CIO Straight Talk - Issue 10 - 50
How did Black Hat get started?
It was sort of by accident, actually. I was
running DEF CON, the hacker convention I had
founded in 1992. And I kept getting these emails
from people saying, "Write me a professional-sounding announcement about DEF CON
that will convince my boss to send me." So I
began sending out announcements about the
upcoming DEF CON that had a very corporate-ese tone. And finally Ray Kaplan, an old friend
from our UNIX hacking days, said, "Why don't
you just start a real conference, a professional
conference, charge people real money, give them
real food - and then you don't have to write those
announcements anymore!"
It was a great idea. So I saved and borrowed
some money and started Black Hat in 1997.
In those days, there weren't a lot of people
in infosec. There weren't a lot of "security
professionals." So I invited my friends. The first
year's speaker list was made up of people I knew,
people at Microsoft or Novell or wherever, who
I could call up and invite. All I wanted to do was
to get them in a room and hear what they were
working on. What's cool to them? What are their
problems? What are they hacking on?
What's the origin of the name?
Originally it was called Black Hats Briefings -
technically, it still is - and it was meant to provide
companies with briefings on what the bad guys,
the Black Hats, were up to, to help companies
protect themselves. DEF CON was more for
individual hackers and enthusiasts, where you'd
be taking apart a PlayStation one day and
hacking a drone the next - not things maybe your
boss at work will pay you to learn about. Black
Hat was meant to be more enterprise focused,
offering professional development for people
with real jobs.
From the beginning, we held Black Hat right
before DEF CON in Las Vegas. We soon realized,
though, that we couldn't hold the two at the
same hotel, because the DEF CON people would
come early and eat all your food and drink all
your booze!
So we separated the two, and Black Hat began
to develop its own strong culture. Even when
there has been some controversy - for instance,
the time the ATMs in the hotel lobby were
hacked - corporate interest in the conference
has remained high. In fact, while in the past
some companies tried to ban researchers who
presented at Black Hat from disclosing certain
product vulnerabilities, today vendors will actually
challenge hackers to attack their products.
How has Black Hat grown over the
years?
I didn't realize when we started that we'd created
kind of a magic formula. When I asked people
why they were attending Black Hat, they said
it was like a crystal ball. If hackers and security
researchers were talking about it today, then
in six months or a year it was going to be their
problem. By coming to Black Hat, they got a
jump start on what they were going to be seeing.
A couple of years after Black Hat began, we saw
a lot of telecom people showing up, because
security was beginning to show up on their radar.
Some years after that, we started getting people
interested in mobile security. And once vendors'
customers started showing up, the vendors
came, too.
Over the years, we've held Black Hat events
not only in Las Vegas but around the world, in
places like Barcelona, Amsterdam, Abu Dhabi,
Singapore, London, and Tokyo. In 2017, at the Las
Vegas event, more than 17,000 people from 80
countries attended.
How do changes you've seen at
Black Hat reflect changes in the field
of cybersecurity?
In what ways has Black Hat given
greater emphasis to social issues in
recent years?
Well, we've seen the types of people who attend
the conference go from technology generalists
to technology specialists-and the need now
is for them to again become more generalist in
their viewpoint. There's also been an increasing
emphasis on social issues, along with Black Hat's
core technology focus. And with that, there's
been a shift from a cybersecurity culture that
sometimes has been kind of elitist to one that
increasingly needs to be more inclusive and that
welcomes diversity.
I was always more technical. And I didn't quite
understand the importance of the social until
later on. But if you think about where we're
going as an industry, it's more social. Going
forward, your success in the field may even be
more dependent on your social skills than on
some of your technical skills.
Let's take those one at a time.
What do you mean by a shift from
generalist to specialist and back to
generalist?
Back in the UNIX era, back in the early days of
the development of the Internet, everyone was a
generalist. But over the years, people in the field
have specialized. They'll say, "For the next four
years, I'm going to focus on this one technology."
But this mindset makes it hard to get a big-picture view. If you're trying to explain a security
problem to the board of directors, they're not
going to be asking micro-targeted technical
questions. They're going to want the larger
context of the problem. So increasingly at Black
Hat, we're trying to include presenters, keynotes
especially, who can provide that big-picture view.
We help people attending Black Hat, who may
think of themselves as cogs in the information
security process, to see how their particular cog
fits into the larger picture.
Take my example of speaking to the board about
security issues. This isn't like communicating with
your boss or colleagues. It's a different skill set.
For more than a decade, everyone in our field
complained that no one was listening to them.
Well, now everyone's listening to us, and we
need to learn how to communicate with them.
Halvar Flake [the founder of a company called
Zynamics that was acquired in 2011 by Google,
where Thomas Dullien, Flake's offline name,
now works] spoke about this at the 2017 Black
Hat Singapore conference. I agree with him that
offense - cyber-attacks - is a very technical game.
Very sophisticated but with very simple metrics.
Did you succeed in breaking in or not?
Defense - foiling cyber-attacks - is much harder.
The metrics - well, what are the metrics? Up
time? Dollars saved? Opex? And defense is
hideously social. How much money are we going
to spend on defense? Whose budget does it
come from? How important is this asset to
protect? Is it being protected, quote unquote,
enough? All of those questions are social and
political and bureaucratic. And because of that,
social savvy is increasingly important in how
cybersecurity professionals' careers develop.
Halvar's speech at Black Hat was a high-profile
statement about this change.