Remarks: National Cyber Director Coker Opening Remarks at DEF CON
Las Vegas, NV
August 10, 2024
Remarks As Prepared for Delivery
Thank you, Jay. It’s a pleasure to be here for the first time on the DEF CON stage. And, as a whiskey drinker myself, I’m a bit disappointed that more of my speeches don’t start that way!
I’m looking forward to our conversation, Jay, where we will dig into memory safety, BGP security, firmware vulnerability, and open-source software – all of the nuanced, technical topics that make Hacker Summer Camp such a draw, even in this new venue.
But before we get into the hard problems that really define our work at the White House Office of the National Cyber Director, I want to say a few words about the importance of this community to our efforts to make our Nation more cyber secure, innovative, and prosperous.
This is my first DEF CON – I guess you already know that from my baptism by bourbon. But while I have been thoroughly impressed by the people, presentations, and even policy proposals I have seen over the past couple days, I cannot say I’m surprised.
From my early exposure to coding as a graduate student to my time at NSA to arriving at the White House, I’ve known how special the security researcher community is. Special, but often misunderstood.
As a society, we are predisposed to celebrate builders – inventors, engineers, and the titans of industry: all are lauded for what they’ve designed and constructed.
So it can be quite jarring to hear about a culture where tinkering is turned toward breaking things. Where rather than synthesis and cohesion, we talk about de-compiling code to find its weaknesses. Where manipulating people in the form of social engineering is venerated as a way of finding the weak points in a system.
And if there’s one place in the world where those concepts are particularly foreign, it’s Washington, DC. Our elected officials and civil servants swear an oath to protect and defend the Constitution – and it is far from intuitive to many of them as to how “hacking” could possibly be in that interest.
I can see where they’re coming from. But I also challenge them to look deeper.
To understand that, for the folks in this community, the desire to take things apart is rooted in a hope that they will be made stronger. To recognize that the Internet – decentralized, governed largely by a simple set of rules written decades ago – is a miracle of human ingenuity. And that, miraculous as it may be, the Internet also needs protecting.
That ethos – of trying to make the Internet a safer place – is what makes this community so important and vital to our way of life. It’s why it’s so important to me that I made the pilgrimage out to the desert, along with so many of our cybersecurity colleagues. And I’ve got good news for you. My voice is not alone in Washington, and the chorus is growing.
Jay, I know that when you were on the National Security Council staff two decades ago, you weren’t even allowed to come to DEF CON. Today, not only are the Feds here in force to learn from and celebrate your work, they’re recruiting!
Vulnerability disclosure policies used to be a pipe dream at Federal agencies. Today, they’re required – and they’ll soon be required for Federal contractors as well.
One of the first projects we launched at ONCD after I arrived was a white paper focused on memory safety, titled “Back to the Building Blocks.”
I will admit to being a bit surprised to see such a technical product coming out of a White House Office. Yet, after reviewing the report and learning about the research and consultation underlying it, I was completely convinced that it was vital that the White House shine a spotlight on the need to adopt solutions for the most critical vulnerabilities around.
The White House endorsing formal methods is now a bit of a meme – and I couldn’t be happier.
These are outward signs of progress. At least as important, though, is the cultural change happening in Washington.
For the first time, we are seeing policymakers consider how to leverage the unique aspects of the security research community to solve some of the very hardest problems in cybersecurity. Some of that is manifesting at the operational level as collaboration, not simply information sharing, increasingly becomes the norm at NSA’s Cybersecurity Collaboration Center and CISA’s Joint Cyber Defense Collaborative.
And it extends to more strategic proposals too. Yesterday, ONCD and our partners in the government’s Open Source Software Security Initiative released a report summarizing key findings from the request for information we announced at last year’s DEF CON. Importantly, we also describe actions we are taking in response to the feedback from the community.
Some of those actions are inherently governmental. For instance, as part of the Bipartisan Infrastructure Law, the Department of Homeland Security is investing over $11 million in open-source software security.
Today, I am proud to announce the launch of the Open Source Software Prevalence Initiative, which will take advantage of that investment in America. Along with partners at our National Labs, the initiative will assess the prevalence of open-source software in operational technology used by critical infrastructure owners and operators. We know that open-source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts.
But many more of the recommendations go beyond what government can do alone, and that’s where you all come in.
More than that: these policy proposals rely on the dedication of researchers and their willingness to freely share their findings in order to work. In our conversations on developing a software liability regime, too, we are increasingly aiming to leverage this unique community as part of novel policy solutions.
Our reliance on all of you does, however, come with a commensurate increase in responsibility.
In the President’s National Cybersecurity Strategy, we call for more of the responsibility for cybersecurity to fall upon the more capable actors in the ecosystem. That means technology producers, yes, and certainly the Federal Government. But it also means all of you.
I know you all are up for it.
I know that the same value set that drives responsible vulnerability disclosure will lead you to continue to step up for the protection of the Internet.
I know the Internet is a safer place today because of all of your efforts.
But I challenge you to have empathy for those of us in Government who are trying to tackle the hard problems in cyberspace. They may seem easy to some of you, but the President can’t issue an order and solve them.
We’ve known about vulnerabilities in the Border Gateway Protocol for decades; still, much of U.S. Internet traffic is subject to hijacking.
Memory-safe programming languages have similarly been around for years; still, critical software that underlies our society is written in C simply because that’s what’s convenient. The “tragedy of the commons” around open-source software development is a well-understood phenomenon; still, vital packages are maintained by tiny bands of volunteers operating on a less-than-shoestring budget.
Policy can help address these problems. No, I’ll go further – policy is needed to address these problems. But policy takes time.
The people of the United States have entrusted their Government with awesome authorities. As we work to use them to improve our cybersecurity posture, we must ensure that we do so responsibly with an eye toward outcomes that preserve the innovation and decentralization that have made the Internet the miracle it is today.
Most important, though, is that we do so together.
At the core of our approach at ONCD is partnership. I prioritize hearing and learning from a diverse array of stakeholders, and you all are key constituents of ours.
I know that Jay and I will dig into some more of the details of our various initiatives, but I will also continue to seek feedback from all of you throughout the weekend.
So thank you again for everything you’re doing every day to passionately protect our digital ecosystem.
And thank you, again, for welcoming me to DEF CON.