>>Welcome to Def Con! [clears throat] Alright, uh, do you guys believe thes-the hackers have been coming to the city- the desert for 25 times now? Give yourselves a round of applause for coming to the desert. 25 years. [Applause] So, uh, I believe we’re making history here, this is the first time sitting congressmen have been to uh, officially, in official capacity speakers at, uh, the largest hacker conference in the world. So that to me, looks like some progress. Uhm, we’re going to do some introductions in a minute, uh, first things first, we’re going to do a little framing to explain why we were able to get, uh, these two distinguished, uh, public servants to our conference. So, we’ve been coming here 25 years and we are not necessarily a single tribe. And a lot of the outside world thinks a hacker equals a criminal, and I think over the last few years we’ve been turning that tide, and now they understand there’s a- hacking is just a form of power, it’s like magic and we can use it for good, for ill, for any number of purposes, and one of the ways we’ve been trying to turn that tide is explaining why we do what we do. And we all have different motives, not everyone in here is the same, but you know alliteration works, short lists work, so we have these five P’s. We basically say some people are protectors. They want to get stuff fixed, they want to make the world a better place. Some people are puzzlers, that’s why most of us got into this in the first place, right, we want to tinker, we want to take it apart, we want to put it back together. We’re curious. Curiosity is our original motivation. Some of us do this ’cause we want to win the white jacket or we want to be famous. We do it for prestige or for pride. And there’s nothing wrong with that. It’s allowing us to achieve great things. Some of us do this for profit or personal/professional gain. And we make a career out of it.
And some of us do this for a protest for or against some ideological cause that we care deeply about. Ideally within the bounds of the laws. So whether you’re motivated by being a protector, a puzzler, a prestige/profit, or protest. You know we’re complicated individuals but there’s a reason you got in this in the first place and there’s a reason you stay in it. So for my part, I wanna make the world a safer place. So I’m first and foremost a protector, and like luckily over the last several years we’ve met several of you that feel the same, but you know I also like hard problems, so I’m a bit of a puzzler as well. And uh, we’re gonna ask these congressmen during their intros, why did you get into public service in the first place? What’s your motivation? Now, in the spirit of that, 4 years ago here at Def Con we launched I Am The Cavalry. This was this idea that could we be the voice of the reason, an ambassador, a translator, should we bring Def Con to DC? Should we try to be a voice of translating the things we care about, specifically wherever there is issues of public safety and human life. The idea is could we shift from being a pointing finger at past failure to a helping hand towards future success. Can we stop celebrating failure and what’s wrong with something and look for what’s right with something, uh, and-and through that we focus more on empathy and communication than we did on breaking things. And because of that we’ve slowly, slowly made ourselves accessible to public policy makers and whether you guys knew this or not over the last 2 years there are 18 parts of the US government who enthusiastically support and encourage the use of coordinated vulnerability disclosure so not only is what you’re doing is not criminalized in all cases and we’re slowly turning the tide on that with things like the Digital Millennium Copyright Act exemptions, but they also see us as a vital resource and a teammate if done right.
One of these two gentlemen on stage on the floor of Congress said “Go hack the Pentagon.” So I think we’re turning the tide and this is something I think is worth a little bit of cheers for yourselves and for others. [Applause] Now, there’s a long way to go. Uh, last year was pretty hot for first of a kind policy engagement on cyber security issues. Yes, I said cyber but A, I did my friggin shot and B, uh, this is the language they speak on the Hill, and if we want to be effective you know, when you’re in France you speak French, right, so we have to harmonize the way we speak about things, but you know legislative and executive branch alone we saw the Food and Drug Administration really tighten up things like medical device cyber safety, we saw the Department of Transportation do this, we saw Commerce encourage disclosure and patching best practices. DHS, White House and Congress themselves also asked, almost presciently, they said “we’re concerned about over connectivity and security risks in our health care which is a sixth of our economy.” So while we were all talking about information sharing in the CISA Act of 2015 they also asked for one year of congressional task force, and in that they wanted a diverse number of stakeholders to say “How risky is connective medicine?” and on June of this year we published this. They actually made sure they wanted a voice of hackers so I Am The Cavalry and a lot of the hacker community got to participate in this one year long task force. Now, I’m going to say some stuff that’s a little scary so we can ground this group in why we’re having them here today. So, of the many things we found, the punchline was that healthcare is in critical condition and whether you can read this graphic or not the 5 things on the front page of this report are essentially, about 85% of our US health delivery organization lack a single qualified security person on staff. That should scare everybody.
And this is not a US only problem, we talked with our international partners. Number 2, we tend to be defending legacy XP or older in the leg- in the-in the clinical environment so these things are well past their end of life where they’re no longer supported. Number 3, they tend to be over connected to each other and reachable by the outside world, which means that a single flaw in a single device could take out an entire hospital as you saw with Hollywood Presbyterian last February. And moreover the average device in a clinical environment has over 1,000 known vulnerabilities. So put those together, most of our hospitals lack a single one of you, you’re defending harder to defend things, they’re over connected to each other and reachable by the outside world, a single flaw in a single device took out patient care at Hollywood Presbyterian Hospital, and the average device may give us 1,000 chances to do it. We’ve done amazing things over the last 25 years but we need more of you. To help us solve these wicked problems and if there wasn’t a sense of urgency as we were publishing this report back to Congress, WannaCry took out 65 hospitals in a single day. That was 20% of their national capacity. You know people died from degraded and delayed patient care. So, I wanna call out to the best of you, as we reach out to the best of them, and in the spirit of that I think we’ve proven the model to work over the last 4 years, bringing Def Con to D.C. In fact some of us have actually quit our day jobs and moved into think tanks like the Atlantic Council and what not. And now we’ve brought part of D.C. here to Def Con in a way that hasn’t been done before and I am honored and humbled that we have two sitting members of our democratic process here. So please, I’ll introduce them in a moment, but let’s give it a huge round of applause for these two pioneers.
[Applause] All right, we’re going to try and keep an eye on the hashtag if you wanna send me your poll answers and what not, uh, Def Con- uh DC2 Def Con, uh, first Representative James Langevin, he will give his own intro, but I was uh, really excited to work with him as the chair and founder- co-chair of the cyber caucus in the House of Representatives. And also Representative Hurd of Texas who uh, also a very strong and leading and informed voice on cyber security issues and I’ll let them tell you their origin stories but please gentlemen weave in which of the motivations do you carry to public service? So, you first Representative Langevin.

>>Alright, well thank you very much Josh, for the introduction, for the invitation to join you today and uh, and uh, I wanna thank both you and Def Con and let me also recognize Beau and uh, the Atlantic Council for everything you did to make our visit here possible and uh, let me just say to the security researchers community, thank you all for what you do and uh, I know that collaboratively together we’re going to make a difference in this field and we’re going to make the uh, the internet much more secure than it is today and we’re gonna do it together. So I thank you for that, I know it’s a challenging, uh, environment, for sure, dynamic one but I find it an amazing topic to work on. I am thrilled to be here with my colleague, Will Hurd, uh, Will and I served on the Homeland Security Committee together, and uh, let it be recognized here that I can tell you bipartisanship is not dead on the Hill, there are pockets that still exist and guys like Will and I hopefully are helping set an example and helping to raise the bar to show that by working together that’s how we truly get things done. So, great to be here with my colleague. So [Light Applause]

>>Clap, You can clap for that [Applause]

>>So, just to brief you a little about myself, uhm, So I am a congressman from the 2nd district of Rhode Island.
I’m in my 9th term in Congress and I sit on both the uh the senior memb- the House Armed Services Committee and a founding member and senior member of the Homeland Security Committee. Uh, in all of that work, I specialize in-in cyber security and uh, the ranking member on the emerging threats and capabilities subcommittee on armed services. We have primary jurisdiction over NSA and US Cyber Command and uh, the Homeland Security Committee, I sit on the subcommittee on cyber security and infrastructure protection. But I have to tell you, I kind of fell into this-this world of being involved in cyber security uh, about a decade ago, when I was the chairman of the subcommittee on emerging threats, cybersecurity and science and technology and originally I thought we were going to be focusing mainly on the emerging threats part of the responsibility which was to look at all the, uh, the most serious threats to the face of the country such as chemical, biological, radiological, and nuclear threats to a, to America, and our allies. And then uh, one day my staff director uh came into me on the subcommittee and said uh boss you’re gonna get a briefing on this thing called the Aurora threat, uh, by two, found, discovered by two uh, researchers at Idaho National Labs where they found a vulnerability into a-into a critical infrastructure through a a-a SCADA attack, and hence everyone knows that as the Aurora threat but uh, I was riveted by the video that showed how a generator operating normally all of a sudden because of a a-a malicious code that was remotely inserted caused this generator to spin up out of control and then basically shake itself apart and uh, and that was just a small example of what could happen to, uhm, to our electric grid if in potentially shutting down a whole portion of our country's electric grid if a successful widespread SCADA attack were to be carried out. So that is how my interest in cyber began.
And just to close out, from there we were asked Mike McCaul and I, uh, my co-founder and co-chair of the cybersecurity caucus, Mike now chairs the full Homeland Security Committee, but he’s been a great, again bipartisan partner in this-in this effort to enhance our nation's cybersecurity uh, he and I were asked to chair b-be co-chairs of a national commission the CSIS commission, on cybersecurity for the 44th presidency, which became the foundational document for President Obama as he charted the nation’s cybersecurity uh, blueprint and plan going forward, and uhm, and then we also you know, founded the a- co-founded the cybersecurity caucus. And, when we originally started in this field I have to tell you we got a lot of funny looks Mike and I, we felt like we had a lone voice in the wilderness and uh, people did not understand the-the what we were so worked up about. They get it now. Times have certainly changed uhm, but we still have a lot of work to do. Clearly the awareness has been raised but now we’ve got to continue to work together to close the vulnerabilities. So, that is a, just briefly, probably went on too long, sorry, but uhm, that’s-that’s my introduction to the cybersecurity challenges that the nation faces and uh, and uh, it’s a continued work in progress but I have a, been really gratified to know there are people like you in the security research community who are doing important work discovering vulnerabilities and I’m hoping that we continue for stronger partnerships uh to help do something about it when we find those vulnerabilities and uh as I said I know that we’re going to be able to do this together, Will’s been a great partner, in this a- in this effort, and I’m pleased again to share the stage with him but I want to thank you for your invitation and it’s an honor to be with you today. Thank you. [Applause]

>>Which P are you Jim? Put the list back up.

>> Yeah I'm the one that fixes things.
>>It’s definitely not prestige right [Laughter] Ah, yeah that’s when you have a 9 percent job approval rating, uhm, that's not prestige. [Crowd Laughing] uhm, anyways, not us individually back home obviously, right, but as a body, as a body. Am I too far away from this? How do we get that echo out? Anyone?

>>[From crowd] Pull it back

>>Pull it back? This way? Uhm, well, again, thanks for having us here, this is my second time to-to to Def Con and I always take a lot away from the interactions that we have especially on the sidelines of many of these events. And I appreciate the Atlantic Council for making this happen and getting us out here to Las Vegas. Uhm, let me see a show of hands, How many- if this is your first Def Con? Okay, wow, a lot of noobs a lot a [light claps] Yeah, give it up for the noobies! [Applause] How many’s been here over 5 years? Okay, over 10? We got any of the originals? No, No originals? What, DT ain't here? DT didn't want to come uh, here or talk?

>>They’re all on duty [Laughter]

>>Yeah, uh, you just came here ’cause you drank too much last night and need somewhere c-cold to hang out? Anyone? Okay, I appreciate that, I appreciate the honesty. Uhm, So, I'm from San Antonio born and raised and [light cheers from crowd] A lot of San Antonians there you go. Uhm, and my, when I was in high school I had the opportunity to take an internship at the Southwest Research Institute and I had a female engineer [cheer from crowd] that exposed me, yeah? Female engineers? Give it up. [Applause] Exposed me to robotics and is the reason that I first got interested in computer science and I studied it at Texas A&M and [cheers from crowd] Yeah whoop Gig ’em Aggies! It’s our year, it’s our year. Uh, watch out Alabama [Crowd Laughing] Uhm, and so also if you need a Turbo Pascal or Fortran programmer let me know [Crowd Laughing] Uhm, I sorta know a few things. And I had the opportunity, when I graduated, I went into the C.I.A. Uhm, I was a case officer.
I did 2 years in Washington D.C. at what I used to call the super secret C.I.A. training facility called “The Farm”. Uh, now it’s on Google Maps and, uh [Crowd laughter], uh, two years in India, two years in Pakistan, two years in New York City, a year and a half in Afghanistan where I managed all of our undercover operations. So I was the dude in the back alleys at 4 o'clock in the morning collecting, uhm, intelligence on threats to our homeland and I also had to brief members of Congress. Had I met a guy like Jim, I probably would have stayed in the C.I.A. Uhm, I unfortunately had not been exposed to Jim and Mike McCaul and Ted Lieu from California, uh, folks that really understand the issues that they’re talking about and so I was frustrated with the caliber of our elected officials and so I ran for Congress in 2010 and I lost. [cheers and laughter] uhm, why does that always get a jok- get a laugh? I-I-I still don’t understand that. Uhm, and-and I lost a runoff by 700 votes. And that’s not a lot of votes and it’s even worse after you’ve been to the grocery store for the 2 months afterwards and people came up to you and say “How’s the campaign?” and [crowd laughter] uhm, like I lost and they’re like oh, shucks we forgot to-to vote, yah know? [crowd laughter] I literally ran into 740 people uh, [Crowd laughter] like that. Uhm, but it gave me an opportunity to-to work for a company called Crumpton Group, uh, Boutique Consulting Firm, and I helped Matt Devost with and build FusionX and so if you don’t like anything that I do, see Matt Devost, uhm, he- everything I’ve learned in this-about this industry I've learned from-I've learned from Devost.
And he’s a he’s-he’s-he’s been a good friend and so understanding penetration testing, technical vulnerability assessment, things like that, understanding the talent that’s outside of the government, uhm, understanding the threat that individuals in companies are-are faced, it was a great experience and to be able to leverage that when I got in Congress. And so, in ’14 I ran again uh, no- everybody thought I was crazy, uh, nobody thought the black dude would win in a Hispanic district alright, I represent a 71 percent Hispanic district and it’s been an opportunity to work on issues like cybersecurity. And that means in Washington D.C. that actually means information sharing, uhm, we should have passed a Cybersecurity Act of 2015, 10 years ago? But we finally-we finally got something done. Uh, we look-we focus on privacy and you I said yesterday I don’t know which crypto war we’re on right now uhm, but we should be strengthening encryption not weakening it. Uhm, [Crowd cheers and applause] Our civil liberties are not burdens, they are the things that make our country great. And we, [crowd applause] we-we can chase bad guys, we can defend our digital infrastructure, and we can protect our civil liberties all at the same time. It’s hard. And one of the things that I have to- that Jim and I have to do when we educate our colleagues is to let them know that uhm, guess that there is really no such thing as an impenetrable device yah know? Come out to Def Con if you don’t believe us [light laughter] and-and so we have to get to a point where we can do security and protect privacy at the same time. And these conversations will go back and forth right, this is-ther-this is always the topic of back doors and encryption is always going to be out there and you’re going to have to continue to-to-to fight those-fight that back and having the support of folks like ya’ll is-is really important to do that and I will say everybody knows now what OPM stands for.
>>Oh, yeah [crowd laughter]

>>right, uh, as-as Lindsey Graham says, mucho bad [light laughter] ya know, uhm, it’s-it's, that brought a consciousness to this issue that everybody understands the importance of protecting our digital infrastructure and our colleagues understand that but they don't always necessarily understand the nuance and that’s why we try to educate, that’s why having ya’ll is important ya know, many of our colleagues uhm, think that direct messaging on Twitter is the dark web, ya know, uhm, [crowd laughter] it’s like well no, it’s a little more complicated than that uhm, but there’s-there is a-there’s an interest in understanding that topic and so I always get nervous when someone says oh, I’m an expert on anything let alone cybersecurity especially being in a room with folks like ya’ll but coming out here helps ya know, prevent our knowledge base from getting stale so I appreciate, ya’ll have been, everybody has been super nice to both of us uh, I think everybody was a little worried that we might have gotten attacked or something when we got here, uhm, but it really is-it really- ya’ll, ya’ll have opened- have welcomed us with open arms and your willingness to help us understand the big issues and the small issues and I’m looking forward to talking about some of those big strategy things that we have to get right before we’re able to do some of the-some of the small things, so, Thank you all. [Crowd applause]

>>Alright, your friendly reminder. I put out a Twitter poll, it’s got probably 20 minutes left, maybe 10, uh, on which topics I should prioritize amongst Mirai botnets, WannaCry hitting hospitals, power impacts, or Wassenaar export controls that may affect our ability to do our jobs, uh, internationally. So please vote, I’m gonna keep an eye on it for one of our last questions. So, uh, yesterday we had a pretty full line up.
These guys are-are-are very robust in their ability to take in information, we-we had a lot of briefings yesterday, we took them on a walking tour of many of the villages downstairs, we saw what, hack- auto hacking village, lock pick village, IOT, Industrial Control, the voting machine hacking.

>>Roots.

>>The Kids Roots Hackers

>>Yeah

>> So, uhm, you know, I know you’re both pretty savvy on cybersecurity but what was a, what really stood out, what was your biggest surprise, and what kinda things might you be able to act upon when you get back to D.C. if you wanna continue this cooperation?

>>Uhm, what was I- the things that I was surprised by is the voting machines and the fact that all 24 got dismantled in less than 6 hours. That is- That is a huge problem. We have to ensure that the American people can trust their vote tabulating process. And now, the machine is just one step in that process, but I think that the work that has been done out here is important in educating the secretaries of state, uhm, all across the country as well as the election administrators, the people who are tasked with doing this and a lot of times ya know, I have a county that’s the second least populated county in the United States of America. 95 people in the entire county. I've met 72 of them. Uhm, and-and they don’t have a cybersecurity professional to help them, ya know, manage that process and so figuring out how, uhm, the states and these election commissioners-uh, election administrators are-are-understand the risk and vulnerabilities is important. So that was important. Uhm, things that we can take away, I’m interested in doing a hearing on uhm, the 5 points.
Uhm, the 5 points when it comes to-when it comes to connected cars uhm, it is it is an area that I think we have to have a little more conversation around because I want to ensure that we don’t create an overly burdensome regulatory environment around some of these issues and I think connected cars is the subsection of IOT that most members can get their heads around uh, but it’s such a-a-a broader conversation and how do we prevent, I don’t want the government to get in the way. I want the government to be able to facilitate and to allow entrepreneurship to grow but we all know we have to bake in security. Let’s not make the same mistakes that we’ve made in the creation of the internet, let’s not make those same mistakes when it comes to-when it comes to IOT. Uhm, and those are-and look-learning about TLS 1.3 and ya’lls opinion on that, and ya’lls opinion on what is the future of Quantum Computing and the ya know how quickly is that going to get here on some kind of commercial scale and how do you defend against quantum computing. These-these conversations are going to lead, uhm, me to hold hearings on many of these topics through the subcommittee that I chair.

>>Excellent, Thank you.

>>So the thing that surprised me the most, uhm, so uhm, when I -well ya know many of you have seen me riding around, and I use an iBOT wheelchair to get around and I can pop it up on two wheels, same inventor as the Segway scooter, Dean Kamen, brilliant uh, inventor, uh, The thing that surprised me the most is that when I went into the car hacking room, that someone didn’t find a way to hack into my system and start driving me around [crowd laughter] I did wonder if it was going to happen and it actually it’s a sophisticated piece of technology and I uh don’t pretend to understand all the magic but I do know it has 6 gyroscopes that keep it balanced and uh, I did put it down on four wheels just in case [laughter] so but a-

>> He’s here for 4 more hours by the way.
[crowd laughter]

>>So, uhm, so that was the thing that surprised me the most that didn’t happen but uh, that’s a good thing. Uhm, but a, I have to say that, I too was a-a-a-a surprised, and though not shocked by the election voting systems and apparently how easily those systems could be compromised and hacked uh, I-I knew that they were- that the electronic voting systems are uh, potentially vulnerable and I’ve heard the reports, how easy it was though was-was an eye opener. So I was a former secretary of state as well and before that I served for 6 years in Rhode Island General Assembly as well as a state rep and I actually chaired a special legislative commission on purchasing new voting equipment. And the one thing, although I love technology, and I was impressed by the DRE equipment the touch screen back then at the time. I could never get past the fear or the concern that ya know, what happened if everything went south and the data was lost. How do you ever recreate that election? Or prove t-t-to verify how people voted is actually how th-th-the vote turned out. And uh, so we consequently wound up recommending to this- to the legislature to the governor at the time, that when we choose the voting equipment that it should be optical scan so you can have the best of the old and the new technology but you have to have the paper ballot as the ultimate audit trail. Uhm, so that’s what we wound up doing and I was able to uhm, to get new optical scan voting equipment for the state when I became secretary of state. But to see- go in the room and talk to the professors and the-the researchers who set up the room and who set up the a the challenge and to hear how easily the systems were compromised was-was certainly disturbing and an eye opener and certainly gives me pause as we go back to D.C. now and a- and and I’m part of a task force to look at a-at elections and this is certainly going to be a primary topic of conversation.
The other thing I’ll just say and finally, the one thing that really impressed me, is how the uh, the hacker community wants to be proactive yet both identify and closing vulnerabilities in our cyber ecosystem. So I look forward to those-growing those opportunities and-and making sure that we have a way to have a vulnerability disclosure process at each of the government agencies, I think that’s somet-it’s long overdue and that’s something that I hope to work with you all on.

>>On the-[crowd applause] On that last point, Jim, and I want to add I-I-I told this story yesterday, some reporter asked me “you know, are you out here to get these hackers civically engaged?” And I was like what are you talking about? They already are. Right and-and the feedback and what you all do for society is incredibly important and we gotta make sure we can continue to build upon-upon that relationship, so, and I think we want to try to come back as often as we can and we’d like to see ya’ll up in D.C. as well. [crowd applause]

>>So I knew, yesterday, we had them, uhm, in a small room for 2 hours of completely unvetted questions and exchanges. It was amazing, it was magical, I wish we had 2 hours now uh, we’re at about the T-minus 15 minutes mark. Uhm, really quickly, what’s an example-we want examples of uh positive and negative or effective proactive or reactive forms of engagement for the hacker community. And uhm, I-I remember over lunch you were talking about a good example of the risk of Wassenaar. Can you quickly explain an example how hackers helped you do your job and preserve US interest?
>>Sure, So, this is something that I-I tackled pretty aggressively with my team once we became aware of the problem and again it was the a the research community the tech community that came to me and-and-and made us aware of what was ya know, I'm sure done with good intentions, missed the mark uh, Wassenaar, trying to use a cold war legacy agreement to prevent uh, dual use technologies from falling into the-into the wrong hands when you try to uhh, apply that to software and to uh- prevention of uh, transfer intrusion control software, but it missed the mark. It didn’t work and here you had the a Department of Commerce that was charged with promulgating the rules and regulations on how this was going to work uh, during the comment period, but the research community really stepped up, the tech community really stepped up, and made robust comments and I can tell you I took those comments and these challenges and stuff that you brought to me and with 124 of my colleagues was able to organize a letter again to the Obama administration to really ask them to change course on the addition of these controls that a- and now we’re making sole progress on getting those controls clarified. But it wouldn’t have happened without the engagement of the of the-a of the technology community and I just wanna underscore, uh, never underestimate the value that you bring to the table in advising policy makers about what’s going to work and what’s not going to work or what we need to do to change course to-to-to close vulnerabilities. There are 435 members of Congress. The House. 100 members of the United States Senate. We all have varied interests, we all have things we per se specialize in. And you have a small group of us, uh, myself, and Will, Mike McCaul, uhm, Dutch Ruppersberger, uhm, you have Mac Thornberry, and uh, a couple others here that really get cyber and and we’ve made it primary focus of what we do.
And then you’ve got the next level down of members who recognize it’s important but it’s not maybe per se their thing but they want to know more about it and they wanna be up to speed on it. And they got a few- they have a significant number that it’s not their thing- maybe it’s never going to be their thing, but they still need good advice and people coming forward to advise them and their staff. So I just wanted to close by saying never underestimate the value you can bring to the table, in helping to educate members and staff about what the best policies are and what’s going to work and what’s not going to work and again, never assume that we’re-that we know all the thousands of bills that are introduced in Congress each year, it’s not possible. So if you hear something or you become aware of a bill or idea that you think we need to know about, be proactive about it. And engage. And I just- in closing I just ask you just rhetorically, you know, how many of you have ever made an appointment with your member of Congress or their staff, or written an email, or made a phone call? Ya know, I would just ask you to be proactive because you can make an impact and we want you to be engaged. Thank you. [Crowd applause]

>>An important point in that story as well is the process around this worked. The feedback that Commerce was getting instigated some congressional hearings and one of your own, ended up going into the negotiating room in-in Europe to-to try to fix this multilateral agreement. And so I think this is a-a-a great example of how the right engagement of really smart people fix a problem. Now, we’re not completely there yet, because we haven’t signed the new agreement, but I think we’re going to try and sort that out in-in December so it’s an example of how the wheels of the process worked.

>>Yeah, and let’s hear it for Katie Moussouris because she was the one that really help- [applause and cheering from crowd]

>>Thanks Katie, Yeah

>>Thank you Katie.

>>Katie Mo!
>>So- So Katie, I want a picture when you walk in with all these stuffy diplomats and your pink hair. Yah know, and-and make sure you get that picture next time. [faint laughing]

>>Alright, now that wasn’t a- yah know Keren Elazari already says that hackers are the immune system of the internet right, we’re the a- so we flock to the dangerous threat to the way we do our jobs and security in this particular case but in some of these we want to get in front of them uh, so our part we- it looks like the Twitter poll was a pretty tight race here, uhm, the winner was concerns of our a power utilities infrastructures so in the US and other countries these are designated critical infrastructure that are very, very important but are often privately owned and operated and often quite exposed. Uhm, it’s a pretty close vote with also Mirai’s effect on taking out the internet for a day. These low cost, low hygiene devices, there’s so many of them now with the internet of everything. Uhm, and then also the WannaCry type hospital outages where it’s just too easy for these things. We tend to summarize these things at the Atlantic Council that our overdependence on undependable things is exposing us to accidents and adversaries. Uh, that could be a national security level event. Uh, instead of us flocking to maybe go, you know, stop bad Wassenaar, what are the appropriate mechanisms or most effective mechanisms for us to proactively engage with members, with their staffs, with committees? It’s a bit of a confusing and nebulous thing for us if you could give us some succinct advice of where to get started or what’s worked to date for us bringing topics so we don’t wait for hospital outages?

>>Sure, I would go back to what I touched on just a few minutes ago. Don’t wait ’til something comes to your attention to start engaging with your members of Congress and staff. Introduce yourselves ahead of time, get to know them, let them get to know you. And develop a rapport.
Develop a-open up a dialogue so that you know, you’ve already established that rapport, that trust if you will and so when something, you know, comes to your attention that is serious and needs to get their attention right away you already have a point of contact. You don’t have to go searching for who that person is.

>>On many of these issues that you just went through, there is a lack of a proper strategy on how to deal with it. And so, let’s start with- let’s start with doing something to industrial controls within the utility routes. So what is it, 3 years ago, 2 years ago, this was no longer a philosophical exercise. The Russians did it in the Ukraine. If you look at the UN, the UN says there's certain things that are an act of war. It is foolin with somebody’s grid. Is an act of war according to the UN. What was the response to the Russians when they did that? Nothing. The sanctions that were put in and the sanctions that we just strengthened, uhm, in the House, this week, was not because of that. And so if you don’t articulate what a response will be to a certain redline, uhm, that’s a form of a deterrent. And so-so what should an actual response be in-in that-in that case and there’s all kinds of conversations around it but there is not an accepted policy at the NSC that would ultimately drive this. Now, folks in Congress, we could be shining light on this and talk through these issues. It’s the Homeland Security committee, which we’re on, it’s the oversight government reform committee, where I chair a subcommittee there. It’s energy and commerce and it’s also, uhm, science and technology. Right, but Homeland and OGR are 2 of the ones that do the bulk of some of this of some of this work and so it's important to educate us, the individual members of Congress, but we also need y’all sitting down with some of the staff that populate these committees. Sitting down with GAO.
GAO is-is basically the inspector general of the entire government, and then every department has IGs as well, but these are the folks that are looking at kind of the holes in policy, the holes in-in tactics, techniques and procedures when it comes to defending a digital infrastructure uhm, so-so that we-we-we need to help-we need to be talking about what’s the strategies so then we can start talking about the tactics and how we- how we should be- who should be responding to what. And this is another problem when it comes with-comes along with disinformation. The Russians are trying to erode trust in our institutions. Period. End of story. And how do we deal we do not have a counter covert influence strategy. And many of y’all in this room can help and have dealt and have operated in some of these communities that we could be leveraging intelligence from and talking about so we don’t have a strategy there. So that’s something that I'm concerned with. Cause guess what we’re going to see this in 2018. And it’s not just the Russians. We know other nation states have tried to do this and based on what was demonstrated in the last 48 hours, we have to tighten up some of these voting machines as well. So, all of this stuff is connected and-and nobody has the right answer but talking to folks that live and breathe this is important. And so, committee staff’s important, the legislative direc- wherever y'all live, your member of Congress you should know the district director, uhm, you should know the legislative director for your member, those are 2 people that drive the policies of those offices.

>>And who on their staff is the point person that deals with the research community issues in particularly. I just want to say something else if I could just to underscore what Will had said. What the Russians did was outrageous, it was wrong and they are going to keep doing it.
Particularly if they’re not hit hard enough, if they don’t get strong enough sanctions or the message isn’t sent clear enough that we’re not going to tolerate that kind of interference or undermining our- our- of the pillars of our democracy. And we have to look at this holistically and say that as a nation state we have a whole sweep of options that we can draw from to-to retaliate to make the point that we’re not going to uh accept that kind of interference with our elections and we need to make it very clear from here forward.

>>Alright we’re reaching the end here, um, boy I wish we had 3 hours for this. Um so, as we face these challenges they’re not going to slow down. I think while we were here one of the victims from Petya was Merck in the pharmaceutical industry admitted that it had a material impact on the production of several of their drugs. This is designated critical infrastructure. Unrestrained cyber ammunitions got outside its intended target and affected US critical infrastructure. These are the types of companies that make our pandemic vaccines and shots in case we have a national emergency. So, as I look across this room I see a lot of raw talent. And I know in general we loathe to regulate, we loathe to work with government, we uh, in general like the come as you are, do as you please type guys. I know a lot of the things we see come on the news or around the hill might have some rough edges. As things get very, very real, and as the consequences of failure get very, very high, I really encourage you to see that they’re outreaching a hand and trying. And when they publish something or they ask a question look for what’s right in it and cultivate that. We’re really, really good at finding what’s wrong with something but I think we’re at that stage now where we have to make that outstretched hand and go that extra mile and meet in the middle if we’re going to rise to meet these challenges together.
So I see what we’ve done here maybe as a coal or a little ember a little bit of heat and light. We can either snuff it out or we can foster it and grow it, uh, into a real vibrant collaboration here. Uhm, we have now brought D.C. to Def Con, I'm trying to make it happen so we can bring more of Def Con to D.C. Perhaps we can turn this into a regular thing. Maybe a cyber caucus in the summer here? Maybe a cyber caucus in D.C. around ShmooCon? Just sayin’. [light laughter and applause] When we said 4 years ago the cavalry isn’t coming, it meant it fell to you. It was to be depressed it falls to you. So, if we see something missing in the world, we gotta put it there. I hope this is the start. I respect and admire every single person in this room. I respect and admire our colleagues in D.C. This has got to be the beginning. We’ve been amazing for 25 years. Who are we going to be for the next 25? Thank you. [Crowd applause and cheers]