30 December 2023

Meet Joe Biden’s Favorite Hacker

Eric Geller

When Jeff Moss got a phone call from the White House in the early months of Barack Obama’s presidency, he thought the new administration was trying to get one of its officials on the speaker lineup for the world-famous Black Hat security conference that he had created and still helped run.

Instead, the staffer on the other end of the line asked Moss, one of the country’s most respected hackers, if he would be interested in occasionally reviewing and commenting on government reports in his area of expertise.

Moss agreed, figuring it wouldn’t take too much of his time. Two months later, when he started receiving paperwork to apply for a security clearance, he learned what he’d actually signed up for: a spot on the Department of Homeland Security’s Homeland Security Advisory Council, a role usually given to big-name corporate executives, who covet the position as a sign of credibility and prestige. The group of outside experts help steer the department’s work on everything from immigration to aviation security to Moss’s domain of cybersecurity.

“That was my big introduction into the big tent, into the government space,” Moss said in a recent interview.

Fourteen years later, Moss — who still helps organize the corporate-owned Black Hat conference and also runs its more freewheeling sister event, DEF CON — has become one of the government’s most trusted advisers on cybersecurity issues. With the ear of President Joe Biden’s top cyber aides, Moss tries to help the feds harness the energy and talents of independent security experts to better defend the U.S. from digital attacks — and, in the process, overcome decades of mutual suspicion and hostility between Washington’s stodgy bureaucrats and the country’s nonconformist techies.

Moss no longer serves on the Homeland Security Advisory Council after failing “the political vetting that the Trump administration introduced,” he said, but two years ago, he joined the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Advisory Committee, where he leads a group that delivers policy advice from independent researchers, cyber threat analysts and security professionals.

“Jeff Moss is a legend in the security field, and one of the most respected voices in the community of hackers, researchers, and cyber defenders,” CISA Director Jen Easterly said in a statement.

With artificial intelligence and other emerging technology issues challenging governments in new ways — reminiscent of an earlier era when computers and their security risks first appeared on politicians’ radars — Moss said it’s more important than ever for the cyber community to get involved in policy debates.

“As time goes by, the consequences of security research and hacking [have] more policy implications,” Moss said. “It’s just ballooning.”

MOSS’S ROLE as a liaison between the government and the security community has expanded over the past few years as policymakers have increasingly come to rely on independent experts to find and report security issues.

Public-spirited hackers pride themselves on warning about vulnerabilities that no one else will discuss — not the foreign governments and cyber criminals exploiting them, not the U.S. spy agencies monitoring those attacks and not the manufacturers whose focus on speed and profits led to the flaws.

The U.S. government has sought to capitalize on hackers’ eagerness to raise the alarm. All agencies are required to maintain portals where anyone can report flaws they discover on public-facing government websites, and several agencies have offered monetary rewards for such reports.

With a culture that celebrates radical transparency, the security community revels in “speaking truth to power,” Moss said, offering “a sanity check” by holding manufacturers accountable: “‘Hey, how come you’re manufacturing these locks and claiming these locks have [perfect] security when I can open them with a ballpoint pen?’”

These techies’ tinkering obsessions have made them vital resources for policymakers seeking unbiased security advice, Moss said. “If you actually want to find out what the best lock is, you have to go to … people who like taking apart locks.”

Easterly said Moss was one of the first people she consulted with when she became the director of CISA. “He provided me an invaluable perspective on how CISA could build trust with this important community—through outreach, transparency, accessibility, and humility.”

AS CYBER THREATS have grown more common and dangerous, both hackers and policymakers have realized that they should be talking to each other more.

For hackers, this realization emerged as their activities drew more of a spotlight. In the early days of hacking, Moss said, there was nothing to break or steal, and curious tinkerers played around without much concern. But as the internet enveloped more of daily life, the financial and safety risks of computer disruptions increased, and new laws began to restrict unauthorized activity.

Moss recalled an incident in which a subway fare-card manufacturer sued a group of Massachusetts Institute of Technology students who had spoken at Moss’ Black Hat conference about how they’d hacked the cards. “They weren't using it to … commit fraud,” Moss said, “but just the fact that they had done it was scary enough to the manufacturer that they sued them.”


The Messenger; Moss: Dark Tangent; Code: Andriy Onufriyenko

Hacking is no longer “a pure tech experience,” Moss said. “It’s all political now, because it's all related to power or money.”

Over the past 30 years, as more critical infrastructure has begun relying on computers, hackers have seen their work hunting for and exposing digital vulnerabilities become much more important to national security, even as it has also attracted more legal repercussions from negligent corporations hoping to cover up their mistakes. During the same period, the security community has repeatedly gone to war with the U.S. government over policies that experts see as dangerously misguided, such as subverting the encryption used in communications devices like smartphones. With their skills both in demand and under attack, hackers slowly began to assert themselves more in Washington.

At around the same time, some government officials began to realize that they needed to understand technology better before they could successfully contain its risks.

In 2016, Moss started seeing congressional aides and even a few lawmakers attend his DEF CON conference in Las Vegas. But those early interactions between cautious suited staffers and security geeks sporting T-shirts with defiant libertarian slogans were largely superficial. The bureaucrats wanted to “come see the hackers with green hair and then go back to D.C. and tell their friends that they saw the crazy thing in the desert,” Moss said, while the hackers just “wanted to say that they got to talk to a congressional staffer.”

Over time, though, the conversations became more serious, and politicians grew more eager to tap the talent on display at DEF CON, where boisterous conference rooms showcase subcultures devoted to hacking cars, medical devices, voting machines, satellites and, most recently, artificial intelligence. Moss and others started building the infrastructure for more formal engagement with Washington, eventually resulting in the creation of a DEF CON policy track. “That part of the community of DEF CON is really growing,” Moss said. “All of a sudden, their expertise is relevant.”

DEF CON improved the state of medical device security by bringing insulin-pump makers together with biohacking enthusiasts, and it has done the same for many other industries. Now Moss hopes the new policy track can solve the challenge of connecting politicians who need expert advice with techies who want to help but don’t know how to navigate Washington.

The latest sign that this partnership is bearing fruit: In August, the Biden administration co-sponsored an AI hacking event at DEF CON and announced that next year’s conference will host a prize competition to develop AI systems that can automatically identify software bugs.

“If you told me 10 years ago the White House would be announcing a contest happening at DEF CON,” Moss said, “that wouldn't make sense to me.”

Moss’s credibility as one of the government’s favorite hacker whisperers made him an obvious choice to lead the CISA advisory board’s Technical Advisory Council, one of the few formal channels dedicated to bringing the security community’s perspective into policy conversations.

When recruiting members for the council, Moss said, he sought to represent both diverse opinions and diverse skills. He looked for people with no previous government experience, as well as experts in disciplines that might seem unrelated to cybersecurity but actually have a lot to do with it — like cognitive psychology, which can help explain why people fall for email scams.

After CISA assigns the group a topic to study, Moss’s team meets virtually every week or so, receiving briefings from experts and developing lists of findings and recommendations. The team consults with CISA about how the government has addressed the topic in the past and what previous approaches haven’t panned out. After the group submits its report, CISA reviews the recommendations and tells the team which ones it’s accepting, rejecting or modifying. Moss appreciates that CISA officials explain their decisions — sometimes the result of legal or bureaucratic restrictions — because it gives his team a better sense of how the government works: “They feel like they’re contributing. They can learn from it.”

In early December, Moss’s team submitted a report recommending ways for the government to encourage software makers to write their code in programming languages that are “memory safe,” meaning they are impervious to flaws that could let hackers steal data from devices’ memory. Memory safety has become a top priority for CISA as its tries to encourage the software industry to write better code that leaves fewer gaps for hackers to exploit. “The buzzword of ‘memory safety’ is getting thrown around a lot,” Moss said, “so we're trying to help [CISA] understand what it is and what it isn't and what's realistic.”

Moss recalled council meetings where representatives from competing cloud companies traded ideas about the best ways to promote memory-safe programming languages. It was the kind of collaboration that he rarely sees in public. “That's rewarding,” he said, “to participate in that kind of experience.”

NOW THAT policymakers are eager to hear from the hacker community, Moss has some advice for security experts who want to volunteer their wisdom.

It’s important to “look at where you can make the most impact,” he said, and not waste time on agencies with a history of ignoring outside advice or “areas where you don't think any change can occur.” He’s also learned that technical experts’ advice won’t “change the world overnight,” he said, because “the speed of policy is not the speed of technology.”

Most importantly, Moss said hackers need to understand that “what you're working on might have broad political implications, and you just don’t see it yet.”

In the summer of 2017, Moss and his colleagues were putting the finishing touches on DEF CON’s Voting Village, a new section of the conference that promised to let anyone tinker with recycled voting machines that the organizers purchased online. The organizers had no idea that the new showcase would be any different from the ones that already existed for other electronics. But they soon learned otherwise.

Donald Trump’s election as president turbo-charged fears of voting machine hacking by shadowy foreign powers, and the Voting Village courted controversy as it shined a spotlight on vulnerabilities in the literal machinery of democracy. Voting machine manufacturers sent the organizers threatening letters. “Everybody was terrified,” Moss said. “It was a constant [refrain of], ‘Any minute now, we're going to be sued.” The lawsuits never came, but soon another danger emerged. After Trump’s defeat in 2020, right-wing election deniers began distorting the Voting Village’s findings to support their false claims of vote-tampering.

Moss is proud of the event, which he said has “accelerated the state of voting machine security … by a decade or more.” But he also admitted that he was surprised by the role it played in the political discourse — a reminder, he said, of why hackers should tread carefully when they wade into the policy world.

AS SOMEONE who has watched hacking go from a basement hobby to a vital part of protecting national security, Moss is circumspect about the consequences of policymakers taking an interest in his community. “I joked a couple years ago at a Black Hat that it’s a dangerous period for us.”

On one hand, “we're being asked to participate,” which is “what we've been asking for for a long time,” he said. But on the other hand, “once you're invited in the room, it's kind of hard to complain from the outside, so be careful what you wish for.”

In addition, advising the government means representing the hacker community in places where it may still be viewed with suspicion. “If you screw it up or provide really bad advice,” Moss said, “you can also poison the well of future participation from others.”

Despite these risks, Moss sees hackers’ increasing engagement in public policy as a clear force for good. And he believes that all of this exposure to the political process will give techies a better appreciation for the nuances of policymaking.

“We want to have a voice,” Moss said. “We just need to know that our advice was taken seriously and considered against all the other advice. There may be totally valid reasons not to follow our advice, but at least we're in the room and we understand the trade-offs.”

No comments: