DEF CON
30

Hacking law is for hackers - how recent changes to CFAA, DMCA, and global policies affect security research

Friday at 12:00 in Roundtable
105 minutes | Talk and roundtable

Harley Geiger Senior Director for Public Policy, Rapid7

Leonard Bailey Head of the Cybersecurity Unit and Special Counsel for National Security, Department of Justice

What a year for hacker law! 2021-2022 saw major changes to laws that regulate hacking, such as the notorious CFAA, the grotesque DMCA Sec. 1201, and China's grisly "Management of Security Vulnerabilities" regulation. This presentation will walk through each of these developments and detail their implications for security researchers. We'll give background on how these laws have recently changed, identify areas of continued risk for hackers, and suggest concrete ways for the security community to make additional progress in shaping a favorable legal environment. An extended roundtable discussion will follow the presentation.

Red Teaming the Open Source Software Supply Chain

Friday at 12:00 in Collaboratorium
105 minutes

Aeva Black Technical Advisory Committee, Open Source Software Foundation; Board Member, Open Source Initiative

Allan Friedman CISA OSS Security Lead

Open source software supply chain has enabled great innovation, but there are a unique set of risks from this supply chain. While not a new topic, everyone from software users to governments have started to pay attention to the security risks that have emerged from the success of--and our dependence on—open source software. Some solutions proposed are not popular among open source developers and maintainers. Even worse, much of the discussion does not directly involve those with an attacker mindset, relying on just a few high profile incidents.

This session will bring together experts from the open source ecosystem with security experts to think about OSS security from an attacker’s perspective. We’ll go through a few scenarios collectively, and then brainstorm more in small groups, sharing them out. Each attack scenario will then be evaluated against potential defensive measures.

Emerging Technical Cyber Policy Topics

Friday at 14:00 in Roundtable
105 minutes

Luiz Eduardo

Kurt Opsahl

Yan Shoshitaishvili

Yan Zhu

The DEF CON community confronts difficult challenges daily, overcoming many through defensive levers, such as tools, technology, and process. How about a push to make a Nation (or Nations) more secure with actionable directives? Larger, more stubborn challenges require other tools, including those dealt with at the public policy layer, such as executive orders, Congressional action, agency rules and guidance, or collective industry action. Hackers and policymakers will raise several such challenges and moderate discussions about which policy levers may be able to address them, and how.

Meet the Feds: ONCD Edition

Friday at 14:00 in Collaboratorium
105 minutes

Staff from the Office of the National Cyber Director

Join Short discussions between security researchers and new senior staff at the Office of the National Cyber Director, working on technology ecosystem risk, open-source software, security research, CVD policy, and related talks. Forming relationships between the DefCon community and federal policymakers will enhance federal policy and its meshing with the security community; casual, close conversations are an excellent way to start.

Moving Regulation Upstream - An Increasing focus on the Role of Digital Service Providers

Friday at 16:00 in Roundtable
105 minutes | Talk and roundtable

Jen Ellis Vice President of Community and Public Affairs, Rapid7

Irfan Hemani Deputy Director - Cyber Security, Cyber Security and Digital Identity Directorate, UK Department for Digital, Culture, Media and Sport

Adam Dobell First Secretary, Department of Home Affairs, Embassy of Australia

Cybercriminals are no longer focusing all their efforts on the biggest fish, which means organizations below the security poverty line - who often struggle with achieving adequate cyber resilience - are increasingly being hit. At the same time, we've seen an increase in supply chain attacks, which makes sense as more and more of the tech ecosystem is moving to cloud or managed service provider models. Various governments are paying attention to these shifts and are considering how regulating digital service providers may advance security more broadly, while also alleviating the burden on small to medium businesses. This session will be led by one or two governments working on this issue and will include an open discussion on the challenges and opportunities of this approach.

Election Security Bridge Building

Friday at 16:00 in Collaboratorium
105 minutes | Talk and roundtable

Jack Cable Independent Security Researcher

Michael Ross Deputy Secretary of State for Iowa

Trevor Timmons Office of Colorado Secretary of State

Psst. I have heard whispers on Capitol Hill that one of the barriers to more secure elections is strengthening the trust between election workers and security researchers. And what better venue to bring together good faith researchers with election officials than DEF CON Policy? DEF CON Policy Department is working with top election security officials and security researchers to host a roundtable discussion on strenthening trust and collaboration in electiom security. This session will highlight work from top researchers and members of the DEF CON community, federal government representation, and perspectives from Secretaries of State.

Meet the Feds: CISA Edition (Lounge)

Friday at 19:00 in Roundtable
60 minutes | Lounge

CISA Staff

Following the fireside chat with US Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, several members of the CISA team will be on hand to provide a more in depth look at the Agency, their work, and some of the ways they're already engaging with the hacker community. This session will give hackers an opportunity to ask questions of the CISA team and provide candid feedback to them.

Fireside Policy Chats

Friday at 19:00 in Collaboratorium
75 minutes

Leonard Bailey Head of the Cybersecurity Unit and Special Counsel for National Security in the Criminal Division’s Computer Crime and Intellectual Property Section at the Department of Justice

Fireside Lounge sessions are your informal, off the record opportunity to get to know policymakers in an intimate setting. Maybe with a drink in hand. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must. The speaker will give a strategic analysis of relevant issues, lead a Socratic dialogue about the trade-offs represented in decision-making, and open the floor to audience questions and/or a moderated group debate. Did we mention it's off the record?

Meet the Feds: DHS Edition (Lounge)

Friday at 20:00 in Roundtable
120 minutes | Lounge

DHS Staff

Members several DHS departments will be on hand to discuss issues they address daily, as well as meet the DEF CON community. Representatives from across DHS are expected, including the Secret Service, Coast Guard, Transportaiton Safety Administration, and the Office of the Secretary.

Fireside Policy Chats

Friday at 20:30 in Collaboratorium
75 minutes

Gaurav Keerthi Deputy Chief Executive of the Cybersecurity Agency of Singapore

Fireside Lounge sessions are your informal, off the record opportunity to get to know policymakers in an intimate setting. Maybe with a drink in hand. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must. The speaker will give a strategic analysis of relevant issues, lead a Socratic dialogue about the trade-offs represented in decision-making, and open the floor to audience questions and/or a moderated group debate. Did we mention it's off the record?

Imagining a cyber policy crisis: Storytelling and Simulation for real-world risks

Saturday at 10:00 in Roundtable
105 minutes | Panel

Safa Shahwan Edwards Deputy Director, Cyber Statecraft Initiative, Atlantic Council

Nina Kollars Department of Defense

Winnona DeSombre Fellow, Harvard's Belfer Center and Atlantic Council

Story time for hackers. The importance of storytelling and simulation for teaching and training policymakers including a scenario from the Atlantic Council Cyber 9/12 program and other comparable efforts. Hear from panelists on how they construct stories and simulations for policymakers, from short from prose to war games to student competitions. This panel draws on the hacking community’s rich history of storytelling through fiction, graphic art, and more to demonstrate the practical importance of shaping ideas in policy debates. This session complements an otherwise heavy emphasis throughout the track on ideas over the medium itself. Panelists would also discuss their approach to breaking down a complicated issue or problem in order to represent its core themes, challenges, and opportunities especially for policymakers.

Hacking Operational Collaboration

Saturday at 10:00 in Collaboratorium
105 minutes | Panel and workshop

David Forscey Joint Cyber Defense Collaborative, CISA

Brianna McClenon Joint Cyber Defense Collaborative, CISA

Seth McKinnis Joint Cyber Defense Collaborative, CISA

Hristiana Petkova Joint Cyber Defense Collaborative, CISA

Gavin To Joint Cyber Defense Collaborative, CISA

CISA/JCDC leadership will speak on a panel to review the purpose and history of JCDC, and set the scene for the event before attendees begin their own conversations. Following the panel, attendees will split up into four breakout sections and gather in four corners of the room. Each of these groups will divide again to form no more than 5-6 people per discussion group. These small groups will delve into one proposal for a JCDC initiative and discuss for 15-20 minutes, after which they will rotate to the next section/topic. Each conversation will be facilitated by CISA, who play the “champion” for that specific proposal. Topics may include: Transnational Trust Webs (How can JCDC collaborate with researchers, orgs, and partners spread across the globe? Internet security, not just national security); Chaos Engine (How do we turn the Internet into a much more risky place for adversaries? Which hackers have the right data to find adversary infrastructure?); We Want You (How can CISA expand on its past work with individuals on research to integrate volunteer hackers into response operations?); Expect the Worst (What kind of contingencies should CISA prioritize? What planning and preparation can achieve the most leverage if the worst happens?)

Addressing the gap in assessing (or measuring) the harm of cyberattacks

Saturday at 12:00 in Roundtable
105 minutes | Roundtable

Adrien Ogee Chief Operations Officer, Cyber Peace Institute

Through this session we propose to outline the draft methodology, so as to leverage the expertise of the audience to provide feedback and indicate interest in peer-reviewing or testing such a methodology. As well as to have an open discussion about the value of understanding harm in a cyber context.

Hacking Aviation Policy

Saturday at 12:00 in Collaboratorium
105 minutes | Roundtable

Timothy Weston Deputy Executive Director (acting), Cybersecurity Policy Coordinator, Transportation Security Administration

Meg King Executive Director for Strategy, Policy Coordination & Innovation, Transportation Security Administration

Pete Cooper Deputy Director Cyber Defence, Cabinet Office

Ayan Islam R-Street Institute

Ken Munro Pentest Partners

TSA and DEFCON will host a policy discussion group focused on the current cybersecurity threats to the aviation ecosystem. Discussion will be focused on the increasing threat space focused on airports, airframes, airlines, and air cargo. Additional topics of discussion will focus on cybersecurity work force issues, prioritization of mitigation measures to counter the threats, and how the research community can assist the government and the private sector. The aviation sector policy discussion will be held under Chatham House rules, otherwise known as “what happens in Vegas, stays in Vegas,” with the desired outcome that participants will come away with a better understanding of the threats, possible solutions, and the importance of collaboration to solve these pressing issues. Given the global nature of aviation, we will touch on the partnerships and policy regimes under consideration by the international community.

Return-Oriented Policy Making for Open Source and Software Security

Saturday at 14:00 in Roundtable
105 minutes | Panel and roundtable

Trey Herr Director, Cyber Statecraft Initiative, Atlantic Council

Eric Mill US Office of Management and Budget

Harry Mourtos Office of the National Cyber Director

A moderated discussion on how to hack policy systems using laws and authorities already on the books, featuring the policymakers who write and use them, focusing on open source and software security. At DefCon 22 in the aftermath of Heartbleed, John Menerick told us to "keep calm and hide the internet". Alas, they found it. The policy community in the US, and lesser extent Europe, is finally starting to put serious focus on software security including open source. This event will bring hackers together with policymakers to identify policies on the book that could help improve the open source ecosystem and the security of software. Other policy conversations might stray into the possible, this one will emphasize the practical. The discussion will involve policymakers who write and implement these laws and use these authorities to enable discussion and debate focused on pragmatic solutions, putting hackers inside ongoing policy debates in real time.

Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet

Saturday at 14:00 in Collaboratorium
105 minutes | Talk and roundtable

Neal Pollard Ernst & *****

Jason Healey Senior Research Scholar at Columbia University SIPA

Guillermo Christensen Partner, K&L Gates

The global internet is in large part a creation of the United States. The internet’s basic structure—a reliance on the private sector and the technical community, relatively light regulatory oversight, and the protection of speech and the promotion of the free flow of information—reflected American values. Moreover, U.S. strategic, economic, political, and foreign policy interests were served by the global, open internet. But the United States now confronts a starkly different reality. The utopian vision of an open, reliable, and secure global network has not been achieved and is unlikely ever to be realized. Today, the internet is less free, more fragmented, and less secure. The United States needs a new strategy that responds to what is now a fragmented and dangerous internet. The Council on Foreign Relations launched an independent task force to develop findings and recommendations for a new foreign policy for cyberspace. This session will seek input from the DEF CON community on specific foreign policy measures, to help guide Washington’s adaptation to today’s more complex, variegated, and dangerous cyber realm. Come prepared to discuss topics, such as: Developing a digital privacy policy that is interoperable with Europe’s General Data Protection Regulation (GDPR); Building a coalition for open-source software; Developing coalition-wide practices for the Vulnerabilities Equities Process (VEP); Clean up U.S. cyberspace by offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure.

Right Hand, Meet Left Hand: The Cybersecurity Implications of Non-Cybersecurity Internet Regulation (Community Roundtable)

Saturday at 16:00 in Roundtable
60 minutes

Cathy Gellis

Cybersecurity is obviously an important policy priority, but it's not the only area of tech policy getting attention by government. State and federal regulators are also pursuing laws and regulations in other areas, like copyright, privacy, antitrust, and social media regulation - each of which ultimately affects the ability to keep our computing systems and networks secure. Come to this session to learn about some of the policy pushes in these other areas, consider how some of the consequences these regulatory initiatives may bear on cybersecurity, and workshop how those effects might be avoided. (Limited capacity event; open to all conference attendees to participate under Chatham House Rules.)

International Government Action Against Ransomware

Saturday at 16:00 in Collaboratorium
105 minutes | Talk and roundtable

Jen Ellis Vice President of Community and Public Affairs, Rapid7

Irfan Hemani Deputy Director - Cyber Security, Cyber Security and Digital Identity Directorate, UK Department for Digital, Culture, Media and Sport

Adam Dobell First Secretary, Department of Home Affairs, Embassy of Australia

Ransomware attacks continue to abound and various governments around the world are very active on combatting this issue. This session would bring some of them together to discuss what's being done and where it needs to go. It's been a little over a year since the Colonial Pipeline, HSE, and JBS attacks put ransomware firmly on the agenda as a threat to national security and economic stability. Since then, we've seen ransomware attacks become more openly politicized. We're also seen the White House and G7 both host international government forums to identify collaborative actions to tackle the threat. We've also seen new sanctions, public/private initiatives, bounties for criminals, and various other government actions introduced to make life for cybercriminals harder. This session brings together multiple govs to talk about what's being done, what results have been seen, and where we're headed next. They will start off covering these points and then open to the audience for questions and open discussion on next steps and impacts.

Thinking About Election Security: Annual Debrief (Community Roundtable)

Saturday at 17:15 in Roundtables
60 minutes

Cathy Gellis

Election security has left the realm of election professionals and is now top of mind for anyone. But what does it mean? Is it just about the security of voting equipment? Or the security of the entire system of running elections? If you haven't been able to catch the Voting Village's content, or would like the opportunity for a deeper dive on some of the issues policymakers are wrestling with, this session is for you. (Limited capacity event; open to all conference attendees to participate under Chatham House Rules.)

D0 N0 H4RM: A Healthcare Security Conversation (Lounge)

Saturday at 19:00 in Roundtable
180 minutes | Lounge

Christian “quaddi” Dameff MD Physician & Medical Director of Cyber Security at The University of California San Diego

Jeff “r3plicant” Tully MD Anesthesiologist at The University of California San Diego

Jessica Wilkerson Cyber Policy Advisor at the US Food and Drug Administration FDA

Alissa Knight Hacker & principal analyst at Alissa Knight & Associates

Seeyew Mo Senior Cybersecurity, Tech, National Security Fellow

Ayan Islam R-Street Institute

Hackers in healthcare have come a long way from the days of the Manifesto. There is no longer apathy amongst the powerful - baby food has been replaced with steak. Hackers are making medical devices safer for patients. Hackers are protecting hospitals from ransomware. Hackers are writing policy and guiding regulation. This is cause for celebration- and where better to throw down than DEF CON 30? Let’s face it- the last couple of years have been doom and gloom, and while attacks on hospitals continue to increase at record pace, and the promise of new medical technologies is equally matched with some terrifying security implications (Neuralink, call us), we really do need to stand back and appreciate where we’ve come from, because only then can we put into perspective what we still need to do. D0 No H4rm returns to DEF CON to once again give you the chance to interface directly with some of the biggest names in a domain that just keeps growing in importance. Moderated by physician hackers quaddi and r3plicant, this perennially packed event - with a heavily curated panel of policy badasses, elite hackers, and seasoned clinicians - always fills up fast. So if you want to protect patients, build a safer and more resilient healthcare system, and meet some incredible new friends, then join us. And welcome home.

Fireside Policy Chats

Saturday at 19:00 in Collaboratorium
75 minutes

Emma Best DDoSecrets

Xan North DDoSecrets

Fireside Lounge sessions are your informal, off the record opportunity to get to know policymakers in an intimate setting. Maybe with a drink in hand. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must. The speaker will give a strategic analysis of relevant issues, lead a Socratic dialogue about the trade-offs represented in decision-making, and open the floor to audience questions and/or a moderated group debate. Did we mention it's off the record?

Fireside Policy Chats

Saturday at 20:30 in Collaboratorium
75 minutes

Chris Painter President of Global Forum on Cyber Expertise

Fireside Lounge sessions are your informal, off the record opportunity to get to know policymakers in an intimate setting. Maybe with a drink in hand. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must. The speaker will give a strategic analysis of relevant issues, lead a Socratic dialogue about the trade-offs represented in decision-making, and open the floor to audience questions and/or a moderated group debate. Did we mention it's off the record?

Better Policies for Better Lives: Hacker Input to international policy challenges

Sunday at 10:00 in Roundtable
105 minutes | Talk and roundtable

Peter Stephens Policy Advisor for CyberSecurity, Organisation for Economic Co-operation and Development (OECD)

Every year, delivering effective cyber security policies becomes more urgent, and more complicated. These challenges are becoming more international. Just thinking about product security for IoT; consumers are buying more smart products through online marketplaces, supply chains are becoming more complex and overly reliant on online marketplaces , that often exist outside of the remit for existing legislation. Meanwhile, the vast majority of consumers simply don’t know what to look for to assess security. The problem isn’t just security, but it is one of market failure. In the policy space, it also feels like there is a market failure at play. Security researchers want to feed into policy makers’ approaches, and civil servants (many of whom are generalists) need technical experts to help them assess lobbying and design proportionate plans. The OECD exists to promote ‘better policies for better lives’. We support civil servants around the world, and would like to offer opportunities for the security research community to feed in at a broader scale. This will be a working session, with a particular focus on product security (including IoT) and the challenges facing the security research community in the handling of vulnerabilities.

Improving International Vulnerability Disclosure: Why the US and Allies Have to Get Serious

Sunday at 10:00 in Collaboratorium
105 minutes | Panel and roundtable

Stewart Scott Assistant Director, Cyber Statecraft Initiative, Atlantic Council

Christopher Robinson Intel

Join the Atlantic Council's Cyber Statecraft Initiative and DefCon Policy Track Initiative for a discussion on the strategic urgency behind better vulnerability disclosure. The session will focus on why the US and allied states need to take steps to make vulnerability disclosure easier, motivating the discussion with results from a study of the effects of a recently passed Chinese law on vulnerability disclosure.

Protect Our Pentest Tools! Perks and Hurdles in Distributing Red Team Tools

Sunday at 12:00 in Roundtable
105 minutes | Talk and roundtable

Omar Santos

A panel with Q&A about offensive cybersecurity tools like CobaltStrike, how the tools affect both defensive and offensive security practitioners, and the practical difficulties of controlling the licenses and distribution of these pentest tools. This is meant to be an impact-focused discussion on the merits and challenges of producing offensive tools and NOT a law-based debate/interpretation of export controls.

Offensive Cyber Capabilities Roundtable

Sunday at 12:00 in Collaboratorium
105 minutes | Roundtable

Winnona DeSombre Fellow, Harvard's Belfer Center and Atlantic Council

Sophia D'Antoine Founder of Margin Research

Matt Holland Founder of Field Effect

Join us for a Chatham House Rule conversation with hackers that provide capabilities to government cyber operations. Learn about the development and sale of offensive cyber capabilities, and what the government/policy perspectives are for regulating this space.

The Exploding Wireless Attack Surface: Policy considerations for a rapidly changing electromagnetic spectrum environment

Sunday at 14:00 in Roundtable
60 minutes

Linton Wells

Examine current and emerging cybersecurity policy issues introduced by the proliferation of new spectrum uses, many of which are not emphasizing cybersecurity. Billions are being spent for rural broadband; IoT/IIoT systems are becoming ubiquitous and many have RF component embedded; LEO internet will expand dramatically with ground, space and data link segments; MMW systems for 5G and 6G need to be backwards compatible with legacy systems; the military is putting increased emphasis on cyber-EW convergence and the implementing the 2020 Electromagnetic Spectrum Superiority Strategy; shared spectrum is becoming increasingly accepted, increasing the importance of dynamic spectrum access. Spectrum is critical to nearly every element of the emerging network environment, yet the initiatives are distributed (NTIA, FCC, Agriculture, Energy, Defense, States, commercial, etc.) and cybersecurity considerations are not receiving enough attention.

ONCD Cybersecurity Strategy Workshop

Sunday at 14:00 in Collaboratorium
60 minutes

Jason Healey Senior Strategy and Research Advisor, ONCD, White House

Samantha Jennings Senior Strategy and Research Advisor, ONCD, White House

Osasu Dorsey Senior Strategy and Research Advisor, ONCD, White House

The ONCD team will provide an overview of the National Cybersecurity Strategy that is currently under development and solicit feedback from participants.