From August 8th through the 11th this year, over 30,000 “hackers” converged in Las Vegas for DEF CON 27. Founded in 1993 as a grassroots convention, DEF CON 27 has become an integral part of the hacker community scene. In fact, it has achieved increasing notoriety as cybersecurity threats have gained national and international attention. This year, NSA Director General Keith Alexander was even in attendance trying to recruit hackers for federal assistance. Certainly, the relationship between hackers and the government have come a long way in the last two decades.
From this perspective, DEF CON 27 has attained a higher level of respect from those in the cybersecurity arena. Among those include Shane Morris, a veteran consultant in cybersecurity who headed information services at DEF CON 27. This position might sound rather routine, but it is far from it. Morris not only organized and recruited others to help provide information to DEF CON 27 attendees, but he also provided detailed information to a very sophisticated group of participants. Because of this, and his tremendous background in cybersecurity, Bold Business asked Morris to share some of his insights.
DEF CON 27 was a A huge success with more than 30 thousand people in attendance.
Bold Business Interview with Cybersecurity Expert Shane Morris
Bold Business: What is bold about DEF CON 27 and what has DEF CON achieved since its inception?
Morris: The bold thing about DEF CON 27 is to spread the idea of security awareness and information sharing. Since DEF CON’s inception back in 1993, the idea has been to bring like-minded individuals into the Nevada desert to share information. Yes, it may be viewed as a “hacker” conference, but the goal is and continues to be the sharing of information. One person may discover a flaw in some piece of technology, and another will be able to provide the information on how to resolve the flaw.
Bold Business: Which events at DEF CON 27 did you want highlighted? Which ones were top-billed?
Morris: I think the Skytalks were worth attending. They were given by security researchers, and these talks were not allowed to be recorded. If you missed one of the talks, there was no way to obtain the information. The Voting, Car Hacking, and Lockpick Villages were also worth visiting. I did manage to make it to the aviation and car hacking villages. Both are very interesting and can be scary when you learn how easy it is to take over the computer in cars and airplanes.
There were around 30K people in attendance this year. With the event spread across four hotels, it made it hard to see and attend all of the activities being offered. Also with the event being spread out, it is harder to see friends/colleagues. Overall I think the event went really well. As a department head, I didn’t get to attend many/if any talks. I tend to watch all the talks later when they are released on video.
Bold Business: How has DEF CON contributed to the development of the cybersecurity industry?
Morris: I think DEF CON started something great by trying to make the community aware of the security issues and how to mitigate them. It is not all about a person saying, “This is how I broke into this one computer.” It is about the same person saying, “This is how I broke into this computer, and this is how you can prevent it from happening to you or your company.” It is really about making the community aware of the issues and how they can be resolved. It is about all of us working together to make things better.
Bold Business: Help us understand a little bit more about the role that you played at DEF CON.
Morris: I was the department head for the information booth (IB) and information services. As the lead, my volunteer job was to recruit people to work the information booths and provide information to the attendees. With the exception of DEF CON 27 leadership, all of the people who worked at the conference were volunteers.
Bold Business: Tell us more about yourself. Which companies, institutions, and groups have you been a part of and at what capacity?
Morris: With a Master’s degree in Computer Science Computer Systems Security, I have been involved in numerous projects. I’ve been a cybersecurity consultant for over ten years. And I’ve been involved in computer security for two decades. Prior to being a consultant, I was a Security Lead in a utility organization. Likewise, I have worked in various industries including retail, government, commercial, financial, health care, and service provider. Also, I have taught classes on vulnerability assessments for the National Security Agency (NSA). And along the way, I have attained numerous certifications and affiliations related to information systems security. Indeed, I have seen so much in such a short time regarding cybersecurity and evolving security threats.
Bold Business: What are the biggest challenges related to cybersecurity that industries are facing today?
Morris: Overall, systems processing, transmission, and/or storage of critical data have changed greatly. Critical data is now in numerous places, such as smartphones, tablets, laptop computers, and the cloud. This presents additional challenges on how to protect the critical data when it may be located in several locations on several different devices. For example, China’s Advanced Persistent Threat (APT) groups pose serious threats to cloud infrastructures. Once these APT groups gain access into the cloud provider’s network, they are able to access all of the companies using the cloud provider’s services. This has led to several companies losing critical data. Finally, another challenge is the Internet of Things (IoT). IoT devices such as coffee pots, thermostats, doorbells, smart locks, and others have little to no built-in security. This presents an additional threat landscape if used in the corporate environment.
Bold Business: How has cybersecurity evolved in recent years?
Morris: Cybersecurity has evolved in recent years by shifting from a defined perimeter security boundary to a constantly changing security boundary. Having critical data being processed, transmitted, and/or stored by mobile devices and the cloud has demanded this evolution. The goal of cybersecurity to protect the company’s critical data has not changed. But the manner in which this now accomplished has changed a great deal. At DEF CON, security awareness and privacy protections continued to be the hot topics. But the growth in collaborations trying to achieve these goals is evidenced by the variety of people who attended DEF CON.
Bold Business: What do you see happening in the cybersecurity space and DEF CON over the next five to ten years?
Morris: The goal for cybersecurity will still be the same over the next five to ten years. But I think the threat landscape will continue to change requiring cybersecurity to evolve with it. I see DEF CON continuing to grow and continue with its cybersecurity and threat awareness message. This year was the inaugural year of DEF CON in China. This is a great example of how DEF CON will continue to expand and broaden its impacts.
Bold Business: What message would you want to share to the readers of Bold Business?
Morris: Cybersecurity is not all about checking the box to pass an audit. Cybersecurity identifies a company’s critical data and ensures the proper controls and protections of that data are in place. Likewise, cybersecurity is a business enabler so that business can be conducted in a safe and secure manner. That will require cybersecurity professionals to be solution seekers and part of a business’ critical thinking team. And it will require enhancing skills in communication so that all audiences, and not just cybersecurity “geeks”, pay attention. In short, everyone needs to understand the threats and participate in cybersecurity solutions in order for companies to truly excel.
Collaborative Initiatives Already in Place at DEF CON 27
As Morris pointed out, there is an increasing need for collaboration when it comes to cybersecurity threats. Going along with this concept, assessments by independent auditors is one way to advance this type of thinking. At DEF CON 27 this year, for example, the Defense Advanced Research Projects Agency (DARPA) asked hackers to help. They introduced their own open-source services hardware platform and allowed DEF CON 27 attendees opportunities to identify flaws and issues. This is a perfect example of how independent assessments by cybersecurity auditors can enhance a business’ position against threats.
Attendees at DEF CON 27 are among those who may be ideal at fulfilling these types of auditing services. For example, Morris is part of Bold’s Intelligence Threat Service helping companies mitigate cybersecurity risks and protect critical data. As he noted, cybersecurity threats will continue to evolve and change. And businesses will need to adapt along with these threats in order to survive. Employing qualified cybersecurity professionals to perform independent auditor assessments is a great way to achieve this. When it comes to hackers, the best way to beat them may be to have one join you.