Cybersecurity

Blog Post

September 15, 2022

Policy hackers take Vegas

By Will Loomis, Safa Shahwan Edwards, Trey Herr, Stewart Scott, and Sarah Powazek

Every year, in the early August heat, thousands of hackers from around the world head to Las Vegas, Nevada for a series of cybersecurity conferences known as Hacker Summer Camp. This year, the Cyber Statecraft Initiative, along with a few friends, shipped out to see what all the hype is about. Below, they talk about their experience at the DEF CON hacking conference, why policy conversations belong at a hacker conference, and much more.

1. Why should a think tank be at a hacker conference?

Stewart Scott, assistant director, Cyber Statecraft Initiative, Atlantic Council:

“Cybersecurity policy is one of those spaces where actual, deep technical expertise and policymaking experience don’t often overlap. Policymakers would be missing out by trying to craft laws and rules about technologies without speaking to the people who make and/or break them.”

Will Loomis, associate director, Cyber Statecraft Initiative, Atlantic Council:

“With recent headline-grabbing security incidents like Colonial Pipeline, SolarWinds, and Log4J, there is finally sufficient momentum to make meaningful change when it comes to cyber security policy in the United States. However, these changes cannot be made without input from the folks who will be most affected for decades to come – the hackers and technical practitioners. DEF CON provides the perfect opportunity to bridge this divide and bring these two communities together.” 

Safa Shahwan Edwards, deputy director, Cyber Statecraft Initiative, Atlantic Council:

“Think tanks have a track record of serving as a bridge between government and industry. By connecting security researchers with government, policymakers and hackers can better learn from one another and craft more effective policies.”

Trey Herr, director, Cyber Statecraft Initiative, Atlantic Council:

“How can you make policy about infosec without the people working in infosec? Applied policy research means trying to get to know these issues from the perspective of those building, running, and breaking things.”

Sarah Powazek, program director, Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity:

“To put it simply, hackers make good policy, and they shouldn’t have to travel to or live in DC to contribute to the cyber policy space. Policy@DEF CON aimed to bring the public policy party to hackers where they gather and with topics that are directly applicable to them.” 

2. What policy-focused programming was offered at DEF CON this year?

Scott: “DEF CON ran an entire Policy Village, which was great to be a part of. Some highlights that come to mind: the Meet the Fed series, where DEF CON attendees got to hang out with different federal cybersecurity officials in a pretty laid-back capacity; and Gavel Battles, which saw some heated debates over beers and giant inflatable gavels.”

Loomis: “DEF CON officially introduced Policy@DEF CON this year – the first time in the conference’s history they have had a space dedicated exclusively to policy content. However, there was also plenty of additional policy-focused programming spread throughout the forum – I was able to catch some awesome maritime cyber policy talks at the ICS Village and a discussion on aerospace cyber regulations at the Aerospace Village.”

Shahwan Edwards: “There was an entire track just devoted to policy at DEF CON, which was cool, but what was even cooler was the amount of interest this track garnered! The policy village held over twenty discussions, but some that stood out to me were Hacking Law is for Hackers, Meet the Feds: ONCD + CISA Editions and the Offensive Cyber Industry discussion.”

Powazek: “There was an incredible roster of talks this year, all of which were interactive, with big Q&A portions and sometimes breakout groups working on specific proposals! My favorite was the Election Security Bridge Building talk, which brought together election security machine vendors, election officials, and security researchers to talk about trust and collaboration. There were also talks on offensive security, hacker law, crazy Gavel Battle debates, and much more.”

3. What surprised you the most about your DEF CON experience?

Scott: “I was surprised at how much the conference crammed into a few days—trying to catch every presentation or workshop I was interested in wasn’t even close to possible.”

Loomis: “As this was my first DEF CON experience, I think I was most surprised both by the sheer scale of people and programming and by how much the core hacker ethos was built into every single aspect of the event.”

Shahwan Edwards: “First, the sheer quantity of programming. I knew this would be a large conference, but I still wasn’t prepared for the sprawl and number of discussions, activities, and receptions. Second, I was surprised by the amount of interest in policy-focused programming and by LineCon (the long lines outside any DEF CON programming are called LineCon) at the Policy Village.”

Herr: “The degree to which DEF CON is a celebration of the layered history of the culture of hacking and cyberspace. There’s a historical lens to a lot of what goes on – long running traditions and programming, as well as remembrance of those lost. This is much, much more than another cybersecurity conference in the desert – it’s all the flavors of an online bulletin board system come to life.”

Powazek: “I was shocked and gratified to see how popular the DEF CON policy space was this year. There were lines out the door for the policy team’s two small rooms, and many attendees had never been involved in policy before. There is an incredible appetite for relevant hacker policy content!”

4. What was one thing you missed at Summer Camp this year you’d like to do next year?

Scott: “I would have loved to spend more time at the technical talks. The sheer number and variety of exploits is amazing—I heard there was one talk where a pair of researchers used emojis to deliver shellcode? Wild.”

Loomis: “I would have liked to explore more of the wide array of programming offered at DEF CON, but more broadly, I wish I could have stopped by the BSides LV and Diana Initiative conferences earlier in the week. It looked like there was a plethora of great content presented – it’s not just DEF CON!”

Shahwan Edwards: “The Social Engineering Community for sure. I’d love to learn more about the ways malicious actors can prompt certain actions or behaviors by leveraging soft skills—something often overlooked in cybersecurity.”

Herr: “Lockpicking remains one of the great microcosms of the security mindset and hacking. The lockpicking village is definitely on the list for next time.”

Powazek: “I didn’t get to spend very much time in the Villages, which are in many ways the heart of the con. I’d like to loiter longer in ICS Village, Girls Hack Village, and Aerospace Village to name a few.” 

5. What is your biggest takeaway coming out of Hacker Summer Camp?

Scott: “Don’t even try to see everything! Instead, pick a couple of things you need to be at and then go with the flow the rest of the time.”

Loomis: “Every single person approaches an event like this differently. Tailor your agenda to what YOU want to do – there are talks from 10am-11pm every day, so pace yourself – you won’t be able to do it all!”

Shahwan Edwards: “Have fun, talk to people, learn something new, but also be sure to pace yourself over the weekend.”

Herr: “Expired: Spot the Fed; Tired: Meet the Fed; Wired: Hack with the Feds!”

Powazek: “There is no substitute for meeting folks in person! I’m grateful for the chance to meet wonderful policy and hacker friends at least once a year at DEF CON, and I believe connecting these folks in person goes a long way in pushing forward technically informed and strategic policy proposals.” 

Interested in the work we presented at DEF CON? Check out:

Report

Sep 14, 2022

Dragon tails: Preserving international cybersecurity research

By Stewart Scott, Sara Ann Brackett, Yumi Gambrill, Emmeline Nettles, Trey Herr

A quantitative study of whether legal context can affect the supply of vulnerability research, with detrimental effects for cybersecurity writ large via the coordinated vulnerability disclosure (CVD) process, using recent regulations in China as a case study.


Contributors:

Will Loomis is an associate director with the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He leads the Initiative’s work on critical infrastructure protection and industrial control systems (ICS) security. Will is also a Certified Bourbon Steward.

Safa Shahwan Edwards is the deputy director of the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). In this role, she manages the administration and external communications of the Initiative, as well as the Cyber 9/12 Strategy Challenge, the Initiative’s global cyber policy and strategy competition.

Dr. Trey Herr is the director of the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce. 

Stewart Scott is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He works on the Initiative’s systems security portfolio, which focuses on software supply chain risk management and open source software security policy. 

Sarah Powazek serves as the Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity (CLTC), where she leads flagship work on the Citizen Clinic, the Consortium of Cybersecurity Clinics, and public interest cybersecurity research. Sarah previously worked at CrowdStrike Strategic Advisory Services, and as the Program Manager of the Ransomware Task Force. She is also an active member of the hacker community, and helps organize Hackers On The Hill and DEF CON Policy.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
