A mohawked man at DEF CON 19 in 2011. Used under Creative Commons. Dan Tentler / Flickr

A Congressman Goes to DEF CON

Amid the fun and fanfare of the world’s largest hacking conference, the cyber-political battles of the future are taking shape.

LAS VEGAS, Nev. — At some point last weekend, Rep. Will Hurd, R-Texas, woke up, shut off his phone, and made his way through the smoky, noisy, blinking floor of Bally’s Casino to meet with a few of the world’s hacking elite.

Turning off your phone, or at the very least putting it on a secure private network, is a necessity at the annual DEF CON conference.

“It’s wise to consider the public network at DEF CON profoundly hostile! You’ll want to take some precautions,” reads a typical warning sent to the media who cover the event. If your data isn’t locked down, your phone number or email address might wind up on the conference’s public shaming board, the so-called Wall of Sheep — and everywhere else.

Every year, the event draws thousands of attendees who pay in cash so their names don’t appear on rolls anywhere. Many show up in costumes and kilts, and just about everyone seems to have tattoos. Anyone in a suit is wearing it ironically. A fair number of the conference-goers have mohawks, and if you don’t have one when you arrive, you can easily find someone on the conference floor with a set of clippers. Among the more popular activities this year: hacking a Tesla Model S to win $10,000 per bug (sponsored by Tesla). And there’s a perennial favorite, “Spot the Fed.”

DEF CON attracts more than a few colorful characters, such as cybersecurity rockstar, international fugitive, and accused murderer John McAfee. Defense One found McAfee taking pictures with fans, at 1 a.m., on the roof of a strip club. He had spent the early part of the week in a Tennessee jail cell for driving while intoxicated...and armed.

What is Will Hurd, Republican Congressman from Texas, doing here?

“The best way to defend digital networks is to have an attacker’s mentality,” Hurd told Defense One.

Hurd, who spent nearly a decade as an undercover CIA operative in places like Afghanistan, doesn’t freak out easily. And he’s adopted that attacker’s mentality at various points in his life. But more than other members of Congress, he has a few things in common with the crowd at DEF CON. For one thing, he ran a cybersecurity firm for four years. Naturally, he’s made cybersecurity a cornerstone of his legislative efforts.

Most noticeably, he offered three amendments to the National Cybersecurity Protection Advancement Act, or NCPA, of 2015, a bill aimed at giving corporations liability protections to share threat data (possibly related to private user data) to stop cyberattacks. The most significant of Hurd’s amendments dealt with allocating “DHS cybersecurity resources that large firms currently enjoy” to smaller firms, of the sort you might find at conferences like DEF CON. He came away from his conversations at the conference with a sense of “how to strengthen that. Put some meat on those bones,” he said.

His most recent bill, the Einstein Act of 2015, allows the Department of Homeland Security to more widely deploy the Einstein 3A cybersecurity solution, which was used to diagnose the OPM hack. This allows “classified information to act as a first line of defense against cyber espionage,” according to a statement from Hurd’s office. He’s framed the legislation as critical to defending both civilian and military information. “Our adversaries are attempting to steal military secrets and valuable information on a daily, if not hourly basis. It’s bad enough when any person’s private information is stolen and used for identity theft, but imagine the grave impact of the theft of information belonging to those who are tasked with protecting America’s most sensitive information,” he said.

Hurd has broken with GOP leadership on such issues as the importance of secure, end-to-end user encryption, a position that puts him on the side of the hacker community and companies like Google, and opposed to Senate Majority Leader Mitch McConnell, R-Ky., Sen. John McCain, R-Ariz., and FBI Director James Comey.

And he says that sort of independence earned him a warm welcome at the conference.

“Everybody embraced me that was there,” he said. “This community knows that’s where I come from. This is why the conversations on encryption — we should be encouraging the use of encryption, not weakening it. I’m able to have those conversations because of my background.”

It’s also a sign that DEF CON is growing out of its “Spot the Fed” days.

Following his talks with attendees, Hurd said he may schedule hearings to explore moving some data servers holding federal information to new locations outside the United States. “Is there some value from a resiliency perspective in having these things in other places?” he asked.

Not every piece of legislation Hurd has supported is popular among all facets of the hacker and cybersecurity communities. The Electronic Frontier Foundation, which makes a regular appearance at DEF CON, opposes the NCPA, though not as strongly as some other pieces of legislation that would give some companies broader protection from privacy lawsuits when they shared user data with the government. The tension illustrates Hurd’s delicate balancing act ahead as cyber-information sharing legislation makes its slow, circular way toward the president's desk, which many think will happen.

It also foreshadows the information security battles of the future.

The Internet’s next chapter could be far less free, open, and potentially less safe, says Jennifer Granick, an attorney and advocate for the hacker community. Granick, who attended DEF CON, also gave this year’s opening keynote at its rather more corporate sister event, the Black Hat cybersecurity conference here.

In her keynote, Granick warned about current trends in legislation that punish cybersecurity professionals and hackers for attempting to find vulnerabilities in new software and products (or simply learn about how they work). She said they could allow rapid spread of unpredictable software as more and more common physical objects get wired into the Internet of Things. “In the next 20 years, we are going to have all these network devices,” she said. “If we aren’t allowed to study that, we will be surrounded by black boxes we don’t understand.”

Granick also thinks it “necessary” — indeed “inevitable” — to pass laws that affix liability to software makers when their products prove to be insecure. It’s the sort of legislation that some cybersecurity businesses that develop software might oppose.

“So far, we have almost no regulation of software. There have been very few cases, mostly where the vendor has misrepresented to the customers what the software does. But people who are not big into regulation are sick and tired of crappy software and they aren’t going to take it anymore. That feeling is going to be accelerated by the Internet of Things,” she said. “Autonomous cars that crash? Someone is going to sue. Your toaster catches on fire and someone’s going to sue.”

But Granick fired most of her keynote ammunition at legislation, both current and future, that subverts user privacy for national security concerns.

“We have lots of laws, and more being proposed, that will give corporate immunity for helping out the government and giving [consumer] data over, even when there are other laws that say no, this information is private. And, increasingly—particularly in other countries but we’re going to see it here too—data retention obligations where companies are going to be commissioned to be police officers and spies for government,” she said.

In many ways, the recently passed USA Freedom Act, which requires telephone companies to store call records for possible FISA-approved government use, is an excellent example of this coming wave, even though it was broadly supported by many in the privacy community as it was better than the alternative, allowing the collection of bulk metadata by the government to continue.

Greater liability for software makers that create bad software, protection for companies that share user data — any one of these might pit national security professionals, businesses, hackers, and privacy advocates against one another, potentially placing Hurd against people like Granick, both in Washington and in Las Vegas. “Spot the Fed” is not dead.

Maybe they can duke it out at the mohawk booth.