LAS VEGAS — This week's 20th Black Hat USA conference and the 25th DEF CON hackers conference here offer cybersecurity researchers and technologists a chance to exchange notes on their often obscure trade, but they also provide a rare venue for discussion between corporate and government officials on one side and in-the-trenches cyber practitioners on the other.
Black Hat began Saturday with training sessions for cyber pros, and the main program runs Wednesday and Thursday. It's followed immediately by the DEF CON hackers' convention, which runs July 27-30.
Alex Stamos, Facebook's chief security officer, delivers the Black Hat keynote on Wednesday morning, in which he'll address "Stepping Up Our Game: Refocusing the Security Community on Defense and Making Security Work for Everyone."
His speech is likely to hit squarely on the often dangerous developments that have created an urgent need for government officials, lawmakers and Hill staff, corporate leaders, and the independent, innovative and freewheeling cyber research and security community to find ways to work together.
"Our adversaries are no longer motivated only by money, personal data or competitive intelligence, but are now driven to use the critical technologies of our lives to arrest journalists and activists, to suppress democracy and manipulate public opinion," Stamos wrote in a preview of his speech. "In these times, our community has a responsibility to the people of the world that goes beyond traditional facets of information security."
Stamos said his talk "will explore how we can adapt to better confront the obstacles we face as security practitioners. Can we incentivize and celebrate defensive security research in the same way that we applaud the discovery of vulnerabilities? How do we foster intelligent discussion of real-world trade-offs while avoiding sensationalism? We will discuss real situations from the last year where our community could have risen to the occasion, we will analyze what failed, and propose how we can further help protect people."
His speech will kick off two jammed days of briefings at Black Hat, including Department of Justice, Department of Homeland Security and Federal Trade Commission officials, and some of the top researchers and cybersecurity theorists from the private sector.
Sessions will delve into hot-button policy issues such as how researchers should disclose vulnerabilities they discover in the software of major tech companies — without tipping off the bad guys or getting themselves sued — the ongoing controversy over encryption technologies that the FBI and others say they can't crack, and how the security market is responding to cyber challenges.
"It's been great to see the agencies taking on more of a presence at Black Hat and DEF CON, particularly the FTC. They make a real effort to talk with the infosec community," said one source who has been active in cyber issues from perches in both the government and private sector.
Black Hat has changed over 20 years — some of the long-time participants say it has become too corporate and too accommodating of both government and business types.
Others say there has been change, but that this forum continues to play a critical role in bringing together communities that typically know little of one another — even if spurring a government-researcher dialogue isn't the main purpose of Black Hat.
"In the earlier days the executives and the policy makers generally didn't know what to make of this crowd," said Ari Schwartz, a senior cyber official in the Obama White House and before that a leader of the digital rights group Center for Democracy and Technology.
"Until about 7-8 years ago, it was very rare that there were panels of any kind" at the Black Hat conference, Schwartz noted in an email. "There were only talks by one person or one research team. There were a few rare policy panels with government folks. These panels usually packed the room and people asked the government folks very hard questions and they didn't know how to answer. I think this was also true for the corporate executives. But these high profile panels were not (and still are not) the reason most people attend. However, they got a lot of attention because it is rare for these folks to be caught off guard."
Today, Schwartz said, "Black Hat is a much larger conference. When policymakers or executives go, they have a reason to attend and a message that they want to give to that specific crowd. It is pretty rare that they would be caught off-guard the way they were a decade ago. There are also more of these policy sessions, which make them less special."
However, he stressed, "I do not see any of these changes as negative. It is good that policy makers see a need to target messages to security analysts at a wide range of institutions and from varying perspectives. It clearly demonstrates the importance of this field." Schwartz is now managing director for cybersecurity services at Venable.
One longtime participant, Adam Benson, deputy executive director of the Digital Citizens Alliance, a non-profit consumer advocacy group, and a former congressional staffer, said policymakers would derive tremendous value from events like Black Hat.
"I wish more of official Washington, particularly members of Congress and Hill staffers, would go to the conference," Benson said. "They would come away with a better understanding of infosec issues if they had an open dialogue with the attendees at Black Hat. Conversely, lawmakers could build trust with a community that is wary of government agencies. It's important to hear from the infosec community about the challenges they face — including technical, legal, and financial issues."
Benson added, "The cybersecurity hearings on the Hill would be much more interesting if they included testimony from a few more Black Hat attendees."
Schwartz noted that Black Hat has never been primarily a "policy event."
But the definition of what constitutes cyber "policy" is changing rapidly along with virtually every aspect of cyberspace. And insights from the Black Hat community seem to be slowly making their way into the conversation in the nation's capital, where anything that advances the learning curve is truly welcomed.
Charlie Mitchell is editor and cofounder of InsideCybersecurity.com, a premium news service from Inside Washington Publishers. He is author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.