A mohawked man at DEF CON 19 in 2011. Used under Creative Commons. Dan Tentler / Flickr

A Congressman Goes to DEF CON

Amid the fun and fanfare of the world’s largest hacking conference, the cyber-political battles of the future are taking shape.

LAS VEGAS, Nev. — At some point last weekend, Rep. Will Hurd, R-Texas, woke up, shut off his phone, and made his way through the smoky, noisy, blinking floor of Bally’s Casino to meet with a few of the world’s hacking elite.

Turning off your phone, or at the very least putting it on a secure private network, is a necessity at the annual DEF CON conference.

“It’s wise to consider the public network at DEF CON profoundly hostile! You’ll want to take some precautions,” reads a typical warning sent to the media who cover the event. If your data isn’t locked down, your phone number or email address might wind up on the conference’s public shaming board, the so-called Wall of Sheep — and everywhere else.

Every year, the event draws thousands of attendees who pay in cash so their names don’t appear on rolls anywhere. Many show up in costumes and kilts, and just about everyone seems to have tattoos. Anyone in a suit is wearing it ironically. A fair number of the conference-goers have mohawks, and if you don’t have one when you arrive, you can easily find someone on the conference floor with a set of clippers. Among the more popular activities this year: hacking a Tesla Model S to win $10,000 per bug (sponsored by Tesla). And there’s a perennial favorite, “Spot the Fed.”

DEF CON attracts more than a few colorful characters, such as cybersecurity rockstar, international fugitive, and accused murderer John McAfee. Defense One found McAfee taking pictures with fans, at 1 a.m., on the roof of a strip club. He had spent the early part of the week in a Tennessee jail cell for driving while intoxicated...and armed.

What is Will Hurd, Republican Congressman from Texas, doing here?

“The best way to defend digital networks is to have an attacker’s mentality,” Hurd told Defense One.

Hurd, who spent nearly a decade as an undercover CIA operative in places like Afghanistan, doesn’t freak out easily. And he’s adopted that attacker’s mentality at various points in his life. But more than other members of Congress, he has a few things in common with the crowd at DEF CON. For one thing, he ran a cybersecurity firm for four years. Naturally, he’s made cybersecurity a cornerstone of his legislative efforts.

Most noticeably, he offered three amendments to the National Cybersecurity Protection Advancement Act, or NCPA, of 2015, a bill aimed at giving corporations liability protections to share threat data (possibly related to private user data) to stop cyberattacks. The most significant of Hurd’s amendments dealt with allocating “DHS cybersecurity resources that large firms currently enjoy” to smaller firms, of the sort you might find at conferences like DEF CON. He came away from his conversations at the conference with a sense of “how to strengthen that. Put some meat on those bones,” he said.

His most recent bill, the Einstein Act of 2015, allows the Department of Homeland Security to more widely deploy the Einstein 3A cybersecurity solution, which was used to diagnose the OPM hack. This allows “classified information to act as a first line of defense against cyber espionage,” according to a statement from Hurd’s office. He’s framed the legislation as critical to defending both civilian and military information. “Our adversaries are attempting to steal military secrets and valuable information on a daily, if not hourly basis. It’s bad enough when any person’s private information is stolen and used for identity theft, but imagine the grave impact of the theft of information belonging to those who are tasked with protecting America’s most sensitive information,” he said.

Hurd has broken with GOP leadership on such issues as the importance of secure, end-to-end user encryption, a position that puts him on the side of the hacker community and companies like Google, and opposed to Senate Majority Leader Mitch McConnell, R-Ky., Sen. John McCain, R-Ariz., and FBI Director James Comey.

And he says that sort of independence earned him a warm welcome at the conference.

“Everybody embraced me that was there,” he said. “This community knows that’s where I come from. This is why the conversations on encryption — we should be encouraging the use of encryption, not weakening it. I’m able to have those conversations because of my background.”

It’s also a sign that DEF CON is growing out of its “Spot the Fed” days.

Following his talks with attendees, Hurd said he may schedule hearings to explore moving some data servers holding federal information to new locations outside the United States. “Is there some value from a resiliency perspective in having these things in other places?” he asked.

Not every piece of legislation Hurd has supported is popular among all facets of the hacker and cybersecurity communities. The Electronic Frontier Foundation, which makes a regular appearance at DEF CON, opposes the NCPA, though not as strongly as some other pieces of legislation that would give some companies broader protection from privacy lawsuits when they shared user data with the government. The tension illustrates Hurd’s delicate balancing act ahead as cyber-information sharing legislation makes its slow, circular way toward the president's desk, which many think will happen.

It also foreshadows the information security battles of the future.

The Internet’s next chapter could be far less free, open, and potentially less safe, says Jennifer Granick, an attorney and advocate for the hacker community. Granick, who attended DEF CON, also gave this year’s opening keynote at its rather more corporate sister event, the Black Hat cybersecurity conference here.

In her keynote, Granick warned about current trends in legislation that punish cybersecurity professionals and hackers for attempting to find vulnerabilities in new software and products (or simply learn about how they work). She said they could allow rapid spread of unpredictable software as more and more common physical objects get wired into the Internet of Things. “In the next 20 years, we are going to have all these network devices,” she said. “If we aren’t allowed to study that, we will be surrounded by black boxes we don’t understand.”

Granick also thinks it “necessary” — indeed “inevitable” — to pass laws that affix liability to software makers when their products prove to be insecure. It’s the sort of legislation that some cybersecurity businesses that develop software might oppose.

“So far, we have almost no regulation of software. There have been very few cases, mostly where the vendor has misrepresented to the customers what the software does. But people who are not big into regulation are sick and tired of crappy software and they aren’t going to take it anymore. That feeling is going to be accelerated by the Internet of Things,” she said. “Autonomous cars that crash? Someone is going to sue. Your toaster catches on fire and someone’s going to sue.”

But Granick fired most of her keynote ammunition at legislation, both current and future, that subverts user privacy for national security concerns.

“We have lots of laws, and more being proposed, that will give corporate immunity for helping out the government and giving [consumer] data over, even when there are other laws that say no, this information is private. And, increasingly—particularly in other countries but we’re going to see it here too—data retention obligations where companies are going to be commissioned to be police officers and spies for government,” she said.

In many ways, the recently passed USA Freedom Act, which requires telephone companies to store call records for possible FISA-approved government use, is an excellent example of this coming wave, even though it was broadly supported by many in the privacy community as it was better than the alternative, allowing the collection of bulk metadata by the government to continue.

Greater liability for software makers that create bad software, protection for companies that share user data — any one of these might pit national security professionals, businesses, hackers, and privacy advocates against one another, potentially placing Hurd against people like Granick, both in Washington and in Las Vegas. “Spot the Fed” is not dead.

Maybe they can duke it out at the mohawk booth.
