Lawfare Daily: Full Stack Policymaking

Published by The Lawfare Institute
Lawfare Senior Editor Eugenia Lostri sat down with Winnona DeSombre Bernsen, nonresident fellow at the Atlantic Council and founder of the hacker conference DistrictCon, and Nina Alli, Executive Director of the Biohacking Village, to talk about their recent report, “It Takes a Village: Spotlighting Practitioner-Driven Cybersecurity Successes and Future Opportunities.” The report collects the insights of seven cybersecurity villages and outlines the value they can bring to security research and how policymakers can benefit from engaging with them.
Transcript
[Intro]
Nina Alli: I walk in
and I have like a dossier of, this is the research I did. Here's, here's fiscal
factors. Here's everything you need to know. And here's the other entities that
maybe you want to have a conversation with because it's not just an FDA
problem. It's ONC, it's ONCD, it's CMS. So we're hurting the system by not
thinking in a full stack.
Eugenia Lostri: It's
the Lawfare Podcast. I'm Eugenia Lostri, Senior Editor at Lawfare
with Winnona DeSombre Bernsen, nonresident fellow at the Atlantic Council and
founder of the hacker conference DistrictCon and Nina Alli, executive director
of the Biohacking Village.
Winnona DeSombre Bernsen:
And ultimately, the villages moving into 501(c)(3)s as full, year-round
organizations is another step in that direction of showing policymakers that
you can bridge this so called hacker-policymaker divide to make more
technically informed decisions.
Eugenia Lostri: Today,
we're talking about the value cybersecurity villages bring to security
research, and how policymakers can benefit by engaging with them.
[Main Podcast]
So Nina, Winnona, you recently authored a paper on cybersecurity
research and workforce development entities that are also known as villages,
and that's what we're going to call them throughout the conversation.
And so I want to start by providing maybe a little bit of
context about these villages. I think if we understand kind of how they came to
be, then we can understand what the role can be and is in the policy ecosystem.
So let's just start with that. Can you start by defining these villages? And
also if you could tell us a little bit about what motivated you to write a
report about them?
Nina Alli: The villages
started at DEF CON and primarily the DEF CON is the largest hacker conference
in the world and the villages are subconferences to DEF CON. They are all, or
most of them are, independently owned and they focus on
singular parts of industry or infrastructure. So aerospace focuses on
helicopters and, and airplanes and things like that. Biohacking village focuses
on biomedical technology, cyber security, patient safety.
So the village has been around for 11 years. I've run it for
10. And about 11 years ago is when the regulations and the laws started
changing and it became a massive influence in healthcare, in medical devices,
in the interoperability. And there was no village, there wasn't a lot of focus
on that.
So a group of people got together, had a lot of conversations,
brought about this village to at least be, be on the edge of what is happening,
what happened, so we could have more conversations to make it better.
Winnona DeSombre Bernsen:
And so, about this time last year, actually, Nina and I had gotten together for
coffee and I told her that we wanted to start one of our own hacking
conferences here in the heart of Washington, D.C. and I asked her how villages
currently get involved in the policymaking processes. And villages like
Biohacking, Aerospace, are largely 501(c)(3) organizations, so they're nonprofits,
they're focusing primarily on making things safer, and so naturally they would
be more engaged in the policymaking process, or so I thought.
But ultimately, after our discussion, we realized that there
were a couple of things that would prevent villages from entering the room to
showcase their voice, which is largely that of technical practitioners who are
not involved in more vendor-related type activities. Or manufacturing the
devices or the airplanes themselves.
The first was that ultimately, not very many policy makers, at
least back in the day, came to DEF CON or other large conferences. You still
have that like anti-hacker stigma.
And then the second is that when policy makers go to these
conferences, they're engaging with villages at some of the busiest times of
their years. And so there's a mismatch in when they're actually engaging. And
so when we have this discussion, I went, oh, interesting. I wonder if some of
the other villages feel that way too. And this spun up this whole process of us
gathering these opinions from seven different villages and writing this report.
Eugenia Lostri: So
let me just ask you two questions. We know now one, can you be more specific
about who is a part of the villages, who is the, we are focused on making
things safer? And what does that look like? What does making things safer entail
from the village's perspective?
Winnona DeSombre Bernsen:
I mean, I'm, I feel like that's a Nina question better than it is me. At least
from an external counterpart, I would say that villages are comprised largely
with individuals who want to, A, build community in their particular security
space.
There's two primary goals of a village across a lot of these
organizations. The first is capacity building, and working with vendors and
manufacturers of these products, be it cars, medical devices, you know, even
power plant, power plants, energy grids, voting machines and making those
safer. It's kind of like an advocacy role.
But the second part of it is training and workforce capacity. Many
of these organizations provide training and workshops. I want to give Nina an
opportunity to talk about the amazing stuff she does at, at Biohacking Village.
To do that she works with plenty of medical device manufacturers to bring in
some of these devices so that way they could get hacked at these conferences.
Nina Alli: So US2R we,
as the village leadership or the people that are coming, we are all security
practitioners, or most of us at least in the leadership positions are security
practitioners, industry partners, we're hackers, we're, we're the users of
these particular industries. That's why we're there trying to push the
envelope. And we push the envelope. It's a lot of we're on the cusp of that what
happened technology and what's emerging technology.
And going back to something that Winnona said before, where
it's people are coming to us at the busiest time of the year. There's a lot of
policy people that come to us during DEF CON, and it is during the busiest time.
So they get the vantage point of seeing the chaos without too much interaction
of conversation, because they'll usually stay in one place, you know, take a
gander, look around, have very brief conversations, and then they have to move
on.
Because there's, I think it's 36 different villages at DEF CON,
for instance, so there's a lot of movement that has to happen over either the
day that they're there, or the two days that they're there, and it's constant
conversations. So, when it's, are we, how are we involved in policy, or how are
we not involved in policy?
You've got about five minutes to make a, a mental impact on, on
the people that are walking through. And you have to be so to the point, blunt
and say, here's, here's everything that's happening and what are we working on?
And here are the medical device manufacturers, here's the medical devices, and
this is how many vulnerabilities are found. And they're like, great. And then
they have to move on.
Eugenia Lostri:
That's a lot of pressure on a, on an elevator pitch.
Nina Alli: Yes.
Right. So you've got about three seconds to, to mentally gird your loins. And
then have the conversation, right? You have to steel yourself for this too.
Eugenia Lostri: So I,
I want to dig into that a little bit, Nina. You mentioned before that the
villages grow from the conferences like DEF CON, but they're now kind of
independent, right? So what does that evolution look like and how do they go
from being sub conferences to becoming, you know, NGOs, independent, they are
their own thing. You know, what is the relationship still between DEF CON and the
villages?
Nina Alli: So I think
there's a growth mindset where there's a group of people that are suddenly
like, but this is not being focused on at DEF CON, RSA, or just generically as
a village. So, they gather their friends, they get the EIN number, the not for
profit status, and then they become a conference. We are related to DEF CON, we
are not part of DEF CON.
It's not a DEF CON village, it's a village at DEF CON. So the
nomenclature part is the I think that's the confusing part for everybody
because of how we function. Because we're so integrated and it's been such an
integration over the last 25ish years, just maintaining that we are our own
stronghold from an intellectual standpoint.
Eugenia Lostri: Yeah,
but it also sounds important to point that that makes it a year round thing,
right?
Nina Alli: Yes
Eugenia Lostri: You're not just active during DEF CON,
which is your busiest time, but people could actually reach you when, when
you're not there.
Nina Alli: Right
Winnona DeSombre Bernsen:
I also think that goes to the parallel trend in this industry of people still
retaining this, like, hacker identity.
Like, you go to DEF CON, you go to Code Blue, you go to all of
these local BSides, which are notoriously known as hacker meetups. It's where
people who identify as this word, hacker, which means, like, a lot of different
things. I know that there are cyber criminals who you would call hackers, but
there's also white hats or red teamers or blue teamers who participate in this
profession legally who identify with that term as well.
And there are plenty of people who would call themselves
hackers, but as a job, they're security researchers. It's this identity versus
profession distinction where the villages, as they are creating their own 501(c)(3)s,
they're professionalizing. They're effectively saying, we can't do this once a
year. We actually have to be doing this all year round.
Eugenia Lostri: Yeah.
Thank you. Thank you for setting that up perfectly because that was exactly my
next question, Winnona. Because that's something that I find honestly
fascinating and it's the relationship between particularly government and the
hackers and then that transition to security researchers.
So when you say that the villages show the
professionalization of the industry. What does that mean? What does that
entail?
Winnona DeSombre Bernsen:
I mean, when you think about the word hacker, there's a lot of counterculture
angst that is, is around that term. Ultimately that word actually predates the
concept of a cybercriminal. It was, you know, in the 1950s where students at
MIT were trying to get more computer time on these like huge, massive machines
that had to get like rented time leases type of situations.
And so the, the ethos of hacking in the United States is all
about this intellectual curiosity. How do I make something do something that
it's not necessarily meant to do? There's that glee that comes with that. And
nowadays, you can call that red teaming. You can call that pen testing.
You can call that any number of things that is sanctioned, as
in permitted, by the U.S. government, by governments everywhere. And you have,
you know, billions of dollars of industry popping up to be able to, to
professionalize cyber security in that way, that, that inherent act of breaking
into something in an authorized way.
And so there's this inherent tension between we used to be a
very counterculture, and I think in some case, the hacker community is still
quite counterculture in its own way. There's an element that had, you know, cybercriminals
could be called hackers as well and so there's an inherent tension in the name
of the word and the associations that follow.
But ultimately, you see at least villages are an example of
where white hat hacking started out in that counterculture type environment and
has professionalized while taking with them that same identity.
Eugenia Lostri: Nina,
anything that you want to add to that?
Nina Alli: I'm
professionally known for countering people, so, so, I don't necessarily agree
with, I love you, that is my proviso to the next part.
I don't necessarily agree with the white hat part, because-
Winnona DeSombre Bernsen: Fair.
Nina Alli: professionally, I'm a senior strategist,
cybersecurity engineer. That's what I do at work. When I have conversations
about biohacking village, I am a biomedical engineer and hacker. That's what I
do. And when I am building, breaking, and programming into things, I don't
necessarily throw down that, like, I'm a white hat hacker because-
Winnona DeSombre Bernsen: White hat is also so overused
as a term.
Nina Alli: Right. Yeah. And I think you have to know all
sides of hacking to be really good at what you do. So when I throw down, I say
I'm a gray hat because to counter who I don't want in the system, I have to
know what they're doing. And I have to know what the good people are doing to
make sure that this is secured appropriately. So that is my loving counter to
you.
Winnona DeSombre Bernsen:
Hey, this is why Nina and I make great coauthors. I, I love this back and
forth. We have it all the time.
Eugenia Lostri: This is what you need. Yeah.
Nina Alli: I think
that's why the villages work the way that they do as well, because we all go
against each other. I have relationships with a lot of the villages and I'm
like, why would you do that?
Let me tell you why healthcare is very much involved in your
village and why we need to be working better together because I think that's
another problem with policy. There's so many silos and everybody is doing a
very distinct thing for their industry because that is best practice. Amazing.
Great.
However, there's, everything is, is tied together. So if one
industry can help the other one with whatever best practices and laws,
regulations, whatever, that's what we as the villages are starting to promote
more, I think, in the last three years, at least since COVID more so.
We've started doing more preemptive preparedness of this
happened, let me tell you why. We should work better together. So we've got
integrations, that's how village of villages started getting more traction.
Those are communities, those are villages that Biohacking Village started
working more with of every patient is a voter. So now we're working with Voting
Village, et cetera.
Eugenia Lostri: So
Nina, I'm actually going to ask you to expand a little bit on this because you
are the executive director of the Biohacking Village. So I'm interested in
hearing a little bit about how this history, this evolution that we've been
talking about actually reflects in your experience running the village and what
do you see as the path forward?
Nina Alli: The Biohacking
Village started more as a DIY bio where you know, everybody is putting the, the
implants in their hands and looking to do more of their own DNA functionality
or change it and see how that goes. And we still do some of that. There's some
DIY farm stuff, but we've expanded. So DIY bio, the manufacturing side, medical
devices, application products.
We are trying to do more training because a lot of the U.S.
government, at least in Europe, are also like, we need to start training more
people. There's a huge deficit. So here we are trying to get people more
engaged with what we do and how ICS is integrated into that and how this would
work with a helicopter because it's a medical helicopter, helovac, ambulances
from car hacking, things like that.
Winnona DeSombre Bernsen: What trainings are you
providing to governments, Nina?
Nina Alli: My statement for this is always you can't
change workflows that you don't understand. And I think when we looked at how
many doctors were in Congress, so Senate and the House, I think it was nine. So
nine out of 545 people have actually worked in a hospital or done clinical
practice or whatever.
And yet there's all these other people that are very invested
in, in how the acts should go and what they should say and, and how patient
safety should look. So, when we go and try to have conversations with them,
it's, let's talk about my background. I've worked in the hospital for 20 years.
I've, I've done all of these things.
The impact of this act adds 5 minutes, 3 minutes, 2 minutes, 55
seconds to a doctor's appointment. Because there's added technology that either
they're not trained on, it's not done well. There's an interoperability that,
that we didn't see, that we have to implement. And all these other factors.
So explaining to them the tiers of how a patient's workflow
goes, as opposed to what their normal patient workflow is, because it's a very
different dynamic, right? Those are two very different paradigms of somebody
that's in Congress that gets immediate care, and somebody that's out in the
civil society that's like, I had to wait three weeks to get an appointment, and
I was already not sick by then, or whatever happened.
So when we do the trainings with them, it's tell me what you
see. Before I even talk to you, give me an explanation of why this is best
practice that you engaged with. Amazing. Great. Love your observations. Now, in
practice, this is what it looks like. These are the complexities, and these are
the things you have to add. Because along with the acts and everything else
that they're doing, there's, there's fiscal responsibility that has to come
either from the government, or from the entity to implement those things.
There's trainings. There's more people. There's different kinds
of resources. So I walk in and I have like a dossier of this is the research I
did. Here's, here's fiscal factors. Here's everything you need to know. And
here's the other entities that maybe you want to have a conversation with,
because it's not an FDA problem. It's ONC, it's ONCD, it's CMS, and it's
whatever other part of HHS. And then the rest of national security issues that
go along with it. So we're hurting the system by not thinking in a full stack.
Winnona DeSombre Bernsen:
I also love how Nina's saying full stack because that's an engineering term
that she's applying to all of the different systems of government, right?
Eugenia Lostri: I was
just thinking the same thing. Love it. I think we should incorporate it. I
mean, what's one more buzzword?
Winnona DeSombre Bernsen:
Full stack policymaking? Oh my gosh.
Eugenia Lostri: I
think there's a paper there.
Winnona DeSombre Bernsen:
Oh no.
Eugenia Lostri: So, I
think that's a really great overview of the way that you engage with, with the
policy ecosystem. Is that approach similar across the villages, would you say? And
if you had to describe it, maybe in more general terms, what is the value out
of the of the villages here? How are they participating? How are they driving
change?
Winnona DeSombre Bernsen:
After talking with the seven villages that participate in this study, obviously
that is not every village, but it is some of the larger 501(c)(3)s that call
themselves villages.
Ultimately, we found a couple of different ways that they
largely engage in the policymaking process. Some are kind of like think tanks.
They'll create dialogues, they'll have talks, they'll go to these conferences,
have their own speaking stage and engage in emerging trend dialogues.
So I think one of my favorite examples is that Crypto and
Privacy Village, which is one of the very first villages that happened at DEF
CON. I think they were hosting talks on post-quantum cryptography a full year
before NIST even started doing research on it. Really, you're seeing these
practitioners go in, pull out all of the threads of what they're seeing as
practitioners who will see these emerging trends first and showing it to the
rest of the world.
You'll also see that villages will partner with government,
private sector and academia. So at some of these events you saw, I think in the
last year, the big one was the AI generative red team that happened a couple of
years back and I think happened again this past year at DEF CON where they're, going
through and, and partnering with all of these AI organizations, companies, and,
and parts of the U.S. government to really figure out, you know, what are the
risks to artificial intelligence and, and these large language models.
There's also, I think my favorite that people don't know as
much about is Aerospace Village's Hack-A-Sat, which was a capture the flag
hacking competition which was hosted on a satellite orbiting in space. And so
these contestants were hacking into the satellite while they were on the ground
and, and the satellite was up in the air.
Of course, I think the most important thing though, is that
villages will interact not just with governments, not just with other hackers,
but also with the manufacturers themselves. So they, they get this 360 degree
view of everything that's going on.
ICS has focused on engaging with energy companies and
biohacking. I want to hear Nina talk more about this so I won't speak for her,
but working with some of these medical device manufacturers to make their
devices more secure, to engage with them as a bridge between the security
professionals who might not ever get to see a pacemaker and the pacemaker
manufacturers themselves.
Nina Alli: So,
there's a couple of things. There's an event called Hackers on the Hill that a
lot of the DEF CON village folks and just hackers in general go to the Hill,
have conversations with congressional staff, and talk about what they're
working, what the congressional staff is working on, and how we can help mold
that a little better and give them advice on whatever that could look like.
There's also a lot of fellowships. I was a presidential
innovation fellow at BARDA DRIVe. And they were, there was a lot of questions
about what does security look like? And at that time, they weren't even
considering cybersecurity in the devices. They were just like, the devices are
great. Let's just put them out into the world. And I was like, no, that's not
how we, that's not how FDA functions.
And then from a Biohacking Village point of view, we have
partnerships with some of the administrative agencies. So we have a partnership
with the FDA because the medical device manufacturers are coming in. And if
they come in and they get hacked for the time period of DEF CON, they can write
that on their submission form of this device was taken to the Biohacking Village
at DEF CON and here's some of the results.
And then if there are vulnerabilities that are found that
either they don't have the vulnerability disclosure program for, or there's
just too much, they don't want to be a middleman between the hacker and
themselves, the Biohacking Village is a CVE CNA, a Coordinated Numbering
Authority. In case they find a vulnerability, where we can walk them through
the whole thing and have the conversations between them.
Because the life goal with the device lab at Biohacking Village
is that the manufacturers understand that there are vulnerabilities, there are
findings. And they can make them, they can improve them in the software so that
when they go out to sell things, there's patient safety, national security,
cyber security, things already implemented into it. So we're trying to help
them make this better.
Eugenia Lostri: So do
the villages work mainly with the U.S. government, U.S. agencies? Are they
primarily focused on what's happening in the U.S. in terms of regulation? Or do
you have participants that are maybe located in other countries? Do you engage
with other governments that might also be thinking about their own approach to cybersecurity?
Nina Alli: The answer
is yes. The villages have people that live in different areas of the world, so
they have those focuses in those areas. For Biohacking Village, we have, we do
international conferences. Our last one was last month in Japan. And we had the
conversations with their police department and their legislative bodies and
their legal teams of what is happening, what isn't happening, how are their
devices matching up to other international standards.
So we do have those conversations, we do have the conferences.
At least for Biohacking Village, we're very embedded in the international
device regulatory bodies because when it comes to, specifically anyway, for
medical devices people don't make a device specifically for Argentina, or they
don't make a specific device for Germany, right? So, they just make a device.
So when we talk about policies, you have a very distinctive
wording over here that maybe not everybody else is considering. How are we
going to harmonize those? Because there's a huge push, generically in all
regulations, to do more harmonization, so that we can all be together on this
endeavor to better safety in the cyber way.
Winnona DeSombre Bernsen:
I'll also say that that matches up pretty well with the international hacking
community, right? Like, if Apple or Microsoft has a bug bounty, the likelihood
that you're only going to get U.S. participants in that bug bounty when
something is vulnerable is quite low. The community, at least the hacker
community, as we're talking about security professionals, and then also that
identity distinction of what is a hacker, is international.
There are people who want to participate into making devices
more secure worldwide, and that's quite a stark difference if you're thinking
about how the United States is approaching some parts of its industrial policy
as well.
Eugenia Lostri: So
you've described all of these great ways in which the villages are engaging and
providing value, right? What do you see as the maybe untapped potential in that
relationship? Is there something that the other stakeholders could be doing
that would, you know, increase the value add? Is there something that you're
like, I wish people were doing this and they were talking to us about X, Y, or
Z?
Winnona DeSombre Bernsen:
I think one of the big things is going back to that 360 degree view. Ultimately,
when a policymaker puts out an ANPRM or, you know, you go through the notice
and comment process for regulation-
Eugenia Lostri: Can you say what the acronym is?
Winnona DeSombre Bernsen: Oh, a notice of proposed
rulemaking. And if you're going through and soliciting comments in your, your
notice and comment rulemaking process, a lot of the individuals that are going
to be putting forward their views in the matter are going to be highly polished
organizations.
You're looking at the large manufacturers. You're looking at
people with large economic interests in the matter. You're looking at
potentially some nonprofits, but ultimately you're not necessarily going to get
the views of the security practitioners who are trying to make this device or
this particular sector more secure, or think about data regulation or data
security on a day in day out basis.
There's that element where there's some aspect of
professionalization and moving forward and, and trying to encourage these
organizations that are comprised of technical individuals into that process.
The other element of it is that as nonprofits who don't
necessarily have a primarily economic stake at hand. Most of these people are
volunteers, biohacking. Nina, this is not your day job. She's the executive
director as a full-time job, which she does out of the love of the game. There
are plenty of other people who are leads of villages who are exactly the same
way.
And I feel like policy makers don't think about the fact that
these are very passionate advocates, who might have an untarnished view of the
security situation that could be starkly different from that of a vendor. Whereby
vendors, Nina mentioned the, the medical device manufacturers that are willing
to come to DEF CON and other conferences and open up their security open up
their medical devices to a hacker. Not all of the medical devices, especially
not all the manufacturers are willing to do that yet, let alone some other
vendors who aren't in the medical community.
So thinking critical infrastructure sectors, thinking about
other voting machines, for example that aren't necessarily coming to the table.
And if we are trying to create a more secure ecosystem domestically, being able
to talk to individuals who are willing to give an unvarnished opinion is a
pretty valuable asset.
Nina Alli: I love
your, your untarnished moment because my first thought of this whole situation
is, this takes so much conditioning, right, from a mental standpoint and from a
practitioner's standpoint. So when we go into the policy folks, the example I
keep coming up with is, they were, I think it was the House, the House was
trying to come up with this policy and they were like, this other association
said that it's, they, they wouldn't back it.
And I was like, but they don't need to. There's another
organization that actually has more weight. There's a certification that comes
with this organization. So why wouldn't you just reach out to them? This other
administrative agency has already backed them. So if we come in and that's part
of the power play, you can get this done because it was for a cybersecurity
certification for hospitals. And it was something that the person hadn't even
conceptually thought about.
So now they're being brought in. So approximately a year later,
this agency and organization are starting to work together. But it's still, mentally,
the people that are in the villages, or help with the villages, or do anything
with the villages, we are real life practitioners, as well as the hackers
behind everything else.
So when, again, going back to that full stack engineering, full
stack thought process, we go through every possibility of how this is going to
go absolutely wrong, so we can start mitigating the factors. Which, from a
policy standpoint, I understand that it's supposed to be broad, I understand
that it's, you know, it's the, it's the act or directive, whatever.
And then the administrative agency starts diving in and putting
in more details and then it goes out to whoever is supposed to be doing it. But
if we gave more structure to people and very distinctly said, this is what we
are looking for. This is what we need. This is what we want. And this is why we
want it.
I have another issue that I've brought up to congressional
people before. I talk about my mistakes all the time. I need to know how you
thought this problem through. I need to see your scratch pad. Because when I
program, I still comment stuff out. Because what doesn't work today, if they
update something, may work in two years, and I already got it done.
So, I want more understanding of why the thing was brought up,
how it was brought up, what else did you try? Fiscal analysis, I don't want it
to necessarily be that OMB or that comes up and like two years later says, this
really isn't working because it's not fiscally responsible or just nobody cares
about it. I want it done because if I have to write a report like that for
industry, why can't the government provide that for me as well?
Winnona DeSombre Bernsen:
That actually brings up a really good follow-on, which is that individuals like
Nina, like other village leads, are wealths of institutional knowledge. And so
they might know something that an administrative agency has tried five years
ago that didn't get off the ground that might have the political willpower now
to be able to accomplish.
Eugenia Lostri: So
would you say that this untapped potential in a way comes from, maybe not all
the actors are aware of the villages and the work that they do? Or is it
because there's still some sort of stigma regarding the hacking community?
Nina Alli: I think
it's both. I think there's so much of them either not wanting to come to DEF
CON because of the reputation that it has.
And realistically, I am very aware that Biohacking Village has
hacking in it. So it's automatically people are mentally checked out because
we're evil and all these other things. But then they come in and they, we have
the normalized conversation of this is my background. I do this because
patients and hospitals and whatever.
And we're humanizing the level of work that we're doing. We
are, we are tarnished from the war of the cyber security wars. We're constantly
doing a recon. Like how do we help you help us is essentially all we're looking
for.
One more thing, communication is always how every relationship
breaks down, right? It's the first thing to go and the last thing to be talked
about. So if we can embed that more, I'm not looking for a seat in the House or
Senate or Congress or anything like that. If it's situationally, if we can be
an advisor where we just get 30 minutes of, let me give you as much as I can,
and they can take that into consideration, that would be amazing.
Winnona DeSombre Bernsen:
I'll say, as someone who is currently creating a conference with Nina, with
other people who are involved in the villages, and I tell individuals and
policymakers, even someone who has a decent amount of policy chops, I'm in law
school, I'm a fellow at a think tank, I've worked doing policy related work. They'll
still come to me and go, oh, you're planning a hacker conference?
And there's some stigma still, despite there being so many
leaps and bounds. Like there's not an automatic association with all hackers
being criminals or anything like that. And there's a lot of great work that the
villages have done pushing forward this advocacy to make devices more secure,
to make our ecosystem more secure.
And ultimately, the villages moving into 501(c)(3)s as full year-round
organizations is another step in that direction of showing policymakers that
you can bridge this so-called hacker-policymaker divide to make more
technically informed cybersecurity policy.
Eugenia Lostri: And Winnona,
tell us a little bit about this conference that you're participating in.
Winnona DeSombre Bernsen:
Oh my gosh, I'd be happy to.
Eugenia Lostri: If it's
not a hacker conference, what is it?
Winnona DeSombre Bernsen:
Well, I would actually say it is a hacker conference. It's a D.C. hacker
conference. The paper is one part of it. Again, we're trying to, as our own
burgeoning nonprofit, push other security policy 501(c)(3)s, like the
villages, more to the forefront of policymaking.
Similarly, as a D.C. hacker con, we are going to have some
policy elements, but we're ultimately going to bring this community of hackers
together in that counterculture way and showcase that you can live in that
duality. You could be someone who wants to contribute to security and security
research, but you can also be a little bit countercultural and like edgy about
it, I suppose.
Eugenia Lostri: That's,
that's great. Thank you. I do want to talk a little bit about a part of your
report where, you know, as you've mentioned a couple of times, you brought
members of several villages to discuss what are issues of growing importance
that the next administration should be paying attention to. What were, you
know, the biggest findings out of that?
Winnona DeSombre Bernsen:
Sure. When we engaged the seven villages and we had a roundtable discussion at
the Atlantic Council Cyber Statecraft Initiative, it was a long series of
discussions that touched upon some of the trends that we've already talked
about. But when we're thinking about challenges, especially going into the next
administration and beyond, there were three primary ones.
And I don't think this is anything that will surprise a regular
listener here on Lawfare, but there's some added elements to it that
bring forward that village perspective. So the three were supply chain
security, regulatory harmonization, and workforce development. But there's, there
are a lot of things within those large three buckets that aren't necessarily
talked about.
So, for example, when we say supply chain security, people
might think about chips. People might think about the whole set of Chinese
owned cranes and port security. Yes, those were some of the issues that were
surfaced at this roundtable. But ultimately automotive and battery supply chain
security as well was something that we had touched upon, whereby a decent
number of battery manufacturers are now also within the PRC, are more in that
international supply chain.
And if we're thinking about the COVID pandemic and the lack of
batteries that were able to power any sort of electric vehicle alongside the,
the shortage of particularly automotive type chips, it's surprising how short
term some of the, the memory is when we're thinking about supply chain
security, at least in the automotive sector.
On the regulatory harmonization front, Nina's touched a little
bit about this already, but thinking about not only are we wanting to have some
sort of, I guess I'll start using full stack policymaking, whereby certain parts
of the executive branch are trying to all get in on AI security, healthcare
security, biomedical security, and are not working, at least according to
people on the outside, working in a way that makes sure that everything is
harmonized, where individuals who have to go and corporations have to have to
go and implement those policies don't get overly confused about you know am I
adequately complying with everything?
This is doubly concerning if you're a small security vendor
thinking about our red teaming village, one of the villages who came to the
roundtable. They're a bunch of security practitioners who specifically focus on
breaking into systems for a living. That can comprise of companies that are,
you know, 500 people, but it could also comprise of companies that are 10.
And so thinking about how smaller businesses can comply with
these regulations and cybersecurity is incredibly important, especially when
you also have these huge behemoth tech firms that are doing a lot of the notice
and comment process when providing feedback to regulation.
And so the third, workforce development. I mean, I think you
guys have had ONCD members on this podcast before. I won't go too far into the
workforce strategy. The thing that many of the villages thought was missing was
the understanding of how cyber security workforce is trained up, particularly
when it comes to sector specific industries.
So you see Biohacking and Aerospace and ICS Village in
particular, all of these subsets of the cybersecurity industry rely on access
to specialized equipment. You can't hack a biomedical device without the
biomedical device. You cannot train yourself up on all of the different aspects
of IT and OT if you've never been able to access an OT device.
You'll never be able to train yourself up in aerospace or
satellite security if you've never touched a satellite before. And so there are
plenty of organizations that want to try and train these people up in these
very highly specialized fields, but simply don't have the vendor relationships
or don't have access to these specialized equipment to do so.
And so these, you know, nuanced different lenses of takes
alongside the overarching topics were, were some of the things that we talked
about that could be focuses of the next administration and moving forward.
Eugenia Lostri: Nina,
let me, let me turn to you. And again, as the person running the Biohacking Village,
what are some of the issues that are keeping you awake at night? Specifically
when it comes to healthcare security, if you could recommend anything to the
next administration to focus on, what would it be?
Nina Alli: I'm going
to side with you on this one. The harmonization is so important because as a
regulatory person at my job, I read like a million pages a week. That is, I
feel like that's not an over exaggeration, right? And you have to find the
sameness in what they're saying. And then the differentiations, and then
there's a compliance factor. So how are we complying?
So I was a PIF, I was a presidential innovation fellow when
Trump was leaving and when Biden was coming in. So I have some experience in
here. I am very afraid of the tariffs because I think about the, the money
that's going to have to be expended on the medical devices, right? A lot of
them are, the brain thoughts are happening here to make them, but they're,
they're manufactured overseas, which means they have to either be brought over
by plane or by ship. And then there's the cargo fees.
And let's layer on, associated, but not really, to the Science
and Chips Act that, the United States didn't want to give chips to China, but
China has the elements that America needs to make the chips. So now we're in a
kerfuffle about, do we do we do this? Do we give them chips while we get the
things? Or is there, what's the, what's the agreement going to be? So that
creates the other problem because so much of the device, so many of the devices
run on these chips, right?
Let's keep going on chips though. We need AI remediation
because we're still in the midst of the UHS, the United Healthcare Insurance
moment where they were like, yeah, we know that healthcare is really messed up.
Because a lot of statistics are also coming out now that they had an AI program
that was declining or denying 90 percent of claims for people that required surgery,
required a procedure, required something.
So when, when I look at this, I see there's, there's such an
immediate decline in healthcare and how we manage it from a patient perspective
and the physician side and the manufacturer side.
So if we were going to do more, I think there's an endorsement
that needs to be done with, we trust the healthcare practitioners. Right?
Because we need more doctors to say this is going to help us or this won't help
us. When I was implementing EMRs and all the medical devices along with it, I
got a lot of feedback.
And that feedback was very heavy most of the time because they
were like, I am not a technologist. I don't know how to type. I do not care.
This isn't my best life. And initially it was a lot of unstructured data. So
eventually we had to move away from the unstructured data to structured data
with click down boxes. And we added time to their appointments, which they were
not prepared for, and neither were the insurance agencies.
So we are not, again, we're still not having that
communication. So for, for this next administration, if we are going to do
anything better, maybe it is that we focus on healthcare as a first point.
Because if we do not have healthy people to help the economy that we are trying
to thrust forward, what are we doing? Why are we still in the same position
that we were decades ago?
Eugenia Lostri: If
there's anything else you'd like to add, anything that we didn't get to cover
today, but you think it would be important for our listeners.
Winnona DeSombre Bernsen:
Nina and I have had plenty of conversations about Chevron, and I think
there have been a couple of, of great Lawfare episodes on Chevron's
impact on, on cybersecurity as well.
I think on our end, the report that we've put out has all of
the contact information for every village by sector. So you have aerospace, car
hacking, biohacking, voting, maritime hacking, speaking of ports and ships, red
team, blue team. And so I just want to stress that villages aren't just events
that show up or exhibitions that show up at large security conferences.
They're year round organizations. They want to advocate for
better security. And they have this 360 degree view as to what's going on with
a practitioner's eye. They're going to be very blunt about the security
situation on the ground, but I think that that's kind of what our security
ecosystem and our cyber policymaking needs at the moment.
Nina Alli: I think a
lot of the villages lead conversations with facts. We are motivated, we are
motivated by facts. We are motivated by the integrity that which we come into
these fields with. When I think about all of this, I love data. I love how the
points start connecting, or in statistics, there's a, when you look at a bell
curve, there's a missingness, right?
So everybody is here in the center, but then there's just the
little ends, or the missingness. And I think we don't look so intimately at
those small pieces to say, if we change something, what can get everybody in
this center area?
So if we have the, the broader conversations with policymakers,
with legislation, with whoever is, is creating a new act or piece of
legislation, I think giving them more perspective would give them more insight,
would make the, the piece of legislation more robust. We would have an impetus
to be better.
Eugenia Lostri: Nina,
Winnona, thank you so much for joining me. This was great.
Nina Alli: Thank you.
Winnona DeSombre Bernsen: Thank you for having us.
Eugenia Lostri: The Lawfare Podcast is produced
in cooperation with the Brookings Institution. You can get ad-free versions of
this and other Lawfare podcasts by becoming a Lawfare material
supporter through our website, lawfaremedia.org/support. You'll also get access
to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts including Rational Security, Chatter, Allies, and
the Aftermath, our latest Lawfare Presents podcast series on the
government's response to January 6th. Check out our written work at
lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer
this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi
Music. As always, thank you for listening.