Lawfare Daily: Full Stack Policymaking

Eugenia Lostri, Nina Alli, Winnona DeSombre Bernsen, Jen Patja
Wednesday, January 8, 2025, 8:00 AM
What are the benefits of cybersecurity villages?

Published by The Lawfare Institute
in Cooperation With
Brookings

Lawfare Senior Editor Eugenia Lostri sat down with Winnona DeSombre Bernsen, nonresident fellow at the Atlantic Council and founder of the hacker conference DistrictCon, and Nina Alli, Executive Director of the Biohacking Village, to talk about their recent report, “It Takes a Village: Spotlighting Practitioner-Driven Cybersecurity Successes and Future Opportunities.” The report collects the insights of seven cybersecurity villages and outlines the value they can bring to security research and how policymakers can benefit from engaging with them.

Please note that the transcript was auto-generated and may contain errors.

Transcript

[Intro]

Nina Alli: I walk in and I have like a dossier of, this is the research I did. Here's, here's fiscal factors. Here's everything you need to know. And here's the other entities that maybe you want to have a conversation with because it's not just an FDA problem. It's ONC, it's ONCD, it's CMS. So we're hurting the system by not thinking in a full stack.

Eugenia Lostri: It's the Lawfare Podcast. I'm Eugenia Lostri, Senior Editor at Lawfare, with Winnona DeSombre Bernsen, nonresident fellow at the Atlantic Council and founder of the hacker conference DistrictCon, and Nina Alli, executive director of the Biohacking Village.

Winnona DeSombre Bernsen: And ultimately, the villages moving into 501(c)(3)s as full year-round organizations is another step in that direction of showing policymakers that you can bridge this so-called hacker-policymaker divide to make more technically informed decisions.

Eugenia Lostri: Today, we're talking about the value cybersecurity villages bring to security research, and how policymakers can benefit by engaging with them.

[Main Podcast]

So Nina, Winnona, you recently authored a paper on cybersecurity research and workforce development entities that are also known as villages, and that's what we're going to call them throughout the conversation.

And so I want to start by providing maybe a little bit of context about these villages. I think if we understand kind of how they came to be, then we can understand what the role can be and is in the policy ecosystem. So let's just start with that. Can you start by defining these villages? And also if you could tell us a little bit about what motivated you to write a report about them?

Nina Alli: The villages started at DEF CON, and primarily DEF CON is the largest hacker conference in the world and the villages are subconferences to DEF CON. They are all, or most of them are, independently owned and they focus on singular parts of industry or infrastructure. So aerospace focuses on helicopters and, and airplanes and things like that. Biohacking Village focuses on biomedical technology, cybersecurity, patient safety.

So the village has been around for 11 years. I've run it for 10. And about 11 years ago is when the regulations and the laws started changing and it became a massive influence in healthcare, in medical devices, in the interoperability. And there was no village, there wasn't a lot of focus on that.

So a group of people got together, had a lot of conversations, brought about this village to at least be, be on the edge of what is happening, what happened, so we could have more conversations to make it better.

Winnona DeSombre Bernsen: And so, about this time last year, actually, Nina and I had gotten together for coffee and I told her that we wanted to start one of our own hacking conferences here in the heart of Washington, D.C. and I asked her how villages currently get involved in the policymaking processes. And villages like Biohacking, Aerospace, are largely 501(c)(3) organizations, so they're nonprofits, they're focusing primarily on making things safer, and so naturally they would be more engaged in the policymaking process, or so I thought.

But ultimately, after our discussion, we realized that there were a couple of things that would prevent villages from entering the room to showcase their voice, which is largely that of technical practitioners who are not involved in more vendor related type activities. Or manufacturing the devices or the airplanes themselves.

The first was that ultimately, not very many policy makers, at least back in the day, came to DEF CON or other large conferences. You still have that like anti hacker stigma.

And then the second is that when policy makers go to these conferences, they're engaging with villages at some of the busiest times of their years. And so there's a mismatch in when they're actually engaging. And so when we have this discussion, I went, oh, interesting. I wonder if some of the other villages feel that way too. And this spun up this whole process of us gathering these opinions from seven different villages and writing this report.

Eugenia Lostri: So let me just ask you two questions. One, can you be more specific about who is a part of the villages, who is the "we" that are focused on making things safer? And what does that look like? What does making things safer entail from the village's perspective?

Winnona DeSombre Bernsen: I mean, I'm, I feel like that's a Nina question better than it is me. At least from an external counterpart, I would say that villages are comprised largely with individuals who want to, A, build community in their particular security space.

There's two primary goals of a village across a lot of these organizations. The first is capacity building, and working with vendors and manufacturers of these products, be it cars, medical devices, you know, even power plant, power plants, energy grids, voting machines and making those safer. It's kind of like an advocacy role.

But the second part of it is training and workforce capacity. Many of these organizations provide training and workshops. I want to give Nina an opportunity to talk about the amazing stuff she does at, at Biohacking Village. To do that she works with plenty of medical device manufacturers to bring in some of these devices so that way they could get hacked at these conferences.

Nina Alli: So US2R we, as the village leadership or the people that are coming, we are all security practitioners, or most of us at least in the leadership positions are security practitioners, industry partners, we're hackers, we're, we're the users of these particular industries. That's why we're there trying to push the envelope. And we push the envelope. It's a lot of we're on the cusp of that what happened technology and what's emerging technology.

And going back to something that Winnona said before, where it's people are coming to us at the busiest time of the year. There's a lot of policy people that come to us during DEF CON, and it is during the busiest time. So they get the vantage point of seeing the chaos without too much interaction of conversation, because they'll usually stay in one place, you know, take a gander, look around, have very brief conversations, and then they have to move on.

Because there's, I think it's 36 different villages at DEF CON, for instance, so there's a lot of movement that has to happen over either the day that they're there, or the two days that they're there, and it's constant conversations. So, when it's, are we, how are we involved in policy, or how are we not involved in policy?

You've got about five minutes to make a, a mental impact on, on the people that are walking through. And you have to be so to the point, blunt and say, here's, here's everything that's happening and what are we working on? And here are the medical device manufacturers, here's the medical devices, and this is how many vulnerabilities are found. And they're like, great. And then they have to move on.

Eugenia Lostri: That's a lot of pressure on a, on an elevator pitch.

Nina Alli: Yes. Right. So you've got about three seconds to, to mentally gird your loins. And then have the conversation, right? You have to steel yourself for this too.

Eugenia Lostri: So I, I want to dig into that a little bit, Nina. You mentioned before that the villages grow from the conferences like DEF CON, but they're now kind of independent, right? So what does that evolution look like and how do they go from being sub conferences to becoming, you know, NGOs, independent, they are their own thing. You know, what is the relationship still between DEF CON and the villages?

Nina Alli: So I think there's a growth mindset where there's a group of people that are suddenly like, but this is not being focused on at DEF CON, RSA, or just generically as a village. So, they gather their friends, they get the EIN number, the not for profit status, and then they become a conference. We are related to DEF CON, we are not part of DEF CON.

It's not a DEF CON village, it's a village at DEF CON. So the nomenclature part is the I think that's the confusing part for everybody because of how we function. Because we're so integrated and it's been such an integration over the last 25ish years, just maintaining that we are our own stronghold from an intellectual standpoint.

Eugenia Lostri: Yeah, but it also sounds important to point that that makes it a year round thing, right?

Nina Alli: Yes.

Eugenia Lostri: You're not just active during DEF CON, which is your busiest time, but people could actually reach you when, when you're not there.

Nina Alli: Right.

Winnona DeSombre Bernsen: I also think that goes to the parallel trend in this industry of people still retaining this, like, hacker identity.

Like, you go to DEF CON, you go to Code Blue, you go to all of these local BSides, which are notoriously known as hacker meetups. It's where people who identify as this word, hacker, which means, like, a lot of different things. I know that there are cyber criminals who you would call hackers, but there's also white hats or red teamers or blue teamers who participate in this profession legally who identify with that term as well.

And there are plenty of people who would call themselves hackers, but as a job, they're security researchers. It's this identity versus profession distinction where the villages, as they are creating their own 501(c)(3)s, they're professionalizing. They're effectively saying, we can't do this once a year. We actually have to be doing this all year round.

Eugenia Lostri: Yeah. Thank you. Thank you for setting that up perfectly because that was exactly my next question, Winnona. Because that's something that I find honestly fascinating and it's the relationship between particularly government and the hackers and then that transition to security researchers.

So when you say that the villages are show the professionalization of the industry. What does that mean? What does that entail?

Winnona DeSombre Bernsen: I mean, when you think about the word hacker, there's a lot of counterculture angst that is, is around that term. Ultimately that word actually predates the concept of a cybercriminal. It was, you know, in the 1950s where students at MIT were trying to get more computer time on these like huge, massive machines that had to get like rented time leases type of situations.

And so the, the ethos of hacking in the United States is all about this intellectual curiosity. How do I make something do something that it's not necessarily meant to do? There's that glee that comes with that. And nowadays, you can call that red teaming. You can call that pen testing.

You can call that any number of things that is sanctioned, as in permitted, by the U.S. government, by governments everywhere. And you have, you know, billions of dollars of industry popping up to be able to, to professionalize cyber security in that way, that, that inherent act of breaking into something in an authorized way.

And so there's this inherent tension between we used to be a very counterculture, and I think in some case, the hacker community is still quite counterculture in its own way. There's an element that had, you know, cybercriminals could be called hackers as well and so there's an inherent tension in the name of the word and the associations that follow.

But ultimately, you see at least villages are an example of where white hat hacking started out in that counterculture type environment and has professionalized while taking with them that same identity.

Eugenia Lostri: Nina, anything that you want to add to that?

Nina Alli: I'm professionally known for countering people, so, so, I don't necessarily agree with, I love you, that is my proviso to the next part.

I don't necessarily agree with the white hat part, because-

Winnona DeSombre Bernsen: Fair.

Nina Alli: professionally, I'm a senior strategist, cybersecurity engineer. That's what I do at work. When I have conversations about biohacking village, I am a biomedical engineer and hacker. That's what I do. And when I am building, breaking, and programming into things, I don't necessarily throw down that, like, I'm a white hat hacker because-

Winnona DeSombre Bernsen: White hat is also so overused as a term.

Nina Alli: Right. Yeah. And I think you have to know all sides of hacking to be really good at what you do. So when I throw down, I say I'm a gray hat because to counter who I don't want in the system, I have to know what they're doing. And I have to know what the good people are doing to make sure that this is secured appropriately. So that is my loving counter to you.

Winnona DeSombre Bernsen: Hey, this is why Nina and I make great coauthors. I, I love this back and forth. We have it all the time.

Eugenia Lostri: This is what you need. Yeah.

Nina Alli: I think that's why the villages work the way that they do as well, because we all go against each other. I have relationships with a lot of the villages and I'm like, why would you do that?

Let me tell you why healthcare is very much involved in your village and why we need to be working better together because I think that's another problem with policy. There's so many silos and everybody is doing a very distinct thing for their industry because that is best practice. Amazing. Great.

However, there's, everything is, is tied together. So if one industry can help the other one with whatever best practices and laws, regulations, whatever, that's what we as the villages are starting to promote more, I think, in the last three years, at least since COVID more so.

We've started doing more preemptive preparedness of this happened, let me tell you why. We should work better together. So we've got integrations, that's how village of villages started getting more traction. Those are communities, those are villages that Biohacking Village started working more with of every patient is a voter. So now we're working with Voting Village, et cetera.

Eugenia Lostri: So Nina, I'm actually going to ask you to expand a little bit on this because you are the executive director of the Biohacking Village. So I'm interested in hearing a little bit about how this history, this evolution that we've been talking about actually reflects in your experience running the village and what do you see as the path forward?

Nina Alli: The Biohacking Village started more as a DIY bio where you know, everybody is putting the, the implants in their hands and looking to do more of their own DNA functionality or change it and see how that goes. And we still do some of that. There's some DIY farm stuff, but we've expanded. So DIY bio, the manufacturing side, medical devices, application products.

We are trying to do more training because a lot of the U.S. government, at least in Europe, are also like, we need to start training more people. There's a huge deficit. So here we are trying to get people more engaged with what we do and how ICS is integrated into that and how this would work with a helicopter because it's a medical helicopter, helovac, ambulances from car hacking, things like that.

Winnona DeSombre Bernsen: What trainings are you providing to governments, Nina?

Nina Alli: My statement for this is always you can't change workflows that you don't understand. And I think when we looked at how many doctors were in Congress, so Senate and the House, I think it was nine. So nine out of 545 people have actually worked in a hospital or done clinical practice or whatever.

And yet there's all these other people that are very invested in, in how the acts should go and what they should say and, and how patient safety should look. So, when we go and try to have conversations with them, it's, let's talk about my background. I've worked in the hospital for 20 years. I've, I've done all of these things.

The impact of this act adds 5 minutes, 3 minutes, 2 minutes, 55 seconds to a doctor's appointment. Because there's added technology that either they're not trained on, it's not done well. There's an interoperability that, that we didn't see, that we have to implement. And all these other factors.

So explaining to them the tiers of how a patient's workflow goes, as opposed to what their normal patient workflow is, because it's a very different dynamic, right? Those are two very different paradigms of somebody that's in Congress that gets immediate care, and somebody that's out in the civil society that's like, I had to wait three weeks to get an appointment, and I was already not sick by then, or whatever happened.

So when we do the trainings with them, it's tell me what you see. Before I even talk to you, give me an explanation of why this is best practice that you engaged with. Amazing. Great. Love your observations. Now, in practice, this is what it looks like. These are the complexities, and these are the things you have to add. Because along with the acts and everything else that they're doing, there's, there's fiscal responsibility that has to come either from the government, or from the entity to implement those things.

There's trainings. There's more people. There's different kinds of resources. So I walk in and I have like a dossier of this is the research I did. Here's, here's fiscal factors. Here's everything you need to know. And here's the other entities that maybe you want to have a conversation with, because it's not an FDA problem. It's ONC, it's ONCD, it's CMS, and it's whatever other part of HHS. And then the rest of national security issues that go along with it. So we're hurting the system by not thinking in a full stack.

Winnona DeSombre Bernsen: I also love how Nina's saying full stack because that's an engineering term that she's applying to all of the different systems of government, right?

Eugenia Lostri: I was just thinking the same thing. Love it. I think we should incorporate it. I mean, what's one more buzzword?

Winnona DeSombre Bernsen: Full stack policymaking? Oh my gosh.

Eugenia Lostri: I think there's a paper there.

Winnona DeSombre Bernsen: Oh no.

Eugenia Lostri: So, I think that's a really great overview of the way that you engage with, with the policy ecosystem. Is that approach similar across the villages, would you say? And if you had to describe it, maybe in more general terms, what is the value out of the of the villages here? How are they participating? How are they driving change?

Winnona DeSombre Bernsen: After talking with the seven villages that participate in this study, obviously that is not every village, but it is some of the larger 501(c)(3)s that call themselves villages.

Ultimately, we found a couple of different ways that they largely engage in the policymaking process. Some are kind of like think tanks. They'll create dialogues, they'll have talks, they'll go to these conferences, have their own speaking stage and engage in emerging trend dialogues.

So I think one of my favorite examples is that Crypto and Privacy Village, which is one of the very first villages that happened at DEF CON. I think they were hosting talks on post quantum cryptography a full year before NIST even started doing research on it. Really, you're seeing these practitioners go in, pull out all of the threads of what they're seeing as practitioners who will see these emerging trends first and showing it to the rest of the world.

You'll also see that villages will partner with government, private sector and academia. So at some of these events you saw, I think in the last year, the big one was the AI generative red team that happened a couple of years back and I think happened again this past year at DEF CON where they're, going through and, and partnering with all of these AI organizations, companies, and, and parts of the U.S. government to really figure out, you know, what are the risks to artificial intelligence and, and these large language models.

There's also, I think my favorite that people don't know as much about is Aerospace Village's Hack-A-Sat, which was a capture the flag hacking competition which was hosted on a satellite orbiting in space. And so these contestants were hacking into the satellite while they were on the ground and, and the satellite was up in the air.

Of course, I think the most important thing though, is that villages will interact not just with governments, not just with other hackers, but also with the manufacturers themselves. So they, they get this 360 degree view of everything that's going on.

ICS has focused on engaging with energy companies, and Biohacking, I want to hear Nina talk more about this so I won't speak for her, but working with some of these medical device manufacturers to make their devices more secure, to engage with them as a bridge between the security professionals who might not ever get to see a pacemaker and the pacemaker manufacturers themselves.

Nina Alli: So, there's a couple of things. There's an event called Hackers on the Hill that a lot of the DEF CON village folks and just hackers in general go to the Hill, have conversations with congressional staff, and talk about what they're working, what the congressional staff is working on, and how we can help mold that a little better and give them advice on whatever that could look like.

There's also a lot of fellowships. I was a presidential innovation fellow at BARDA DRIVe. And they were, there was a lot of questions about what does security look like? And at that time, they weren't even considering cybersecurity in the devices. They were just like, the devices are great. Let's just put them out into the world. And I was like, no, that's not how we, that's not how FDA functions.

And then from a Biohacking Village point of view, we have partnerships with some of the administrative agencies. So we have a partnership with the FDA because the medical device manufacturers are coming in. And if they come in and they get hacked for the time period of DEF CON, they can write that on their submission form of this device was taken to the Biohacking Village at DEF CON and here's some of the results.

And then if there are vulnerabilities that are found that either they don't have the vulnerability disclosure program for, or there's just too much, they don't want to be a middleman between the hacker and themselves, the Biohacking Village is a CVE CNA, a Coordinated Numbering Authority. In case they find a vulnerability, we can walk them through the whole thing and have the conversations between them.

Because what the life goal is with the device lab at Biohacking Village is that the manufacturers understand that there are vulnerabilities, there are findings. And they can make them, they can improve them in the software so that when they go out to sell things, there's patient safety, national security, cybersecurity, things already implemented into it. So we're trying to help them make this better.

Eugenia Lostri: So do the villages work mainly with the U.S. government, U.S. agencies? Are they primarily focused on what's happening in the U.S. in terms of regulation? Or do you have participants that are maybe located in other countries? Do you engage with other governments that might also be thinking about their own approach to cybersecurity?

Nina Alli: The answer is yes. The villages have people that live in different areas of the world, so they have those focuses in those areas. For Biohacking Village, we have, we do international conferences. Our last one was last month in Japan. And we had the conversations with their police department and their legislative bodies and their legal teams of what is happening, what isn't happening, how are their devices matching up to other international standards.

So we do have those conversations, we do have the conferences. At least for Biohacking Village, we're very embedded in the international device regulatory bodies because when it comes to, specifically anyway, for medical devices people don't make a device specifically for Argentina, or they don't make a specific device for Germany, right? So, they just make a device.

So when we talk about policies, you have a very distinctive wording over here that maybe not everybody else is considering. How are we going to harmonize those? Because there's a huge push, generically in all regulations, to do more harmonization, so that we can all be together on this endeavor to better safety in the cyber way.

Winnona DeSombre Bernsen: I'll also say that that matches up pretty well with the international hacking community, right? Like, if Apple or Microsoft has a bug bounty, the likelihood that you're only going to get U.S. participants in that bug bounty when something is vulnerable is quite low. The community, at least the hacker community, as we're talking about security professionals, and then also that identity distinction of what is a hacker, is international.

There are people who want to participate into making devices more secure worldwide, and that's quite a stark difference if you're thinking about how the United States is approaching some parts of its industrial policy as well.

Eugenia Lostri: So you've described all of these great ways in which the villages are engaging and providing value, right? What do you see as the maybe untapped potential in that relationship? Is there something that the other stakeholders could be doing that would, you know, increase the value add? Is there something that you're like, I wish people were doing this and they were talking to us about X, Y, or Z?

Winnona DeSombre Bernsen: I think one of the big things is going back to that 360 degree view. Ultimately, when a policymaker puts out an ANPRM or, you know, you go through the notice and comment process for regulation-

Eugenia Lostri: Can you say what the acronym is?

Winnona DeSombre Bernsen: Oh, a notice of proposed rulemaking. And if you're going through and soliciting comments in your, your notice and comment rulemaking process, a lot of the individuals that are going to be putting forward their views in the matter are going to be highly polished organizations.

You're looking at the large manufacturers. You're looking at people with large economic interests in the matter. You're looking at potentially some nonprofits, but ultimately you're not necessarily going to get the views of the security practitioners who are trying to make this device or this particular sector more secure, or think about data regulation or data security on a day in day out basis.

There's that element where there's some aspect of professionalization and moving forward and, and trying to encourage these organizations that are comprised of technical individuals into that process.

The other element of it is that as nonprofits who don't necessarily have a primarily economic stake at hand. Most of these people are volunteers, biohacking. Nina, this is not your day job. She's the executive director as a full-time job, which she does out of the love of the game. There are plenty of other people who are leads of villages who are exactly the same way.

And I feel like policymakers don't think about the fact that these are very passionate advocates, who might have an untarnished view of the security situation that could be starkly different from that of a vendor. Whereby vendors, Nina mentioned the, the medical device manufacturers that are willing to come to DEF CON and other conferences and open up their security, open up their medical devices to a hacker. Not all of the medical devices, especially not all the manufacturers are willing to do that yet, let alone some other vendors who aren't in the medical community.

So thinking critical infrastructure sectors, thinking about other voting machines, for example that aren't necessarily coming to the table. And if we are trying to create a more secure ecosystem domestically, being able to talk to individuals who are willing to give an unvarnished opinion is a pretty valuable asset.

Nina Alli: I love your, your untarnished moment because my first thought of this whole situation is, this takes so much conditioning, right, from a mental standpoint and from a practitioner's standpoint. So when we go into the policy folks, the example I keep coming up with is, they were, I think it was the House, the House was trying to come up with this policy and they were like, this other association said that it's, they, they wouldn't back it.

And I was like, but they don't need to. There's another organization that actually has more weight. There's a certification that comes with this organization. So why wouldn't you just reach out to them? This other administrative agency has already backed them. So if we come in and that's part of the power play, you can get this done because it was for a cybersecurity certification for hospitals. And it was something that the person hadn't even conceptually thought about.

So now they're being brought in. So approximately a year later, this agency and organization are starting to work together. But it's still, mentally, the people that are in the villages, or help with the villages, or do anything with the villages, we are real life practitioners, as well as the hackers behind everything else.

So when, again, going back to that full stack engineering, full stack thought process, we go through every possibility of how this is going to go absolutely wrong, so we can start mitigating the factors. Which, from a policy standpoint, I understand that it's supposed to be broad, I understand that it's, you know, it's the, it's the act or directive, whatever.

And then the administrative agency starts diving in and putting in more details and then it goes out to whoever is supposed to be doing it. But if we gave more structure to people and very distinctly said, this is what we are looking for. This is what we need. This is what we want. And this is why we want it.

I have another issue that I've brought up to congressional people before. I talk about my mistakes all the time. I need to know how you thought this problem through. I need to see your scratch pad. Because when I program, I still comment stuff out. Because what doesn't work today, if they update something, may work in two years, and I already got it done.

So, I want more understanding of why the thing was brought up, how it was brought up, what else did you try? Fiscal analysis, I don't want it to necessarily be that OMB or that comes up and like two years later says, this really isn't working because it's not fiscally responsible or just nobody cares about it. I want it done because if I have to write a report like that for industry, why can't the government provide that for me as well?

Winnona DeSombre Bernsen: That actually brings up a really good follow on, which is that individuals like Nina, like other village leads, are a wealth of institutional knowledge. And so they might know something that an administrative agency has tried five years ago that didn't get off the ground that might have the political willpower now to be able to accomplish.

Eugenia Lostri: So would you say that this untapped potential in a way comes from, maybe not all the actors are aware of the villages and the work that they do? Or is it because there's still some sort of stigma regarding the hacking community?

Nina Alli: I think it's both. I think there's so much of them either not wanting to come to DEF CON because of the reputation that it has.

And realistically, I am very aware that Biohacking Village has hacking in it. So it's automatically people are mentally checked out because we're evil and all these other things. But then they come in and they, we have the normalized conversation of this is my background. I do this because patients and hospitals and whatever.

And we're humanizing the level of work that we're doing. We are, we are tarnished from the war of the cybersecurity wars. We're constantly doing a recon. Like how do we help you help us is essentially all we're looking for.

One more thing, communication is always how every relationship breaks down, right? It's the first thing to go and the last thing to be talked about. So if we can embed that more, I'm not looking for a seat in the House or Senate or Congress or anything like that. If it's situationally, if we can be an advisor where we just get 30 minutes of, let me give you as much as I can, and they can take that into consideration, that would be amazing.

Winnona DeSombre Bernsen: I'll say, as someone who is currently creating a conference with Nina, with other people who are involved in the villages, and I tell individuals and policymakers, even someone who has a decent amount of policy chops, I'm in law school, I'm a fellow at a think tank, I’ve worked doing policy related work. They'll still come to me and go, oh, you're planning a hacker conference?

And there's some stigma still, despite there being so many leaps and bounds. Like there's not an automatic association with all hackers being criminals or anything like that. And there's a lot of great work that the villages have done pushing forward this advocacy to make devices more secure, to make our ecosystem more secure.

And ultimately, the villages moving into 501(c)(3)s as full year-round organizations is another step in that direction of showing policymakers that you can bridge this so called hacker policymaker divide to make more technically informed cybersecurity policy.

Eugenia Lostri: And Winnona, tell us a little bit about this conference that you're participating in.

Winnona DeSombre Bernsen: Oh my gosh, I'd be happy to.

Eugenia Lostri: If it's not a hacker conference, what is it?

Winnona DeSombre Bernsen: Well, I would actually say it is a hacker conference. It's a D.C. hacker conference. The paper is one part of it. Again, we're trying to, as our own burgeoning nonprofit, push other security policy 501(c)(3)s, like the villages, more to the forefront of policymaking.

Similarly, as a D.C. hacker con, we are going to have some policy elements, but we're ultimately going to bring this community of hackers together in that counterculture way and showcase that you can live in that duality. You could be someone who wants to contribute to security and security research, but you can also be a little bit countercultural and like edgy about it, I suppose.

Eugenia Lostri: That's, that's great. Thank you. I do want to talk a little bit about a part of your report where, you know, as you've mentioned a couple of times, you brought members of several villages to discuss what are issues of growing importance that the next administration should be paying attention to. What were, you know, the biggest findings out of that?

Winnona DeSombre Bernsen: Sure. When we engaged the seven villages and we had a roundtable discussion at the Atlantic Council Cyber Statecraft Initiative, it was a long series of discussions that touched upon some of the trends that we've already talked about. But when we're thinking about challenges, especially going into the next administration and beyond, there were three primary ones.

And I don't think this is anything that will surprise a regular listener here on Lawfare, but there's some added elements to it that bring forward that village perspective. So the three were supply chain security, regulatory harmonization, and workforce development. But there's, there are a lot of things within those large three buckets that aren't necessarily talked about.

So, for example, when we say supply chain security, people might think about chips. People might think about the whole set of Chinese owned cranes and port security. Yes, those were some of the issues that were surfaced at this roundtable. But ultimately automotive and battery supply chain security as well was something that we had touched upon, whereby a decent number of battery manufacturers are now also within the PRC, are more in that international supply chain.

And if we're thinking about the COVID pandemic and the lack of batteries that were able to power any sort of electric vehicle alongside the, the shortage of particularly automotive type chips, it's surprising how short term some of the, the memory is when we're thinking about supply chain security, at least in the automotive sector.

On the regulatory harmonization front, Nina's touched a little bit about this already, but thinking about not only are we wanting to have some sort of, I guess I'll start using full stack policymaking, whereby certain parts of the executive branch are trying to all get in on AI security, healthcare security, biomedical security, and are not working, at least according to people on the outside, working in a way that makes sure that everything is harmonized, where individuals who have to go and corporations have to have to go and implement those policies don't get overly confused about, you know, am I adequately complying with everything?

This is doubly concerning if you're a small security vendor thinking about our red teaming village, one of the villages who came to the roundtable. They're a bunch of security practitioners who specifically focus on breaking into systems for a living. That can comprise companies that are, you know, 500 people, but it could also comprise companies that are 10.

And so thinking about how smaller businesses can comply with these regulations and cybersecurity is incredibly important, especially when you also have these huge behemoth tech firms that are doing a lot of the notice and comment process when providing feedback to regulation.

And so the third, workforce development. I mean, I think you guys have had ONCD members on this podcast before. I won't go too far into the workforce strategy. The thing that many of the villages thought was missing was the understanding of how the cybersecurity workforce is trained up, particularly when it comes to sector specific industries.

So you see Biohacking and Aerospace and ICS Village in particular, all of these subsets of the cybersecurity industry rely on access to specialized equipment. You can't hack a biomedical device without the biomedical device. You cannot train yourself up on all of the different aspects of IT and OT if you've never been able to access an OT device.

You'll never be able to train yourself up in aerospace or satellite security if you've never touched a satellite before. And so there are plenty of organizations that want to try and train these people up in these very highly specialized fields, but simply don't have the vendor relationships or don't have access to this specialized equipment to do so.

And so these, you know, nuanced different lenses of takes alongside the overarching topics were, were some of the things that we talked about that could be focuses of the next administration and moving forward.

Eugenia Lostri: Nina, let me, let me turn to you. And again, as the person running the Biohacking Village, what are some of the issues that are keeping you awake at night? Specifically when it comes to healthcare security, if you could recommend anything to the next administration to focus on, what would it be?

Nina Alli: I'm going to side with you on this one. The harmonization is so important because as a regulatory person at my job, I read like a million pages a week. That is, I feel like that's not an over exaggeration, right? And you have to find the sameness in what they're saying. And then the differentiations, and then there's a compliance factor. So how are we complying?

So I was a PIF, I was a presidential innovation fellow when Trump was leaving and when Biden was coming in. So I have some experience in here. I am very afraid of the tariffs because I think about the, the money that's going to have to be expended on the medical devices, right? A lot of them are, the brain thoughts are happening here to make them, but they're, they're manufactured overseas, which means they have to either be brought over by plane or by ship. And then there's the cargo fees.

And let's layer on, associated, but not really, to the Science and Chips Act that, the United States didn't want to give chips to China, but China has the elements that America needs to make the chips. So now we're in a kerfuffle about, do we do we do this? Do we give them chips while we get the things? Or is there, what's the, what's the agreement going to be? So that creates the other problem because so much of the device, so many of the devices run on these chips, right?

Let's keep going on chips though. We need AI remediation because we're still in the midst of the UHS, the United Healthcare Insurance moment where they were like, yeah, we know that healthcare is really messed up. Because a lot of statistics are also coming out now that they had an AI program that was declining or denying 90 percent of claims for people that required surgery, required a procedure, required something.

So when, when I look at this, I see there's, there's such an immediate decline in healthcare and how we manage it from a patient perspective and the physician side and the manufacturer side.

So if we were going to do more, I think there's an endorsement that needs to be done with, we trust the healthcare practitioners. Right? Because we need more doctors to say this is going to help us or this won't help us. When I was implementing EMRs and all the medical devices along with it, I got a lot of feedback.

And that feedback was very heavy most of the time because they were like, I am not a technologist. I don't know how to type. I do not care. This isn't my best life. And initially it was a lot of unstructured data. So eventually we had to move away from the unstructured data to structured data with click down boxes. And we added time to their appointments, which they were not prepared for, and neither were the insurance agencies.

So we are not, again, we're still not having that communication. So for, for this next administration, if we are going to do anything better, maybe it is that we focus on healthcare as a first point. Because if we do not have healthy people to help the economy that we are trying to thrust forward, what are we doing? Why are we still in the same position that we were decades ago?

Eugenia Lostri: If there's anything else you'd like to add, anything that we didn't get to cover today, but you think it would be important for our listeners.

Winnona DeSombre Bernsen: Nina and I have had plenty of conversations about Chevron, and I think there have been a couple of, of great Lawfare episodes on Chevron's impact on, on cybersecurity as well.

I think on our end, the report that we've put out has all of the contact information for every village by sector. So you have aerospace, car hacking, biohacking, voting, maritime hacking, speaking of ports and ships, red team, blue team. And so I just want to stress that villages aren't just events that show up or exhibitions that show up at large security conferences.

They're year round organizations. They want to advocate for better security. And they have this 360 degree view as to what's going on with a practitioner's eye. They're going to be very blunt about the security situation on the ground, but I think that that's kind of what our security ecosystem and our cyber policymaking needs at the moment.

Nina Alli: I think a lot of the villages lead conversations with facts. We are motivated, we are motivated by facts. We are motivated by the integrity with which we come into these fields. When I think about all of this, I love data. I love how the points start connecting, or in statistics, there's a, when you look at a bell curve, there's a missingness, right?

So everybody is here in the center, but then there's just the little ends, or the missingness. And I think we don't look so intimately at those small pieces to say, if we change something, what can get everybody in this center area?

So if we have the, the broader conversations with policymakers, with legislation, with whoever is, is creating a new act or piece of legislation, I think giving them more perspective would give them more insight, would make the, the piece of legislation more robust. We would have an impetus to be better.

Eugenia Lostri: Nina, Winnona, thank you so much for joining me. This was great.

Nina Alli: Thank you.

Winnona DeSombre Bernsen: Thank you for having us.

Eugenia Lostri: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.


Eugenia Lostri is a Senior Editor at Lawfare. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Nina Alli is the executive director of the Biohacking Village.
Winnona DeSombre Bernsen is a nonresident fellow with the Atlantic Council. She spent five years in the cyber threat intelligence industry tracking nation-state and criminal cyber threats (at Google and Recorded Future), and helps organize policy content at DEFCON. She is currently an MPP/JD Candidate at Harvard Kennedy School and Georgetown Law, focusing on counter-proliferation of offensive cyber capabilities.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.