LAS VEGAS — Jeff Moss, founder of the Black Hat cybersecurity conference, said the annual event here provides "a crystal ball" on upcoming information-technology issues, and that may apply to cyber policy too.
As many in the high-tech world seek to stand apart from the traditional business of Washington, the policy "asks" from this diverse community are quite significant in a couple of areas.
The 20th annual Black Hat was held last week at the sprawling Mandalay Bay Resort and Casino, with attendance approaching 20,000, according to organizers.
During the event, the need for better law enforcement tools to fight cybercrime and federal support for programs to train the next generation of cybersecurity professionals were mentioned repeatedly by participants.
"Every place we move to [in technology] creates a seam for bad actors," said Trend Micro's chief security officer, Ed Cabrera, whose company sells IT security services and issues reports on global cyber trends.
"What we're missing is a global strategy to look at cybercrime," he said. "Cyber is just a small subset of our transnational crime strategy — that has to change."
Despite the "rebel" image of Black Hat, one source from the law enforcement community said firms represented at the event — like Rapid7, Mandiant, PriceWaterhouseCoopers and others — help law enforcement with "identifying trends and spotting things."
"They're like the Pinkertons of the cyber age," the source said.
IT professionals here spoke in unison on the need for better cyber education and training programs, and reaching into diverse communities.
Facebook's top security officer, Alex Stamos, emphasized the diversity issue in his keynote speech, pointing to his company's support for the CodePath program offering technical training to underserved communities and efforts to build major cyber programs at "nontraditional" colleges and universities.
Todd Thibodeaux, president and CEO of the tech trade group CompTIA, talked about his group's efforts behind legislation that would create a national IT apprenticeship program that could help fill out the ranks of cybersecurity professionals.
"We hear from customers that they are starving for cybersecurity professionals," said Trend Micro's Kevin Simzer. "It is a massive strain on companies."
But the discussions here also reached into more controversial policy areas.
"You can't ask policy to keep up with the pace of security events," RSA Security's Ben Desjardins said. But he did lament the poor basic cyber hygiene that enabled massive ransomware attacks such as WannaCry.
"When poor hygiene is happening, that could be where policy comes in," he said.
Conference participants frequently raised implementation of the European Union's General Data Protection Regulation as a seminal event that will force cyber policy changes on the United States as well as European companies.
"The GDPR may set in motion efforts by U.S. industries to get ahead," Desjardins said, calling the rule, which takes effect in May, "a good first step."
The regulation will require companies to take stock of the personally identifiable information they are holding and who has access to that data, as well as requiring a process for consumers to edit or remove their data from companies' possession.
U.S. industry groups have opposed the mandates in the rule. But trade associations representing various industries and vendors of security products aren't necessarily on the same page when it comes to such rules.
Desjardins said, "GDPR is an initiative to implement best practices. This kind of regulation plays an important part in making sure companies are responsible."
At the same time, Brian Vecci, technical evangelist for the security firm Varonis, said "[U.S.] corporate efforts are way ahead of the GDPR, but I expect something like this will be applied in Canada and then the U.S. over the next 10-15 years. The only 'policy piece' missing in the U.S. is a mandate to do it, and we don't even need that anymore."
Speaking of data, conference goers said they are closely watching the Apple-FBI struggle over access to encrypted data on consumer devices.
Facebook's Stamos urged civility as the tech community pushes back against any requests, or demands, for "back doors" into devices or other mandates. He suggested that the tech community went overboard with anti-FBI rhetoric in the battle last year over encryption.
"Have empathy for those on the other side and consider solutions that are not back doors," he urged the audience. Stamos later told reporters that he was not proposing any specific solution to this debate.
Black Hat founder Moss, while agreeing on the need for civility, suggested there was not a middle-ground solution to be found in the encryption debate.
And Moss raised perhaps the biggest policy "ask" to come out of the week in Vegas: the possibility of revisiting the liability exception long enjoyed by software makers.
"Why is software the only industry with no liability?" Moss asked. "When you install software you sign something absolving them of liability — and that served the software industry well for three decades. But I'm not sure it will for much longer."
Legislation "defining expectations for entities holding data would be helpful," Moss added. "Our whole economy is digital, we need to lay down the rules of the road. These are unanswered policy questions that must be resolved."
Black Hat provided a vibrant forum for discussing these policy issues — particularly among some members of the tech community who rarely if ever venture into the cyber policy space.
Next up is whether these views work their way into the policy dialogue in the nation's capital.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.