Black Hat and Def Con have concluded. Here are a few observations about the discussion of technology and policy that took place at the events.
We heard speakers in several sessions at Def Con urge that those professionally involved with cybersecurity also involve themselves with legislators, that they attend Congressional hearings, send direct messages to their representatives, and so on. Some of this was civics-class, good-government advice, some advocacy, and some a call to contribute from the distinctive perspective security expertise might lend a citizen. There were signs of mutual interest: several members of Congress attended, which speaks to some recognition of the security community's importance, and of interest in the conversations taking place last week in Nevada.
Some such cross-fertilization was intended by Def Con's organizers. "We are trying to break down the barriers between the people in tech who know what they're doing and the people in Congress who know how to take that knowledge to make laws," Phil Stupak, an organizer of the AI Village and a fellow at the Cyber Policy Initiative at the University of Chicago, told CNN.
There were comparable signs of such interest at Black Hat. Bruce Schneier delivered an address in which he called for technologists to contribute their expertise to the policy process. "No policy makers understand technology," Infosecurity Magazine quoted him as saying. "Technologists are in one world, and policy makers are in a different world. It's no longer acceptable for them to be in separate worlds though, as technology and policy are deeply intertwined." Your influence as a consumer, he argued, is negligible, but your influence as a technologist can be considerable. And that influence can also be wielded within the companies technologists work for.
Contributions of knowledge by those who have it are surely welcome, as no thinking person would want laws to be written (and amended in committee) and passed by the ill-informed or clueless. Part of the expertise one hopes the technologists would deploy is a clear understanding of the scope of their knowledge. A self-appointed clerisy pushing whatever views they happen to hold on various topics because they're having difficulty distinguishing an "is" from an "ought" would quickly prove tiresome. Everyone has a right to an opinion, and to that opinion's expression, but of course that right doesn't automatically confer expertise any more than passionate expression does. Lawyers have plenty of valuable expertise, but it doesn't necessarily extend to, say, quantum entanglement. And the cogency of a line of reasoning is seldom well-correlated with the volume used in expressing it.
That said, there was commendable self-awareness and appreciation of complexity on display. A proposal for widespread online voting, for example, received a cool reception because the audience of technologists perceived how hard it would be to pull that off.
And on right-to-repair laws, a hot-button issue to many, one salient point made to the hacker crowd was that corporations are not necessarily malicious in their intent, and that they are often good people making decisions answerable to a different set of criteria from those a consumer (or hacker) might use. Others noted that decisions about the right-to-repair are largely made in first-world settings that have moved toward a more disposable economy. The same rules might not necessarily apply to emerging economies where equipment has a much longer lifecycle, and repair and reuse are not only common, but necessary.
We'll have more later this week as we wrap up our discussion of the events in Las Vegas.