having dedicated policy tracks at all three of the major Vegas cybersecurity cons, and a range of other policy-related activity happening during and around the events.
Think about that for a second. It’s not straightforward for people in government to attend events, and even less likely when the event is in Vegas. There’s a fair amount of paperwork and hoop jumping that has to happen, but that’s not putting them off and we’re seeing a serious investment of time and resources for the government to come and spend time with the security community. And it’s not even limited to the U.S. government - we’re seeing other governments around the world also sending people.
So what’s the draw? Yes, I hear your snarky response about the delights of Vegas. I sincerely doubt it’s that given the previously mentioned hoop jumping, and also, I’ve seen the schedules of a lot of the folks coming and there isn’t a whole lot of free time for sampling Vegas’ attractions. Rather, the policymakers are looking to ensure they are making the absolute most of the opportunity and creating as many opportunities to engage with security experts as possible.
It seems then that policymakers are investing their limited time in coming to security conferences because tackling cybersecurity-related issues and identifying future threats have become major priorities for governments around the world. Further, policymakers recognize they cannot do this in a vacuum. Their efficacy in this area is enhanced by collaborating with security experts, and where better to find a lot of those than at some of the biggest security conferences in the world.
Each of these individual events gives policymakers the opportunity to meet lots of security experts and hear what the security community is flagging as emerging threats. The combination of all the events in one week multiplies that benefit. Further, the nature of these events also adds allure as these are some of the most interactive and collaborative events in the security calendar. For example, BSides events around the world are known for their emphasis on community building and sharing. Similarly, the DEF CON Villages are designed to provide safe spaces where people of all levels of knowledge can come and learn together, a space where people can go deep on a given topic and there are no stupid questions.
That doesn’t mean these events aren’t intimidating. In some ways, it’s probably a lot less scary to go to a more traditional conference where you can sit anonymously in the crowd and listen to a talk without direct engagement. At the Vegas events, policymakers will be looking to make new connections and identify people willing to work with them in the future. They will want to ask questions around topics they are grappling with for policy development. They will want to learn about what the security community thinks is important. Instigating those kinds of conversations can be difficult, particularly in the chaos of Vegas and large conferences. Add to that, the policymakers may be growing in number, but they are still seen as the odd ones out as policy experts rather than security ones.
So I hope the security community will recognize their presence for the incredible investment and outreach it is and will welcome them and encourage collaboration as much as possible. I’m hopeful this will happen. The very fact that there is so much policy-related activity planned tells me lots of security people see the value in this engagement. There is a small-ish-but-mighty-and-growing community of security pros creating and nurturing these touchpoints and we welcome others to get involved. Remember that the goal of all this is to embed security expertise in the development of cyber policy, and that ultimately benefits not just the security community, but society as a whole.
So if you meet a policymaker at a security event, why not ask them how you can help? Make them feel comfortable asking questions. Help them navigate the security events and chat with them about what you’re seeing in security. Ask them about their role and learn a little more about policy development. We are all richer when we learn from each other's experiences and points of view. Help them make the most of their investment in coming and hopefully we will continue to see opportunities for security experts to participate in policy conversations grow. I’m
If you are interested in learning more, you can see the Center for Cybersecurity Policy and Law in Vegas in the following ways:
I’ll be speaking as part of the I Am The Cavalry track, both in the opener (August 8th) and in a session with the UK Department of Science, Innovation and Technology, speaking on IoT security and connected places policy (August 9th).
DEF CON 31
- Mainstage panel on legal defense of security researchers; Friday, August 11th, 9AM
- U.S. Cyber Policy 101 in the Policy @ DEF CON space, Friday, August 11th, 10AM
- Workshop for security pros on how to submit official comments to proposed regulations; Friday the 11th, 2PM
- “All Your Vulns are Belong to Terms & Conditions,” a panel on vulnerability disclosure and handling policy in the Policy @ DEF CON space, Saturday, August 12th, 3PM
Ari Schwartz, Executive Coordinator of the Center for Cybersecurity Policy and Law, will be participating in the International Cyber Policy 101 session in the Policy @ DEF CON space, Friday, August 11th, 12 noon.
The Hacking Policy Council is also hosting a happy hour at the DEF CON Policy Department with the AI Village. A bunch of hackers, policymakers, and AI experts will have free beverages and discuss whether it is a hacking crime to lie to AI, what governments are doing about vulnerability disclosure, and the ultimate AI hacking challenge.
Finally, I’ll be hosting a session on software resilience in the Policy @ DEF CON space. The session will include representatives from the U.S. government’s Office of the National Cyber Director (ONCD) and Cybersecurity and Infrastructure Security Agency (CISA), as well as from the UK’s Department of Science, Innovation and Technology (DSIT) and the Australian Department of Home Affairs. This session will be on Friday, August 11 at 3PM.