I'm spending time in 2024 "closing the loop" on a few topics as I wind down my career. One of the most exciting? I'll be giving a talk at the DEF CON Conference in just a couple of weeks.
https://defcon.org/html/defcon-32/dc-32-index.html
https://defcon.org/html/defcon-32/dc-32-speakers.html
In 2007, I was an invited keynote speaker at both the Black Hat and DEF CON Conferences. This was a bit of a "coming out" party for our work at the National Security Agency. We had recently reorganized the Information Assurance Directorate, and I had the honor of creating and leading the Vulnerability Analysis & Operations Group (VAO). This brought together all elements of vulnerability-finding in the name of defense into a single technical organization of several hundred people, across many technical disciplines. I think it is fair to say that, for that time, it was the largest organization of this type in the U.S. Government – at least for defense. I often spoke of this as the best job in the entire industry, and I meant it.
In the talk, I described the business of vulnerability finding in the name of defense and what we did about it at NSA. My goal was to share how we were scaling vulnerability analysis, integrating the results across multiple disciplines, and making it more effective in creating solutions to the problems we were finding. I wanted the audience to see us and themselves as part of a more significant movement to turn understanding of vulnerabilities into real solutions.
When I went out there in 2007, I might have been the most senior "working person" to have spoken at Black Hat and DEF CON, at least publicly. So, I wasn't sure if I would be greeted by villagers with torches and pitchforks. Even back then, Black Hat was heavily attended by government and mainstream industry folks, so it was a friendly audience. I thought I might be in trouble when I read the schedule and saw that my talk was in parallel to one by Richard Clarke. But no problem, my conference room was full, and overflowed towards the end of the talk.
DEF CON was a little more concerning. Lots of very young people, black was the uniform color of the day. Lots of tattoos, piercings, and a counter-culture vibe. Besides tech pranks and mischief, DEF CON was also well-known for the "Spot the Fed" Contest – if you could identify an undercover Federal employee (and there were lots of them out there, trust me), you'd win a t-shirt.
I decided that no one would use me to win a t-shirt, so I showed up for my registration and keynote in an NSA polo shirt. I also went to the NSA gift shop ahead of time and bought a stack of NSA embroidered patches. Anyone who stopped me and asked about the NSA shirt got a patch and an upbeat pitch about a career in public service!
But I did not need to worry. The audience was overwhelmingly respectful and interested. Well, there was one fellow who stalked me for a day or two, complaining that I was reading his email. He eventually gave up. Overall, people expressed their thanks and respect that a senior executive in the U.S. government came out to speak to this crowd. I think they also recognized our organization at NSA as "kindred spirits." That is, people who had the skill and determination to dig into technology with an attacker mindset and do the analysis that would help us all better understand the risks of technology. The title? “Creating Value from Vulnerability”. Video of the presentation is available at multiple places.
The talk that I will be giving this year at DEF CON is one of a series that I am working on. I’ve given a lot of thought to the unique circumstances of my career. For a cyber defender, spending your career inside of an intelligence agency is like going to grad school every day. You get to watch, and participate in, the nation vs. nation fight up close. Us attacking Them, Them attacking Us. And Them vs. Them. Every day.
The title is a bit of wordplay for science fiction readers. It’s a short tale of technical challenges, organizational culture and sub-cultures, and the institutional evolution of missions into coherence. Lots of lessons learned. Usually the hard way. I’ll follow up this talk with some more detailed written and oral history.
But here’s the bottom line – I am very grateful for the chance to have worked at the National Security Agency. It was - and still is - an extraordinary place for service, personal growth, and opportunity.
—tony
TITLE:
Stranger in a Changed Land
ABSTRACT:
What's it like to spend a career as a cyberdefender for the DoD and the nation, but homed inside of an intelligence agency? In this talk, I'll offer a historical and personal perspective based on 35 years at the National Security Agency as a vulnerability analyst for the defense, from junior analyst to executive manager. The common element across my career was the search for vulnerabilities in the name of defense - finding them, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them. I'll share lessons learned as cyberdefense evolved from a focus on mathematics and cryptography to systems and software; and from government security to a global internet. And we'll focus on the mission, technical, and cultural interplay of cyberdefense and offense/intelligence as it played out at NSA. War stories, culture clashes, bureaucratic mazes? Of course! But in the end, better security for all.
I didn't make a career of it--I tried twice but it didn't work out--yet my years at NSA as a contractor were some of the best of my career.
Love the bridge building, with patches in hand!