CIO

7 must-see talks at Black Hat and DEF CON 2019

Infosec is political; talks this year reflect that

Infosec is political. It's about power — who has it, who doesn't, and how it will be used. Some geeks like to pretend otherwise, but that will be harder this year during hacker summer camp in Las Vegas, as politicians and policymakers join hackers to merge tech and policy in some much-anticipated talks.

Here are our top seven talks to watch out for this year in Las Vegas.

Can You Track Me Now? Why the Phone Companies Are Such a Privacy Disaster

Senator Ron Wyden brings his "Wyden Siren" to DEF CON to talk about US cell phone carriers and privacy, or rather lack thereof.

"America’s phone companies have a hideous track record on privacy," the talk description states. "During the past two decades, these descendants of 'Ma Bell' have been caught, repeatedly, selling (or giving away) their customers’ sensitive data to the government, bounty hunters, private investigators, data brokers, and stalkers."

Wyden's vigorous questioning of former Director of National Intelligence James Clapper (who lied under oath to Wyden's face in 2013) is one of the reasons Edward Snowden stepped forward to reveal secret mass surveillance programs. The senator from Oregon remains the most tech-savvy defender of Americans' civil liberties on Capitol Hill, and a friend to good-faith hackers.

"Join Oregon Senator Ron Wyden to learn why the phone companies have gotten one free pass after another, and what he’s doing to hold them accountable," the talk description concludes.

Expect fireworks.

Event: DEF CON
When & where: Friday at 4:30pm in Track 2
Duration: 20 minutes

Hacking Congress: The Enemy of My Enemy Is My Friend

Two Congresscritters and a former Congresscritter walk into a hacker conference. A think tank rumbles into the room. What policy proposals should the tank turret fire? A high caliber, we can guess, given Rep. Ted Lieu, Rep. James Langevin, and former Rep. Jane Harman are sitting topside.

Now that we've tortured that bad joke long enough, make a point of turning up to hear — and ask questions of — the handful of Congress folks with a technical clue, and who care about the future of cybersecurity.

"The Wilson Center, Hewlett Foundation and I Am the Cavalry are teaming up to bring public policymakers together with security researchers and others to discover how our nation might respond to a wide-scale 'cyber crisis,'" the talk description says. "Work in tandem with sitting Members of Congress to understand what levers of power Congress wields and how Members can address policy gaps in the future."

A world with well-informed politicians in it seems like something hackers ought to support, no?

Event: DEF CON
When & where: Friday at 10:00am in Track 2
Duration: 45 minutes

D0 N0 H4RM: A Healthcare Security Conversation

The future is cyborg. Human and machine merge, making flesh and blood vulnerable to the gamut of attacks we see on the cyber domain. Are we ready? Uh, Houston, that would be a negative (the most polite way we can think of saying it without swearing).

Worse, medical device manufacturers lag on security, making hacking hospital equipment the digital equivalent of hacking into a cardboard box with a butter knife. We're talking life-threatening security debt here.

Regulators, physicians and hackers come together in this two-hour conversation at DEF CON's "Fireside Lounge" to mull how to move forward. The all-star lineup includes the very clueful Suzanne Schwartz, MD from the FDA, as well as security researchers Marie Moe, Billy Rios, and Jay Radcliffe.

Event: DEF CON
When & where: Friday at 8:00pm in Firesides Lounge
Duration: 120 minutes

Information Security in the Public Interest

Like lawyers, security pros should give back to society by working pro bono in the public interest, Bruce Schneier argued at RSA. He'll be beating the drum again at both Black Hat and DEF CON. The all-day track on public interest technology was well-received at RSA, and we expect his presentation to spark conversation and debate during hacker summer camp.

As well it should. "I would like to see an ecosystem where if you are going to be a senior manager in cybersecurity, you will have been expected to do some work in the public interest," Schneier told CSO earlier this year.

Public-interest technologists "combine their technological expertise with a public-interest focus, either by working on tech policy, working on a tech project with a public benefit, or working as a more traditional technologist for an organization with a public-interest focus," Schneier writes at his Public-Interest Technology Resources blog.

Pro bono work changed the legal profession in the 1970s and may well change the information security landscape as well. Led by Schneier, expect changes. A talk worth your time.

Event: Black Hat
When & where: Thursday at 9:45am in South Seas ABE
Duration: 50 minutes

Event: DEF CON
When & where: Saturday at 10:00am in Track 3
Duration: 45 minutes

Cyber Insurance 101 for CISOs

For every stick there must be a carrot, and cybersecurity insurance holds the promise of (maybe, possibly) being the carrot to the regulator's stick.

Widespread security failings (along with motivated attackers) have led to all-too-frequent data breach headlines. As CSO reported in 2018, "Underwriting cyber risk remains more art than science, but in the absence of regulation, cyber insurance might still be the best hope for improving cybersecurity practices across the board — at least for now."

Transferring limited amounts of risk to an insurance company is not only an option for enterprises today, it is quickly becoming a best practice. Note the use of the word "limited." Purchasing cyber insurance no more absolves companies of practicing good security than car insurance absolves a driver of reckless driving.

The so-called "moral hazard" of insurance haunts insurers and insured alike. With luck, this talk at Black Hat will provoke a discussion of what security gains cyber insurance can — and cannot — help enterprises achieve.

Event: Black Hat
When & where: Wednesday at 1:30pm in Mandalay Bay CD
Duration: 50 minutes

Responding to a Cyber Attack with Missiles

The cyber domain, or fifth domain, has four cousins: land, sea, air and space. What happens when those domains intersect and a cyber incident provokes a shooting war — or worse?

"The lines between real and virtual worlds are blurring fast," Mikko Hypponen of F-Secure writes in his talk description. "Several governments have publicly stated that they reserve the right to respond to cyber attacks with kinetic force. Now we are seeing that happening for real. What are the rules of engagement in these new conflicts? And where is the cyber arms race taking us next?"

Industry veteran Hypponen will bring his three decades of experience in infosec to this talk, and we expect it to be a sober look at the developing cyber arms race, how things could go badly, and what we can do to stop it.

Event: Black Hat
When & where: Wednesday at 2:40pm in South Seas ABE
Duration: 50 minutes

The Cyber Shell Game — War, Information Warfare, and the Darkening Web

The playful joy of the early internet has been replaced by games of power and influence, espionage and sabotage. What the devil went wrong, and how do we avoid the looming dystopia?

We're not sure if speaker Alexander Klimburg has an answer to these difficult questions, but kudos for asking them. The talk description suggests a narrow "America good, everybody else bad" philosophy that is likely to prompt international visitors to roll their eyes, but if you can get past that and take this talk for what it is — a provocation — then you'll find it a valuable contribution to your Black Hat lineup, and fodder for beer track discussion.

Event: Black Hat
When & where: Wednesday at 4:00pm in Islander EI
Duration: 50 minutes