
Magical thinking … and how to thwart it

BSides PDX · 2018 · 53:00 · 864 views · Published 2018-04
Category: Policy
Style: Keynote
About this talk
Mara Tam (@marasawr)

An early-morning romp through the bestiary of magical thinking and thwarting. Governance (how does it work?), ‘going dark,’ information sharing, nation-state hacking, killer complexity, procurement fails, exploit/0day fetishism, self-inflicted policy wounds, ballistic missile submarines, and WANG!

Mara is a Washington DC-based ICT security policy expert. Mara regularly serves as a private sector advisor to executive agencies on information security issues, focusing on the technical and strategic implications of regulatory and policy activity. Prior to her current roles, she was the Director of Government Affairs for HackerOne. Mara’s background includes advanced degrees in cultural identity studies and modern history, as well as work in international security, counterinsurgency, and arms control. Her speaking credits include DEF CON, ShmooCon, TROOPERS, The Atlantic Council, the Federal Communications Bar Association, and an alphabet soup of think tanks. She is a proud BlackHoodie RE alumna and trainer, contributor to FIRST Org’s VRDX and Malware Analysis SIGs, and Senior Advisor / Staff Nerd with River Loop Security.
Transcript [en]

so I am Mara I live and work around here this is becoming increasingly accurate and not funny um if if you wonder how about it is it's it's bad Tech policy is currently very lonely and fraught place we kind of went from a high watermark under the last administration where you know I I had friends from Redmond out there all the time and you know there were there were always people around and now it's just kind of like crickets in between technical advisory meetings at the Department of Commerce if people even come to those so I work in an advisory capacity I do not work for these agencies I do not represent their views but these are some of the agencies

that I have acted as a private-sector advisor for usually for the intersection of policy and what that actually means in technology terms like if you make this policy what does that actually mean for the technology or what does this technology mean for this policy question and more or less what we're what we're going to do is I'm going to exploit my speaker privileges and give a curmudgeonly intro rant about things that I hate about policy talks work a little bit through why we can't have nice things which substantially hey we substantially was covered by both my Gossman and Senator Wyden and then a few examples of magical thinking in the wild and adventures in thwarting which are sort

of woven throughout but you know I feel like it's important to kind of work at a raft of things that we can do to actually make things better instead of just you know getting up on stage like this and shouting about how broken everything is so instead of prior art we've got a literature review and magical thinking came out of the idea of sort of a bestiary and a bestiary is a medieval compendium the documents sort of animals in the natural world and you know prior to the advent of of proper by biology and and and proper biological sciences these often were you know effectively the equivalent of having third hand accounts of blind men who once felt an

elephant and trying to describe an elephant based on that so that in the 20th century morphed into these sort of cheeky political bestiaries which inspired the work on the left I think that was the work on the right is 1979 the work on the left is 1981 but the work on the left is from the CIA's internal journal for intelligence professionals called studies and intelligence and the strange anteater Hydra thing you're looking at is apparently multidisciplinary analysis so anyway unclassified articles from studies and intelligence are published quarterly by by CIA and have been for about 15 years I highly recommend their book reviews they're really really good so in addition to this inspiration substantially this work was inspired by

by some talks that Sergei brought us has given over the years this one in particular which is offense and defense notes on the shape of the beast and that is one of my favorite slides that he that he put up which was about our all bugs shallow and the answer is well of course they're not how big is your ocean so Sergei has worked for a really long time and or is one of the friendly neighbors that has worked for a really long time on articulating you know what is this hacking stuff anyway we've got this universe of we've we've got the intended universe that we design and then we've got everything that we can do within that universe and Sergei

just has a more eloquent and more accurate way of conveying the realities of Investigation of computing systems than I think most others do and then we have not last year two years ago my Kauffman stood up here and told you that your ideas are worthless and it's interesting because Mike was Mike really was talking about the way that we develop things in the way that we value ideas and you know these two points that he made really really stuck out to me so ideas have value in proportion to how much they are shared and he was talking about patent law and whether or not you know what what is the value in open-source but I

heard something a little bit different and related to what Senator Wyden had to say last year and so Mike's fundamental point of your ideas are worthless until you share them with the world well if you're looking for high-impact places to share ideas you really can't get much more high impact than DC and looking at senator Wyden's talk which was about a a large variety of species of magical thinking that go on in Washington about the relationship between security and privacy it kind of occurred to me that those two talks were actually a lot more related than maybe they might seem and in fact like even even the view of the world that Senator Wyden put forward he he did say in

closing his talk that you know he's a member of the intelligence community and he is also an advocate for preserving strong encryption at all costs and these are not mutually exclusive or or or paradoxical conditions you know but he did say that the world is a dangerous place but on the flip side you know the world can be a dangerous place and we can be empathetic to the needs of law enforcement but are we actually serving their needs and I think that was his question you know does a back door even help the people who are fighting to make the world safe and I think he was coming down on know which is more or less where

I do and just as an aside even even law enforcement officers will very readily say and did say in a I think this is a 2015 study by the National Institute of justice on the high price on the high priority information technology needs of law enforcement and you would think that when law enforcement would be asked to describe what their technology needs are they would say well we want more toys but that actually wasn't what they said they they cited technical skills training and skilled management as well as sound policy for using the tool the tools they already had as the primary deficiencies in that in that ecosystem not we need new toys so I think there's

more common ground there than usually we give it credit for but we'll get back to that lastly I have to say how far did me an epic solid with the series of talks that he gave and in thinking about and in in sort of this universe of magical thinking one of one of my biggest pet peeves is that you get a policy problem and the first thing somebody wants to do is throw an engineer at it and however gave this talk up here at blackhat Asia on why we aren't building a defendable Internet and his the preceding talk was how to build a defendable internet and Alvers point was this offensive problems are technical problems defensive

problems are political problems and in opening his talk at blackhat this year he he basically said I gave the easy talk first because the technical problems actually aren't that hard why we're not doing them and why we're not implementing them that's the hard part so another like little bit on things I hate about policy talks in short policy hobbyists governance is actually a profession it's it's not a thing that you just sort of drop into and I don't know how many just show of hands how many people think they know how the federal government more or less works and I've got like one maybe okay so in this in this room this room is typical

of most rooms in that the workings of the federal government are pretty opaque and mysterious it's kind of it's black box with a lot of documentation if that makes any sense but it is actually a profession and if I were to try to describe to you what what governance is is a profession its public service but that comes in several flavors right and I think when we get angry about politicians and about government not working we really are getting angry at politicians and the political class is only part of what makes up the government they're sort of the crunchy outer shell and interface with the populace but then there's this massive professional class and these are people

who go through very rigorous hiring tech you know hiring regimes and actually know their stuff really really well in an organization the size of a federal government it can take seven or eight years just to get good at the job you're in because your universe is vast and complicated and illogical and fraught and you hate your life and you don't get paid very much but you do it anyway because public service another thing that I will note about policy talks in general is that we are prone to oversimplifying I can't count how many introduction to CFAA or introduction to DMCA talks I've seen on black hat or DEF CON schedules over the years I think at

this point we are intelligent enough as a community to move beyond 101 I think you know even if we don't know how the federal government works we understand policy issues well enough that we should be delving into them a little bit more deeply than awareness-raising I think we are adequately aware at this point and I'm not sure the utility of further doomsaying I you know are stuck with the fact that governance is a thing we have social contract it might be a broken social contract and it might be in a radical state of flux right now but that you know repeating that ad nauseam doesn't actually solve the problem so as an example of the sort

of hobbyist oversimplification problem and also of how government works how many of you have seen or filled out something like this a a webform a call to action of some kind that says email your representative something like that okay so that's at least half the room how many of you think that that does something okay so I live and work around DC I'm friends with a lot of staffers on the hill one of them told me point blank and then this is this is relatively well known in DC but one of them mentioned to me that you know his perpetual frustration was that people think that this counts as interacting with your representative and there's actually a

hierarchy of how this works if you call your representative like on the telephone that does a million times more for the issue that you care about than filling out one of these web forms and if you really really really want to have high impact you write them a letter you you actually write them and write them a letter print it out put it in an envelope send it to them email their staff directly but this this is actually worse than useless this this counts as in if you're a staffer and you get piles of this this is this sort of mass action stuff doesn't register to them because it's not telling them what you think

it's giving you an opportunity to proxy somebody else and if you call them and if you say hi senator I have concerns about this issue and I have to say having looked at it I really agree with the position that the e FF has developed that does something but that no anyway I will I will I will I will leave that there so um anyway the next time you feel like doing a little bit of activist of activist work phones phones are not dead there they work really well so moving on to magical thinking in the wild I used to try to enumerate these and I decided that instead of having a schedule this time I would just put up a picture of

Don Quixote and Sancho Panza and that is Don Quixote racing off to joust windmills which you can see a little bit better there so he yes so one of the first one of the first bits of magical thinking that I encounter in DC is going dark and just to race through this example this is the idea that even though we are in the most connected state we have ever been in somehow we are slipping farther and farther out of the view of law enforcement and the people who try to handle the dangerous world that Senator Wyden talked to you about last year so this is one of my least favorite species of magical thinking because it results in some of

the most idiotic policy proposals and in fact we all like most of the people in this room should be aware that you know even if you do all of the things that keep FBI directors up at night even if you use signal even if you use end-to-end encryption even if you do everything that you have ever read in any medium post by the croc I you know you you are still never going to be adequately dark to be out of you I so that's one of my least favorite ones on the flipside if anybody remembers the shadow brokers I think they're still around on the flip side and other species of magical thinking you get in

the other direction is that government shouldn't have hacking tools because if someone develops a hacking tool therefore everyone will have that hacking tool and this has been a bit of a fraught one because you know basically what we've seen with the shadow brokers is you have a nation state that stole fully formed and functional tooling from our intelligence community and instead of using that as espionage and and keeping that to themselves they started dumping it on the internet which is new and different that is not the way espionage used to work and in fact that's not espionage that's information ops but this is a difficult one because and I encountered this in think tanks a lot is

the assumption that if we have developed a capability surely somebody else has that capability as well and they have used exactly the same technical role a technical route to achieve that capability and modern exploitation doesn't work like that modern exploitation is composite it's chained it is highly contextual and it is really really difficult to do to the standard that we've seen in these in these stumps but another thing that we know is like we've identified nation-state actors from a number of nation-states now there is there is data it is not high quality data but there is data to suggest that just because you are a nation-state doesn't mean that all nation-states hack the same we have different priorities we

use different methodologies like nation-states hack differently from one another and so the idea that you know withholding a vulnerability or you know the idea that withholding one vulnerability from the vendor that is affected is inevitably going to result in the use of that vulnerability by a different nation-state that's a false equivalence that I run into more often than I would like and that is resulting in equally idiotic policy measures and these are just so this ended up being a really fun conversation in Heidelberg earlier this year because we had a lot of information sharing people around and again there's there's this idea that for some reason the technology is disproportionately implicated in the proliferation of terrorist activities

and that if only they didn't have the crypto they wouldn't be able to do the terror I like that sounds insane and it is but this was fun in Heidelberg because we had folks around that actually do information sharing and the great part is that if you talk to actual practitioners in the counterterrorism community they really care about information sharing a lot more than they care about breaking encryption and it's funny because whether you're in information security or counterterrorism information sharing is just a nightmare there's no budget for it everybody hates you when you try to do it nobody trusts you everybody just like it it's just bad and that is one of the things that I

think we have to get better at so information sharing is like the unsexy unloved child that actually turns out to be a really effective security tool and it's a profoundly human problem that we just don't have a good grip on yet so that's all very depressing and and we're going to change gears a little tiny bit actually how many people here participate in any kind of information sharing program on yeah on behalf or on behalf of or with your employer it's about maybe a dozen and a half that's better okay moving on to hideously complex systems and why they are hard so this is a ballistic missile submarine and like many of our legacy systems sub

ballistic missile submarines are hideously calm they're expensive and if the tiniest thing goes wrong they can kill you although in this case it can also kill me and everyone which is slightly different from computing systems so the discrete components of the Ness SVN can function they can function perfectly to their design specifications but if you assemble them incorrectly can produce catastrophic failures and if this sounds familiar in the security sense it should because you know for decades we have approached this by trying to secure one bit at a time or taking known secure components and assembling them in idiotic waves that produce insecure systems and we know that that just doesn't work and part of part of the

reason that this happens is structural and I expect about half of you are going to leave when I say this but I am gonna talk a little bit about procurement and about procurement policies and in structural structural incentives in procurement anyway so these submarines are designed to run for 30 plus years I and you know you have your capital expenditure you get your submarine it's supposed to be good for at least three decades you can extend their lives by subjecting them to extensive engineering overhauls and these take 30 to 40 months in drydock they take both crews assigned to the boat it's really really pretty intense but even if that intensity of activity you know even that intensity of activity

produces what's called steady-state you don't get something other than a submarine at the end of 30 or 40 months of overhaul you still have a submarine at least you hope you do and and this this qualifies as operations and maintenance an O&M can get really confusing sometimes in these complex systems that are very long-lived because when it's system has a long life when it is specified at inception if you have to service that thing 40 years later the standard technology that you may be employing to replace the capability may on in may have unintended consequences of altering baseline capabilities or introducing new functionality so that's when onm gets a little bit confusing and it can start to look like development

modernization and enhancement so this is just a sort of a quick breakdown of what the two things are and development modernization and enhancement is basically capital expenditure so that's what you need when you need to improve capability or performance you need to meet a regulatory or a compliance standard or you just need to buy new stuff and I think recently on Twitter Alex Thomas had put together what I think he called like the worst middle management tweet thread in in history and was trying to figure out if he if he was trying to figure out the accounting for acquisition of ninjas and I pointed out to him that if he was replacing ninjas it would be operations in

maintenance but if he was introducing ninjas into his system then that would definitely be a capital expenditure so dammy accounts for so DME in federal IT spending which is where you can get really like quite good data on this you can so okay this is fiscal year 2016 on non provisioned eme services and DME services are for projects and activities that lead to new assets and systems or projects and activities that change or modify existing IT assets but the weird split here is that orange bar at the top those are non major investments and so those are ones where you don't actually have to submit a business justification for why you need to do this which I find

a little bit strange so this also is from fiscal year 16 and this is actually way better than it has been so this is the breakdown between how much the federal government's IT budget is split between capital expenditures and duct tape duct tape a good tug tape constitutes in the overwhelming majority of the money that we spend in IT and this is true if you're in the private sector or the public sector and if you are in charge of security budget how many of you have ever found it easier to actually replace the capability rather than service it and like hope that it actually still works anyway that's sort of so submarines um a slightly more I think a

more amusing example is Wang how many people actually know know or remember Wang Labs excellent okay so this has become one of my favorite procurement stories and you should probably ignore the fact that I have favorite procurement stories specifically I really want to talk about Wang as as the story of Wang unfolded here and here is here being this hideous and nondescript federal IT building that is actually the u.s. Department of State in Foggy Bottom and that is also an archival photograph which is contemporaneous with our story which take play takes place between sort of the 80s and the early wild 90s wine labs actually goes obviously goes back a lot longer than that but for the purposes of

this story 90 State Department scene so in August of 1990 the State Department leadership had figured out that they really needed to start investing in their IT infrastructure with with with passion and purpose and they manifested that passion in purpose by awarding Wang hording Wang laboratories a five your 840 1.3 million dollar contract which in today's money would be about 1.6 billion dollars and that that is a bit strange for a company that was literally circling chapter 11 at this point had made its name making word processors and was clearly on the outs so you know despite despite the fact that you know they'd been struggling for years the State Department ordered them this contract but it's you know I don't

want to disparage wine too much it is it should be noted that at one point Wang competed like basically directly with you at Packard at one point I think on Wang was the fifth richest man in America and they did this by making ma no purpose ma no purpose machines they did this by building word processors that processed words really good so everybody kind of you know everybody kind of took the State Department signal as a sign that you know maybe Wang had another shot at life maybe they weren't out of the game just yet I and again like in retrospect it seems crazy that the State Department would have gone with Wang to try to branch out

into more general-purpose computing or into mini computers but they'd been with Wang as a word-processing supplier for you know decades at that point and you can never underestimate the power of inertia and procurement decisions I so if you're not sure what foggy bottom does and and I think we've established that the workings of the federal government are pretty mysterious to anybody that doesn't work in DC and it's mysterious to those of us who do as well often and like the State Department suffers a kind of existential they've suffered an existential crisis for about the past 20 years since the collapse of the Soviet Union what do we actually do but one of those State Department's

primary functions is to write memos cables briefings advisories reports you would not believe the amount of text that this organization is capable of producing and it has always been like that so it's it is odd to think of it now because government agencies are not generally known for being early adopters but if you have an entire institution whose primary function is to write to itself and write to other people it turns out that they will take on you know office automation and and word processing technologies really really quickly and they will spend huge amounts of money on them because it turns out that that's worth it however this is a sad story after all and and despite the

State Department's best efforts and Wang and n Wang Labs and best efforts I by 1995 it was clear that you know note with salvaging Wang was not going to save the State Department's IT infrastructure and the horrible part about this is that the State Department never really recovered the IT posture that it had back in the 80s when they discovered you know word processors made their lives a lot better and they've been struggling with this ever since because they were given extraordinary license to spend enormous amounts of money on technologies that served a single function which happened to be the function that they needed but then general-purpose computing happened and everything went up in flames but just to

come back to the O&M versus DME point that i made earlier this is from testimony that secretary Warren Christopher gave to the Senate Appropriations Committee in 1995 talking about the 1996 budget for the State Department and if you can trust this pitiful 30 2.8 million dollar capital investment fund that he used begging for so that they can have one classified mainframe that works compare that to the 840 1.3 million dollars for the wang contract and again this is this is why procurement is broken and this is why we generally can't have nice things either in you know large orgs you know in large org description be they public or private sector and I figured that after that also very

depressing story we might need a small comic interlude I Wang was so pervasive in the State Department systems that their entire communications protocol books that reference Wang protocols and in reading these because why not i discovered the single best acronym in the history of the state department which is the wang one way interface for transmission or wowie for transmissions from unclassified systems to Post classified telco processors so in the end and always right and complexity kills I and you know you're you're you're a large org will succumb to inertia and probably end up like this sad submarine moving on to underlying causes one of the reasons why we Hughes so hard to operations and maintenance over capital expenditures is

because we are absolutely convinced that we just need to fix this one thing and it will continue being fine and you can see this at work in our industry all the damn time and I admire the optimism of people who think that we will they that that we can eliminate everything over I I don't I know no my actually my favorite thing about this about this image is if you look in the background you can see the endless field of repeating windmills so even if you pick a great windmill to joust there are always going to be more windmills so instead of instead of queuing to the onm model of the world and trying to squash

bugs one by one and eliminate the problems and our existing systems until you know until they work magically and do everything that there's Bost you again you know there is a species of magical thinking in the other direction which is that we can just abandon everything and migrate to something new and the truth unfortunately inconveniently is kind of in the middle and this is a slide from a talk that you can also catch this afternoon which is rito and Domenic talking about rust on grape fed this is from the heidelberg version of this but in the other direction for those who think that maybe we just need to abandon the old systems and you know leap

bravely into the new world and get rid of everything that we know like we will never get rid of see like that is just a fact of life there are still active industries where sea is king you have to deal with the in hearing unsafe nosov that language and we are just stuck with it however that means that really really that means that in dealing with the realities of see that doesn't mean that you have to lose all hope and for example things like getting rust working on great but for for embedded development is really helpful I imagine that places like the FDA are gonna be really excited if they can get IOT producers to be developing products

on you know memory safe systems that would be great and there's other work going on in this area as well but this is hard stuff I think Joffrey Cooper II published a paper earlier this year called writing parsers like it's 2017 and he did a test case where he was able to jam like a Russ parser into a pile of rust of cruft ec code in the form of the VLC media player and make it go and like that that sounds awful but it's actually really important another form of magical thinking related to squashing bugs one by one I we have this problem with exploit and O'Day fetishism in this industry which isn't just impractical it's it's

also really useless and getting back you know this is people are going to have feelings about this one way or the other but getting back to the dangerous world that Senator Wyden alluded to last year like yes there there are hacking tools in the hands of governments and some governments misuse them however mischaracterizing the nature of those hacking tools doesn't do anybody any favors as we try to work on policy solutions to make sure that they are not used for human rights abuses and this is a slide from Sergey go Livanos hacking team and gamma international in business to government malware that he gave in berlin back in i think that was 2013 and this was a researcher who tore apart

some who tore apart hacking teams RCS looking for the sweet exploits that surely were being used against the unsuspecting victims and found yeah we're actually not talking exploitation and that trend is i think become more clear we're seeing things like customized phishing its scale now a lot more than we're seeing exploit kits especially since neutrino and black hole have died but yes so squashing bugs one by one actually turns out to be a really rubbish approach to to any set of problems like whether you're trying to secure an org or just a single piece of software it is one of the pieces of magical thinking that i really wish would die but you know it's satisfying

like you squash one bug you are one more secure right like and it's it's really difficult to train people off of that thinking where you're like no i don't really care that you've given me a way to report you know like memory corruption vulnerabilities in this thing I want you to I want you to do like do Joffrey's magic and make those not a problem anymore so in terms of sorting I think the the most important concept that I can communicate to you is that there is a massive deficit of translation layer in in information security right now and for all of these magical thinking problems that I've described whether we're talking about the fact that you know terrorism doesn't

happen because crypto or that you cannot band-aid your way back to like a functional back to functional enterprise software if it's 30-plus years old one of the most discouraging things that I see corporate actors doing is trying to throw engineers at the problem so if they have a policy issue they throw an engineer at it and that actually doesn't work out all that well and I feel pretty bad because at my at my invitation some of my more you know technical friends have accepted invitations to you know August August bodies or think tanks in Europe and the United States and they've had terrible experiences if you really really know how computers work and you go sit in a room full of policy people

like, you're gonna hate your life. So my solution to that is that if you're a great engineer, be a great engineer; this is actually somebody else's job. We haven't done very well at defining the generalism or the specific skill sets that constitute this, but there's a fairly healthy cohort of us that are trying to muddle through it and figure that out. But yeah, be great engineers and don't do things that make you hate your life. And, you know, it's not a keynote unless you put up something by Dan Geer, so this is one of my favorite

quotes from him, and I think I've been using it for at least two years now. I think I first used this at ShmooCon back in, no, only last year, it was 2016. So if you ever wanted to be taken seriously: you know, it used to be the problem that IT was ignored, security is ignored, and now we are extremely listened to, and one of the problems is that we are giving extremely bad or miscalibrated advice. And what do I mean by that? So it's not just the engineers that suffer when we try to approach this problem in that manner; policy suffers as well. And what we get

on the flip side is, when think tanks try to tackle the cyber issue, they end up disproportionately relying on popular press citations, and that is true even of academic institutions that have been around since the 18th century. Like, this is a publication from probably one of the most respected academic institutions in the United States, and even they have this problem. So if you look at the breakdown: this was on governance of dual-use technologies in three areas, nuclear, biological, and cyber, as if that's a thing. But for nuclear and bio, the number of popular press citations, and I'm talking like the New York Times or The Wall

Street Journal, was two out of a hundred and forty-three and three out of a hundred and twenty-five. In the cyber section it was 27 out of a hundred and ten, or a quarter, and if I had more broadly defined popular press it would have been closer to half, or 60%. And this is a really fundamental reason why the policy situation sucks as badly as it does. And this is not a theoretical problem either. I think if that illustration isn't vivid enough: this actually happened not long after I gave the first version of this talk at TROOPERS, and in this case a statistic

that was variously attributed to the National Cyber Security Alliance and to Symantec and a bunch of other places, this statistic claimed that 60% of small businesses that suffer a cyber attack will go out of business within six months. And you can imagine that if you are a lawmaker or regulator, or even just a professional guffy sitting in DC, and you hear a statistic like that, that's gonna stop you dead in your tracks. And this actually ended up being cited in legislation, and it turned out that there was no basis for this whatsoever. Like, there was no study, there was no grounding; it was something that had shown up in a relatively well-respected publication and then played telephone

throughout the entire cyber policy universe until it ended up in legislation, and I have seen this happen more than once. So when we look at this, part of the reason that we get this is because we have legislators, lawmakers, and regulators relying on white papers from for-profit companies for subject matter expertise. And this might be difficult to hear, or shocking even, but information security really sucks at government affairs, like, badly. And one of the ways that other industries correct for misinformation is they will send people to sit on volunteer technical advisory committees in all parts of government, and these are actually pretty fun. I do work on some of the ones at the

Department of … and in one of them we do emerging technologies and research, and so we got to talk about cool things like hypersonic weapons and gene CRISPRs and, like, fun stuff. But the core problem is that the private sector participants in these technical advisory committees are not paid; like, we are all volunteers, and getting information security companies, or getting just technology companies, to really engage as public sector partners is really, really difficult. And the mature ones do it, and they'll do it well, and they show up and they can be subject matter experts and they can keep stuff like this and like that from having too horrible an impact. But if you don't have the subject

matter experts from your area showing up in order to fight these fires when they happen, guess what, it ends up in legislation. So again, I would say in closing, or getting towards closing: if you really want to do something, if you want to thwart effectively, the effective thing to do is not this. The effective thing to do is to look at the policy problems that interest you, that are relevant to your concerns and your org, find the relevant agencies or departments that deal with that problem, and look at the help that they're asking for, because every single one of them asks for help. An outgoing assistant secretary from the last administration told me on his way out the door that the

one thing he hadn't succeeded in in six years was convincing everybody that there wasn't a secret handshake, that if they wanted to get something done the trick wasn't finding the right person or saying the right thing or, you know, making the right noises. They make it really, really clear what you have to do in order to be heard: you submit comments to an advisory committee, and there's a forum online that you can use, or you can show up and give them in person, and there's an email address, and it's all over the website, and it says, hey, if you have thoughts about proposed rulemaking, do it here. And people don't hear this, and they don't

hear it to the extent that on the day that there was a meeting regarding the proposed intrusion software controls that the United States has not implemented from the Wassenaar Arrangement, instead of submitting comments to subject matter experts, they published an op-ed in Politico or The Hill or something. And as I was talking to this person, you know, the former assistant secretary was just like, I don't understand why they did that; they could have copy-pasted the text and submitted it as comments and then we could have used it, that would have been listed, but by leaving it in the press we can't touch that. And yeah, it's quirky and it's weird,

but there are things that government has to do in order to ensure transparency and accountability, and this is one of the annoying things that you just have to do if you work in that space. Like, they need to be able to have a paper trail that says, you, authentically, you private sector person, showed up to this meeting or were interested enough to submit comments, and that has real weight, because the one thing that is true both on the political side and in the executive agencies is that, you know, they don't care about the mass-action click-click feel-good campaigns. They want to know what real people think, and they

want thoughtful, considered contributions; a single one of those is worth more than 10,000 of those forms. So I would say that if you're looking for places to have an impact, those are really good places to start, because any agency or, you know, government body that deals with information security, and they basically all have to now, they know that they're getting it wrong, and it's not like they wake up in the morning wanting it to be like that. Nobody wakes up and says, hey, I'm gonna craft some horrendously bad policy today, and they actually do listen. So I think when I post these slides, probably on my GitHub, I'm gonna add a couple

of pages of, like, helpful links to, you know, examples of for-real impactful things that folks can do. But in sort of broad strokes, I think the forward motion that we need to be developing is primarily in those translation layers: so how do we communicate fluently between technical and mission space? And if you remember the ballistic missile submarine, like, my favorite story about a submarine is about my younger brother, who happens to be a nuclear naval officer, and on his very first deployment he was engineering officer of the watch, which is a very stressful position to be in if you're on, you know, I think a tube underwater with

a trash-can-sized nuclear reactor running it. So his very first deployment, he's engineering officer of the watch, he gets racked out of bed, so called out at, like, you know, oh-dark-thirty, and he gets taken down to a part of the ship where there is a problem, and it is a big problem, and there is an engineer that has diagnosed the problem. And together the engineer and the engineering officer go to the captain and they brief the captain of the boat. Now, if the engineer had gone directly to the captain, I'm really not sure that that problem would ever have been solved, because you would have been missing the translation layer of the engineering officer. And I'm

not advocating for, you know, an explosion of middle management in information security, but we have to find some happy middle ground there, and because this ballistic missile submarine had an engineering officer, the problem got fixed and nobody got hurt and, you know, the boat was merrily underway. However, I have seen that story end very differently in our space a lot of times. The second thing that we can be doing is bettering the standard of documentation in technical and policy research, and in the technical space this means being more methodical, using, you know, not inventing a new taxonomy every time the mood strikes. It means trying to communicate things in

a way that makes them reproducible, and, like, this is a serious issue. And I appreciate the spirit of "I found this cool thing and I can do it this once," but if we want to build on that, and if we want to build actual, you know, operational solutions on that, we have to be doing better in terms of documenting our own research and also in relating it to other existing work. You know, the number of Black Hat and DEF CON talks that I've seen where it's like somebody just appeared from the wilderness with their fully formed idea that had never been touched by anybody else before is a little bit

disconcerting. So yeah, literature reviews, this would be good. And the last one is just sort of coming to terms with the interlinkage of science and politics; like, we can't opt out of engaging with the government space, and, you know, even people like me would love to at this point, but that's an unfortunate reality that we just have to deal with. And one of the things that I've observed this year that has been different from every other year is that the nature of governance, you know, professional government goes on being professional government, but there's currently a state of flux that has not been seen since probably before I was born, and our social contract is more

or less being rewritten right now by anybody who cares to show up, and it profoundly worries me that not a lot of people from this space are showing up. So if you need any further encouragement to, you know, try to find a way forward through this, it is that there is so much up for grabs right now, and the people who are showing up to opportunistically manipulate this situation are generally not great people. So it would be nice to have more company in this space, I guess is what I'm saying. Anyway.