The Editor Reports

The Black Hat community has a few asks for the ‘old-hat’ policy community in DC

July 28, 2017

LAS VEGAS – Making the rounds of technologists, researchers and tech-security vendors at the just-concluded Black Hat 2017, a reporter usually got a shrug and a shake of the head when asking what the federal government could do to assist their efforts.

But in speeches and briefings – and digging a little deeper in conversations – the policy “asks” from this diverse community are quite significant in a couple of areas.

Founder Jeff Moss said Black Hat in some ways provides “a crystal ball” on IT issues to watch, and that may apply to cyber policy too.

About this feature:
'The Editor Reports' is a new feature from Inside Cybersecurity intended to identify themes emerging from our news coverage and pose questions about the direction of evolving cybersecurity policies. Email comments to cmitchell@iwpnews.com.

The need for better law enforcement tools to fight cyber crime and federal support for programs to train the next generation of cybersecurity professionals were issues mentioned repeatedly by participants here.

“Every place we move to [in technology] creates a seam for bad actors,” said Trend Micro’s chief security officer Ed Cabrera, whose company sells IT security services and issues reports on global cyber trends.

“What we’re missing is a global strategy to look at cyber crime,” he said in an interview with Inside Cybersecurity. “Cyber is just a small subset of our transnational crime strategy – that has to change.”

Cabrera said legislation encouraging government-industry partnerships to go after criminals’ safe havens and steps on e-asset forfeiture could be helpful.

Despite the “rebel” trappings of Black Hat, this was the right audience for a discussion of cyber crime – one source here said firms like Rapid7, Mandiant, PricewaterhouseCoopers and others provide essential help to law enforcement in “identifying trends and spotting things.”

“They’re like the Pinkertons of the cyber age,” the source said.

On the cyber workforce, IT professionals here seemed to speak in unison on the need for better education and training programs, on introducing the subject to children early, and on making efforts to reach into diverse and often underserved communities.

Facebook’s Alex Stamos emphasized the diversity issue in his keynote, pointing to his company’s support for the CodePath program offering technical training to underserved communities and efforts to build major cyber programs at “nontraditional” colleges and universities.

Todd Thibodeaux, president and CEO of the tech trade group CompTIA, told Inside Cybersecurity about his group’s efforts behind legislation that would create a national IT apprenticeship program.

“We hear from customers that they are starving for cybersecurity professionals,” said Trend Micro’s Kevin Simzer. “It is a massive strain on companies.”

Lurking liability

Besides the apple-pie issues of education and crime-fighting, the discussions occasionally tipped into more controversial policy areas – amid a general sense of skepticism about what the nation’s policy apparatus could actually deliver.

“You can’t ask policy to keep up with the pace of security events,” RSA Security’s Ben Desjardins told Inside Cybersecurity.

But Desjardins, whose firm provides security services and hosts one of the best-known annual cybersecurity conferences in San Francisco, is perhaps more willing to see a role for government in cyberspace than some of his colleagues.

Discussing WannaCry and other recent ransomware attacks, he said, “When poor hygiene is happening, that could be where policy comes in.”

Desjardins and other participants like Brian Vecci of the security firm Varonis and members of the Global Cyber Alliance raised implementation of the European Union’s General Data Protection Regulation as a seminal event that will force cyber policy changes on U.S. as well as European companies.

“The GDPR may set in motion efforts by U.S. industries to get ahead,” Desjardins said, calling the EU rule, which takes effect in May, “a good first step.”

The regulation, among other elements, will require companies to take stock of the personally identifiable information they are holding and who has access to that data, as well as requiring a process for consumers to edit or remove their data from companies’ possession. U.S. industry groups have opposed the mandates in the rule.

“GDPR is an initiative to implement best practices,” Desjardins said. “This kind of regulation plays an important part in making sure companies are responsible.”

“[U.S.] corporate efforts are way ahead of the GDPR, but I expect something like this will be applied in Canada and then the U.S. over the next 10-15 years,” Varonis’ Vecci commented. “The only ‘policy piece’ missing in the U.S. is a mandate to do it, and we don’t even need that anymore.”

Speaking of data, plenty of participants here said they are closely watching the Apple-FBI struggle over access to encrypted data on consumer devices. Stamos urged civility as the tech community pushes back against any requests – or demands – for “back doors” or other mandates.

“Have empathy for those on the other side and consider solutions that are not back doors,” he urged the audience. Stamos told reporters later he was not proposing any specific solution to this debate. Moss, in an interview with Inside Cybersecurity, suggested there was not a middle-ground solution to be found.

A couple of participants – without prompting – mentioned President Trump’s executive order on cyber, saying its requirement for federal agencies to use the National Institute of Standards and Technology’s framework of cybersecurity standards is a positive development.

But Moss, the founder of both Black Hat and its sister DEF CON hacker conference, which was underway at the time, raised perhaps the biggest policy “ask” to come out of the week in Vegas: revisit the liability exception enjoyed by software makers.

“Why is software the only industry with no liability?” Moss asked. “When you install software you sign something absolving them of liability – and that served the software industry well for three decades. But I’m not sure it will for much longer.”

Legislation “defining expectations for entities holding data would be helpful,” Moss added. “Our whole economy is digital, we need to lay down the rules of the road. These are unanswered policy questions that must be resolved.”

Black Hat provided a vibrant forum for discussing these policy issues – particularly among some members of the tech community who rarely if ever venture into the cyber policy space.

We’ll see if and how these views work their way into the policy dialogue in the nation’s capital. – Charlie Mitchell, editor, Inside Cybersecurity