Reema Moussa 0:00 From the Internet Law & Policy Foundry, this is the Tech Policy Grind podcast. Every week, our fellows chat with leaders in the technology and internet law and policy space on recent developments and exciting topics such as privacy, internet governance, cybersecurity, tech legislation, and more. I'm your host, Reema Moussa, and I'm a member of the fourth cohort of Foundry Fellows. The Foundry is a collaborative organization for internet law and policy professionals who are passionate about disruptive innovation. This summer marked an interesting time in the cybersecurity world. In the wake of increasingly severe cyber attacks, new regulatory regimes, and an era that feels more unsettled and chaotic every day, cybersecurity has never been more crucial to protecting the world's digital citizens. This summer has also been a time for conversation. The return of many conferences and events to an in-person format has been a bright light for many in the security world. RSA Conference or RSAC is one of the biggest cybersecurity conferences in the world, and hasn't been held in person since February 2020. It was held in June this year. DEF CON is considered one of the world's original and also largest security conferences and just marked its 30th iteration. Taking place in mid-August, DEF CON also coincides with Black Hat, BSides Las Vegas, the Cybersecurity Woman of the Year awards, and the Diana Initiative, all additional security conferences with various focuses in the world of cybersecurity, and all in Vegas. So, essentially, the nerds take over Las Vegas. It's a fun time. So the ILPF fellows hit the road to get involved. I went to RSAC in San Francisco in June and ILPF Fellow and Director of Operations Grant Versfeld attended DEF CON just a few weeks ago. We chatted with some conference attendees to get their take on the key question, what happens at these conferences? And what's the current state of cybersecurity? So what's your name?
Weijia Yan 2:33 My name is Weijia Yan.
Reema Moussa 2:35 How's it going? Is this your first time here at RSAC?
Weijia Yan 2:39 Yeah, this is my first time at RSAC in person. I previously attended the virtual version. So it's really totally different experience. I'm happy to be attending it in person seeing what the conference has to offer.
Reema Moussa 2:55 Yeah. And what's been the biggest difference between the virtual event and being here in person?
Weijia Yan 3:01 Yeah, that's a great question. So I think the biggest difference for me is just to see live people like walking around. I didn't know there will be so many, like people just in the conference and gathering together from different countries, also, vendors from different countries, and like, how big it is, was just really, like it just really surprised me.
Reema Moussa 3:27 Yeah, absolutely. It is such an international audience here. Something that I've noticed. And maybe it's because of the different iterations of the conference that happened internationally. Like I think there's a, an Asia Pacific one and potentially a European version as well. But yeah, it's definitely really fascinating. So what has been a highlight of the conference for you so far?
Weijia Yan 3:55 I think it's just getting together with friends, friends from the community, friends from my institutions, getting being able to meet a lot of just great people in the industry, those who have contributed great work to InfoSec. I'm just really humbled and happy and glad to meet a lot of those people in the conference.
Reema Moussa 4:20 That's awesome. And so is there any big takeaway or thing that you've learned from any of the sessions that you've attended, or panels or people that you've been able to talk to any interesting things going on within the field that you've learned?
Weijia Yan 4:36 Absolutely. So, so for me, I think the biggest takeaway is, so I attended a CSO panel.
Being in this industry like becoming a CSO and a long term and 20 next 20-30 years would be I think, would be one of my biggest goals. And listening to them talk one of the biggest advice I took away for me is in this industry if you want to be a leader for, for minority women like myself, I have to be bold and speak up. This is the biggest takeaway I have with me. And I hope to take this continue to be be bold and speak up to voice out my own in, I guess in the community.
Reema Moussa 5:27 Yeah, yeah, no, I think that is so great. And such an important change that we're seeing within the industry, even though it's happening, you know, slowly, it's slowly but surely, there's such a need for diversity in cyber.
Weijia Yan 5:45 Absolutely.
Reema Moussa 5:46 Just for better cybersecurity infrastructure and strategy. To have that diversity of perspectives and opinions. And I think, you know, overcoming the imposter syndrome that I know, at least I feel constantly, is so important. And so I love that that's been a takeaway from you is that boldness and, and, you know, being unafraid to share your opinions on and your perspective on what, you know, emerging cyber threats are within the landscape. And especially taking that to the leadership level. So what are your next goals for the next few years as you look ahead as a young woman in cyber, you know, attending these conferences, such a great learning experience, what are you hoping to do next?
Weijia Yan 6:44 Yeah. And I think I, I've been going to conferences, in the past year, met a lot of great people had amazing experiences. And I hope to just continue going to conferences, continue to learn from industry leaders, from people who did great work to the community and from my peers every day. And I just hope to keep grow, growing and, growing and keep learning. And I hope to find, find my place in InfoSec.
Grant Versfeld 9:19 Hello, Tech Policy Grind. My name is Grant and I'm excited to join the podcast today.
I headed to Vegas a few weeks ago for my first DEF CON to learn more about cutting edge security threats from the many experts who attend that conference. I was particularly excited to make it to DEF CON's policy department, which was new this year to chat with both panelists and attendees about the increasingly prevalent influence of policy on both offensive and defensive security work. What is your name?
Emma Plankey 9:55 My name's Emma.
Grant Versfeld 9:57 And what do you do, Emma?
Emma Plankey 9:58 I am a law student. But I used to be a cybersecurity researcher on the technical side.
Grant Versfeld 10:05 Awesome. So what have you learned today so far here at DEF CON?
Emma Plankey 10:09 Well, I just attended a panel on the CFAA and the DMCA and recent changes to the interpretation of those laws in the past couple of years. And that was really cool. I learned that there is a good faith exception to security research. So basically, the laws that apply to hacking will take into account more context when determining whether or not to prosecute security researchers who hack as part of what they do, and that's super cool.
Grant Versfeld 10:43 I agree. That sounds pretty awesome. Is this your first time at DEF CON? Have you been here before?
Emma Plankey 10:48 Yeah, I went for the first time in 2019. But since the pandemic, this is my first time coming back, and the theme this year is "Homecoming" so it's pretty fitting.
Grant Versfeld 10:58 Wonderful. What's been the highlight of your experience at DEF CON so far?
Emma Plankey 11:02 As someone who recently left the technical side of the industry, it's been really nice to come back, see folks that I haven't worked with in a second, and to feel welcomed back by this part of the community as well, despite my departure to the legal side of things.
Grant Versfeld 11:20 Gotcha. So you spoke earlier about the talk you saw regarding DMCA and copyright. In your opinion, are those some of the biggest issues on the horizon?
Or are there bigger issues that practitioners in cyber should be caring about? What do you think is coming next?
Emma Plankey 11:35 So I think the question has to be couched as: "the biggest issues for whom?" Because different entities have so many different equities at stake when it comes to cybersecurity. So one really big issue right now, is the sort of privacy laws that apply to things like web searches or web chats for individuals who are seeking abortion in states where that is now criminalized. That's recently come to light where a warrant was served to Meta slash Facebook wherein a 17-year-old girl's chats were turned over to law enforcement as part of an investigation and prosecution against her for getting an outlawed abortion. So I think that that's a huge issue. But there are also huge issues in the national security space. If you're a corporation, there are huge issues in the regulatory space. So it depends on who you're asking.
Grant Versfeld 12:40 I see. Do you have any advice as someone who's currently making the jump from the technical side to the policy and legal world? For people who are also interested in that transition?
Emma Plankey 12:50 Oh, that's a good question. I would say try and seek out people who've done it and get as much information as you can. If you're considering law school, especially because it's a huge financial commitment. And that's difficult to navigate, especially for folks from disadvantaged backgrounds. So think through how you're going to handle a big debt burden. But also don't be discouraged by that. There's nothing but opportunities in this space, both on the firm side, the government side, the public interest side. And I think as tech literacy increase increases in the US, which you know, fingers crossed, it will, that's only going to be more so the case over time, we need people who know both the technical side and the legal side of these issues.
Grant Versfeld 13:37 I completely agree and that's some great advice.
Thanks so much, Emma. Enjoy the rest of the conference.
Emma Plankey 13:42 Thanks, Grant, you too.
Reema Moussa 13:46 We'll be right back. The Internet Law and Policy Foundry's 2022 Policy Hackathon is the Foundry's third policy hackathon happening this October 14th through 16th. The Policy Hackathon is a three-day event that brings together creative technical and policy professionals from around the world to tackle emerging and long-standing problems related to the intersection of law, policy and technology. The theme of this year's Hackathon is: Privacy, Trust and Safety in the Metaverse. Additionally, the Foundry is holding a writing competition, and a series of virtual events about all things Metaverse. For more information about the Hackathon, the writing competition, and other Hackathon related events, you can visit the Foundry's website ILPfoundry.us, or our social media pages.
Grant Versfeld 14:48 All right, thanks for chatting with us today. What is your name?
Mike Sexton 14:51 Hey, my name is Mike Sexton.
Grant Versfeld 14:53 Awesome and what do you do, Mike?
Mike Sexton 14:55 I'm a Senior Policy Advisor at a think tank called Third Way so I am out the point man on cyber on their national security program.
Grant Versfeld 15:03 Very cool. How's it going so far at DEF CON, what have you learned today or through the conference that you've enjoyed?
Mike Sexton 15:09 It's great. I really love it. You know, I came to Black Hat and to RSA before this, and, you know, I, in my mind, I have a distinction between a conference, which is like serious, it's work, it's not fun, and a convention, something like ComicCon that is really just something fun you're doing on your weekend. And Black Hat somehow simultaneously manages to feel like a convention that is fun and entertaining but also a conference where you know, I'm learning a lot and I'm connecting with some really intriguing people.
Grant Versfeld 15:42 Absolutely.
Here we are on Sunday, even seeing these really cool policy discussions. So glad to hear that. And you said this is your first time here at DEF CON?
Mike Sexton 15:49 Yep.
Grant Versfeld 15:49 But you've been to other conferences previously?
Mike Sexton 15:52 Yeah. So I mean, this is really my first time being able to make the rounds to the Big Three: RSA, DEF CON, and Black Hat. So yeah, I mean, it's been it's been really exciting. Little stressful. I'm not gonna lie. But you know, you adjust.
Grant Versfeld 16:06 Sure. And what what's been the highlight so far any favorite talks or events that you've been to?
Mike Sexton 16:10 Yeah, I mean, I think my favorite part is just, you know, being able to bump shoulders with so many of these people who honestly most of my friends have not ever heard of, but who I have looked up to as researchers forever. You know, as I'm talking right now, I'm looking at Beau Woods from the Atlantic Council, Jason Healey who currently works in the White House, Katie Moussouris who was really critical in in updating the Wassenaar Arrangements responsibly to regulate spyware without affecting pen test tools. So again, all of that was complete gibberish to most of my friends but the fact that I'm literally just talking about who happens to be in eye shot right now it gives you an idea how cool this is.
Grant Versfeld 16:55 I completely agree. It's just wild to see some of the people that they were able to get.
Mike Sexton 16:59 Yeah.
Grant Versfeld 17:00 What do you think, in your opinion, is the biggest issue on the horizon with cyber?
Mike Sexton 17:05 So my, my opinion, it is quantum computing. I think quantum computing is going to completely transform the way that we need to think about privacy and encryption.
And, you know, we're beginning to take steps, you know, the National Institute of Standards, and private industry and academics are beginning to think about what are some new encryption algorithms we can build that will be resistant to quantum computers. But so far, it is really just so hard to define where we're going to go in terms of defending against quantum computing attacks. Whereas the question of when will quantum computers you know, that are that are sizable and functional? You know, engineers agree that it's pretty much just a matter of time, it's not a question of if.
Grant Versfeld 17:57 Definitely, do you have any advice coming from a think tank for people who are also in similar policy roles that want to break into the security world or the cyber world?
Mike Sexton 18:07 That's a really good question. I think I think a good thing is to not let yourself get too intimidated by technical folks. I got into policy, original from, originally, from a more technical background, I was a math major and study cryptography in college. And, you know, so when it comes to these people talking about red teams, blue teams, you know, SOCs, and all of this jargon, I don't have really any hands on experience in that space. But I have discovered really, that the things I assume that like, you know, a prominent hacker in the 1990s must know about the encryption scheme that's used for the Clipper chip, right? And then I realized, oh, no, they actually don't know that you can transform any block cipher into a stream cipher. Like, again, this is complete gibberish, right. But like, it just goes to show you that like, even the people in the room who know a lot, they're, in my experience, very specialized and don't necessarily know all the things you think that they must know. All of the things that you know, that you don't know.
Grant Versfeld 19:16 Sure.
Mike Sexton 19:16 If that makes sense.
Grant Versfeld 19:17 It does. And that's a really good point.
I think that not a lot of people appreciate or you know, this super expensive field.
Unknown Speaker 19:23 It can be a very, you know, gatekeeping kind of industry where, you know, people scoff at you because of the lack. I mean, I was laughed out of my first like hacker group in college because I came in with a cheap laptop instead of a MacBook and I was like, okay, well, you guys are mean.
Unknown Speaker 19:41 [Laughter]
Mike Sexton 19:41 Just don't get yourself don't let yourself get too intimidated I guess.
Grant Versfeld 19:45 Very good advice. And you know, here we are now at DEF CON with some of the greats of the policy world. So thank you so much for the time and enjoy the rest of the conference.
Mike Sexton 19:52 Yeah thanks, you too.
Unknown Speaker 20:14 [Music]
Grant Versfeld 20:11 All right. Um, hi there. So thanks for talking to us today. What is your name?
Safa Shahwan Edwards 20:16 Hi, everyone. My name is Safa Shahwan Edwards and I am the Deputy Director of the Cyber Statecraft Initiative at the Atlantic Council. Wonderful. So how's it going today? What of what have you learned at DEF CON so far? So today's been going really well. We're on the last day of conference today, and I'm currently gooning with my team at the policy village. Some things that I've learned this week include, I figured out how to mess around with some latches at the lockpick village, learn how to break down the adhesive in boxes for packages that I received, which is really, really cool. So spent some time at the physical security village, also learned a lot about different ways that that government and industry can collaborate more effectively with the security research community.
Grant Versfeld 20:56 Wonderful. That sounds like really awesome stuff. So you're both a Goon and a speaker. What has that experience been like? Like, what's the highlight of that been for you?
Safa Shahwan Edwards 21:04 It's honestly just been extremely overwhelming in the best way possible.
I think the first thing that comes to mind is like one, this is my first time at the conference as well. So I'm seeing this, for the first time in person, I'm speaking at getting to connect with people who are also interested in simulations and war games, which is a lot of the work that I do in my day job. But in addition to that, having the responsibility of being a Goon just means like being there for people and supporting them as they navigate the conference being you know, being present to answer their questions. But also just making sure that we stay on schedule, we're on a super tight schedule this week, with all the programming that's going on, we want to make sure that people are able to access all of it, and just try to stay on schedule.
Grant Versfeld 21:39 Awesome. So as someone who's doing simulations, war games, similar types of made up events. What do you see is the biggest issue on the horizon for cyber in the future?
Safa Shahwan Edwards 21:49 The way I see it, I think workforce development is the biggest issue. We can talk about all these different cybersecurity challenges but if we don't handle workforce development, we're not going to be able to achieve or respond to any of those challenges to begin with.
Grant Versfeld 22:00 Awesome. And then do you have any advice for people in the future who might be coming to their first DEF CON, particularly those interested in the policy department?
Safa Shahwan Edwards 22:06 Definitely. So my first piece of advice is do your homework. Take a look at the schedule, see what things you're interested in, take a map, highlight all the villages you want to take out and pace yourself. It's a massive event with tons of socializing. If you're an introvert, like me, take some time to socialize with people and get to connect with folks. But also take some time to disconnect and go for a walk around the villages. And just have some time to yourself to also just learn and absorb a ton of information.
It's a great event and extremely informative.
Grant Versfeld 22:31 Definitely sounds like an awesome time. Thank you so much for the time Safa and best of luck with the Goon duties.
Safa Shahwan Edwards 22:36 For sure. Thanks so much for having me.
Reema Moussa 22:42 Thanks for listening to this episode of The Tech Policy Grind Podcast. Be sure to check out the Foundry on LinkedIn and Twitter. And if you enjoyed this episode, leave us a review and give us a five-star rating. It really helps out the show. If you're interested in supporting the show, reach out to us at FoundryPodcasts@ILPfoundry.us. You can find our email in the show notes as well. You can see the full show notes and download the episode transcript for every episode on our website ILPfoundry.us/podcast. The Tech Policy Grind Podcast comes out every Thursday. See you next time.
Unknown Speaker 23:23 [Music]
Reema Moussa 23:24 The Tech Policy Grind Podcast was created by the fellows at the Internet Law and Policy Foundry. It's produced and edited by me, Reema Moussa, with support from the incredible Foundry Fellows. Special thanks to Lama Mohammed, our Social Coordinator, and Allyson McReynolds, our Accessibility Coordinator, as well as Grant Versfeld for all his help with this episode.
Transcribed by https://otter.ai