ETHICS VILLAGE - Nations and Nationalism and Cyber Security

Video in TIB AV-Portal: ETHICS VILLAGE - Nations and Nationalism and Cyber Security

Formal Metadata

Title
ETHICS VILLAGE - Nations and Nationalism and Cyber Security
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
When talent comes from intelligence agencies, what masters do we serve, who takes priority, and how can companies ensure providers are supporting their interests above past masters? And how have companies muddied the waters so that these questions are relevant in the first place? Some exploration of conflicting duties and possible responses.
Everyone, thanks for all for coming, and here is Joe Slowik. Welcome to our second Ethics Village talk. And yeah, good afternoon everyone, hope everyone's having a good DEF CON so far. Thank you everyone for showing up; nice packed room, which is always a good sign. My name is Joe Slowik and today we're going to talk about something I wittily named Nations, Nationalism and Cyber Security. Network security actually might have been better from a literary standpoint, but it's like, cyber security for this one, because cyber. First, a warning as we go into this. You know, as I thought about this subject... actually, just to back up one: if you need to, like, get in contact with me, that's actually a very easy way to do that, so Twitter is InfoSec life. But as we move into things, you know, first a warning: I'm gonna mention some security companies. It's not that I'm necessarily calling out specific companies as being unethical or doing something wrong, but rather as good examples of where we might have certain dilemmas in terms of duties and responsibilities within the security space. So there's no claim of wrongdoing, but at the same time, you know, perception equals reality. When you start seeing things mentioned in the press or public statements, it certainly casts certain impressions in terms of how we operate as an industry. So I think everyone's familiar with this story at this point, as far as Kaspersky and their trials and tribulations with the US government and the Dutch government and maybe the European Union: that, you know, Kaspersky is just an arm of the Russian government and therefore cannot be trusted in sensitive networks. That's fairly clear-cut. I mean, certainly the legal regimes surrounding where Kaspersky is domiciled put them into a fairly sticky situation, resulting in their announcement that they will move some indeterminate amount of operations to Switzerland in the near future. Whether that actually solves the problem or not is probably not the case, but at least
they're cognizant that there is a concern there and they're trying to address it. But a little closer to home, some of you may remember, or may not remember, because this didn't seem like
it received all that much attention: at the closing day of RSA last year you had former NSA director General Keith Alexander on stage with Nadav Zafrir, who is former head of Israel's Unit 8200, their NSA-like equivalent, or at least for hacking and such, sharing the stage together talking about what we need to do from a cybersecurity perspective. That's really weird, I thought it was really weird at least, and what made it even more weird
was when you look at what these guys are up to these days. Zafrir runs something called Team8, which is a sort of catch-all technical investment, venture capitalist organization that really seems to spend a lot of money in, you know, helping former 8200 companies kind of get started up, and then Mr. Alexander started something called IronNet Cybersecurity, and there are some controversies around some of the initial talent collection from the National Security Agency and especially some intellectual property items there. But certainly very much people with former state-sponsored or state-directed signals intelligence and information security, information warfare leadership roles moving into private industry into some fairly high-profile roles. But what really led to me doing this talk was a little after this happened: you had Kevin
Mandia at a FireEye event in DC that was for the US government community going on stage and making some very curious comments. Again, I'm not trying to say that FireEye bad, others good, or something. You get that Flash movie from like 2000, good on you. But you know, really looking at this from the perspective of like, okay, when you look
at some of the statements that were made publicly and unprompted like this, it was just really freaking weird. So among other things, you know, before putting out a public intelligence report FireEye will typically tip off intelligence officials from the Five Eyes alliance about the release. Okay, data sharing, that's kind of cool, yeah. But then, especially in light of the alleged Joint Special Operations Command operation which Kaspersky labeled as malware Slingshot, you know, there were also some comments of like, you know, we'll play friendly with the home team, we won't out publicly this sort of malware, and some other just comments that made it really interesting, like, well, where do loyalties really lie? Because if you, you know, go back in time a little bit and look at some things that have been publicly released, you know, put yourself in the shoes of, say, Belgacom (it's not Belgacom anymore, they've been like subsumed under a greater ... I believe), but they were the victims of a hacking operation that was ostensibly for counterterrorism operations, but alleged nation-state linked activity: the NSA and/or GCHQ, one or the other, broke into the network in order to start monitoring and capturing communications ostensibly related to counterterrorism. Counterterrorism is not a bad thing; you know, from an ethical standpoint that seems like a worthy goal. But from Belgacom's standpoint, pretty sure they wanted anyone and everyone who is trying to break into their networks to get out of there, whatever the reasons were, righteous or otherwise. And so when you start getting into situations like this, it's a question of, for those who you're investing or entrusting the security of your network with, you know, where do their necessary boundaries or values lie? So we've done some headlines. Why are
we here? So I haven't done an introduction yet; that's intentional. I figured we'd start with, you know, what's going on, and then we'll talk about me, because me has a lot to do with why I think about this way too much. So my story is, I was actually a philosophy
graduate student once upon a time. I ended up quitting at the University of Chicago back in like 2005; I escaped with a terminal master's degree. I spent my time mostly doing deontological ethics, like post-Kantian sort of work in that field, and a little bit of logic stuff and whatnot. It's been a few years; my German sucks now, I found that out to my chagrin when I went to Troopers in Heidelberg this past year. But nonetheless that's kind of my foundational background, like I think about this crap a lot and in ways that have been sharpened by some formal training and work. But like I said, I
dropped out and then I ended up in a cube farm, because you've got to do something in order to pay the bills. Cube
farm was boring, so I joined the Navy. So did that, you know, thinking that I wanted to do cool stuff, but then they put me
back in a cube farm because I had done computer stuff in the other cube farm. So then I did some other stuff; I
made a drug deal and ended up going to Afghanistan with some people who do interesting things and wear fancy uniforms, like that one. You know, that
ended up finishing up and I continued doing government service. So then I ran incident response operations at Los Alamos National Laboratory for a few years after I got out, so continued government service,
and then I joined a vendor, dirty vendor, you know. Dragos is the company I work for right now; I do threat intelligence work there. You know, we have some very interesting taglines: superheroes don't do infrastructure, it's why we're here. That's very humble, I guess. You know, company mission: safeguarding civilization. It's like, alright, interesting. You're like, you're coming from this background, like, wait, are you a
Fed now? Full disclosure, I do still hold certain credentials with the Department of Energy; I'm a guest scientist, which, coming from an almost exclusively humanities background for most of my education, I find to be absolutely hilarious. But you know, so there is a pinch of potential conflict on my end. Like, you know, I'm... but to phrase it, that I'm willing to help any and everyone out to solve the problems of defense and want nothing whatsoever to do with offense. But that same sort of thing that we were talking about with Mr. Mandia and his company and some other entities, like, so Joe, where do your loyalties lie? Well, the main thing is
that, am I a Fed? No, they don't pay me any money, among other things, and I'm happy to collaborate with them, but I don't work for them. But it's really touchy trying to phrase that in a way to get others to really trust you and accept that what you're doing is above board, so to speak,
because again, as I mentioned at the start of this, you know, for better or ill, perception equals reality. For example,
you look at this map, you'll see that the lovely Dragos headquarters is located up here in Hanover, Maryland, just off of Dorsey Road, which is about a... if there's no traffic, which is never, no traffic, you could do this in about five minutes to get to the main entrance to Fort Meade. So that almost screams like, oh, you guys are an NSA spin-off, and if you look at the resumes for the people that work for the company, like, yeah, there's a lot of people who have backgrounds in the intelligence community. So again, perceptions equal reality. Can you really come up here and tell us, or whatever, like, oh, ethical quandary and conflict of duties, where do you stand? It's like, yeah, it's a really touchy subject, because again this perception is a hard thing to fight off against, especially if you're trying to tell someone who is running, say, electric power operations in Saudi Arabia or, you know, oil and gas operations in Russia, from an infrastructure perspective, as an ICS security company: I don't want an oil and gas plant in Russia exploding, that's not cool. I don't think anyone should be in civilian power infrastructure of Iran. Iran might not be a very nice place to live in, but their people are just as nice and just as valuable as anyone else in my mind, and civilian power infrastructure, that's just not a place where anyone should be playing around. That's a separate argument we could have offline over drinks somewhere in a less crowded section of the glorious place that is Caesars. But you know, the main
thing is that we look at governments as, especially when you start getting into spaces like critical infrastructure, industrial control systems, and a lot of the really fancy sort of industrial espionage, secret stealing, who's running most of the offense? It's governments. But
private companies, though, in a sort of weird way that this field has played out, are often the ones who are at the forefront of security. So I don't have
that slide next, we'll get back to it. It's very strange that in an environment where you have things that are supposedly very vital towards the common good, or a public good, that are being attacked by ostensibly public entities or public-serving entities, albeit for different countries, and then the ones who are entrusted with defending against them, or at least doing the best job of defending against them (no offense to anyone here who works for DHS), that, you know, it's private companies that are motivated mostly by the profit motive. I think I'm a little bit different, but at the end of the day, if Dragos doesn't make money, I don't have a job. The same goes for Kaspersky, FireEye, Symantec, etc. So furthermore, you
know, when you look at who are the ones disclosing these breaches and sort of pushing the defensive line forward, like, yes, DHS, German BSI, Japan CERT, Boston people sir ku all released, you know, pretty cool reports and whatnot, but a lot of the information driving this are releases by private security companies in the course of their business. So
examples: we can go all the way back (seems like it's weird saying all the way back) to APT1, Stuxnet, drink, Fancy Bear, Electrum, Charming Kitten, etc. You know, all state-sponsored sorts of cyber intrusion events, and all broadcast by private security companies, which also, when you start looking at the private security companies in question, either have lots of sort of government, intelligence community ties or lots of intelligence and government-style contracts. So examples of this, you know,
the re-re-re-release of this, of Russia's hacking the U.S. power grid, from last year, which was then made public again two weeks ago and then made public again a week ago with the same story. You know, DHS certainly has taken the lead in a lot of the public reporting on that; Dragos has responded to some of that, and Symantec really pushed that narrative forward a lot as well. But then
you also have stories like China hacking a Navy contractor. Okay, again, caught by a private security company and pushing that information out in the wild; probably a little embarrassing, that government might not want that information to have come out. And then, I
referenced this earlier, Kaspersky disclosing the JSOC operation that was ostensibly for counter-terrorist purposes in the greater Middle East. So
in looking at this, you know, we have private companies involved in this space doing their thing. What are their incentives? You know, their incentives are theoretically shaped by clients and determined by markets; again, at the end of the day they want to make money. If you adopt the perspective, which is a very strange perspective to adopt, that companies are citizens or at least, you know, have some element of personhood, you know, presumably they have a right to continue existing or whatever, trying to make a living within, you know, the capabilities and limitations of what is right and what is wrong. But as part of that, you start getting into the sort of organizational needs in order to continue operations, continue mindshare, build revenue and business growth, and what sort of compromises and actions do you start to take? And so now you start getting into a potential conflict between those sort of, you know, private needs and those otherwise strategic or public requirements. So looking at those, how do these... you know, presumably, you know, you can argue, for
example, that terrorists are bad; maybe killing them is wrong, but certainly making them not capable of terrorism is probably a good thing, people would be better off. But in the course of doing this, like, okay, so Slingshot was very much an endpoint-directed item, but there were midpoint sort of items that came into play to allow it to occur. So any of those innocent midpoints, it's not like the telco providers or the mobile device providers or whatever were willingly assisting terrorists, but in the course of their being compromised or otherwise their security circumvented, has the private security company done something wrong? Maybe not in this case or whatever, but it starts getting a lot fuzzier as you get into different sorts of activity.
Another consideration, and we're kind of jumping around a bit at this point, so I apologize for that. You know, so we've talked about organizations, talked about relationships of organizations to governments; let's talk about the actual people. So I've told you my story already and you know how I have a background that might make some suspicious of my intentions and where I'm coming from. But you know, it's not
like I'm the only one. Certainly the mass exodus of technical talent from the National Security Agency over the years has resulted in a great many people throughout the greater DC and Southern Maryland area now working for various private companies, but that's certainly not the only one. I don't know if anyone
here works for a security company, but has anyone been, like, 8200'd before in terms of a presentation? So that's a term used, or whatever, for... and the same goes for the NSA: that, yeah, our company, we have all these ex-hackers from Israel Unit 8200, or from the NSA or CIA or whatnot. Companies, and individuals for that part in terms of building up a resume, really want to trumpet their connections to these sorts of communities as a means of instilling some sense of, maybe not legitimacy, but certainly technical proficiency and technical talent. And it's not just us;
you know, you see the same sort of crossover. Just look at Mr. Kaspersky, Yevgeny, call him Eugene, you know, the same sort of thing: he's notionally ex-FSB or certainly Russian military intelligence connected, and now is the founder of one of the, you know, largest, and certainly a very effective, AV engine companies in
the world. So when we look at this in terms of sources of talent and people on the ground, is that you have a combination of, you know, military and intelligence communities as your primary... not a primary, but very much one of the leading sources of talent. You know, whether it's enlisted servicemen and women getting out of the military and then tripling their paychecks as they go work for a private security company, or a private company in their security department, or people formerly in the intelligence community, intelligence community contractors, etc. But then as they move into the private sector, and in often cases with clients that are multi- or transnational in origin, you start getting a lot of potential concerns and conflicts of interest. Well, one thing that's important to note, you know, from the perspective of the U.S. system, at least in most of the Five Eyes general system, is that the obligations taken on by accepting a security clearance essentially last a lifetime: you don't disclose that information, you have to protect that information, etc. You may no longer have access to that, but you still need to make sure that you no longer, you know, use it, or in other sorts of ways. Well, okay, so there's a lifetime obligation that an individual has entered into with a body that has its own purposes, interests and directives, and now that individual has also entered into a series of obligations as part of their employment, where they have at least a fiduciary-like duty to the companies that they're providing security for, providing security services for, that their client's best interest is at heart. So in cases where, say, the duty of, you know, lifetime protection of secrets and, you know, etc. conflicts with a now duty to a specific client, what do you do? My answer to that is, I quite frankly don't know. Um, this really gets you into the area like, well, in a hierarchy of duties, what wins out? But as
I hinted before, so we've talked about like a potential fiduciary duty to clients and whatnot. So from a client's perspective, what do you do? Again, governments, although they're trying to muscle their way into this space, for good or for ill, for effectiveness or lack of effectiveness, that's to say, at the end of the day most, especially major, companies are relying on private corporations to provide this level of protection for them against both criminal and state-sponsored activity. So
from a private company's perspective, like, what sort of questions should they have and what worries should be on their mind when entering into an agreement with another organization, in this case a security company of some sort? You know, simplest one is: does the company have my best interests in mind? You know, that's a fairly obvious one, but as we see statements like Mr. Mandia's, Mr. Kaspersky's, etc. that are out there, there seems to be a desire to have it both ways: that we have these government connections and support and whatnot, but at the same time we also want to make sure that we put our clients, you know, over all else. And really making sure, like, okay, when you have a question where you have individuals that are still in some capacity working for, or have government obligations, or have a background in that field, how are their potential requirements and duties balanced against the requirements and duties for properly serving that private company that they've now entered into an agreement to protect? So let's look at goals and missions. You know, how do those personal or legacy missions that some of us, including myself, have signed up for mesh with the things that we're trying to do now in terms of protecting infrastructure? Like, for example, if I am now responsible for protecting civilian power infrastructure in, I don't know, pick a semi-adversarial country, maybe Ukraine or something along those lines, and Ukraine ends up, you know, falling completely under Russian influence and whatnot, now there's sort of a conflict between, you know, U.S. separate interests and what's going on there. And maybe, for all we know, someone's starting to get into their network that has a Five Eyes connection. I would certainly say I have an obligation on the behalf of my client to do something about that, but I'm pretty sure people I worked with in the past would be pretty pissed off with me that I was doing such a thing. So really, how do those balance out? And then finally it takes us to this sort of
ethics and motivation item. You know, one thing I like to say: all generalizations are stupid. Based upon that comment, are all intrusions bad, or some okay? So looking back at that Slingshot malware that Kaspersky publicly released: counterterrorism mission, trying to take bad guys off the street, so to speak. It seems like it might not be a terrible idea; how they actually execute that might lead to some qualms, but again, there's, you know, you can work out several explanations for how that's not necessarily a bad thing. But that's also an intrusion and, you know, compromise of other organizations en route to delivering that effect. So really trying to figure out: when, if ever, are our duties to clients overcome by duties to country, or maybe even perhaps wider duties overall?
So for example, a scenario. I can't edit this already, but say we get a state utility company somewhere. I'm sorry, I have an ICS background, so right now most of my examples are going to be industrial-control focused. We have a state utility company that gets breached; bad guys are in a civilian power infrastructure network. Right now, the model that I operate under is that that is never okay. The investigation, though, reveals that you have a fairly advanced adversary. The state in question, where the intrusion takes place, is one that's not my country, maybe not even one that's necessarily friendly to where I live, and continued investigation reveals that, well, actually the people who broke in there happen to work within the same country I do, for the same government that my taxes go to. There's no clear indication of intent or purpose yet; it could just be probing, running around seeing what's there, establishing some initial access. So what do you do in that scenario? Now, for myself personally, and again this goes back to what sort of ethical framework you've designed for yourself and try to adhere to, I look at this with a clear sense of what my obligations and duties are in this perspective: nope, based upon "no intrusions in civilian power infrastructure", chop this off at the knees, take them out of there, it doesn't matter. But I can definitely see the counter-argument that, well, this might be the prelude, say, to armed conflict in one sense or another, and perhaps by virtue of being able to manipulate what is ostensibly civilian power infrastructure you also have follow-on effects, intended follow-on effects, for military systems of some sort, such as, say, a missile defense system or early warning radars and things along those lines. And by virtue of doing this, the country or nation that is executing the attack in question on that civilian power infrastructure may end up saving more lives by being able to deliver a more precise strike with fewer weapons, as an example. And so, from a purely utilitarian or consequentialist argument, you've ended up with something that looks ethically permissible. I don't buy that argument, but I could at least understand how someone could make it.
So what do we have here? We've got many victims and strategic targets that are private organizations; that's kind of where we're fitting in in terms of things. And we're in the really weird situation where private resources are expected to protect what is private infrastructure, but with very heavy public, general-good sorts of implications. That's not just the constant ICS examples I'm citing, but, for example, economic pillars of the local economy. It's not good for the U.S. when a lot of intellectual property walks out the door and winds up in another country for state-sponsored industries to just take up and start producing things. That seems bad any way that you can possibly slice or dice it. So there are lots of consequences that come about from these actions, and certainly lots of people who are either state-directed or state-sponsored that are engaged in this field. So given that public infrastructure has public consequences, but public resources either can't, because it's illegal for, say, the U.S. Army or Cyber Command to operate domestically (that's going to be a really weird conversation over the next several years, by the way; that's one to keep an eye on), you're left with the FBI and DHS for the USA, or you're left with something like the BSI in Germany, SSG IDI or whatever in France, etc.: domestic, theoretically non-military agencies that have responsibility for this. But in many cases they don't have the talent; I'm sorry, all the talent tends to go out the door after they get a little bit of experience and get a bigger paycheck elsewhere, or they don't have the tools or the access, etc. They might have access to certain sorts of secret information, but not a lot of the tools that you then find migrating into that private environment. As a result, you have these obligations or responsibilities to protect falling to private companies, which are often staffed with lots of former public officials of one sort or another, either because it's a startup founded after they retired as a four-star general, and so they're double-dipping into their pension and their VC money, or you're talking about Private First Class Jimmy, who was a really sweet Python programmer when he was in the Army, got out, and decided to quadruple his salary working for McAfee or something.
So this is a really awesome tweet. Is he in the room? It's unfortunate, I've never met him in person; I want to someday. But a really excellent tweet by hostile spectrum here, that this assumption has crept into policy. I don't know if it's an assumption as much as it is a fait accompli at this point, based upon just how the market has shifted, that private firms should be expected to absorb and take responsibility, at their cost, for protecting against and mitigating a potential cyber attack that would have dire public consequences, either of an economic sort or going all the way into the sort of scary, sensational "ICS power plants are going to explode" sorts of scenarios. When you've cast this within the scope of the Westphalian compact of non-interference in other states' borders, one of the items behind that, to sort of mix analogies and mix sources on this, is the Max Weberian concept of a monopoly on legitimate violence. We're not talking classical violence here; we're talking about cyber violence. Has anyone used that term before? I don't think so, so we can get that one built up; we can push back against that other, AOL-era definition of cyber. But in looking at this, it's almost like the state has been forced to, or has willingly abdicated, the role of having a monopoly on cyber impacts or influence, at least on very vital infrastructure. You could look at this as the horse having left the barn back in the '70s, especially when you look at a lot of the Anglo-American-style Western countries, through Thatcherism and Reaganism and Nixonianism for that matter, deregulating economies, where lots of previously public goods were privatized in the scope of liberal-ish, liberal in the classical sense, capitalism. So as a result we've somewhat deliberately pushed these obligations outside the bounds of the state and into private hands, and I don't think there's any stomach in most of the Western world to take that back in. If you look at some other countries, though, Russia, China, India even to a certain extent, a lot of this infrastructure is still somewhat in state hands, so you have much more state intervention into those realms, and arguably much better state resources and efficacy applied towards protecting these. But I think most of us are U.S., European, or something like that, so we'll stick with that framework for now, just as a point of focus. The main thing being that you've got this responsibility for protecting public or public-influencing goods resting almost primarily on private entities, which leads us into the idea of duties.
I've hinted at this multiple times. I'm going to try and hit this both from the individual standpoint as well as from the perspective of the notional person that is the corporation. I hate that idea, and it's based upon a really crappy legal opinion, but it seems to have garnered some following or whatever, at least in this country. So we can look at conflicting duties. Putting yourself in the analyst's shoes, my shoes for example, now that I work in the private sector, I've got duties to my organization: Dragos wants me to do a good job, to fulfill my obligations to the company so that we make money, continue to exist, we all pay our mortgages, and maybe someday I get to send my kids to college, although at this rate that's probably not going to happen. As part of that, though, in order to make sure that actually happens, there are duties to the client: some entity, whether it's a financial services firm, an oil and gas producer, or a large retail corporation, says, hey, we have a security problem that we cannot solve internally, therefore I will enter into a contract with you, give you money, in order for you to step in and take over this vital service for me and protect that. That's a pretty heavy duty that's being ceded out to an external party and then taken on by that third party, so it should not be taken very trivially. When you say, oh, I'm going to sell a product to someone, that's more than just saying I'm going to ship a blinky box, they put it in their server rack, and I walk away. I at least like to think that it means that you have now taken upon yourself that, for whatever you sold, an intrusion detection system, antivirus system, some big fancy SIEM product or whatever, within the scope of what that's supposed to do you've told your client that, yeah, I'm going to make sure that we've got you there. Hopefully that's the case; if you went to Black Hat last week, there are probably lots of people that don't have that conception of things, unfortunately. But lastly, there's also this sort of communitarian idea that, well, I just don't exist in isolation. I live someplace, I have neighbors, those neighbors have neighbors, I pay taxes towards something to make sure that I live in a nice, comfortable, safe, secure place with clean water, power, etc. Presumably, in entering into this framework, I accept or have now taken upon myself duties to that community, and when you look at community more widely, you could simply define that as a country: the U.S. government makes sure that borders are secure, through various mechanisms of how funding is passed along the streets get paved, my kids go to school, etc. So there are non-trivial things in question here. It's like, yeah, the United States has been good to me. They do really crappy stuff sometimes, but, balance of payments and whatnot, from my perspective they've been pretty good to me, and therefore it's almost like I at least passionately owe them something at the end of the day. But what wins, then, if you have all of these three things that are out there, in latent if not outright conflict with one another, depending upon what you're doing?
So for example, you have a monetizing intrusion: ransomware hits a network. That's easy; nuke it from orbit, kick it out of there, criminals, pass the information on to the FBI, Interpol or whatever, and that's the story, we're not going to talk about that anymore. Industrial espionage, this could get a little more interesting. Still, say this is fairly clear-cut: someone's trying to steal secrets from someone that you are trying to protect. All right, take you out of the network, we're done, end of story. But what if we're talking about a situation, here to throw you a very interesting thought experiment (those were always the most fun thing as a philosophy student, because you end up with situations that don't seem really plausible, but as a result of how you construct them lead to ways where it's like, yeah, that might happen, it probably won't, but my way of thinking about this needs to change a little): say you have a country that has some latent cyber capability and state-sponsored industry and research and development, and they steal secrets related to, say, clean electricity generation. Said developing or middle-income country relies almost exclusively on coal for electricity generation right now, and as a result is contributing significantly to global warming, which I hear is not just a theory; it is not something that you can believe in, it is a real thing. And you could tell a very easy story where stealing clean power tech and then applying it within domestic industry can lead to, again, a consequentialist overall good, in that you reduce harm effects from having reduced coal generation, a reduction in emissions; all of humanity, and especially unnamed middle-income country, which maybe starts with a C and ends with an "ina", is better off with that. I'm not saying that this has actually happened, but from an intellectual property, individual-duty standpoint it seems like a clear-cut wrong. But if you start being a little more flexible with how you're approaching or viewing the problem, you can at least tell a story or make an argument that is cogent and sound, that makes it sound like, well, that might not be a worse idea, and maybe there's actually an obligation to share that. It's not the place for that debate; we can have that over drinks later.
Political interference, also something that I hear happens and may not just be a story that one finds on the Twitters and whatnot. This seems to start getting a little bit more clear-cut, but what's interesting about this is that political interference isn't just a question of, aha, I'm going to hack party XYZ and do stuff; rather, it's been interference by manipulating channels of communication and other sorts of venues in order to pass a message on. Well, in that case that seems pretty damn obvious: nope, take the network. But again, we look at this mostly from the standpoint of Russian influence on U.S. or other elections; they're not the only ones who try to influence elections, though. So what if you're trying to influence, say, for example, look at Montenegro. Does everyone here know where Montenegro is? Okay, cool. A little country in the Balkans; there's a traditional Russian sphere of influence sort of thing there. They recently voted to join NATO, but there was a lot of back-and-forth over whether or not that was a good idea, and so there was a lot of manipulation of how their political process was going about. Well, if, say, a Five Eyes country, NATO or whatever, started surreptitiously inserting fake stories and whatnot about the other side (presumably we like to think, well, joining NATO can be a good thing, there are commitments to human rights and whatnot, and it's an easy stepping stone to the EU, it's probably in the best interest of the Montenegrins in the long term), is it really ethical to start seeding dicey information into the public sphere so that we're going to make that come about? And if I'm a security company and I catch that, what should I do? There might be a good result from doing this, but the way in which it's being executed is not indefensible, but rather much more touchy to try and defend. So again, not as clear. Let me get to this.
I'm going to say that, short of some very, very, very narrow examples, this is just no; you're not allowed to do that. Everyone says, like, what, Stuxnet? Drink. Stuxnet is not a very good example for this, because if you look at how it was designed and deployed, it was software that was designed to have a very specific effect in only a very specific environment: to cause centrifuges to spin a little faster, a little slower, and make sure that people couldn't really see what was going on. If you weren't running a Siemens Step 7 PLC of a specific version, and especially not in an environment that was enriching nuclear fuel, you didn't really have much to worry about with Stuxnet. It did spread a little bit further, so everyone got a sample of it and could do things like fancy TED Talks and whatnot, but otherwise, from a harm reduction standpoint, you could say that it did a pretty good job of trying to minimize its impact, even if the reason for doing so was to try not to get caught, as opposed to trying to be nice and ethical about it. But then you start moving over into some other things. Take, for example, something like the Shamoon event, wiping a bunch of computers in Saudi Aramco several times over several years, and also look at something like Olympic Destroyer, which gets us into wiper malware, in this case targeting the opening ceremony of the South Korean PyeongChang Olympic Games. Well, in that case now you're getting potential physical destruction, certainly cyber destruction for all those poor systems that needed to be wiped and rebuilt at Aramco, but if you start tying those in to industrial control systems of some sort, well, now you start getting something that is less targeted, far more ruinous, and with the potential to do a lot of damage. That just doesn't seem cool, ever. So in this case I would say it's fairly clear that if you catch this, you should kick it out. But again, this sucks in that case: is Iran having nuclear weapons a good thing? I don't know; it doesn't seem like a good thing. You can make an argument, though, that, well, it kind of assures nuclear parity in the greater Middle East with another country that doesn't officially have nuclear weapons but really does have nuclear weapons, that's a little further west of them. So again, you can make a potential case where this might make sense, but for the most part I'd say this one is fairly obvious.
Now, from a security practitioner's standpoint you can try and take a stance. It's like, okay, if nothing else, do no harm. This is a very nicely illuminated copy of the Hippocratic oath. It seems like a very nice idea: okay, I don't have to be part of any of this offensive stuff or whatever, I'm going to step away from this and I'm just going to make sure, like, do no harm, and I should be fine, right? Well, the problem is, when you say "do no harm", what the hell do you mean? So there's the idea: well, don't deliberately inflict harm. So no, I won't do offense. Okay, that's pretty easy and cool. But then, "do not allow harm to be inflicted", that starts getting a little tougher. And looking at some of the examples I cited, you can again tell stories, some of them might seem a little more far-fetched than others, but certainly make arguments that this is a little harder to achieve, because you can get into instances where you're very rapidly coming up with counterfactuals or counterexamples to your general idea that tie you in knots, like they do for me. And lastly, and this is sort of a "see no evil, hear no evil, do no evil" standpoint: just don't allow harm that you really know about, that you are actively investigating, to occur. So it's like, I don't see it, I'll try to ignore it, look away, whatever. That seems to be sort of a cop-out approach. If you're doing this you're engaging in weaseliness of some sort. That doesn't mean it's not a choice; it's just not the best choice. But really there's an entire continuum of things that underlie the otherwise seemingly simple, seductively simple, idea of "just do no harm".
And this gets us into the distinction between what is a positive and what is a negative duty. Uh-huh, this is an ethics track, so I'm expecting everyone to have somewhat of an idea, but positive: I need to do something; negative: I need to refrain from doing something to some other entity. Which leads us into the idea of the hierarchy of obligations. So especially when I'm talking about something in the sense that I have an obligation to do something on behalf of another party, a positive duty, when those start conflicting, how do those rank and stack against each other, so that when there is a conflict I know which ones to do?
That's already getting to an idea, and this is very much an oversimplification: what is my driving goal underpinning those duties? Am I saying that, taking a communitarian approach, what's good for my society that I live in, the people that I know that are close to me, my fundamental duties are to them, and that's going to define my ethical worldview and shape my decision-making? Or am I saying, and this is really like a sort of Aristotelian ethics versus a more Kantian framework, and these days I kind of lie in here personally, or am I taking a universalist approach: that which I cannot will into a universal law is not ethical. That is a rephrasing of the Kantian categorical imperative. That means that you're entering into something that, as the name says, is universal; your flexibility in there is dramatically limited. There are ways of reading that, for situationality and whatnot, that make it a little more flexible than that is, and you can read things like Christine Korsgaard and whatnot in order to get into that, but overall you're talking about some very universal, hard-and-fast obligations here. Or actually, you can get into some sort of honor and start going completely YOLO: I'm going to do my own thing or whatever, my way or the highway. And this could be the mercenary capitalism approach to doing network security: I'm just in it to make money, everyone else probably is too, they've got to protect theirs, I'm going to protect mine, and through some magic natural selection bullcrap or whatever, society as a whole advances. As you can tell, I don't think there's much to be said for this idea, but people adhere to it, and some very smart people adhere to this, so we'll talk about it. So you can see that there are different ways of framing this that result in how you construct the duties under which you find yourself, or rather the obligations under which you operate, that then frame your subsequent decision-making. Ha.
So what is a conscientious, neurotic, overthinking security professional to do about this? I'm not a hundred percent sure. So there's a clean hands approach. This is kind of like the weaseling way out or whatever: I'm just not going to actively do anything. The focus is on the personal: the person in the cubicle next door, he can go work this target or work this mission, but I'm going to stay away from it, I'm going to do something that's a little more amenable to my interests or whatnot. Call this, to inject a little Judeo-Christianity into this, the Pilate approach: wash my hands of the matter and walk away. Again, it's an answer; I don't think it's a very good one, but it's certainly one way of at least making sure that I am NOT dirtying my soul in the process of participating in a certain action. Another idea is very careful selection: don't put yourself into compromising situations in the first place, where you have to make the decision, do I do something or walk away. That might sound similar to this, but really what I'm looking for is things like very exceptionally discreet selection: know who you work for. So this is something that I've kind of done. Dragos is kind of a weird company in that we're full of ex-spooks and whatnot, but at the same time none of us ever want to go back there, and we've had some really touchy relationships with those organizations, and very much adhere to "no one in civilian power infrastructure".
So that's one way of doing it: find a company that fits your values, so to speak, and so you're less likely to find yourself in a situation of compromise. But the problem is that might not be practical or probable, especially if you're just starting out in this industry and you want to go into something like, I'm going to be the best white hat, blue teamer ever, and I want to go save the world and whatnot. You might not have much in the way of selection on who you go work for, unless you feel like waiting tables or being a barista in your spare time in order to try and make ends meet and get health care. So as a result of how, at least, we've structured society in the United States, you might not have very much scope in order to make that careful selection, so it's not possible for everyone. The last thing, and you can try doing this, though it might not last very long, is you can actively work for change within the organization. And again, if you're junior SOC analyst Timmy, you're going to be looking for a job probably within about six months, which sucks, quite frankly, because we sort of stamp that out: no, organizational ethos, we sit down, the nail that sticks up shall be pounded down. But not only that, in terms of agency and the possibility for actually executing within the idea of this, what direction do you actually push the organization in which still allows the organization to actually fulfill some mission and remain solvent? Because it's one thing to say, for example, we won't do any business with oil and gas companies because they pollute the environment. Okay, so does that mean that it's okay then if someone hacks into an oil and gas plant and causes an explosion? Because that sounds pretty bad; they might pollute the environment, but I think we all have a general interest in not seeing gas pipelines over-pressurizing and blowing the hell up. Okay, oil and gas is fine; we're not actively contributing to their operations, just making sure that they're reasonably safe. We won't secure the manufacturing networks of firearms providers. Okay, that's probably a little easier, but then you start doing some really strict salami slicing, like, okay, General Electric, they make engines that go on warplanes, does that mean they're out too? How do you actually start breaking this down, and where do you really get to a line that's both actionable, feasible and sustainable across time within the scope of trying to run an organization?
So what's the answer to this? Again, you can go the complete "us versus everyone else", state-of-nature, Hobbesian whatever: everyone's a mercenary. It's actually a very interesting conflict to read about if you're not familiar with it, the Rhodesian Civil War. No? Well, anyway. But what security has tried to do is sort of mishmash their way through it, through highfalutin-sounding documents like the Tech Accord that Microsoft is pushing. If you print this out you would not be short of toilet paper for a little while, but at the same time you also don't end up with anything that's especially meaningful, in my opinion. It's sort of a completely pseudo-voluntary thing where "we'll protect customers no matter who they are or why they're attacked". That is, and they should know that, because what if your customer happens to be a customer in another country for which there are export controls in question or sanctions applied, or is using that technology for criminal purposes? Yeah, you can try doing this, but very soon someone is going to knock on your door and tell you that, no, you're going to stop doing that now, because guess what, you are still physically located in, and subject to the laws of, this country. So that is an unactionable course of action, to say it lightly. All right, those are the ideals.
Are all customers equal, and if not, who decides? That goes back to the idea: in cases of clear criminality and whatnot, they probably don't deserve protection; they're criminals, they're assholes, put them in jail. But when we start getting into the question of, say, the export controls argument: it's probably a good thing for a factory environment in Iran, or North Korea, or Iran, to operate in a safe environment, and so to have access to, say, software updates for the machines that are running their equipment. But that's not allowed by sanctions control, and if you observe that that technology is being transferred in some way, what do you do? Well, that's a dicey one, because again, I could see a conflict of duties there. There are some very clear legal obligations, though, and so it really becomes very hard very fast to decide just exactly how to approach that. And that really gets into who decides. So, approaching this from that classic Westphalian sense of sovereignty, of non-interference, combined with the Weberian concept of a monopoly on legitimized violence, and in this case cyber violence, it's very clear who decides: whoever's passing laws where you happen to be based. But since we've already talked about how the sort of Westphalian compact in cyberspace, oh God, I just said that, in the network security space, has basically fallen away or is eroding as we see it, it's not very clear who's deciding at that point. Because if you're, say, Microsoft: yeah, I've got research and development centers in Israel, China, Europe, etc. or whatever, and so it's not just U.S. law that, overall, governs, but I've got a lot of other sorts of things that I'm also tacitly tied into. Certainly where your company is listed has some influence on that, but again, it gets pretty dicey very quickly. This gets into the idea that if you have this question of duties, especially from a communitarian perspective or just a law-abiding perspective: yeah, I'm going to protect all my customers equally. Well, okay, you get a legal subpoena: the FBI wants to put a little implant on that device in order to interrupt an international child trafficking ring, which is something I think we can all say is not cool. Okay, all those duties then go away because of that? Well, you've just made this breaching overall statement, which is why I said earlier that that goes completely against that, which again goes to the point that all generalizations are stupid.
Going faster than I thought. So where are we right now? Where we are is very confused, at least I am, and I'm giving the damn talk, so I'm very sorry. We found ourselves in a situation where we have private companies that are entrusted with protecting what are ultimately public goods, things that are in the general interest, and as a result of that situation you have individual analysts that are placed in positions with conflicting duties, whether it's to varying degrees of obligations because they either used to be a government employee or they have some sense of patriotism, for example, versus who they are when on the clock trying to defend. There are some attempts at norm creation, like that Tech Compact, Accord, whatever, we talked about, but there's nothing really good there, and there's nothing binding anyway; there's nothing like a hard-and-fast rule, especially when you're talking cross-border between places that really don't like each other. When you talk about U.S. to EU, U.S. to Japan, Australia or something, yeah, that's pretty cool, there's stuff in place, but U.S. to China, YOLO, really it's just whatever goes. So the thing is, is this an impossible problem to solve? I had a conversation last night with Mark Tom about this at a small event, even smaller than this one: what would you do about this? And my answer to her, when approaching situations like this, is, all I know is that it kind of bothers me. So really, we have companies, which have the greatest responsibility in my opinion in this space, because they kind of sit in that middle ground between the poor individuals that are just trying to get by and make sure that they can put food on the table, pay their mortgages and have health insurance, if you're in the U.S. So they sit in a position of particular power relative to the analysts, and relative to governments, which unfortunately lack the skills, expertise and some of the technology to do this effectively. The problem is that their incentives are not really allowing them to take action, because at the end of the day any company worth its salt is going to work from a profit-maximizing perspective and, as a result, make a lot of compromising decisions en route to doing that. That's not saying that everyone does that in a complete mercenary fashion; again, like when I spoke earlier, try to find a company that aligns to your interest. I think we do a reasonably good job of this, but we're also very young, so it's only a matter of time before something like this happens, and then it's a question of, do I really belong here or not? I hope my boss doesn't watch this later. Anyway, we've talked about individuals being most significantly impacted, especially at an ethical level, because at the end of the day, who's hands-on-keyboard? Who is the one that is actually having agency over how this is applied, even if it's the sort of "good Nazi" argument or whatever, like, but I was only following orders, an order is an order. How do you put yourself in a position where you can sleep at night, where you don't end up compromising personal values and items of importance? But just the fact of life requires that individuals are going to have to make compromises, because they're in a position of less power than the other entities around them. So as a result, the problem as we're situated really is not solvable, because you've got
you know on the one hand the entities that seem like they're most concerned with this are also the ones with the least amount of power people like us in this room whereas those that have the most capacity for potential action on this are in a position where their incentives are misaligned towards really resolving it and on top of that they legitimately have to worry about things like oh crap like you know to kaspersky x' credit they don't really have a choice for cooperating with the russian government because there are laws in place that as long as they're operating the infrastructure they're all all maybe depending on anyone we'll look at it of their traffic has to be accessible to domestic security organizations they just lost the you know the game of life through letter whenever for where mister Kaspersky was born and where they happened to start the company is that their fault necessarily in which case can you look at this again from the standpoint of intentionality are they deliberately doing this or it just happens so matter that they have to comply with the law of the land of where they're based so the only thing I can
offer in terms of guidance is that you know we look at this for a couple of different angles so for an individual perspective recognize what your situation is like keep an eye on what your company does what your organization does and be aware of what's going on so that this doesn't blindside you out of left field one day like oh crap I can't live with this anymore but as part of that like I said earlier if Timmy in the jr. stock analyst starts raising hell about like why are we supporting this or whatever and then find himself without a job kind of need to keep your head down I'm trying to be pragmatic in terms of presenting this which is not always there like the most glorious ethical position to take but it's really hard to say die on this hill when dying on that hill might mean that you end up you know grossly in debt because you've got sick or something like along those lines but really the idea would be pick a mission and stick with it so from my perspective I picked a mission you know I don't do offense I want to kick bad guys out of important networks and I won't compromise on that because I'd like to think that non-combatants and whatnot all have equal I'll have an equal interest and right to clean water libel power etc and stick with it you know again try to find places that align with those values as much as possible but realizing that it might not be actionable or reasonable in all situations it's most like companies you know their days of having it both ways I think are going to be over soon whether because of things like you know all the press and attention for Kaspersky I was really surprised that the mandate comments some work by cyber scoop news notwithstanding he did a good job of covering this that that didn't garner more attention because it was just very strange that he very willingly just kind of said like yeah we give these guys a heads up or whatever and on the down-low or ever once in a while you know while taking what having cleared 
analysts sitting and watch floors in the greater DC area etc you know I think people will eventually get pissed off with this and there will be market signals or whatever saying that we can't do it you know and that will lead to I hope that eventually it's not gonna happen tomorrow and that can happen next year but maybe five years from now that will start moving away from the like we've got all these guys from 8200 who are sitting on our NOC right now or whatever they're gonna protect you and hack the bad guys and they certainly don't have any obligations to Israel anymore trust me you know trying to play that game from both sides is not gonna work going forward and you know they really need to just stick pick a mission and stick with it so from the Drago's perspective safeguarding civilization it's a goofy little term but at the same time so far we're following it pretty well this is where something like the Google don't be evil thing no for a while they actually followed it I mean good on them like that lasted for a longer than I ever expected and then it went away so so when those sorts of things happen that results in you know things going off the rails and then you have a lot of people that happen to work for setting company or whatever it's like well what am I gonna do now I got stock options I've invested for whatever benefits and I get the 20 days of vacation and whatnot I don't want to leave for another job so that makes it harder it really ends up when you start shifting gears along those lines or leaving that sort of mission amorphous puts again individuals who are the least powerful huh in these transactions in a bad spot but one other interesting thing from the InfoSec consumer perspective there's some level of power there you know they can try from a contractual standpoint a legalistic standpoint you're late expectations and requirements and writing it doesn't mean that they'll always be followed but at the very least that if you find out later on 
it's like you will let the freakin NSA in my network for six months and didn't tell me about it well it could be an interesting lawsuit if nothing else I don't know how realistic that is but at least it seems like an avenue worth pursuing I'm not a lawyer and never want to become one so that's for someone else to decide but yeah really looking into like sort of doing the due diligence work of okay what are your allegations who do your people work for you have people with active clearances do you do government-sponsored work and as a result what are your obligations in terms of the protection of my data how you handle my data how you handle discovered intrusions how does that work really asking those hard questions and putting private companies on the spot to you know show their hand like all right what you got well if you're in a situation where somebody's conflicting situations are up whose side you got in this scenario one of the problems that I see in this space is a sort of balkanization of security like as we've transitioned away from the you know post-soviet moment of like Oh liberal democracy democracy everywhere of free markets and you know globalization or whatnot and the return well not the return but the rise of evil liberal democracy and autocracy on the march again and really getting into a closed market standpoint where it's becoming really hard to be an international company operating in this space anymore because you've got lots of people that want to get their hands on the information expertise and what results from this so in a situation like that do you just make sure that you pick the home team for your certain security company so if I'm target that means that okay semantic good kaspersky not I find ROS neft well I don't think they have much of a choice but you know Kaspersky a everyone else boo some Chinese company the MSS I'm sorry 360 say for whatever yay and everyone else boo but then what if you're Germany as far as I know there is no like 
real major endpoint security provider or major security company that's domiciled in Germany you could say well ISA it's in the EU aren't they yeah okay there's a vacuum that's close enough maybe but still you know if you don't have a home team to pick what do you do then and then you really have to start asking these questions to figure this out you know fairly quickly because you'll wind up in a bad spot I think sooner than you really realize so
that's all I've got. I know I can leave that up so we aren't staring at a fake blank screen. I've talked at you for fifty minutes; now you have the opportunity to ask me questions, and I might have things to say. I hope that was at least interesting. Only a few people left? Okay, that's cool. Wow, really? Okay.

I just don't know what the point would be, to be honest with you. So this is where, getting someone away from the ethical dimensions of it, just to be very practical: well, what do you achieve? Like, damn it, someone stole all my stuff; what do you do? Are you gonna get it back? No, they may have copies. You're not getting it back; once it's gone, it's gone. You can make yourself feel better. Oh, I'm sorry, so the question was (yes, I got that signal), the question was: do the circumstances under which we find ourselves really legitimize or incentivize the move towards companies hacking back? And my answer is that, even just from a sort of consequence-driven standpoint, I don't know what it achieves. It doesn't enhance security, whether because you're going to hit the wrong people as a result: yeah, I took out all those C2 points, but all your C2 points are just some poorly secured WordPress instances and you just blew away Samantha's cat blog; what the hell, man? So there's that part of it, but also you can't put Pandora back in the box once it's been opened. And even if you're the victim of a cyber-physical attack like Ukraine, after getting pwned a couple of times and the lights going out, going and trying to hack back doesn't mean the lights go back on. And I would say, especially from the standpoint of the adversaries that are most capable and most likely to commit some of the more egregious sorts of actions in this space, it's not going to deter them either, because at the end of the day it's like an arms race: they've got these arms, this offensive capability, whereas private companies, while on the defensive side they have a lot of the technical talent and whatnot, except for some of your really shady pentesting firms and companies that do software development and research that are headquartered along the I-95 corridor between Northern Virginia and southern Maryland that have private offensive talent, for the most part, Wells Fargo doesn't, and even if they did have it, I don't know what they'd do with it. But lastly, from an ethical perspective, it also gets to the idea of what you have achieved in terms of improving the ecosystem overall. Well, you can go back into "an eye for an eye, a tooth for a tooth"; okay, that's an argument. I just don't see there being a way, especially given the extreme likelihood of unintentional consequences for Samantha's cat blog, where you don't end up waxing the wrong thing as a result, because no sane adversary, at least no good or capable actor, hacks from their own infrastructure. There are three or four hop points, maybe not, maybe at least two, between their stuff and others, unless they forget to turn the damn VPN on, which has happened. But otherwise you're typically not hitting something where it's actually going to matter. So it just seems like it's a wrong path to go down in general.

We'll start with the gentleman. I don't know; that's where it comes down to: really, what's driving you? For example, I know of Canadian citizens who are working in the Gulf region that are very nervous right now, considering what's going on between Saudi Arabia and Canada on a diplomatic level. It's having a lot of very immediate economic repercussions as a result of some... we can all be pretty clear that human rights stuff is pretty important; there's not really much of a leg to stand on in terms of the other side of this argument. But, like, well, what do I do? I took on an obligation with this organization or whatnot; maybe I'm not in Saudi, maybe I'm sitting in Dubai or whatever, but these are germane issues throughout the region, and I'd find myself in an uncomfortable spot. Do I stick with it: I signed an obligation and therefore I'm required to complete it? Or is it, nope, this violates a universal set of ideas that I have in my mind, therefore I can no longer in good conscience support what's going on; I'm gonna pack up and leave and hopefully I can find a new job? Or, from a communitarian sort of sense, I've either willingly adopted a new community and therefore I'm part of whatever company or entity I'm with right now, or, Canada all the way, I will continue to abide by what I think is useful there. So it really comes down to, in my opinion, a personal choice for where your values lie, and making sure that you're clear on that yourself going forward, and then articulating your decisions around that. Again, all generalizations are stupid; not everyone's answer is going to be the same on that one. I certainly personally have my own view on that, which would be a blend of that universalist and communitarian approach, so very much a virtue-driven way of looking at these sorts of ethical quandaries, but it will likely be different from everyone else's, and I am okay accepting that.

So the question was (and I didn't repeat the last question, so I'm sorry; I hope the gentleman in the back doesn't throw something heavy at me), the question was about states that sponsor, or not that sponsor, but that publicize and create guidance that in response to a cyber-physical or cyber event they reserve the right to retaliate in kinetic fashion. On the one hand, from a private industry standpoint, it makes me not want to tell the government what happened, potentially, depending on what I'm thinking: oh crap, I don't want "the Russians are in the grid" to mean that the Balkans or the Baltics just got invaded because things went off the rails really fast and things got kinetic. But for the most part, that decision-making, and where a lot of the agency lies, seems to be within those government spaces. My only pickup on that is that the transition from virtual to physical, or especially where there's a blend between the two, is very much consequence-driven. From the standpoint of saying that, oh, the financial system went down, therefore we're nuking Tehran: well, the financial system didn't go down, it was slowed a few years ago during Ababil, or however you pronounce that; a physical response to that would have been disproportionate, and in your classic Augustinian sense of laws of war it's probably not a good idea. But when you start talking about, for example, what's happened in Ukraine several times, I would say that they're probably well within their rights to say: what you did could have had more dire repercussions than what actually happened, and you didn't really know that going in, therefore it seems reasonable that we could retaliate. Now, they would lose that fight, but at the same time, if you want to justify a potentially stupid action following that, it would have been something usable. So again, it depends, but it's one of those spaces where the private sector should just try... okay.

So the question was: mentioning fiduciary duties earlier as one way of phrasing how a private company enters into an arrangement with another private company to provide security services, just like we have the idea that doctors and lawyers have fiduciary duties to clients, or just as we require civil engineers to be licensed and certified and continually monitored to make sure that they fit within professional standards, can we adopt such a framework for practitioners in the security space and software engineering, etc.? I think we can. There was a talk at an event last night that I really wanted to go to, by Tom Miller, who's at DHS, that touched on this subject, and I did not get to attend it, and I think he's a big proponent of it, and I can definitely see there being space for it. Part of the problem that I have with the idea is that it gets very... licensing, for example with legal licensing, the way in which it's framed is that you pass a state bar and that governs actions within a certain location where you're practicing. That seems to link up fairly well; if you're doing something internationally or across state boundaries, you get licensed in both locations. Given the way that security, and the organizations requiring security, don't neatly fit into little boxes in terms of location, it gets very hard very quickly to enforce or require that out of the box. But just because something is hard doesn't mean that it's bad. So as much as I like to malign it, just because it's a stupid idea, this thing has its heart in the right place. So the idea of the Tech Accord is like, yeah, we'll try and set up an ethos around which we will rally, like "we will protect everyone anywhere" or whatever. Having something along the lines of at least a minimal professional ethic, something almost approaching that Hippocratic oath, might be reasonable. The only problem with that is that you get into scenarios where, how are you defining harm, or how are you defining those applications? So I think it's certainly something worth exploring; the problem is, if you have a real attention-to-detail issue and are very neurotic and overthink things, you very quickly wind up with lots of exceptions and ways in which it falls apart. So again, I can see there being something for it, but I think that any implementation is going to be difficult, and if nothing else would only be extremely localized.

So the question was: if my current organization was approached with "hey, in order to do business here, the home team here requires that you insert this thing into your product, for reasons" (and those could be various reasons, but certainly something along the lines of data gathering most likely, or they don't tell you what those reasons are, which is also scary). I would say, given what I know about our organization right now, that the answer would be no. I certainly don't know what that answer would be moving forward, but that ties back into the idea or ethos that we've adopted as an organization, that we've all sort of bought into, which is easy when you're a small company; it's not so easy when you become a much larger company, which I can appreciate. Right now it's like, no, we can do things elsewhere; that doesn't sound good. And if the answer was yes, that's a résumé-generating event for me, because that's just not cool. But I'm also in a position where I'm pretty confident I could find another job without a problem, and that's not the case for everyone. So again, going back to that idea of clean hands, see no evil, do no evil, hear no evil, or active intervention, what do you do? Individuals' options in that framework might be constrained, but overall I'd say just that approach of doing things. Which ties into, again, I forget the name of the Russian legislation that goes back to the 90s, or what really goes back to telco... wait, the 70s or something; it really provides for lots of potential for abuse, although also, depending on what sort of communications or data you're capturing or analyzing, it could lead to law enforcement things. Like, for example, "I want to make sure that I'm analyzing all of the classified ads that get posted to your portal, despite anonymity and whatnot, in order to fight human trafficking." Well, that's a really, really good goal; that access could be abused really easily, though. So what do I do there? Yeah, it gets tough, but at least from the standpoint of right now, I would say it comes down to, for our organization, "hell no, not interested at the moment," but I can see other places where that's not the case.

Okay, okay. I mean, there's my favorite audience member. I don't know, that's gonna be tough; we've got some good questions so far, and I've got to remember all of them too. But the gentleman over here; someone was about to speak, I thought. Okay, yes. I mean, with Israel, too, it's not just 8200; you've got people who are doing Shin Bet stuff, and everyone has tech talent sort of everywhere, just the same as you've got GCHQ along with other sorts of organizations in the UK. Go to France, who I don't think get anywhere near enough credit for their tech talent overall, let alone the tech talent that they have within military and government circles;
they have a few organizations so everyone everyone lots of places have numbers of organisations involved in sort of statecraft and especially in the intelligence and military space they're doing these sorts of things and lo and behold they often seem to be the ones that you find later on who have found it you know successful or certainly you know very significant security companies of one form or another in the back cool so the question which I forgot in the last question I blend this guy for saying that I had my time back he distracted me the question concerns whistleblowing in the context of you know what I've talked about right now and I'd say whistleblowing is an important idea it gets into that sort of actionable approach you know certainly you know I could see you know a cascading series of obligations like my organisation is doing something blatantly illegal and harmful like okay if they won't stop I need to tell someone about that you know go to the authorities and they will take care of it you know hopefully yeah but then it gets a little you know diced here after that point where it's less clear-cut so as you know probably the most prominent example Eddie snow boy who is you know holed up in that beacon of democracy and freedom known as Rafa some of the things that he released I can definitely see the argument and accept the logic under which it came about that yeah similar domestic surveillance stuff like yeah that was really weird there may not have been the sufficient conversation about it other stuff though that came out of that were unrelated in really tight back and just like you know hackers gonna hack and don't intelligence agencies are gonna do their thing and you know I expect NSA to spy on China Brazil I expect the Russians to spy on the US I'm gonna try and catch him I'm gonna try and kick him out but that's kind of what they're there for and gonna really start reeling all those other stuff goes beyond mere what's the blowin almost like score 
settling so it's very easy to wrap oneself to the flag of or the mantle of like haha I am doing good by revealing evil and by the way look at all this other shady it's like actually that other stuff that shady it's kind of cool but it's yeah kind of kind of goes above and beyond then so really when it comes to the whistleblower idea it's an identification of you know what am I really blowing the whistle on what are my motivations for blowing the whistle in this case and does that pass muster as being a no ethical act or a morally morally justified morally praiseworthy sort of action and if you look at some of the cases of whistleblowing in the last you know a few years you see a lot of other motivations that might be in play in addition to the presumably you know altruistic well so the question
here this is a very interesting point from the perspective of you know goes to align yourself with the mission that you're doing and from becoming from the perspective of someone who's new in the field and trying to find a place that fits within one's ethical framework and are there any organizations that you know presumably fit a more altruistic framework you know in some cases government work is actually really good like some of the things that go on and deal we are pretty sketchy but you know end of the day making sure that a nuclear weapons laboratory doesn't have someone probing or on their network like no that's a pretty like good one I don't want anyone stealing that kind of so depending upon your sense of obligations there or whatever they're actually legitimate options I'm sure that no one wants the Department of Interior to have a bad day they don't seem to do anything too bad so like looking for options there but also you get into organizations like the Electronic Frontier Foundation although they do some things that are kind of weird sometimes trying to think of like I've know the names of them no they're all escaping me because I'm standing up here in front of all of you but you know there are a number of organizations like really vital ones from a civil society standpoint from like NGOs and whatnot then I found themselves in the cross hair of some very bad actors that I actually operate in my opinions like Belling cat was one that just popped in my mind thank God yeah that you know not only are you talking about a good mission but like there's some serious adversaries that are trying to get into those networks so that could be a fun job too but you know again it's one of those like they can't exactly pay all that wealth usually so it's very much mission must from paycheck and especially if you want to live in the Bay Area might find yourself or whatever at least sharing a house with four people but yeah okay yeah yeah I'm sorry a house like you know I 
mean I'm in a studio so enjoy your closet but but no I mean there are possibilities and really it's just investigating and that's where like having a broader view of what it's like to operate in the security space is important because it's not just a question of you know I'm going to work for a fire I a CrowdStrike or a nice set or whatever it's like you know what I want to work for you know this hospital system for example you know you can say many things especially for private health care within the United States that there are certainly many things to take issue with there but end of the day I don't want the nurses stations to get ransomware on them so that's could be an altruistic mission to have and they don't pay all that badly either so there are options once you go beyond like I have to work for a top-tier cybersecurity company into the actual organizations that need security and aligning mission in that respect so or a couple of hands over here you guys can fight thank you I happen to know and people from kaspersky in and also people from monomer time two thousand eight thousand two hundred yeah and basically that's kind of one lose big team which is have no legions absolutely none not to Israel not to Russia not to anything and that during the war between Russia and Ukraine that was actually people from kaspersky that helped Ukrainians and obviously people from Ukrainian and all this which was a clearly Russian spies so I mean all of the definition it's really like in real life it's little bit belief that it exists in fact it's not because the coder from Kaspersky Lab can be hired from wherever Russian FSB or something obligated to threaten over ever and do something but in fact and you know coming home and taking your computer and work for I don't know Trotsky or for you know for freedom for Russia or something so it's again and it's extend to UK and extend to Europe so for me it's it's a little bit I understand like if there was so fickle point of view 
it's very good questions but in practical I I don't believe it's it's really it's really big big big community which is you belong to also yes yeah exactly that's why I made sure that I highlighted exactly where I'm coming from and continuing to come from to a certain extent so I know some of that was on microphone which is still at least what I think question and really more comment was that you know you look at the example of Kaspersky for example like it or you know any of the underlying agencies there's lots of people there and a lot of them are you know diligent hard workers that are trying to fight the good fight or are fighting the good fight and you know pushing back against evil so to speak and I don't dispute that for one minute uh I don't have friends this is a holy but hey you know I don't have friends necessarily at Kaspersky but I certainly have people who continue to work there or have worked there that I've had positive interactions with and Township bullying I'd say is very close to a friend who works in their ICS practice and I know there's great people there who do good work and which is why I didn't it would be it would have been deceptively easy and constructing a straw man argument to have left that is the only example which is why I went to the fire I won as well as some of the other things that you know from the perception equals reality standpoint and whether or not some of these things are you know ground truth exists that there is at least the continuing perception in the building perception of their having some conflict of interest in terms of what obligations you face based upon what country that your company is based in and who your people are and where they come from in their background so you know even though in many cases where I don't think it's them you can look at believers the hill quoted me a few months ago on the kaspersky interview like yeah I think the US government's perfectly with its rights to say is like it when I can 
use your product." The way in which that was communicated, that was really weird, because it cast aspersions without evidence in a way that I didn't think was helpful, and that then leads to the perception that's like, well, what's really going on? But this work goes to, and I think Mr. Kaspersky has tried to do a very good job of communicating this for his own company, that, you know, "we will protect anyone anywhere anytime." Although with that statement, like, I don't think you really can do that, but I understand what he's trying to say; they are really trying to drive that message, and with the, was it a libel suit in the Netherlands, or some other legal action against what was a very bad news story. So yeah, I mean, part of this too is that, as you know, even if it's not just one of the companies that I've used as an example, there are others, like my ideas comment, that have resulted in, you know, just cementing this impression that there is a problem, and then making others, like my company for example, having to answer the same thing. It would not surprise me whatsoever if there is a non-trivial proportion of the overall security community, and especially the ICS security community, that just thinks that we're an NSA spinoff because we have so many damn people that used to work there. And so from our perspective I can definitely appreciate the problem. It's like, no, not
really. But how do I actually prove that? And it's hard; it's hard to prove a negative in this case, because it's like saying, like, no, we have no connection to this. "Well, you talk to DHS." Well, we have to; we don't have much of a choice, like, both law of the land and, like, you know, we want to make sure that they're getting some good info as well. So yeah, I mean, I definitely appreciate the point, thank you for making it, and again it gets very fuzzy very fast too. So I don't know, there we go. I'm afraid I can't really add much more than I recognize that the answer to this is more or less, yeah, it's complicated.

So, with a lot of the larger engineering firms, we'll say your floors, geez, et cetera, that are going out of their way and building up stronger, you know, network defense capabilities, but also, say, have military contracting, also civilian infrastructure and engineering contracting, also civilian infrastructure contracting in, like, mostly friendly countries, and then also majority but non-controlling stakes in countries that are mostly friendly, but they don't own the company but still oversee their operations to an extent. Where do you see all of that kind of blending in when it comes into the conflicting loyalties and obligations? Because again they don't necessarily control them, but they have...

Mm-hmm, yeah, sorry, my answer is "it depends." But no, I mean, that highlights the conflict quite nicely, is that very rarely, just like, you know, we can construct very interesting fun experiments involving trolleys and babies and whatnot, like one does in ethical research, but, you know, even the examples provided in real life could get very complicated very fast, especially in spaces where you're talking about, you know, different systems, different requirements and different levels of, you know, connectivity, and just what sort of approach you're taking. And so, you know, really, going back to the idea that all generalizations are stupid, that coming up with one definitive right answer, and I
used to be very much a universalist in scope or whatever, it's like there are right answers to these problems that apply universally at all times, and then I grew up and realized that that actually doesn't work. And so it's really about applying contextuality around individual events, and having the awareness, self-awareness as well, as an individual agent, of what's in play, what are the repercussions of a specific action, and what sort of hierarchies of obligations and needs hold at any given time, and then, you know, based upon that knowledge, both of what's around you and self-knowledge, acting in a way that you can then at least defend. Now, and that's, now I'm going to say that there are cases where there are no right answers, or it's just a question like, where do I do the least harm? And those are the ones that suck, but even then that goes back down to, like, well, what sort of a situation am I in and how does this play out? Gentleman wants to get in. You're kind of encouraging people. Okay, that's an excellent question, or really more, ya know, the question's not so much a question as a comment, but no, it was a good comment, that, you know, the idea being we've incentivized individuals to go work for organizations that end up being in murky situations or whatever, like your defense contractors or Beltway bandit sort of organizations, and this sort of driving people, if they want to be successful in this field, towards places where they might be, not necessarily being the most pleasant of environments in terms of how they feel with what they're doing, reflects something broader in society. I'm going back to the point I made earlier for the question, you know, for someone new in this environment: I think we've done a very poor job as a community in appreciating and articulating the value that a security practitioner is bringing to smaller organizations that are not traditionally associated with the security field. I know some individuals who are really good at this job that work for, like, power co-ops in Mississippi or
healthcare networks in Kentucky, and the problem is that they do a good job, they like what they're doing, they're not looking to go anywhere else right now, but if they wanted to, their experience, just by virtue of, that's like, oh, what could they have really done here, doesn't look as good as the person that's like, well, I worked for Lockheed Martin for five years or whatever and did penetration testing, was behind the fence for part of that time. Like, that guy or girl was probably getting a hell of a lot more return phone calls than the power co-op dude in Mississippi, which is unfortunate, because, you know, it also comes back to how do you start expressing this and appreciating how those different missions contribute. And, you know, for those of us who are in, you know, HR-ish decision-making chains and whatnot, it's really having a broader scope when looking at resumes, for example, or, you know, trying to reach out into the community, of making sure that we're, you know, recognizing these people, understanding their contributions, and making sure that we're mentoring junior people to appreciate that, hey, you don't need to work for the big, you know, flashy company with the offices in DC, London, Singapore and Dubai or whatever. You can go work for Adventist Health System or for, you know, something else or whatever, and you can get a hell of a lot of experience there, and maybe you're aligning yourself to a mission that you can better, you know, support personally as a result, and it's not gonna hurt you professionally. We're not there yet, unfortunately.

So the question was, yeah, that company X developed security solution Y for country A, but as a result of the contract under which company X is working with country Y, they cannot transfer the intellectual property behind that solution to any other entity, and it just so happens that intellectual property could be very useful in helping a lot of people out. It depends, but from the way that I approach the problem, I look at that as being a very much
suboptimal solution in terms of making the world a better place for everyone. Having said that, I could see that, well, you know, there's also the case that not all networks are equal, so maybe we want to make sure that, you know, the network environment that's holding weapons design and test results for the nuclear arsenal, and it's this really special security solution making it unhackable, that's a word of Miller in the hallway and get some attention, it's not a Bitcoin wallet, trust me, or whatever cryptocurrency wallet, but, you know, maybe from that case, again depending on how you want to frame the problem, that, well, some networks are more important than others, and making sure that that level of protection is there, and then is not revealed for others to muck around with, might actually have something to be said for it. So, and it really does, you know, go back to the case where it's like there is no one-size-fits-all answer to that; it really depends. But overall I would say that the burden is on the entity asking for that restriction to prove why that restriction is necessary, more beneficial than the opposite. So yeah, I
mean, again, it depends on, like, not only who are you, but which way are you approaching the problem, that there are different ways of, you know, where do my obligations lie. But yeah, I know, time to kick me out.

Yeah, we have time for one more question. Does anybody have one more burning question? Yeah, oh yeah, sorry, and as a heads up, these talks will be online; contact information for our speakers will also be online. Yeah, so we have time for one more question.