A major cybersecurity conference’s decision to cancel a keynote address by Rep. Will Hurd (R-Tex.) over his antiabortion voting record is dividing the cybersecurity community.
The move by the Black Hat cybersecurity conference also highlights how partisan politics is creeping into the once largely nonpartisan field of cybersecurity. Political disputes aren't unheard of at Black Hat -- but they usually center around debates over government hacking and surveillance that don’t break down along neat party lines.
Critics of the move say it sows unnecessary conflict with one of Washington’s top lawmakers on cybersecurity issues -- and risks alienating other Republicans, whose votes will be vital to passing cybersecurity legislation or raising funding to secure elections against digital attacks.
“Our community needs to build bridges to Congress & we publicly burned one [political party],” John Bambenek, a longtime cybersecurity intelligence researcher, tweeted. “They’ll remember when we show up with an ask.”
Susan Hennessey, a senior fellow at the Brookings Institution and a former National Security Agency attorney, tweeted that “to disinvite [Hurd] from Black Hat over his views on abortion, promotes a flawed and counterproductive narrative that cybersecurity & election security are partisan.”
Will Hurd is one of the smartest and most engaged members of Congress on cybersecurity, on either side of the aisle. To disinvite him from Black Hat over his views on abortion, promotes a flawed and counterproductive narrative that cybersecurity & election security are partisan. — Susan Hennessey (@Susan_Hennessey) June 15, 2019
Supporters of the move, however, say that inviting a lawmaker who has voted to restrict abortion unnecessarily alienates women who work in cybersecurity — a field that is notoriously male-dominated and has a difficult legacy of gender discrimination and harassment.
“A keynote from a lawmaker who doesn’t believe women should have fundamental human rights is not a great way [to] make women feel welcome in the infosec community,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation digital advocacy group, said on Twitter.
Chad Loder, CEO of the cybersecurity company Habitu8, threatened that his company would boycott the conference before Hurd’s keynote was canceled and called the move a “slap in the face to women in cybersecurity.”
BlackHat's decision to have Rep. Will Hurd keynote their conference is slap in the face to women in #cybersecurity. Hurd has a ZERO approval rating from @NARAL for his votes against women's reproductive rights. How many women were on the approval panel? https://t.co/zzYwKjed3O — Chad Loder ✸ (@chadloder) June 14, 2019
Hurd, a former CIA officer and cybersecurity executive, has led a number of bipartisan cybersecurity efforts in Congress — including recent legislation to improve the cybersecurity of Internet-connected devices. He’s also a frequent speaker at Washington cybersecurity conferences and has attended Black Hat’s sister conference Def Con several times, including with Democratic Rep. Jim Langevin (R.I.), another top cybersecurity policymaker, in 2017.
But he has a traditionally Republican voting record on abortion, including votes to outlaw the procedure after 20 weeks and to stop federal funding to Planned Parenthood, which provides abortions among other services.
Here are details from TechCrunch’s Zack Whittaker:
Rep. Will Hurd to keynote Black Hat later this year. He's one of only a few lawmakers who gets cyber, but he has a terrible voting record on women's rights. https://t.co/Q2smmGvtt8 pic.twitter.com/o1t8ozHjRl — Zack Whittaker (@zackwhittaker) June 13, 2019
Black Hat, which was founded in 1997 and is one of the largest annual gatherings of cybersecurity researchers, withdrew Hurd’s keynote invitation on Friday after publicizing it Thursday. Conference organizers said in a statement that they “misjudged the separation of technology and politics” and that the conference “is not the appropriate platform for the polarizing political debate resulting from our choice of speaker.”
Hurd’s communications director Katie Thompson told me in a statement that the congressman was “honored” by the initial invitation and “has always sought to engage groups of people that don't necessarily agree with all of his votes or opinions.”
Some critics of canceling the keynote echoed that sentiment, arguing that antiabortion views are widely held and shouldn’t restrict someone from addressing a conference on an unrelated topic.
Here’s security researcher Robert Graham:
Hurd is not "polarizing". He represents mainstream politics of roughly half the country. The polarization here comes from the other side that cannot tolerate that somebody disagrees with them. pic.twitter.com/pUnTmDdivj — Robᵇᵉᵗᵒ Graham (@ErrataRob) June 14, 2019
Jennifer Granick, a surveillance and cybersecurity counsel at the American Civil Liberties Union, fretted that the disinvitation could be a slippery slope that would preclude many lawmakers from addressing the conference — a troubling outcome at a time when Congress is facing an ever-increasing bevy of cybersecurity problems ranging from Russian and Chinese cyberattacks to the government's own digital vulnerabilities.
What other views disqualify someone from keynoting Black Hat? Best not to invite any legislator with more than a term under her belt. Should Black Hat now ask potential speakers for their views on abortion, or is it fine so long as we don't know? https://t.co/1TmcFMOLQk — granick (@granick) June 14, 2019
Yet Lesley Carhart, principal threat analyst at the cybersecurity company Dragos, argued Black Hat could invite lawmakers – just not for keynote addresses, which she said should be kept free from partisan politics and where “detaching a politician from votes impacting the audience is impossible.”
I respectfully and fundamentally disagree with you. I have no problem with anyone expressing any political view speaking at BH/DC. A keynote, however, is a gateway role which should remain nonpartisan. Detaching a politician from votes impacting the audience is impossible. — Lesley Carhart (@hacks4pancakes) June 15, 2019
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: A New York Times story Saturday describes another way the Trump administration is pivoting to more offensive cyber operations, after using digital attacks to protect the 2018 elections.
The story by David E. Sanger and Nicole Perlroth, which was attributed to current and former government officials, describes U.S. Cyber Command implanting malicious software in portions of the Russian power grid “at a depth and with an aggressiveness that had never been tried before… intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”
The story did not detail where the alleged digital implants were placed or how they could be effectively used to deter Russian attacks – which can be immensely difficult given the complexity of electrical grid systems, Johns Hopkins University cybersecurity professor Thomas Rid pointed out on Twitter.
Let’s assume the “implant” part of the story is correct for a moment—what about deterrence?
Implants don’t deter on their own. What *may have* a deterrent effect is the belief in the mind of the adversary that the offender can
b—cause harm, and
c—pull the trigger.
— Thomas Rid (@RidT) June 16, 2019
The Times also reported that President Trump “had not been briefed in any detail” on the operation out of concern he might “countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”
Trump, who has frequently disputed accurate news stories in the past, said on Twitter that the story was “NOT TRUE!” and called it a “virtual act of Treason.”
Cybercom declined to comment on the story to me.
PATCHED: Huawei’s revenue is expected to drop $30 billion over the next two years due to a series of U.S. government actions against the Chinese telecom giant, the Associated Press’s Dake Kang and Yanan Wang reported.
During a panel discussion at the company’s headquarters, founder Ren Zhengfei compared Huawei to a “badly damaged plane” after U.S. actions that restricted the company’s suppliers and banned it from U.S. government contractors and grant recipients among other restrictions, according to the AP.
“We never thought that the U.S.’s determination to attack Huawei would be so strong, so firm,” Zhengfei said.
PWNED: Government agencies need to stop verifying people’s identities with information from credit agencies including Equifax that could be widely available to hackers and fraudsters, a new government watchdog report says.
The Commerce Department effectively ordered agencies to stop using credit report information to verify people’s identities after the 2017 Equifax breach in which hackers compromised credit information about roughly 40 percent of the U.S. population.
And yet of the agencies named in the report, only the Department of Veterans Affairs has even partially introduced an alternative verification system. The U.S. Postal Service and the Social Security Administration had no timeline to phase out or reduce credit report-based verification. And the Health and Human Services Department's Medicare office flat-out rejected the recommendation, stating that alternatives to credit report-based verification, such as asking people to send in a cellphone photo of a driver's license, "are not suitable" for some Medicare recipients.
-- A bipartisan pair of senators wants to make sure the federal government isn’t doing secret work in buildings leased from Chinese companies that Beijing could have seeded with digital spying devices.
The Secure Federal Leases from Espionage And Suspicious Entanglements Act comes in the wake of a 2017 Government Accountability Office report which found that the FBI, Drug Enforcement Administration and other agencies were doing high-security work in offices owned by companies based in China and other foreign countries, presenting risks of “espionage and unauthorized cyber and physical access.” Most of the agencies didn’t know their office space was foreign owned, GAO found.
The bill from Sens. Gary Peters (Mich.), ranking Democrat on the Senate Homeland Security Committee, and Rob Portman (R-Ohio) would require the government to verify who owns any building that houses high-security work. “Sensitive materials and private data housed in properties owned by foreign adversaries, especially those with sophisticated intelligence agencies, is simply an unacceptable security risk for our nation,” Peters said in a statement.
- On Tuesday, the Senate Committee on Foreign Relations will host a hearing on regional security in Ukraine.
- The Senate Committee on Homeland Security and Governmental Affairs will consider a host of cybersecurity bills on Wednesday, including the IoT Cybersecurity Improvement Act of 2019.
- On Thursday, the House Committee on the Judiciary hosts "Lessons from the Mueller Report, Part II: Bipartisan Perspectives."