August 10, 2016
At Cybersecurity Gatherings, A Thaw Between Feds and Hackers
By Jeff Stone, Passcode
Over the past 20 years, the Black Hat and DEF CON hacker conferences have grown from intimate gatherings of computer tinkerers and tech outsiders to glitzy conventions that draw thousands of attendees and international media attention.
While the security research revealed at the back-to-back events – from breaking into ATMs to hacking roller coasters – seemed like science fiction just a few years ago, the work on display at last week's conferences in Las Vegas drew the attention of major global corporations and governments from around the world.
This year also marked the debut of a DEF CON event sponsored by the Defense Advanced Research Projects Agency (DARPA). The DARPA Cyber Grand Challenge aimed to prove that sophisticated computers can find and eliminate flaws in computer code without the help of human operators. Organizers broadcast the seven-team competition, which could revolutionize the cybersecurity process in the future, on jumbo screens for scores of spectators.
For the first time, politics played a bigger role in Vegas. Not only did representatives from Congress, the FBI, and the Federal Trade Commission attend the gatherings, but supporters of Democratic presidential nominee Hillary Clinton staged a fundraiser at the conferences.
But even though hackers and politicians are increasingly working together, there's still a wide gulf between Washington and the broader cybersecurity community. At an Atlantic Council Cyber Statecraft Initiative and Passcode event on Wednesday, security researcher and policy experts explored the growing bond between between the two camps – and what still divides them.
Panelists included Lorrie Faith Cranor, chief technologist at the FTC; Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs; Beau Woods, deputy director at the Atlantic Council's Cyber Statecraft Initiative and Brent Scowcroft Center on International Security; and security researcher Cris Thomas (also known by his hacker handle Space Rogue) of the cybersecurity firm Tenable Network Security.
Here are just a few things we learned:
1. The relationship between hackers and feds is warming
“We’re seeing a change from a completely adversarial relationship between government and the hacker community,” said Mr. Thomas.
The once-popular game "Spot the Fed" is perhaps the best example of that animosity. The game once challenged conference-goers to look for anyone who appeared to be an undercover officer. Judges awarded both the fed and spotter with free T-shirts.
Now, DEF CON organizers invite DC insiders into their hacker circles. This year featured a panel called Meet the Feds, in which the FTC's Ms. Cranor and representatives from the Federal Communications Commission and the White House shared their point of view with hackers.
“We wanted to do outreach to the hacker community by letting them know what our agency does and to show people we’re interested in what they’re doing,” Cranor said Wednesday.
2. It’s still a boys’ club
Women represented a mere 10 percent of the 22,000-or-so attendees at DEF CON this year, said Ms. Cranor. But that didn't necessarily make her uncomfortable, she said. At least most of the time. For instance, she said, at point during the popular "Hacker Jeopardy" game, one presenter known as “Vinyl Vanna” performed a striptease on stage. As a woman, she said, "It can be isolating."
3. Hackers get political
There was also the “Hackers for Hillary” event, where cybersecurity pros gathered for the Clinton fundraiser.
But Columbia’s Mr. Healey had a different take. He said the Hackers for Hillary event was "where we started to matter. Normally we would have to go to DC to testify, but now they’re coming to us.”
That's not all. There’s also a new willingness among lifelong hackers to participate in what’s going on outside the hacking community, said Thomas. Often, that means having a dialogue with policy wonks about encryption, or campaigning against the Computer Fraud and Abuse Act, which most respondents in a Passcode poll said stifles legitimate security research.
“There’s a growing movement, at least in the circles that I run in, of people actually trying to get involved,” he said. “When the FTC opens a comments period, people actually submit comments. There are more than enough of us who are willing to put a tie on.”