The collision of four cyber-communities has created overlapping risks and occasional tension, but there is an opportunity to overcome it.
Speaking in the opening keynote of Black Hat Europe 2020, Black Hat and DEFCON founder Jeff Moss said the four primary actors in our space “collide and create tension”:
- Organized criminals – who are mostly interested in making the most money with the least risk.
- Governments – who are not as single-minded as a crime group, as different agencies may have differing interests, and who may “conduct some clandestine operations to steal some secrets.” On the domestic and policy front, he said, we see governments with a handful of agendas.
- Companies – who manufacture the product, build the infrastructure and are generally interested in maximizing return and minimizing disruption, regulation and embarrassment. “They are the experts who built the product, so they are the ones mostly seen in front of government and lobbyists.”
- The academic, hacker and security research community – who try to figure out how the product works and ask whether, under the surface, it is doing what the manufacturer claims, and if not, “we want to tell the world about it.”
“Through this process we’ve come up with disclosure and that led to bug bounty programs, and we act as a neutral third party telling policy makers what is and isn’t possible, and this leads to tension,” he said. This can be tension between researchers and government: the government wants to know what is possible, and it needs a voice telling it something other than what comes from the lobbyists.
He said security researchers have moved more and more into the realm of policy: “we’re now providing that information as policy makers have grown up with technology and computers and are now asking us our opinion.”
Moss said this is a “very dangerous time for us now” as, on one hand, we’re being asked for our opinion, which is a great thing, but this is also a risk “and if we screw this up we may not be taken seriously, so it is very important that the community of infosec researchers and the community of government learn from each other and we learn how to work through this tension.”
He concluded by saying that governments have been around for hundreds of years, while technology researchers are pretty new “and we’re not steeped in the ways of political navigation,” so researchers need to be given a chance and also need guidance on how to get the most from their knowledge.