Security Nation, Episode 4

How Beau Woods and Meg King Promote Collaboration Between Policymakers and the Cybersecurity Community

August 02, 2019

 

In this episode, Beau Woods of I Am the Calvary, the Atlantic Council, and Stratigos Security and Meg King of the Wilson Center discuss their mission to improve collaboration between policymakers and the security community and better educate congressional staff on industry issues. Central to this mission is immersing congressional staff in the tech world by having them travel to Hacker Summer Camp in Las Vegas so they can learn and absorb all things cybersecurity.

Learn what it takes to put a program like this together, what challenges Beau and Meg have encountered along the way, and what advice they would give people who want to get involved and work with policymakers.

We also chat with Patrick Kiley of Rapid7 about his recently released research on the security of CAN bus systems in small aircraft, and Tod breaks down what you need to know about RDP and BlueKeep.

Appears on This Episode

Jen Ellis
Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Patrick Kiley
Patrick Kiley
Senior Security Consultant, Rapid7

Patrick Kiley (GXPN, GPEN, GAWN, GCIH, CISSP, MCSE) has over 15 years of information security experience working with both private sector employers and the Department of Energy/National Nuclear Security Administration (NNSA). While he was with the NNSA, he built the NNSA’s SOC and spent several years working for emergency response and management teams. Patrick has performed research in Avionics security and internet-connected autonomous vehicles, and CAN bus.

Beau Woods
Beau Woods
Cyber Safety Innovation Fellow with the Atlantic Council, a leader with the I Am The Cavalry grassroots initiative, and Founder/CEO of Stratigos Security
Beau Woods is a Cyber Safety Innovation Fellow with the Atlantic Council, a leader with the I Am The Cavalry grassroots initiative, and Founder/CEO of Stratigos Security. His work bridges the gap between the security research and public policy communities, to ensure connected technology that can impact life and safety is worthy of our trust. He formerly served as Entrepreneur in Residence with the US FDA, and Managing Principle Consultant at Dell SecureWorks. Over the past several years in this capacity, he has consulted with the energy, healthcare, automotive, aviation, rail, and IoT industries, as well as cyber security researchers, US and international policy makers, and the White House. Beau is a published author, frequent public speaker, often quoted in media, and is often engaged for public or private speaking venues.
Meg King
Meg King
Strategic and National Security Advisor to the Wilson Center President and Coordinator of the Science and Technology Innovation Program (STIP)

Meg King, the Strategic and National Security Advisor to the Wilson Center President and Coordinator of the Science and Technology Innovation Program (STIP), guides and manages the work of the executive office, while overseeing cutting-edge training programs to equip generations of Congressional staff with cybersecurity skills. A former senior staff member on the House Homeland Security’s Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, she has written on topics ranging from ISIS hackers to encryption.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


View all Security Nation episodes

Podcast Transcript

Jen Ellis: Hi, and welcome to this episode of Security Nation, the podcast where we talk to people who are advancing security in some cool and interesting way. This episode, we are going to be talking to Meg King and Beau Woods about how they are building opportunities for policymakers to collaborate with the security community out at the events in Vegas next week. I am your host, Jen Ellis, I am Rapid7's VP of Community and Public Affairs, and as usual, I am joined by my amazing co-pilot, Tod Beardsley.

Show more Show less

Tod Beardsley: Hi everybody.

Jen Ellis: Hey Tod.

Tod Beardsley: Hey.

Jen Ellis: How are you doing?

Tod Beardsley: I'm great.

Jen Ellis: So before we get into talking to Beau and Meg, we are going to do the Rapid Rundown, where you tell us what is going on in the world. And I think that this episode, one of the things we want to talk about is actually one of the things I'm most excited about for Vegas next week, which is that this year, for the first time ever, there is going to be an aviation village at DEF CON. So like a village focused on the security, the cybersecurity, of aircraft. Which I think is super cool. We are going to start off by talking about an aviation research report that Rapid7 put out in conjunction with DHS just this week. We have a special guest, Patrick Kiley. Patrick, welcome.

Patrick Kiley: Hi there.

Jen Ellis: Thank you for joining us. Can you introduce yourself quickly?

Patrick Kiley: Sure, my name is Patrick Kiley. I am a senior security consultant with Rapid7 on the penetration testing team. I am also a pilot and I am building my own aircraft.

Jen Ellis: Wow, that is amazing. So Patrick, you did a thing this week, you released some research. You and DHS, I heard that they also issued an alert. So tell us about it, tell us about the research.

Patrick Kiley: So a few years ago, I was at an aviation-related airshow, down in Florida. I was talking to some people that were building an aircraft similar to mine and they were talking about the avionics that they put in and how it used CAN bus. So, my ears immediately perked up, as I had been researching CAN bus as it related to automotive vehicles, as used in cars. And I started to wonder if the same vulnerabilities that surround CAN bus in automotive segments also applied to avionics, as they're implemented in those scenarios.

Jen Ellis: Two very quick questions. What are avionics? And what is CAN bus?

Patrick Kiley: So avionics are the instruments that a pilot uses to fly an aircraft. Everything that is displayed to the pilot, kind of on the instrument panel in front of them, are considered avionics. That includes the radio, GPS, the instruments that measure your air speed, your altitude, your attitude in space, you know whether you are pointed up, down, sideways, are your wings level, and a bunch of other of those types of instruments. As well as the instruments that are used to display what is going on with your engine.

Jen Ellis: Okay, all right. So kind of a big deal.

Patrick Kiley: Yeah, so CAN bus is a networking technology built in the '80s primarily designed to run automobiles, that is easy to implement, it only uses two wires. It allows a bunch of devices on a network to communicate with one another. It's lightweight, it's relatively inexpensive and easy to implement, and it is resistant to noise, it's resistant to EMI.

Jen Ellis: I mean it sounds kind of great, but I'm guessing from the fact that you've released research on it that it's not all that.

Patrick Kiley: Yes, and there is a lot of research already. I won't go over that, the stuff that are problems with CAN bus and how it relates to automotive technology. I wanted to see if those same problems applied to CAN bus as it was implemented in avionics. It turns out, surprise, it's the exact same problems. However, the effect, you're not on the ground, you can't just pull over if your plane starts to malfunction, you have to find somewhere to land. The impact of a problem with CAN bus, when it came to avionics, could actually be much more severe.

Jen Ellis: So that all sounds pretty scary, should people be scared?

Patrick Kiley: No they won't, because one of the biggest things about CAN bus is to gain access to CAN bus you have to be on the CAN bus. You have to physically connect a device to the network or compromise a device that is currently connected to the network. That is hard to do.

Tod Beardsley: There are regulations, there's laws, there's plenty of security around most airports and air bases. So the defense against all of this is physical security. That said, we are network people. Right? Physical security tends to not be good enough for folks like us.

Patrick Kiley: Yes, and it shouldn't be the only single line of the defense. One of the biggest things in our industry is defense and death.

Tod Beardsley: Physical security can and should be a control in place on CAN bus, but it shouldn't be the only control. We should have other additional compensated control in place.

Jen Ellis: All right, that makes sense. I mean obviously it's serious enough that the DHS felt that an alert was warranted. What is their angle on this?

Patrick Kiley: Yeah, so basically they are trying to get ahead of it. So basically the companies that are deciding to implement CAN bus within avionics consider that they don't use physical security as their only sole means of control. Because eventually someone will be able to bypass it, someone will compromise a device on the network, through something that is connected, because planes are going to become more and more interconnected as we get further along in this industry. These systems when they are implemented tend to stay in place for decades. With cars the lifetime is may ten years, but with planes it is much much longer. We are trying to get ahead of this so that as these technologies are implemented, then engineers are aware of this and they build in additional compensating controls, so that physical security is not the only protection.

Patrick Kiley: When CAN bus was originally designed, they never planned on interconnected vehicles. It's just like when SCADA came out. When SCADA came out, they never planned on the SCADA systems ever being accessible from the internet. The same thing exists with CAN bus, now vehicles are becoming interconnected. You can get to them via WiFi, you can get to them via Bluetooth. Eventually we could be looking at some technology that no one has even thought of yet when it comes to aircraft, and that is one of the reasons why we want to get ahead of this today, is because if some day we have interconnected aircraft, and these interconnected aircraft all have CAN bus, that could become a nightmare scenario very quickly. So, we want to get ahead of this quickly.

Jen Ellis: So, it sounds like what you are going for here is really trying to spark more of a conversation around cybersecurity in the aviation industry, is that fair?

Patrick Kiley: Absolutely. When I came up with the idea to do this research, I started to do some of my own research. Okay, what has already been written about this? And I didn't find anything. I didn't find anything written about any of the avionics-related network technologies out there, and there are many.

Jen Ellis: So you think what we really need is a little bit more discussion, a little bit more investigation, and a lot more transparency.

Patrick Kiley: Absolutely, that was my whole goal with this report is to basically start the discussion so that our airplanes can be more secure than they are today.

Tod Beardsley: Yeah, I mean fundamentally these protocols were developed in a time where we don't imagine an adversary on the local network, right? We know today that adversaries do show up on local networks, regardless of physical controls. So this is the time to really start talking about this. I mean five years ago would have been a great time, but today is the second best time to start thinking about CAN bus in avionics.

Jen Ellis: Awesome, so people should come and check out the research paper, which I am guessing they can get from rapid7.com/research. Is that right? And so if they want to know more they should come to the Aviation Village at DEF CON.

Patrick Kiley: Yes, they should definitely come to the Aviation Village. This is the first year ever we are going to have the Aviation Village. It is going to be in a big space, occupied by also the Car Hacking Village, and several of the other villages at DEF CON.

Jen Ellis: That was nice, I feel like maybe your also involved in another village that you may have just given a plug for. Very smoothly done, well done. So yes, do check out the Aviation Village, the Car Hacking Village, IoT Village, we will have Rapid7 people at it. All of the villages, we love the ICS Village and the Biohacking Village. Special shoutout to the village people, all of them. We love you.

Tod Beardsley: Voting Village as well.

Jen Ellis: Oh yeah, Voting Village.

Tod Beardsley: If you are not into planes and are into democracy, come by the Voting Village. You could do both.

Jen Ellis: You can be into both at the same time. Yes a quick plug, Tod is going to be speaking at the Voting Village, so definitely check that out. All right Patrick, good luck with the research. Thank you for coming and talking to us about it. We really appreciate it and we look forward to seeing you at the villages.

Jen Ellis: Tod, what else is happening in the world at the moment? Do not say Capital One. There's been way too much coverage on this. Let's not go into it. I hate the whole like shaming the victim thing. Let's just relax.

Tod Beardsley: So, aside from the Capitol One trash fire, that is everything about the Capitol One story, the big thing I want to talk about this week is... I've talked about it before, RDP and BlueKeep.

Tod Beardsley: Very quickly, there is a bug in remote desktop protocol that is common on Windows and more common on pre-packaged Windows. So things like point-of-sale systems, and medical tech, and other things that run like old-timey Windows XP. RDP has a big bug. It's cool though, right? 'Cause it's been patched. It was patched on May 14. The patch was issued but as we know from from other lessons in patching, not everyone gets the patch on the day that it's released.

Tod Beardsley: When this airs on Friday it will be day 80 after the patch. I am going to make a very rare prediction that we are staring down the barrel of an RDP disaster. There are millions of RDP endpoints exposed on the internet, millions more on the internal networks. All it takes is one phishing email and your RDP servers are are going to be exposed to bad guys.

Tod Beardsley: We know about at least one commercially available public exploit and probably three or four others, like privately held exploits. So, it is now... Like that clock. I don't even want to say the clock is ticking. The clock is done. If you have not scanned and patched for your RDP, stop what you're doing. Stop listening to this podcast and go do that because it is coming up.

Jen Ellis: The net here is the people need to be patching.

Tod Beardsley: Scan and patch. It's a matter of keep it secret, keep it safe. Take your RDP off the internet and patch it when it is.

Jen Ellis: Nice. I like it. Advice to live by. Hooray. Okay, I think that that's the Rapid Rundown, right? We were not as rapid as we could have been and we have now run down.

Tod Beardsley: I feel pretty run down.

Jen Ellis: All right. Me, too. Let's talk to Beau and Meg, they'll make us less run down. Thanks Tod.

Jen Ellis: So in this episode we're joined by two awesome people, Beau Woods and Meg King. Beau is one of the driving forces behind I Am The Cavalry, which I'm sure he'll tell us a little about in a bit, but if you're not familiar with that, iamthecavalry.org, go check it out. It's one of my favorite all-time things in the security community and well worth getting involved in. Beau is also a fellow of the Atlantic Council, which is an international think tank, and he's the CEO and founder of Stratigos Security. And I managed to say it correctly, I think, I hope, did I say it correctly, Beau?

Beau Woods: Yes.

Jen Ellis: Yay! I have a long tradition of screwing this up, so yay for me. Meg runs the Science and Technology Innovation Program at the Wilson Center, which is also an international think tank, or I might be characterizing that slightly wrong, but they do good work in the policy world and have done some great things to help educate congressional staff on cybersecurity, which is really the theme of our chat today.

Jen Ellis: It's all around how we build better collaboration between policymakers, particularly those on the hill but not, not limited solely to, and the security community and specifically how Beau and Meg have been leveraging the opportunity presented by Hacker Summer Camp, which is coming up, to create better opportunities to build education and collaboration between those two groups, policymakers, and the security community. So welcome Beau and Meg, thank you very much for joining us.

Meg King: Thanks for having us.

Beau Woods: Happy to be here.

Jen Ellis: Are you both like unbelievably excited about Vegas or just a bit exhausted?

Meg King: Both.

Beau Woods: A little of A and a little of B.

Jen Ellis: I resemble that remark. Okay. So why is this a thing that you guys care about? Why the whole like let's meet, let's be nice friends between policymakers and the security folks?

Meg King: So we at the Wilson Center and we've now partnered up with Beau, have a mission. And that is to get actual knowledge to those who need it. And No. 1 on that list are policymakers who are, for the most part, well-intended, politics aside, and want to understand how they can make our country better and more secure. So they need to understand how technology works in order to both create useful legislation and oversight, and to prevent bad legislation and bad oversight.

Jen Ellis: Amen to that. Yup.

Beau Woods: Yeah. And I'd just kind of add to that that, you know, if you rewind the clock like 10 years, most people in Washington couldn't even spell "cyber" and didn't know that like infosec was even a thing except for the annoying training that they had to take every year, which I think we can all empathize with.

Beau Woods: But in the last five years, it's really, it's becoming, you know, the tip of everybody's tongue here in D.C. I moved here in 2016 to work at the Atlantic Council. And you know, my perception coming here, even having engaged with some public policy people, is that it would be hard. It would be an uphill battle. You know, it was all about money and power. But one of the things that I've found is that actually, you know, members of Congress and people in agencies and congressional staffers, they're actually some of the most receptive audiences you can have because they want to get things right.

Beau Woods: They know the great obligations they have, you know. A lot of cases, especially in agencies and for the staffers, they're making well below industry salary to come and do something that they think is really important. So in some ways they even resemble some of the security researchers in the infosec community that you might know and love. And I think, you know, right now we're at a time in history where security researchers can make a huge impact. Folks in the information security community can make a huge impact by engaging in policy. And there's an open invitation, more or less, from D.C. to go do that. So if we don't step up and if we don't become part of the solution, then they'll look to others who merely fill the void with whatever agendas or bad ideas that they have. So it's kind of incumbent upon us to do what we can to make sure that the policies that we're setting today, or avoiding setting today, are the best that they can possibly be.

Jen Ellis: Awesome. I completely agree with everything you just said. I love it. So tell us a little bit about how you guys are leveraging the opportunity of Hacker Summer Camp, Black Hat, DEF CON, BSides, which is coming up in just a few days.

Beau Woods: Don't remind me.

Jen Ellis: There's no escaping it now, Beau. How are you making the most of that opportunity?

Beau Woods: Yeah, so a couple of years ago with the Atlantic Council, I started a thing called D.C. To DEF CON. The idea was we wanted to get a couple of the members of Congress to come out to DEF CON and get completely, fully immersed to engage with the hacker community and say, "Hey, these guys are not so weird other than, you know, their hair and the way that they dress." But you know, we all want the same thing. And there's actually an untapped resource out here.

Jen Ellis: I'm sorry, I'm sorry. I have to, I have to stop you there. I'm sorry, they're not so weird?

Beau Woods: Well, okay. I mean they're weird, but in, in superficial ways. Well, all right, always.

Jen Ellis: You mean they're not harmful.

Beau Woods: Mostly harmless!

Meg King: And you think policymakers aren't weird? Come on now.

Jen Ellis: Oh, we set standards for weirdness, come on. All right, please continue.

Beau Woods: But the idea was to immerse the policymakers in this environment where they could really learn and just absorb. And one of the things that we learned after doing that is that by spending, you know, 24 to 36 hours in a single headspace, all of the other good advice that they had had kind of snapped into place in their minds. Right? So it was an amplification effect of the things that they were already learning. And then they were able to go into conversations with people and call BS. Right? Say actually, you know, I've met a bunch of the people out there, they have a different opinion than that. And that can be a good thing. Like I can learn from them and bring that into my policymaking. And Meg, last year, brought even more staffers. I'll let her talk about that program. But so we said, look, we're two great tastes that taste great together. Why not combine forces and start working on this as a collaborative effort to get even more people engaged, involved from all sides from all of the different communities?

Beau Woods: And I think we've got something that's really amazing this year in the D.C. to DEF CON are bringing policymakers out. Also working with the BSides Las Vegas Conference, which is probably my favorite of the three in terms of just the people that show up to run an event called Public Ground, which is a dedicated track where we've got one- to two-hour sessions, mostly focused on public policy-level topics and with some of the folks from D.C., the folks who are making and informing policy every single day, to come and engage and have those conversations with the security researcher community, the infosec community out in our domain.

Jen Ellis: So if people want to find out about what's on the agenda for Public Ground and get involved, how do they go about doing that?

Beau Woods: Yeah, bsideslv.org and go to schedule and check out the list of talks going on and roundtables going on at the public ground as well as the I Am the Cavalry talk, we'll have a lot of public policy stuff going on there as well.

Jen Ellis: And can you just briefly give us like a, you know, the 30-second elevator pitch on what I Am the Cavalry is?

Beau Woods: Yeah, sure. So I Am the Calvary is a global grassroots initiative from the security researcher community. Basically a bunch of hackers who said our dependence on connected technology is growing faster than our ability to secure it in areas impacting human life and public safety. So unlike a lot of the privacy or confidentiality things that we've done in our careers, this is a space where, you know, people can die and that has consequences on a more national and global scale. So as we saw that, you know, by and large the cavalry wasn't coming, you know, no matter who we talked to, there wasn't this like, you know John Wayne coming in at the end of the movie to save us all from innovating ourselves off a cliff with all this new technology adoption.

Beau Woods: We said, if no one is coming, if the cavalry isn't coming, then it falls to us to be the technically literate voice of reason. Passionate individuals trying to work proactively and positively through the existing system to get things fixed faster than they would be otherwise. That's been going on about five or six years now. Actually this is going to be our sixth anniversary. And we've had a huge amount of impact and influence in actually changing things for the better, not just in policy but also in industry and setting standards and doing things like that. So it's a really cool thing. Jen, you mentioned the URL, but iamthecavalry.org come over and check us out and you know, maybe get involved with the mailing list or Slack channel or what have you.

Jen Ellis: Awesome, thank you. And I have never wanted to be able to do a John Wayne impersonation more than I do right now. Unfortunately for everybody, I'm not so talented. Nobody needs to hear that, and I'm bashful, you know. So Meg, I'm pretty sure that what I heard Beau say is the basically you're doing a thing he did but better. That's what I heard. Right? So tell us about that. Tell us about what happened last year and how you're building on it this year and what the plan is.

Meg King: Sure. Well to take a step back, cause or correlation, Beau, our program's been around for five years exactly. So I'm just saying cyber is now on the agenda. That's why we've teamed up. So we've not actually knowing about Beau's efforts to bring members of Congress, the Wilson Center's programming focuses on congressional staff, although the idea is that when their bosses need, or are interested in training, we go and we do personal trainings for them.

Meg King: So the idea is that, I hate this term, but I haven't come up with a better one. The knowledge trickles up and as a former hill staffer, I know what kind of resources they have and what they don't. And so we have all, we have three times a year or six-week programs on cybersecurity, but as well as other emerging technologies, and to be eligible for our study trips like the one we took last year and then when we came in this year, you have to have gone through our whole programs. So you have to be dedicated, and you have to have a knowledge base. So we're not just bringing staff out to DEF CON to have fun. They have to have a dedicated amount of time learning this-

Jen Ellis: Do they know this? Have you told them? Have you said it's not all going to be Vegas?

Meg King: The itinerary that we've put together, it's brutal. We have breakfasts, and early hours, we have dinners. It's kind of an, you don't sleep at DEF CON but you really don't because we make you work.

Meg King: So last year we brought about 15 or so staffers and we're bringing about the same this year as well as this year we're bringing members. And so last year, not to name names, but we had some senior staff who were blown away by what they saw.

Jen Ellis: In a good way?

Meg King: In a good way, absolutely. Blown away by the opportunities that they had been missing by not coming to DEF CON, the chance to talk with the infosec community, to literally sit side by side and have them walk through how to hack your car, how to hack…they had those mobilized scooters. They sat in on the social engineering village, which was surprising to them. And you know, and they came back and they were just absolutely raving. They took videos, they showed their bosses, their bosses got excited and a lot of good ideas came out of the conversations that they had there, and were integrated into their work on the hill. And one thing I want to mention is that not only were they able to kind of, you know, be human, and develop relationships with a new kind of community, but it's also helpful to explain, you know, we're real people too policymakers, despite being possibly weird. We're not.

Meg King: But that, but also to explain things that you know, may not make sense. You know, for example, what I was going to say is that Congress, you know, there are lots of problems with it politically or otherwise, doesn't just pass bills or attempt to pass bills. I mentioned oversight earlier. There are a lot of levers of power that can help in specifically this challenge, including everything from, you know, going to the press when there's a major problem. If they can't get something done politically or, you know, careful investigation of a problem that the infosec community cares about, or you know, writing letters to agencies that aren't doing things in the right way, or communities. So there are a lot of things that Congress can do and I know they're often written off, but there's a mutual benefit to bring the staff out to DEF CON and we saw that in action last year and are excited to bring them back this year.

Jen Ellis: Yeah, and I have to say Meg, you know, all joking aside, like I have definitely heard from some staffers who came on the trip last year who are planning on coming on their own dime this year because, as you say, they were blown away by it in a good way and did realize that there is a lot of opportunity here. So you know, thank you for bringing these people out. And you know, Tod and I were talking on the last episode about how one of the things that we look forward to the most are the villages, Tod was talking about which villages he's getting involved in. It sounds like the villages are going to be on the agenda for you guys. Any particular villages that you're super excited to show them?

Beau Woods: I'm really excited to show them the Lockpicking Village. I think somebody called that the gateway drug to cybersecurity and to really like understanding that every security measure is defeatable. So that's one of my favorites. I'm also really partial to the Biohacking Village because I'm helping to run it.

Jen Ellis: Oh, that's so funny, Beau, really? You like the Biohacking Village?

Beau Woods: I don't know why. That and you know the Aviation Village, ICS Village, Maritime Village, you know. But I think, you know one of the things that I've, that we've seen in a shift in the last few years, at least for some of the villages that I've been working with is that policy folks are interested in these topics now. So aviation security obviously has been a big topic over the last couple of years. And healthcare, medical device security has been a big topic in D.C. for the last couple of years as well. So I think there's a good nexus in some of those areas to talk about the subject matter expert, or the subject matter areas in a way that public policy makers really want to know. They want to get more information cause they know that these things will be coming up in the next session of Congress, for instance.

Jen Ellis: Right, right.

Jen Ellis: So, it sounds like you've got a lot of good stuff lined up for the D.C. folks to get involved in and to create better collaboration opportunities with the community. What have some of the challenges been on pulling all of this together and getting to this point?

Beau Woods: Myriad! So, I mean just, you know, as you can imagine trying to get time on a member of Congress's schedule to fly out to a place that they wouldn't normally go even in the best of times, in probably the worst of times in the middle of the summer in the middle of the desert, has been difficult. But you know, there's been a huge amount of interest in the policy folks to come out and you know, some of them like have been planning for a year in advance to make sure that they were able to make time and some canceled other things that they were doing to be able to come out.

Meg King: Or are taking red eyes to get back to things they have to get to. That's dedication.

Jen Ellis: That is dedication.

Beau Woods: That really is. But yeah, I mean it hasn't been the challenge of trying to convince people to come. It's been the challenge of trying to get on their already over-busy schedules in, you know, the run-up to an election next year when everybody's trying to make sure that they've got the right schedules when they're back in their home territories to be able to campaign and to see the outcomes that they want.

Jen Ellis: And Meg said something right at the beginning, she said, you know, it was a sort of a throwaway comment. You said politics aside. How when you're like doing stuff like this, when you're bringing policymakers out, particularly when you bring congressional members out, how easy is it to put politics to one side? How, you know, how feasible is that to focus on policy, not politics?

Meg King: Very. That's the whole point of getting them out of Washington and we've seen this even in our own program, which is at the Wilson Center between the White House and just on Pennsylvania Avenue actually down from the Capitol. When you get people behind closed doors, they actually, some of them are friends with each other, they talk, they come up with ideas. But politics is the art of the possible. And so the problem is when you have to go back into the spotlight and you're accountable and there is this kind of polarization that we're seeing, which is regrettable, but it's kind of, it's what we have right now. And so when you get staffers, when you get members outside of Washington, they usually have an opportunity to come up with some ideas that they want to work on together. It is possible to come up with some good policies. It's just a matter of figuring out how to make them fit into reality. And it's not easy, but it's doable. And the nice thing is about this topic, it's a little far less partisan than many others.

Beau Woods: Yeah. And I'll say we did extensive research on the members, or I did extensive research. Meg already knows a lot of their positions. To make sure that they'd be the right, not just policy positions. Not just that they had an interest in security, but that they'd be the right personality fit to be able to, you know, fit in with the group that, let's face it, we are kind of weird. All right, I'll admit it. That's fine. But you know, there's definitely some members who in talking with staffers and others, they're like, oh yeah, that person really wouldn't fit in there but this other person would be great. You know, they're young, they're vibrant, they're super cool. So I think I take a lot of pride in the fact that we tried to match personality, not just policy position.

Jen Ellis: Great.

Tod Beardsley: Yeah, that does bring up a question I have specifically for Meg. Like how would you characterize the, you know, the staffers that you do get to, that do get to come out to Vegas? Are these like first-year dewy-eyed interns who already know everything about Instagram, or are these 20-year career, you know, insiders like, or is it both?

Meg King: So we have maybe one or two. No, actually we don't have any, we have, they're right in the middle. If I had to kind of give a generalization, you have to have gone through our course. So that means you're pretty dedicated and already a little bit on the nerdier side of the staff continuum. And to do that you have to get a letter of recommendation from your boss, your member of senator, which is not small thing to do to just get through the program. And then you have to apply to our trip and we have a huge waitlist. And so you have to really be dedicated to this enterprise to get out.

Tod Beardsley: Really?

Meg King: Yeah.

Tod Beardsley: So it sounds like there's a lot of appetite here.

Jen Ellis: Yeah. And by the way, like congrats on having a waitlist.

Tod Beardsley: Yeah, exactly. Good job.

Meg King: We had staff last year who asked to be on the waitlist just in case there was a last-minute dropout. I said there won't be, but sure. Because we're not going to bring them back if they've already been out there. I mean they're welcome to come and join us, you know, like Jen said, on their own dime. But you know, we want to make sure we're giving this opportunity to as many people as we can to be as impactful as possible. So they're a really smart group, a nice blend of both parties, a nice blend of women and men. So they're on the rise. They are in important positions to influence policy. This group in particular that we're bringing out. It's funny, my theory was that committee staff, and this, tell me if this gets a little boring and weedy, but it matters. Committee staff, you've got committees have and then you got personal staff on both Senate and House side.

Meg King: So personal staff are the people who are dedicated directly to the senator or the member. And committee staff get to spend their time just focused on a particular issue like cybersecurity. And so I thought they have plenty of resources. They have lots of money. They do this all day long. But in the end, in the last minute, you know when you're on the floor and it's midnight and you're passing the national defense authorization act in there are about 50 amendments, your boss is going to turn to you if you're on the personal staff and say, explain what this means and which way I should vote. And that's not where the committee staff sits. So I, our program is focused on personal staff because they just have fewer resources and so much more to do. And so they needed this more than the committee staff. But it's funny that committee staff have been knocking on the door, actually banging down the door asking to be part of this program and to come out to DEF CON because everybody has gaps in knowledge. Right? And so it's been kind of interesting to see that.

Tod Beardsley: And like DEF CON is, you know, the biggest one around. Right? I'm curious, are you looking toward or already have plans to visit some more regional conferences? You know, I spent some time with Beau at THOTCON in Chicago just a couple of months ago. One of my favorite regional conferences. And I'm curious like if you have any designs on some of these, like smaller, more intimate conferences for staffers.

Meg King: As much as Beau I think would love to expand, the part, the, this all goes back to the art of the possible. It's not just in actually making policy, but it's the calendar and the schedule. We stick very closely to the congressional calendar and we do our study trips during recess. So if you can find a conference during a recess, let me know. We'll organize a group. But it all has to do with the congressional calendar.

Beau Woods: And we've also, so I've talked with some of the folks at BSides Global as well as some of the people in like governor's offices and some of the regional offices that the members have. And I think there's an appetite, you know, and I think there's a possibility of like connecting with all of the different Bsides that are, going on to some of the local chapter or some of the local offices, you know, government, you know, state local as well as federal to bring more of that cross-pollination. You know, plus being in D.C. we've got ShmooCon that happens and Jen, I know you've had some staffers to come to ShmooCon and give talks, which I think has been really eye opening for a lot of people even who live in the D.C. area to you know, get to talk and engage with somebody who you know on a day-to-day basis is informing national policy discussion.

Meg King: Which is interesting and something that you guys should kind of keep in the back of your mind. When I was a staffer, I'm not even going to say when, and I'm not that old, but still you were forbidden, and it wasn't just my office, from speaking publicly and that has been a big shift. Partly I think because of social media and partly just because staff are increasingly so important as there's so many issues on the agenda that staff are now regularly speaking at conferences and at meetings and are representing their bosses. And that is a huge change. And it means that you've got more people who can have a more productive conversation.

Jen Ellis: Well one of the things I, so I completely agree with you and I do think it completely changes the dynamic and one of the things that I like to do as well is even if it's not staff speaking at a thing, Schmoo is a great example because it's in D.C., I like to basically just be like there are going to be, you know, five congressional staffers in the bar between this time and this time and we have a giant table and you just come chat with them and it's super informal, and we've seen it be really, just really popular. Because you know, people can self-select if they're interested. And it takes some of the pressure off. It's just a very relaxed thing. Staffers love it. They get to talk to people who are really working in security and hear about the stuff that they care about and worry about. They get to hear where all the like misunderstandings or misinterpretations are. And you know, step in on some of that stuff. They seem to really enjoy it and I'm always like amazed by how much they're willing to give up their weekend time to do it, but they seem to appreciate it. So I think it's a win-win, honestly.

Jen Ellis: So tell, tell us like for people who are going out to these events in Vegas and they want to figure out like how do I participate in some of the stuff or how do I like get involved in policy conversations? What are the things that they should be doing? By the sounds of things, one is they should be checking out the public ground track and the I Am the Cavalry track if they're going to BSides. And I think it's worth noting for Public Ground, you don't actually necessarily need a BSides badge, is that correct?

Beau Woods: Yeah, that's right. For Public Ground and for I Am the Cavalry have kind of a hack on the system to be able to get folks in who don't have a badge. And we did that, you know, to make them more open for government folks who sometimes have ethics rules and other things. So you know, come on out, find a Public Ground discussion you want to get involved in. Something that interests you and go, you know, either be a fly on the wall or dive into the conversation.

Jen Ellis: And also like having looked at the agenda, one of the talks in the Cavalry track that I'm most excited about is we have a couple of guys from DHS and OMB, the Office of Management and Budget, who are going to come out and talk about how the U.S. government is currently thinking about building a program for vulnerability disclosure for all civilian federal agencies, which you know, for a lot of people who work in security and particularly people who work in security research, the idea of more and more entities, whether government, or otherwise having a VDP is a thing that they care about a great deal. And it's a sort of watershed moment that the government is looking at this really seriously and saying like, this is something we should have and we should make sure that all of the agencies have one. And like thinking about how they do that from a pragmatic point of view. So I highly recommend that.

Jen Ellis: And as usual, I like to give a shout-out to my British colleagues. So I'll say as well that Richard Manning's coming over from NCSC in the UK government. He's going to be talking about what the UK is doing around IoT security and he will be running both I think a Cavalry session, then a Public Ground conversation. And then he'll also be doing something in addition, which I want to mention quickly, which is the Hewlett Foundation, who play a huge role in all of this stuff by basically writing those checks. They are, they're very big supporters of advancing cybersecurity policy in productive and helpful ways. And so the Hewlett Foundation have a suite during DEF CON and they use that suite for people to host sort of informal discussions on policy or policy-related topics.

Jen Ellis: So they are sending out their full agenda of sessions I think in the next week or so. But I do know that there will be one with the Department of Justice, which is we're calling it the DoJ Salon mainly because I knew it would wind Leonard up if I used the word salon. So that will be what it is, which is a super informal like come hear about how the relationship with DoJ has changed, what like come talk about any challenges that you think still exist. What are you mad at them about? And then let's talk about like opportunities to sort of improve and collaborate going forward. So that is, I believe 3:00 to 5:00 p.m. on Thursday, Aug. 8. And then Richard's one for the NCSC on IoT security, which may be UK-centric. But if the UK legislates it will have an impact for the U.S. So it's not, you know, it's, it'll have an impact for the U.S. It'll have an impact for the EU. It'll have an impact for every country because we live in an interconnected world and we're talking about the internet here, which is not, you know, it's not regionalized in the same way. So it is relevant.

Jen Ellis: That talk, that Hewlett Session will be I believe 11:00 to 1:00 on Thursday, Aug. 8. So if you are interested in participating in those, I think probably check out Hewlett's website. That's the Hewlett Foundation. Not Hewlett Packard Enterprise. Do not go to their website. That's not going to help you.

Jen Ellis: So there's a few things that I am aware of that people can come to. What are the, what are other ways that people can get involved?

Meg King: Well, we've got a mainstage talk on Aug. 9 at 10 a.m.

Jen Ellis: Oh my God, how did I not give a plug for that? Oh, it's because I'm terrified. That's how. So tell us about that Meg.

Meg King: Well, there's this exciting person named Jen who's going to lead the conversation. So we've got a 45-minute slot at 10 a.m. that congresswoman, former congresswoman Jane Harman, who runs the Wilson Center, is going to moderate. Jen and a guy named Space Rogue and two members of Congress, Congressman Langevin from Rhode Island and Congressman Lieu from California. And it's going to be a pretty cool kind of conversation, breaking down a specific threat, and then how Congress might react to it and then kind of at the end figuring out what Congress can do better.

Jen Ellis: It is highly entertaining to me that it doesn't matter how many times I brief congressman or meet them in some capacity or other, the idea of being on a stage with them always fills me with like a, do people not know that I'm five years old? Do they not know? It's very, it's like there's like this like naughty child inside of me that thinks I'm just going sit onstage giggling. And then I'm like, no, I'm going to have to like try not to do that. So yay! And a special shout out Space Rogue, who is hopefully going to help me look like an adult in some way, shape, or form. So yeah, check that out. That is 10 a.m. on Friday, Aug. 9 at DEF CON. And thank you for organizing that, Meg. We really, really appreciate it. I will try not to make you regret it too badly.

Jen Ellis: Is there any other advice that you would have for people? Like whether it's at the events in Vegas or whether it's just in general, people who want to get involved and work with policymakers and they're not really sure how to go about it?

Beau Woods: Yeah, I'd say reach out, right? Reach out to the district offices or you know, to a state and local group. Or even, you know, your member in D.C. and just say, hey look, you know, here's who I am, here's what I do, and I'm interested in helping. I think there's a feeling that those types of folks in those types of offices are unapproachable, and that's just not the case. You know, they'll take help, they'll listen to you. Even if you go and talk to them for a half an hour and it seems like, you know, they're distracted, well maybe it's because they had something, you know, 15 minutes before that just really shook them on a national security stage or something like that. But you know, they're highly inclined to potentially reach out the next time they have a question and say, hey, you know, we've got the CEO of this company and the CEO of this company talking to us about these issues, but we just want an independent voice from somebody who knows the technology side. Can you come in and give us 15 or 20 minutes?

Jen Ellis: Awesome, Meg, anything you would add to that?

Meg King: Be persistent. Everybody wants to do the right thing. That's staff wise. But I mean there are just so many requests and so sometimes it just takes a little while to get through, but then you really will get to the right person and you will have an impact.

Jen Ellis: Awesome. And Tod, anything you want to add?

Tod Beardsley: I do actually. So like even, you know, I, you know, Meg and Beau are the experts here, you know, and it's great to hear, it's like, oh yeah, just reach out to your member. But like if you're shy and that's fine and you just want to talk to hacker types, like honestly like getting involved in I Am the Cavalry, you know, talking to somebody at Center for Democracy and Technology, for example, has been, has been really great for me. Like I'm interested in you know, election security, not just voting machines but the whole thing. And so I just kind of started talking to the CDT people-

Jen Ellis: You are very shy.

Tod Beardsley: I am terribly shy. But this is what I'm saying, right? Like if you're not, if you're not ready to like hit that main stage, you know, you can get involved in, there are groups out there you know, the CDT and I Am the Calvary are two great ones.

Jen Ellis: Yeah I think that's really great and EFF as well will be able to point you in the direction of people you can speak to who will have ideas. Like nonprofits and think tanks are a good way of getting in and also keeping up on what's happening. So the ACLU, Keep Up Today, New America, the Open Technology Initiative, they keep up-to-date with what's going on too, like check their websites. They'll give you examples of ways of getting involved. And look out for events that are perhaps a little bit more policy-centric in their leanings.

Jen Ellis: Awesome. Well, I'm going to wrap it up there and I'm going to say thank you so much to Beau and Meg, not just for coming on Security Nation, but also for all of your efforts in this area. We really appreciate the work that you're doing to build better collaboration and to actually help advance the right kind of cybersecurity policy. So thank you for that. Thank you as ever to Tod for being the best copilot there is, and thank you to Bri, our producer who puts up with us. And thank you for listening!