Event Recap / May 2023

Marc Rogers: Cybersecurity for the Greater Good

On April 17, 2023, the Center for Long-Term Cybersecurity and the School of Information presented a talk by Marc Rogers, formerly CSO at Q-Net Security and Co-Founder of the CTI League. The talk was presented as part of the CyberMētis Speaker Series, which invites graduate and undergraduate students, researchers, and faculty from the UC Berkeley campus to engage with experts and practitioners from various segments of the cybersecurity field.

With a research career that spans more than twenty years, Rogers has been hacking since the 80’s and is now a white-hat hacker renowned for breaking technology like Apple’s TouchID, Google’s Glass, and the Tesla Model S. Previously Marc was the VP of Cybersecurity Strategy for Okta and the Head of Security for Cloudflare, and he spent a decade managing security for the UK operator, Vodafone. He is a Senior Technical Advisor for the Institute for Security and Technology, and a member of the US Ransomware Taskforce.

“Cybersecurity isn’t just a career, it’s a calling,” he said. “And if you do get involved in it, there are so many rabbit holes that you can go down.”

He explained that he is a hacker by the original definition, “somebody that changes a system, ideally without destroying it, and makes it achieve a different purpose than the one that it was intended.”

“If you think about this definition, it can apply to everything,” Rogers said. “It doesn’t just apply to technology. It’s not just about breaking into software, breaking into computers, or breaking into networks. It can also apply to public policy. It can apply to law. It can apply to sewing, it can apply to anything, where you’re able to think up something outside of the box that allows you to do something differently with a system that was designed to do something.”

A well-known and active member of the hacker community, Rogers is one of the organizers and Head of Security for the DEF CON security conference. He also worked as technical advisor on the TV show “Mr. Robot,” where he designed and built hacks for the show. “The little thing that’s sort of not apparent is I actually did those hacks,” he told the audience. “All of the hacks that I built for Mr. Robot, I built and tested.”

In his talk, Rogers discussed his volunteer work in cybersecurity, which has included helping the White House shape the recent National Cybersecurity strategy, using automation to defend people below the cybersecurity poverty line, and building volunteer-driven internet emergency service programs. Rogers shared how cybersecurity is a “team sport,” with teams working in real-time on issues, bound together by trust. “For those of you who are going to become cybersecurity professionals, real-time collaboration is going to be your secret weapon,” he said. “Trust groups are going to be really important to any of you working in cybersecurity, because a trust group allows you to have a force multiplier. Trust groups come in all sorts of shapes and forms.”

Rogers is also deeply involved in public policy where he focuses on driving change in defending the “undefendable,” or protecting critical infrastructure like healthcare. During the pandemic he co-founded the CTI League, an award winning, multinational cybersecurity initiative that combines security industry professionals, government agencies, and law enforcement from 81 different countries. “It just happened a bunch of us got together in the pandemic and decided that we were going to defend things,” he explained. “And that then opened the doors to the public policy side of things, because policymakers started asking us questions, the FBI started asking me questions, other agencies asked me questions, and it just sort of snowballed from there.”

He described how he famously hacked a Tesla, and even steered it remotely with an iPhone; he then used the car’s systems to hack into the Tesla factory. “Whether it’s a medical device that connects to a network, or it’s a home automation system that connects to a network, it’s connecting up to something, and quite often the manufacturers don’t think about that as an attack pathway,” he said. “We were able to jump from the car into what Tesla calls the ‘mothership network,’ which is the thing that collects all the telemetry, and then from there into the robots that build cars. We didn’t do anything, but we were very tempted to see if we could build a VW-shaped Tesla.”

“Everything made by humans can be hacked by humans, and there are literally no exceptions,” Rogers said.

He discussed the recent breach of 3CX, a cyberattack suspected to have been carried out by North Korea, as a kind of “supply chain, massive-scale attack that is becoming commonplace.” Such large-scale attacks are likely to persist, Rogers said, because “whatever is successful gets repeated and escalated, and the bad guys get better at doing it.”