The latest insights from your peers on the latest in Enterprise IT, straight to your inbox.
Q&A with Jeff Moss
Jeff Moss is in a unique position to offer a long-view perspective on the past and future of the field of cybersecurity. In 1993, when he was 18, Moss founded what has become the influential and infamous hacker convention DEF CON, which originated as a going-away party in Las Vegas for one of his hacker friends (who was moving overseas…with his parents). Four years later, Moss (known online also as Dark Tangent) founded a sister conference, Black Hat Briefings, which since 1997 has been held just before DEF CON in Las Vegas. Whereas DEF CON is primarily for individual hacker enthusiasts, Black Hat attendees are more likely to be computer security researchers or security professionals working for corporations or government. Black Hat has grown beyond the flagship Las Vegas event into a series of conferences held annually in cities around the world.
Today, Moss is a leading commentator on cybersecurity issues, seen as someone uniquely qualified to bridge the gap between the underground researcher community and law enforcement, between the worlds of pure research and responsible application. Besides continuing to head up the DEF CON and Black Hat events, Moss is a member of the U.S. Department of Homeland Security Advisory Council and the Council on Foreign Relations, among other organizations. He is a graduate of Gonzaga University, with a degree in criminal justice.
In this interview with CIO Straight Talk Editor-in-Chief Paul Hemp, he talks about how the evolution of the cybersecurity field is reflected in the history of Black Hat.
How did Black Hat get started?
It was sort of by accident, actually. I was running DEF CON, the hacker convention I had founded in 1992. And I kept getting these emails from people saying, “Write me a professional-sounding announcement about DEF CON that will convince my boss to send me.” So I began sending out announcements about the upcoming DEF CON that had a very corporate-ese tone. And finally Ray Kaplan, an old friend from our UNIX hacking days, said, “Why don’t you just start a real conference, a professional conference, charge people real money, give them real food—and then you don’t have to write those announcements anymore!”
It was a great idea. So I saved and borrowed some money and started Black Hat in 1997. In those days, there weren’t a lot of people in infosec. There weren’t a lot of “security professionals.” So I invited my friends. The first year’s speaker list was made up of people I knew, people at Microsoft or Novell or wherever, who I could call up and invite. All I wanted to do was to get them in a room and hear what they were working on. What’s cool to them? What are their problems? What are they hacking on?
What’s the origin of the name?
Originally it was called Black Hats Briefings—technically, it still is—and it was meant to provide companies with briefings on what the bad guys, the Black Hats, were up to, to help companies protect themselves. DEF CON was more for individual hackers and enthusiasts, where you’d be taking apart a PlayStation one day and hacking a drone the next—not things maybe your boss at work will pay you to learn about . Black Hat was meant to be more enterprise focused, offering professional development for people with real jobs.
From the beginning, we held Black Hat right before DEF CON in Las Vegas. We soon realized, though, that we couldn’t hold the two at the same hotel, because the DEF CON people would come early and eat all your food and drink all your booze!
So we separated the two, and Black Hat began to develop its own strong culture. Even when there has been some controversy—for instance, the time the ATMs in the hotel lobby were hacked—corporate interest in the conference has remained high. In fact, while in the past some companies tried to ban researchers who presented at Black Hat from disclosing certain product vulnerabilities, today vendors will actually challenge hackers to attack their products.
How has Black Hat grown over the years?
I didn’t realize when we started that we’d created kind of a magic formula. When I asked people why they were attending Black Hat, they said it was like a crystal ball. If hackers and security researchers were talking about it today, then in six months or a year it was going to be their problem. By coming to Black Hat, they got a jump start on what they were going to be seeing.
A couple of years after Black Hat began, we saw a lot of telecom people showing up, because security was beginning to show up on their radar. Some years after that, we started getting people interested in mobile security. And once vendors’ customers started showing up, the vendors came, too.
Over the years, we’ve held Black Hat events not only in Las Vegas but around the world, in places like Barcelona, Amsterdam, Abu Dhabi, Singapore, London, and Tokyo. In 2017, at the Las Vegas event, more than 17,000 people from 80 countries attended.
How do changes you’ve seen at Black Hat reflect changes in the field of cybersecurity?
Well, we’ve seen the types of people who attend the conference go from technology generalists to technology specialists—and the need now is for them to again become more generalist in their viewpoint. There’s also been an increasing emphasis on social issues, along with Black Hat’s core technology focus. And with that, there’s been a shift from a cybersecurity culture that sometimes has been kind of elitist to one that increasingly needs to be more inclusive and that welcomes diversity.
Let’s take those one at a time? What do you mean by a shift from generalist to specialist and back to generalist?
Back in the UNIX era, back in the early days of the development of the Internet, everyone was a generalist. But over the years, people in the field have specialized. They’ll say, “For the next four years, I’m going to focus on this one technology.”
But this mindset makes it hard to get a big-picture view. If you’re trying to explain a security problem to the board of directors, they’re not going to be asking micro-targeted technical questions. They’re going to want the larger context of the problem. So increasingly at Black Hat, we’re trying to include presenters, keynotes especially, who can provide that big-picture view. We help people attending Black Hat, who may think of themselves as cogs in the information security process, to see how their particular cog fits into the larger picture.
In what ways has Black Hat given greater emphasis to social issues in recent years?
I was always more technical. And I didn’t quite understand the importance of the social until later on. But if you think about where we’re going as an industry, it’s more social. Going forward, your success in the field may even be more dependent on your social skills than on some of your technical skills.
Take my example of speaking to the board about security issues. This isn’t like communicating with your boss or colleagues. It’s a different skill set. For more than a decade, everyone in our field complained that no one was listening to them. Well, now everyone’s listening to us, and we need to learn how to communicate with them.
Halvar Flake [the founder of a company called Zynamics that was acquired in 2011 by Google, where Thomas Dullien, Flake’s offline name, now works] spoke about this at the 2017 Black Hat Singapore conference. I agree with him that offense—cyber-attacks—is a very technical game. Very sophisticated but with very simple metrics. Did you succeed in breaking in or not?
Defense—foiling cyber-attacks—is much harder. The metrics—well, what are the metrics? Up time? Dollars saved? Opex? And defense is hideously social. How much money are we going to spend on defense? Whose budget does it come from? How important is this asset to protect? Is it being protected, quote unquote, enough? All of those questions are social and political and bureaucratic. And because of that, someone’s social savvy is increasingly important in how cybersecurity professionals’ careers develop. Halvar’s speech at Black Hat was a high-profile statement about this change.
How is the culture of cybersecurity changing?
Acknowledging the important social aspect of cybersecurity is an example of this culture shift. Related to that is the realization that cybersecurity culture, which grows out of hacker culture, needs to be less elitist and more inclusive.
While hackers traditionally have had respect for one another, they have often been dismissive of people who weren’t part of our “in crowd” as being not all that smart. Not just business people but people who build the computer systems that hackers break into. That arrogance prevents us from building the relationships so necessary if we are to strengthen security, both internally at companies and more broadly. Brilliantly fending off cyber-attacks is no longer enough. We need people who can build more resilient systems, reduce attack surfaces, eliminate coding flaws. And that means we need to reach out and educate people who have less security experience than we do.
Being inclusive also means encouraging diverse groups of people to enter the field. At its core, hacker culture has always been democratic. Back in the early days, my formative years, before social media and Instagram and Snapchat, you weren’t judged by who you were—what you looked like or where you lived or what your race or religion or gender was. You were judged by what you thought and how you behaved online. I remember being 13 years old and having this full rich adult online experience—having conversations about sex, drugs, and rock & roll—because no one knew how old I was!
I assumed that was way the world worked. And that’s had a big influence on how Black Hat has grown. It’s always been a place where everyone was welcome and where speakers with an interesting viewpoint gave presentations even if they were controversial – for example, 2013 keynote speaker General Keith Alexander, then the director of the National Security Agency, who was criticized for the NSA’s citizen-surveillance tactics. I see Black Hat as kind of neutral territory, like Switzerland.
But now we need to actively encourage diversity in the security community, to reflect the diversity of the global community of people we protect. Silicon Valley’s risk model may not be everyone’s risk model. We need to encourage and mentor the next generation of cybersecurity talent. At Black Hat 2017 we awarded 205 scholarships to students who wouldn’t normally be able to attend. And we need to maintain what diversity we currently have in the industry. That’s why at Black Hat 2017 we had numerous programs devoted to providing support to women in the cybersecurity field.
Where does the field of cybersecurity go from here?
A lot has happened in the world and in our community since Black Hat first began 20 years ago. The cybersecurity community field has become central to the task of keeping people and businesses safe and secure around the world. The world relies on us to help protect the infrastructure not just of the past but the systems of the future – the Internet of Things, autonomous cars, spac e travel. This community is close to the levers, close to the technology. We understand it. That gives us a social responsibility to, for example, help enable “secure by default” instead of “open by default” systems. We have, I think, a special obligation.