
So the next session is going to be the Hip Hacker's Guide to Policy. I think I got that. Yep, the Hip Hacker's Guide to Policy. If you're not hip, if you could just leave... yeah, yeah, yeah, there's a couple. So just before we get started I'd like to, you know, thank our sponsors here at BSides who have made this all possible. So where is my sponsors field? So we especially want to thank our Diamond sponsors, LastPass, Palo Alto Networks, and also our Gold sponsors, Amazon, Flex Track, New Vision, Google, etc. So we'd like to thank them for their support; without them these conferences, these events, aren't made possible. So moving on, getting into the next year, I'm going to hand over to Josh, who's going to conclude with the introductions for this session. So thank you, Josh.

All right, home stretch. Excellent first day. We usually try to do a policy refresh of, like, what were the wins, what's the pending legislation, or what's the attitude towards hackers. We kind of had some interruptions over this thing from COVID or whatnot, so the bad news is we haven't had an update in a while; the good news is a lot of really important stuff happened, including passing the law, including you're gonna hear from... prosecutorial discretion for good-faith research. So we want to have that... family... no spoilers, spoilers. But I mentioned this morning, and this is a perfect example of why to do it, I mentioned this morning that if you watch the Cavalry launch nine years ago, and it's on video, one of the things you have to do is put yourself back in a nine-year-old period: Edward Snowden just happened, distrust between government and hackers had never been higher, we had seen some cyber-physical systems hacks and stunt hacking on certain things, but we didn't really have any trust built. And one of the deep concerns that Nick Percoco, our co-founder, had was that we're going to see increased criminalization of good-faith security research, and that was a very possible future. And don't just get an update of what's happened the last two years; it's stunning to see the plan that we had in place nine years ago and how it is actually matriculating, and now how much embrace we have seen. So we have three amazing panelists here, and they will introduce themselves because they are funnier than I am. But look at this not only as a milestone for what's happened over the last two years and where things are going, but just think how far we've come in nine years, and think how much further we could go if we double down. All right, so let's welcome
our panel.

Thank you very much. And just as a little public service announcement before we get into this one... are you good? Can you hear me okay? I don't know what that means. So in one of the earlier sessions people were talking about ransomware a whole bunch. For those that are going to be at DEF CON, and I do know it's a party foul to mention another conference when you're at one, but there will be a session in the Policy Department on government responses to ransomware. It's a two-hour discussion, it will involve the UK, the US and Australian governments, and they want to hear from you guys. So if you have ideas on things that are not being done that should be being done, or you want to hear what the stuff is that they're already doing, that session will be on Saturday from four to six in the policy section at DEF CON. And I apologize sincerely to all of the lovely BSides people that I've referenced everyone... but it is an opportunity to speak with the government attendees on that topic. But that's not what we're here for today.

So yeah, so we're gonna do a, like, what's happening in policy land, and there are three sort of things that we really wanted to cover, which is, like, how does it all work, like how does policy work, what are the different parts of the government doing, how do they work together, all of that kind of stuff; how can you guys get involved, how can you help influence it and create positive outcomes; and then what's the stuff that's actually happening, what's the status quo with things, that kind of thing. To get, like, a bit of a level set and make sure that we're using our time wisely and in the right areas that are going to interest you: how many people in the room feel that they're pretty sort of up to date and cognizant on, like, how the process works and, like, you know, how's the sausage made, what does policy look like, and all that kind of stuff? Who's brave enough to say that they think that they are? All right, so it seems like we can probably spend a bit of time on that and some others will find that useful. Awesome. Thank you for playing.

Okay, so I'm Jen Ellis, I am Rapid7's VP of Community and Public Affairs, a title that no one knows what it means, myself included. And I work a lot with governments around the world on how do you advance security for everybody, right, how do you create society change. That is what I do. It's my accent
and also that I don't know how to use microphones. Okay, I'm just gonna awkwardly lean forward. Yeah, so it's funny actually, because normally I'm told there are people who can hear me in the UK without a microphone when I'm in the US. So yeah, so we're going to talk about how policy works, how you guys can get involved, and what's going on in policy land. You know, Josh mentioned nine years ago when the Cavalry started, and funnily enough nine years ago Josh and I were at DerbyCon and we sat down and just went: I'm starting this thing, I'm really worried about the intersection of physical and virtual and the potential for it to create harm, I'm starting this thing. And I was like, I'm starting this thing, I'm really worried about the legal impact for security research and the chilling effect. And we looked at each other and we were like, are we starting the same thing at the same time? What is that? And then we realized they were super complementary, not the same, just super super complementary. So we ended up kind of on the Hill going and talking to policy makers, and, like, I would reference his work, and I would reference the Cavalry in my briefings on security research, because, you know, it was a great opportunity to talk about the importance of security research when you can say, and researchers are these great protectors who want to, like, you know, save the world and protect people from that intersection of, I'm going to use a Josh colloquialism, where bits and bytes meet flesh and blood. And so I was able to hook him up, and, you know, I'm gonna just give him the benefit of the doubt that he did the same for me. Okay, so that's a little bit about me. I'm now going to hand off to Jack and Leonard to introduce themselves.

Sounds like I'm being volunteered to go first. So I'm Jack Cable, I am a security researcher, which is what we call hackers when we're talking to policy makers to make them less scared of hackers. So if
you haven't caught on yet, that is a good tactic to make people think you aren't, like, this scary figure in a hoodie, even though you are. So I have worked in a number of government agencies, including CISA, the U.S. Cybersecurity and Infrastructure Security Agency, on election security; the Department of Defense, working on their Hack the Pentagon program, which was bringing in hackers to help secure the US government through bug bounty programs; and most recently doing a fellowship in the Senate. So kind of spanning both the executive branch and legislative branch, and looking forward to our conversation today.

Good afternoon, I'm Leonard Bailey. I am a Special Counsel for National Security and head of the Cybersecurity Unit, which is what I call myself to make sure I don't scare hackers. I'm also, I guess, a prosecutor, federally. I've been at the Department for 31... the suit gave you away. I know, I know. I guess I said to Jen I tried to make Spot the Fed as simple as possible. So yeah, I've been working this area for about 20 years and I've been in the Department in a lot of different capacities. I will say that that conversation about chilling security research, what happened there was, now I think it was 2014, Jen and some colleagues came to my office, the Computer Crime and Intellectual Property Section, and basically said, your ways are strange to us, but they're chilling research. And the chief of my section heard that and he said, we don't want to do that, we think there's legitimacy to having people who are trying to solve the problem on the playing field. And so we embarked on what has been a multi-year effort, and we'll go over, I think, you know, some of the high points over that time, to figure out how we could better message what we try to do, which is actually try to go after people who are trying to victimize others, rather than, you know, at worst, people
who are trying to do the right thing in the wrong way.

And so, just to add to that story, so that meeting happened towards the end of June, and during the course of the meeting, when they didn't instantly throw us out and tell us that we were idiots, we said, hey, if this is a thing you're interested in learning more about, there's this thing happening in Vegas in a few weeks, you guys should come out, we'll introduce you to some people, you can hear about it firsthand from researchers. And they looked at us and they were like, Vegas? We're the Department of Justice. And you said weeks... and then a month later, in August, a month later, I get an email from Leonard saying I've booked flights and a hotel, can we still do this? And it was the first time you came out to Hacker Summer Camp, right? And he has been here every year since, that's nine years, even the last two years, not there... and he has spoken every year since, because he has made a huge effort to basically try and build a bridge between his community and our community. And I think Jack does the same thing from the opposite side, as a researcher working in government; he's building that same bridge. And I just think these touch points, these sort of entry points, and these points where we create this two-way dialogue are super super super valuable and important. So I think these two people being on stage is just incredibly important, and I would actually like it if you would give them a round of applause for the work that they do. Thank you. It's deserved, it's deserved. All right, now we'll get to substance stuff, now that we've done the cheesy moment. So you were going to do, I think, like a little bit of a how does it all work together?

Yes, so I'm sorry, I'm gonna get a little Schoolhouse Rock on you for a moment. So I want to talk a little bit about how the government works, and I imagine a
lot of you are familiar with the government, but the last few years has, for me at least, suggested that maybe not everyone really understands how the government works. And so I wanted to just sort of break things out, just for a couple minutes. And how many of you are lawyers? I'm a Juris freaking Doctor, does that matter? Does that... okay, only a couple, good. Okay, so very quickly, obviously we have the three branches: we have Congress, we have the executive branch, and you have the judicial branch. You know, Congress makes the rules; they pass the laws that tell others what to do. So for example, the government can only do what it is authorized to do, so we have to look for some statute or some authorization in the Constitution to do whatever we want to do. We don't just get to do what we want; we have to have it moored in some statute or some authority in the Constitution. So the executive branch, not surprisingly, executes the law, right? So we do what Congress tells us, what they authorize us to do. And then, though, there's this one little space where we kind of get to make law. Generally the executive branch does not make law, but in discrete areas Congress is able to say, hey look, there's this issue, it's complicated, we're going to give you the guard rails on what we want you to do, but you fill in the rest of it. And that's essentially what the regulatory authority of different agencies is. So you have, like, the FTC, right, the Federal Trade Commission, or the FCC, or the SEC, or independent agencies where Congress has said, okay, you deal with publicly traded organizations and you come up with guidelines, that's your mission, go. And that agency is able to make up rules that guide that, and they have a rulemaking process where they have public comment; you know, they invite people to comment on the rule they're promulgating, and then they take that in and they produce a rule. And then sometimes people say, wait, you're now exercising too much authority, that's past what Congress said was okay, and so you may have the judiciary step in, which is not supposed to make law but is supposed to interpret whether the law is being faithfully applied. So they're supposed to essentially say, wait, you've overstepped your bounds, and you will have to stop that. Now, this is an elaborate Rube Goldberg device that is not built for efficiency or speed, right? The whole purpose of this is to make sure that there's no institution or individual who has so much power that they can essentially assert tyrannical rule over other
parties in the system. So this is the way the sort of checks and balances work. It's messy, it's messy, but there are opportunities in each of these channels to have some policy impact, and we're going to be able to talk a bit about that now. But I just want to lay out these different areas.

Yeah, and I think, you know, you talked about how Congress can set boundaries or guard rails and then there can be an ongoing role, but that also happens on a project basis sometimes, right? So, like, we saw that with something like the IoT Cybersecurity Improvement Act, right: Congress passed the law and said, but NIST is going to figure out the details. And we just saw it recently with CIRCIA, right, same thing, this is incident reporting, where Congress said, hey, we need to have incident reporting and it's, like, super important, let's pass a law on it, and then let's give CISA three and a half years to figure out the details. Yeah, so... which I'm sure it's working on super urgently. Yeah, perfect. So it happens on a, like, for regulatory agencies it happens on an ongoing basis, but then you also see it happening on a sort of ad hoc project basis, very much sort of hand in hand with the law-passing process, and it's important to understand those two halves, because you can influence them on either side of the law passing, potentially, if that makes sense. Okay. Anything else on how it... does anyone have any questions on how these parts work together before we move on? Okay, all right. So we talked about all the different pieces. I'll ask you, Jack: let's talk a little bit about how people get involved. How do you work with these different parts? Like I just said, you can work on either side of the law being passed; what does that look like?

Yes, so, and I think a starting point for this, and of course there's... I'll start with Congress, and then a little
executive branch, I'm sure Leonard can go into that more. But in terms of kind of thinking through, and yeah, it goes back to the Schoolhouse Rock, I'll spare you the singing of it, but essentially how a bill works its way through Congress. But even broader than that, just the different tools in the toolkit coming from Congress. And kind of, yeah, we're all familiar with bills setting law, but beyond that Congress has oversight functions where it can do stuff: it can hold hearings, it can write letters, it can ask hard questions. That's not setting law, but still kind of keeping the executive branch in check. So that's one area where, kind of when you're thinking of, okay, how should this policy problem be tackled, I would encourage you to think broader than just, say, kind of, would a bill solve this, but maybe is it due to something not working as well as it should be in the executive branch, is it maybe something outside in the private sector that some more attention could be brought to, but kind of the different tools in the toolkit when it comes to kind of making policy. And then specifically with bills and kind of how to get involved, I think one area that at least wasn't clear to me before kind of I came into Congress was the importance of committees, where Congress divides itself up into different committees which handle different jurisdictions. There's, for instance, the Armed Services Committee, which handles all matters related to defense; the Foreign Relations Committee handles matters related to foreign affairs. And in order for a bill to move that relates to one of these jurisdictions, it must get cleared by that committee. So that means that especially the chair, the head of the committee, and the ranking member, which is the top Congressperson of the minority party, have a lot of influence in not only determining what bills get in or what bills don't move forward, but also, say, what's in those bills. So I think being able to kind of identify these, say, when we're talking about cybersecurity policy, the committees that are especially relevant: a lot of those are, for instance, the Homeland Security Committees in the House and the Senate, the House Oversight Committee, the Commerce Committees when you're thinking of, say, NIST or NTIA, and then the Armed Services Committee as well for kind of some of the... and Intelligence Committees for some of the more kind of intelligence community aspects of cybersecurity. So identifying kind of who the, say, staffers are there is one way to be able to influence more than, say, talking to a member who might not be on the relevant committee. And that's where a lot of kind of the
relevant subject matter expertise lies as well, on committees. So that's the Congress view. I'll let, yeah, Leonard get in.

Just, should we do that? Just a quick show of hands: how many people here have ever reached out to a member of Congress about a policy issue? Okay. And who did that by email? Who phoned? Okay, interesting. Sorry, but how do you get the face-to-face, did you meet them somewhere? Over there, okay. Hey, I mean, honestly, that's the stuff of the people that get things done. And everyone starts somewhere. Okay. And of the people who put their hands up, how many of those were committee staff rather than your local representative? So the people who have talked to Congress, how much was it committee staff? So who went to committees, committee members or committee staff, as opposed to going to your local representative? Okay, all right, interesting, thank you. Yep.

Okay, well, so in the executive branch it's a little complicated. There's no simple answer. And part of the reason I wanted to break out that regulatory agency issue is because, you know, those are agencies that have a ready-made process for people to get involved, right? So they do a notice that they're going to be rulemaking and they solicit comment, and those comments actually truly matter. In talking to regulatory agencies, it's not a question of numbers, because it's not really about voting; it's about the sophistication and accuracy and rigor of the comment. And people with technical understanding of the way in which a law might impact a community or an issue actually have a louder voice when people review the comments. You know, obviously, you know, 100 people saying this law sucks or this rule sucks, you know, it's not going to be as effective as someone who can dissect the rule, you know, in a very exacting way and explain why it's a problem. And so in that way I would say that people in this room, in sort of a rulemaking process, may have a louder voice in some ways than others who are commenting on something, and would have something to bring to the discussion that others may not. Now, once you get outside that sphere, though, I would say that it's a little harder for anyone to just have impact on executive branch policymaking. I can say, like, for example, the Department of Justice, we're not an agency that takes comment on the things that we do, by and large, right? But, like, people... over and over again. She does, she does. And so, you know, it depends on how you want to make some impact. I will say, though, that there is
some... I mean, people have succeeded; there have been sort of lobbying efforts of individuals in the administration, for example in the National Security Council or other places. And one reason I would just say that that might make more sense now than it has in the past is because, I don't know if you've noticed, but there's a certain bit of gridlock on the Hill that has made it harder to get legislation passed, right? As a result, executive authority is being used perhaps more often; you're seeing more executive orders that deal with specific issues like cybersecurity, and that's because it's something that the executive branch can do unilaterally. The one thing I'll flag about executive orders, though, that is not always well understood, is that again, as I said, the executive branch doesn't get to just make laws. An executive order has to be based on some statutory authority that exists, or it has to reside on, you know, authority that resides somewhere in the Constitution, that sort of the organic authority of the executive branch. So, you know, if you're in the area of national security or foreign policy, the executive branch has kind of constitutional authorities there, but when you get to other areas, you know, it really is a question of finding what the statutory authority is that undergirds the executive order. If, though, you're in the space in which the executive can actually use an executive order, there's a good amount that the executive can do. And I think we'll get to the specifics later, like the executive order, one four oh... the most recent one. I was going to be impressed then; that's no good. Okay. The Biden cybersecurity executive order that came down in May of 2021, that's an example of, you know, basically the executive branch turning to its own personnel and saying do better, and this is the way that I'm directing you to do that.

Just to emphasize one point that Leonard made: when you're kind of advocating for something, the more specific you can be, the better. So if you can say, rather than just saying kind of there's a problem here, if you could point to kind of specific... if it's a draft bill or something, point to the specific area and say, no, I think the reason this is wrong, and if you can articulate kind of the policy, the harm that might be there, and say, here's a suggestion for how you can make this better, kind of when that gets to either the Hill staff or the person doing the rulemaking at the agency, they can then kind of assess what you've said, and then they have kind of the solution right there in front of them, so they're a lot more likely to
take that into account.

If you don't know the solution, that's okay too, though, right? When we started out and we were going to them and we were saying, hey, the CFAA is creating a chilling effect on security researchers, we didn't have an easy... and this is how you should fix the language. And actually it was a really, really super iterative process, because it turns out when I kept saying, like, just remove the civil causes of action, nobody went, oh, that's a great idea, that's really easy, we should do that, even though they don't exist in any other country's laws. But yeah, so it doesn't... if you don't have a solution to offer, that's okay, you can say to the policy maker, I don't have a solution to offer right now but I'd be happy to work with you on this. And, like, I've been very fortunate, I have found that frequently people really appreciate that sort of iterative process and will happily work with you on it.

Just before we move off this topic and move into, like, what is happening and what we've seen in the past couple of years, you know, I think we mentioned a little bit things like letters that you can do, and they tend to have more of an impact if you have more of a sort of groundswell behind you, you know, more people signed on, more amplification, that kind of thing. And so, you know, as individuals sitting here you might be thinking, well, how can I do that? I think this is actually an area where you can look to the Cavalry, right? Like, if you... you know, the Cavalry has a community, it has a Slack channel, I'm looking at Josh to be like, it still has a Slack channel, right? A Slack workspace. If you see something and you think it's a potential issue and you're interested in it, it's a really great place to, like, put something out there and say, hey, has anyone else seen this, is anyone else thinking about it, worried about it? You can come to Josh or Beau, you can email info at... and say it, and we'll take a look at it. And if there are people interested and we think it sort of aligns with the Cavalry's overall goals, we can help draft a letter, right? Like, that's a thing that could come from I Am The Cavalry, which then has perhaps a little bit more impact than coming from, you know, Joe Bloggs on their own. And not only can we, like, maybe do something from I Am The Cavalry, but it turns out we actually know a lot of other people, we know a lot of other organizations, and we can go around to some of them and say, hey, we've got this letter, would you potentially be interested in signing on, which we do all the time for letters, right? And so you, like, don't feel like you're in it alone; there is an amplification effect, and there is power in the numbers of people in this room all working together and collaborating. And I think that is really what the Cavalry is all about, is sort of harnessing that sort of strength that you guys all bring with your individual passion and knowledge and expertise, but all together we can create more from it. So that was the last thing I want to say on that piece, and then we'll get into what's been happening. Nothing's happened, right? It's been a really quiet
few years, nothing's happened. So should we start with security research? This is the topic of my heart. So how many people are familiar with sort of challenges around legislation chilling security research? Is this a thing that people care about? I have heard about... you guys are my people. All right, so I think there are probably two main pieces of law that, when I started on my little bandwagon nine years ago, were the sort of primary problems. One was the Computer Fraud and Abuse Act, which is the main anti-hacking law in the US, and the other was the Digital Millennium Copyright Act, which aims to basically protect copyright. I know, that's my non-lawyer version, that's my Juris freaking doctorate version. And I will say over the past nine years we've made decent progress on one, less progress on the other; we always knew the other one was gonna be harder. So the Digital Millennium Copyright Act has an exemption now for security research, and it has had that since 2015. Yes, yes, a year later, yeah, twen... yeah. No, they re-upped it, and then they re-upped again in '21. Yeah, so it's been re-upped twice, yeah, '15 the first time, yeah. Wow, okay, this is why I have a Juris freaking Doctor, that's right. So yeah, so they, because they passed it in '15 but said a year, and then it came in in '16, I think. I'm terrible with years, but I think that's right. I'm believing in her, who is a lawyer, and she's saying yes. So it's got a little stronger every year, which is the good thing, right? They've, like, removed some of the boundaries. Part of the reason for that has actually been support from the Department of Justice, who've written letters in support of it. I think more recently we've seen NTIA in support, I think FTC have been in support, I think maybe recently CISA's been in support. So there's an increasing government understanding of the importance and the value of security research, and we've seen it represented through this sort of rulemaking process that re-ups every three years for the DMCA. So at this point, if you're a security researcher and you own the technology and you're testing it in a non-production environment, then, like, you know, as long as you're not breaking a bunch of other laws, you're probably good. That's a huge step forward from where we were, honestly; like, there's a massive step forward. And we've seen actually a shift in the attitudes of a lot of companies who make technology in understanding that that was coming. Like, I remember quite clearly being in a room with a bunch of technology manufacturers who had previously been pretty anti-research in 2015, and then them being like, we're all working on building our vulnerability disclosure programs because we know it's coming and we know we can no longer use the DMCA. So we have seen, like, a bit of a shift there, a cultural shift. The Computer Fraud and Abuse Act was always going to be harder to change, and so one of the ways to look at influencing it was to look at how it was being used by prosecutors.
For just one moment, because I think that, I understand that that was a rulemaking process, like we've already discussed. There's an odd statutory provision in the DMCA on the circumvention of copyright protection, in Section 1201, that mandates a triennial process: every three years the Library of Congress has a rulemaking process where they ask, are there more exemptions that we need to create here to further these goals? And one of the discussions was a security research exception. We did weigh in; we did something we don't usually do, we submitted a formal letter in support of the exception, and as the folks who actually enforce the criminal provisions of the DMCA, we had the Library of Congress actually listen to us. And so there was at first the creation of the exemption and then some expansion of it subsequently. On the CFAA, a little more complicated, because with the DMCA typically you're working on something, a piece of equipment or software that you possess, right? It's in your possession. When you're dealing with, let's say, pen testing, remote, you know, testing of a server that doesn't belong to you, things get a little hairier, and, you know, we actually are a little more skittish about that, because the potential of there being a problem is a bit greater. Now, we've talked about legislative fixes; we've found it kind of difficult to figure out how exactly you carve out research without also providing people who are trying to do bad things a ready excuse to still continue doing bad things under an exemption. But what we did end up doing, and announcing in May of this year, was through policy. So my office reviews every indictment for a CFAA prosecution across the country, and so we kind of oversee the statute, which wasn't always the case, right? That was in... yeah, in 2016 the Department made that shift to create greater uniformity in how the CFAA was being applied across the country. And so, you know, we have the opportunity to promulgate policy in this area, and what we have issued, and publicly available online, is direction to the U.S. Attorney's Offices, the, you know, 94 districts across the country that prosecute federal cases, that they should decline prosecutions where there was good-faith security research. And that is sort of the accessing of a system for purposes of testing, investigating, or correcting a security flaw or vulnerability, where that is done in a manner that does not endanger public health or safety and where it's done for purposes of improving security. And so that's essentially what we've been trying to get done in legislation, but it's very difficult to do, frankly. Here I will make a pitch to all of you, and this is a hobby horse I've been on for years: I think there's one way you can help us help you, and that is, beginning way back in 2014 when I came out and talked to security researchers, I was told, and convinced, that basically having the Department come in and tell you how you should do what you do is not going to go really well, right? That's not going to really take hold. But having the community articulate norms and standards about how security research is supposed to be done, what it's supposed to look like, would allow us better to be able to distinguish between people who are doing the right thing and people who are actually not. And it's not clear exactly what the vehicle for that is, and I've talked to different people about this, but I mean, it's something I would encourage the community to kind of consider and think about, if there's some way of giving form to that.

All right, I'm just gonna say momentarily that that guidance that DOJ issued is a really big deal.
... application process ... what the DOJ and the judicial ...

Yes, we do. We also, though, assume that what we're assuming about the intent of the actor is in fact the intent of the actor. So building that into the tests seems like it makes some sense, I don't know, at least to us. Repeat it? Oh, that us assuming an intent of the actor, even though that's something that we ultimately have to prove, that is what we would want to be the actual intent of the actor, and that's why it's reflected in the standard we use, regardless of what perhaps the individual is intending. I mean, we will want to understand, we want to believe that that's what they're doing, we want the evidence to support that that's what they're doing. Ideally that is in fact what they're doing. If they have a different motive, then, you know, we're concerned that there may not be.

But those points you're making are 100% on the money, right. This came up, like, we've talked about this for nine years, and we've looked at different ways of drafting language, because we haven't given up on the CFAA, or in fact other anti-hacking laws in other countries. Like, I've been working on the CMA, the Computer Misuse Act in the UK, recently, and what you're saying about looking at intent, so in the UK, UK law looks at intent, did you intend to do a thing, but not motive. And so you could say, I intended to access that system without permission but I did it for all the right reasons because I'm a researcher, and they're like, oh, we don't care, you intended to, and that's the law. And so, hi.
We had a speaker request for survival instructions. It was really for these two, I just wanted them to be prepared.

This is great, I'm very happy with this, thank you. Thank you very much, this is amazing. That's me. Thank you. Fantastic, thank you, thank you so much, we appreciate it. I was really hoping they were going to make them run. Fantastic, thank you.

So yeah, so we've been having a lot of conversations around that exact thing. So for example, I am very passionately anti private-sector hackback, but I'm very passionately pro security research. Often the activities that you undertake could look the same for those two things, so how do I draw a line between them, right? Exactly as you say, if you're looking at it just based on activity and you're missing out that piece of motive, it's a problem. But it is a challenge, because you've got to work within the framework of the law and what it actually acknowledges and looks at. I think one of the things with the US version that we struggled with is: if we said, hey, one condition or one characteristic of good faith security research is that you disclose your findings publicly, what happens if you don't find anything? Are you basically saying, like, if you didn't find anything you broke the law, but if you did find something you didn't? That's not very fair. So it is really, really hard to find language that works on this, which is why nine years later we don't have an exemption for the CFAA yet.
... discovered ... yeah.

They're in jail? Their research was recovered to patch it? It was ... So I would be interested in knowing what that was, because to our knowledge, and CDT has also done the same scrub we've done, we don't know of any security researcher that's been prosecuted in the last decade other than, arguably, weev for the 2012 AT&T incident. Now, I don't know if it was a state prosecution or something else, but I'd be interested, just to make sure that our understanding is right of what's going on.

Yeah, we've also done research on this and we don't have cases. There are state laws for sure, and actually, interestingly, Washington's equivalent of the CFAA actually does have a security research exemption. It's the forefront of state laws on that. All right, we're going to take some questions. I do want to cover off some of the other laws that ... Yeah, sorry Jack, the question mic's run out of power. Would you repeat? Yeah, sure, absolutely, not a problem. Yeah, no, no.
I think, yeah.

So the question was, I think it was aimed specifically at DOJ: is DOJ working with states to help influence their thinking around state laws and state prosecutions on anti-hacking and security research? So, to be honest, we haven't reached out in the way that you suggested, in part because of federalism. Like, states get to interpret their own laws. But there is potentially an impact, from, I mean, every single state that has a law that addresses hacking is patterned after the Computer Fraud and Abuse Act, and so there is potentially some impact on changing the way that the federal law is looked at and used. Yeah, and I'm sorry, the person ...

Sorry, yeah, just before we move off this one though, also to say, while I think Jay isn't ... people like CDT and the EFF and sometimes ACLU, they do. There are also people like, so my colleague Harley Geiger is the person who worked with Washington State to get the research exemption, and so that's why I know about it, because actually keeping up with all the states is super hard. And so again, this is the thing: if you hear about stuff that's happening in your state, use the Slack, share the information, help raise the flag on it, and then we're better able to respond and to figure out how to get involved and influence, hopefully. Sorry Jack, go ahead.

Yeah, I do want to go back to a point that Leonard made earlier around creating norms for how to conduct this research, because I agree that that is kind of a central area and one that I think we've made progress in. So shout out to Amit's work with disclose.io, which is creating norms for both the researcher side but then also for organizations to say, okay, this is how you can conduct security research against our company or our government agency. And in the absence of exemptions in the law, these vulnerability disclosure policies are often really essential to guide researchers to understand, okay, this is what you're allowed to do, including a legal safe harbor to say, okay, if you comply with the terms of our policy we will consider this act to be authorized and we won't take legal action against you. So kind of just doing that on an organization-by-organization basis. And for instance, we've seen CISA issue a directive requiring all federal civilian executive branch agencies to start vulnerability disclosure policies authorizing security research against their systems. So now you can go for pretty much any government agency, you could go for DOJ, and look for vulnerabilities in them and be authorized, as long as you comply with their vulnerability disclosure policy. We've seen this at the state level as well, some states, Iowa, Ohio, South Carolina for instance, authorizing security research with vulnerability disclosure policies for their election systems, at least those that you can, kind of, whatever websites are on the internet. And private companies adopting this as well. So I think that is one area where we have seen progress, in organizations taking the lead and allowing security research against themselves.

Yeah, there was one in the back and then we'll come to ... wait one minute, we have our room mic working. All right, thank you.

Yeah, the first thing I was going to say is that it was really hard for us to hear what the question was, and because the first question was so long there was a lot of nuance that was missed, and I'm assuming that the camera, like in the recording, also might have missed that. So that was the point, I appreciate you made it. The second thing is that it seems like in the federal system, you were talking all about the federal laws and not the state ones, and you're getting into it a little bit right now, but part of the design of the system seems to be allowing different states to try different things, and then the federal government can kind of see which works best and then apply that, you know, kind of like California leading the way on privacy, things like that.

It's important, this is actually an area where things actually work a little bit on their head, for this reason. So what's developed over time is that the federal government is presumed to be the one that is most likely to actually pursue what would be a cyber crime, because often they have an international component these days, almost invariably, and that's something that basically states are not well positioned to address, let alone even if it's domestically one that reaches across state lines. And so it's sort of, this particular type of crime, an intrusion or a disruption, is sort of tailor-made for federal government intervention.

And just to quickly do a quick paraphrase on the first question: it was basically, the DOJ exemption looks at the sort of activities, it draws a box around, say, like, if you're a good faith researcher doing these kinds of things, and the question was, isn't it better to look at intent rather than a specific set of activities, because bad guys could do those same activities? So that was that question. Okay, so then you had a question at the front.

All right, first off, thanks for being here. So it's an idea and it's a kind of question at the same time. So there's a lot of regulations out there and laws where you have to get a license to do something, like on federal land you have to get a license to hunt. Can we not just have the good guys go get a license to do the good stuff, and then if the bad people don't have a license, you know ... let's put that to a vote. I'm just curious.

So I testified on this topic, I testified to Congress in 2015 on this topic, and one of the senators said the same thing he said: we'll just license researchers. The problem is a lot of discoveries are accidental, incidental. So what do you do about that, you know, what do you do about the five-year-old who figured out a way of hacking his dad's Xbox because he wanted to play? And, like, it's unlikely that Microsoft's going to prosecute a five-year-old; instead they actually gave him a lifetime supply of Xboxes. But, like, the point remains, we see a huge amount of incidental, accidental discovery, and so we want to make sure that that is also protected. I think the key here is to focus less on the concept of a researcher and more on the concept of research as an outcome. That would be my take on it.

I mean, and it's a good question, because the flip side of that is there's been questions about, like, well, if I'm a security researcher, shouldn't I be exempt? And it's sort of on its head, where we say, like, it's not a status, right. You can't say, because I'm a security researcher I can do things that will be destructive or invade people's privacy, right. And so, as you said, I think it is really looking at what is the conduct rather than sort of the status.

Yeah, I'm aware of a case at the moment where the public domain information on this is that a poor researcher is being victimized by a nasty company. The truth of the matter is the researcher has taken a copy of all the data and is holding it ransom, effectively. That's not okay. You doing research for the greater good doesn't give you a get out of jail free card; it doesn't make it okay to do things like that. Leonard mentioned the weev case earlier: they took 200,000 records and they sold them to Gawker. That's not research. You know, you can't just say, I'm a researcher, therefore it's okay that I do these crazy things. In my view, my non-government view. Okay, so, sorry, yeah, go ahead.
Good afternoon. So several Attorneys General of recent memory, Jeff Sessions and Bill Barr included, but even going back to Eric Holder with respect to the San Bernardino shooting and the capturing of the iPhone, have made comments regarding end-to-end encryption and how it pertains to lawful interception, basically alluding to backdoors, master keys, weakening of entropy, however you want to phrase it. I'd be curious to know your read of the terrain as it exists today, and perhaps how it might move forward, given that this conversation seems to be driven very much in the wake of catastrophe, or references to any number of things that I think we all agree are reprehensible, but to which ... I think you get my point.

Sure, and I have an easy answer for this because I'm a cog in a very big wheel, and it's this: the administration has not yet taken a position on that, so I don't have, as an administration official, a position on that. Yeah, that's some nice dancing you just did. I just work here.

Okay, so we're going to move on, just because I know that people are interested in other policy topics and there are other things that have happened. So let's get a quick update on the IoT Cybersecurity Improvement Act, because I think that this crowd cares about IoT. So the Act passed in 2020, December 2020, and said, hey, NIST is going to figure out the details, which they did, and then what? Like, it's getting blood from a stone, so to speak. So, and we were talking about this earlier, this is like a lot of the things, for example in the executive orders and also in the directives that have come out, things like performance goals for ICS, it required NIST and OMB to work on guidance that would be implemented. And one thing to remember about the IoT Cybersecurity Improvement Act is it was government focused, right. So, sorry, how many people are familiar with the IoT Cybersecurity Improvement Act? Okay, so in a nutshell, rather than trying to move a broad piece of legislation to address all IoT development, Congress was savvy and thought, let's use the buying authority that the US government has to create behavioral change in the market that will then create a long-tail benefit. So the IoT Cybersecurity Improvement Act is specifically aimed at federal civilian agencies, right, and their purchasing of IoT.

And so I'm going to use this point, though, to pivot to what I think is important, I really want to make it, because I think it's a sea change in something we've seen in the last two years, and even from 2020, and that is: you're absolutely right that there is an issue. The thinking was that the government could drive the market and drive change with its purchasing power. What we've seen over the last year is a government that has a much greater appetite for regulation of cybersecurity writ large, right. So we've seen performance goals for ICS, we've seen reporting requirements that have been promulgated by the SEC, by the OCC, FDIC and Fed, you've got CIRCIA, which is going through, with mandatory reporting for critical infrastructure for certain covered incidents. And these are things that were not happening. We actually attempted to get a data breach reporting law for about 16 years, and it essentially took what was a very bad year in cybersecurity incidents last year. And this is an area now, and this all goes to also a place where I think you have an outsized voice, where there's actually kind of bipartisan agreement, right. There's actually a law on data breach reporting, and we've seen this in various other cybersecurity areas: we have the Cybersecurity Information Sharing Act in 2015, we had CISA authorizing statutes, we had authority given. This area seems to be a place where, regardless of what political view people have or what administration, there's been a remarkable consistency across the last several administrations, from the Obama administration through the Biden administration, on cyber and critical infrastructure policy, by and large. But I am suggesting that there actually is a change, in that there is a greater appetite for actual regulatory authority in this area than we've ever seen.

And I'm going to give the last word to Jack: is there anything that you think we've missed that we should have covered off?

There's so many things we could have covered. I think one area that hasn't been, or has been mentioned in passing, is President Biden's executive order on cybersecurity, which I think, both through some of the kind of leveraging purchasing power of the government, or just kind of government security itself and security of contractors, has also represented kind of a major shift in how the government treats cybersecurity. It includes a lot of stuff that this community has been working on, software bills of materials, vulnerability disclosure policies, that we previously hadn't really seen coming at this level of policymaking. So I would encourage people to check that out. There's a bunch of associated guidance that's come out related to that, there's going to be regulations, say, related to software bills of materials that are kind of in the works still. But, for instance, there's things like a zero trust strategy for the federal government. I would give that a read. You might be surprised that it includes a lot of things that probably many of us would agree on that we've never seen government talk about, say phishing-resistant multi-factor authentication, the idea that we actually shouldn't require people to reset their password every six months or something. So some of these kind of common sense technical policies are finally bubbling up at the policy level.

Very good, thank you. So we are at time, so I'm going to wrap up. I'm just the non-American in the room; a lot of these topics are also being looked at by other governments around the world, and a lot of the things that we talked about around how you can get involved and influence are also true for other governments. So if you are, like me, not American, you can still get involved, it's still relevant, and it's good to know what's happening in other countries. And the Cavalry cares about that, right, the Cavalry is international, not just US-centric. Thank you very much for joining us, and we'll be around if you have questions.