Information security and hacking experts, including the CEO of HackerOne, the founder of Bugcrowd, and an information security adviser from Fiat Chrysler, talk about cybersecurity threats. They appeared at an automotive cybersecurity conference.

Dan: This is really an exciting time for industry, the cybersecurity industry. Also, the auto industry. Bringing this together and having the inaugural summit is timely. The discussion is securing the car.
Some of you are probably thinking, what does that mean? That is what we are here to tell you about today: crowdsourcing of security vulnerabilities. A number of other previous panels have discussed this. We are going to dive into some details. I would like to start off by giving each panelist a two-minute opening comment, talking about their role and what they are doing. Let's start over to my right. Casey Ellis.

Casey: It is a pleasure to be here. It is amazing to see such a turnout. We are seeing this conversation evolve at an incredible pace, so it is good to have you in the room. My background: I'm clearly not from America, I am Australian. I started Bugcrowd in 2012. It was a combination of two things. The realization that there is an incredible group of good guys, and girls, that think like bad guys, already wanting to help. What we are looking at is two groups of people who need to have a conversation but are historically terrible at getting along. There is a need to adjust that and improve that. The other side of it, I have been in the security industry for my entire career, looking at basically the deficit in how we are discovering vulnerabilities and creating feedback loops, to firstly remove the stuff already there, and then get better at avoiding it next time around. What we are doing, we have automation. We try to fill that gap. There are unfilled cybersecurity jobs. You have one person being asked to compete, to find a vulnerability first. When Bugcrowd started, it was feedback from a bunch of different organizations that I worked with that were more traditional, saying, this makes sense. This is a logical way to level the playing field. It is a pleasure to be here today.

Dan: He is the senior manager of security architecture.

Titus: I have the least interesting accent on the stage, I just learned. To tell you more about my role, I am in the IT organization.
What we are doing as far as the security program is making sure we are cross-functional, multidisciplined. I have a team that is consulting, helping the vehicle side, understanding the threats we see on the IT side and how those can be applicable to the vehicle. One idea was the idea of the bug bounty. We see it on the technical side. We think it would be applicable for an automotive company. We are excited IT got to be part of that, that we have a seat at the table. Our input is valued.

Dan: To my right is Marten.

Marten: We are in this together. HackerOne is the number one platform for bug bounty programs and coordinated disclosure. There are over 500 companies. 60,000 hackers around the world ready to hack you for your benefit. When you know your vulnerability, you can fix it. As a result, the companies are the most secure in the industry. We are working with car mapping service companies. General Motors. Uber. We were handpicked to run the Hack the Pentagon program. The Secretary of Defense announced a program where hackers were invited to hack the Pentagon. In just a few weeks, we had 1,400 hackers who discovered 138 severe vulnerabilities. They had previously paid $5 million over three years to find 10 vulnerabilities. They reached out, paid $150,000, and found 38. The first report came within 30 minutes of opening the program. That is how fast the 15-year-old kids hack. I have an accent, I am from Finland. I have been in California for the past 13 years, mostly in open source and infrastructure, and now in security.

Dan: Can you describe for us, how does the bug bounty program work?

Marten: A bug bounty program is like a neighborhood watch. You are traveling and ask your neighbors to take a look at your house. No matter how well you build your house, no matter what alarms and locks, you can't protect against everything, so we ask the world around you to help you. The bug bounty program, coordinated disclosure, does exactly that.
You ask the world to look at your software system. You say, look and report, don't do harm. These people think bad but they act good. You invite them to come in. When they have reported something useful, you reward them for the results. That bounty can be as little as $100. We found a bug that was so severe, the company decided to pay so much back to the hacker. The result is the hacker is more committed and will look for more. You will get more and more vulnerabilities found. It is actually good for you. It is as good as going to the doctor and doing checkups you don't really like to do. Much better to know your weaknesses than not to know.

Titus: I would like to add and say, it is not always hackers. We are talking about vehicles. People have been tuning vehicles, trying to get as much performance as possible. When you made the vehicles connected, you wanted people to figure out, what can I do with the mobile app and website? They are finding, as they are trying to get additional functionality, they are finding vulnerabilities. I know some people had already been reaching out to us and saying, I saw something. After a few of those discussions, we said, we need to have a coordinated program to make sure we are communicating with them. If you are going to do research, this is how you do it safely. This is how we want to reward you for that research.

Dan: Why is Chrysler doing this now?

Titus: It is an evolution of the program. We have already been working with them. There are a lot of passionate people, people who like to hack, test and break things. Make sure those are considered in our designs.

Dan: There have been a couple of articles recently since the announcement. $1,500 was the headline, may not be enough. Good and bad criticism, positive response. How would you respond if somebody said $1,500 will not be motivating enough?

Titus: I would say it is a motivator. I understand the comments and criticism.
We have to start somewhere, and that is where we are working with our friends, giving us an idea of where we should start. We may evolve. We will revisit it.

Casey: The way these programs work, one of the mistakes that happened early on, they went out with a number that was interesting to the press more than a commitment we were willing to uphold to the community. What we have seen, we have been running, as Titus mentioned, programs for technology companies, and a lot of organizations in more traditional verticals, including a number of automotive manufacturers. The idea is, start at a level that is sane. We are putting a lot of work into figuring out what this is. I think this industry is just getting started. We are at a point where we can start to collect data and say, what is a sane starting point? The number, I responded to some of those comments, is more about, it is not about putting out this flashy number that is never going to be upheld. It is about aligning expectations between the organizations starting this conversation and the people who are going to participate. Doing it in a way that can be upheld. What we see with these programs is, you start at a particular point. You reach a stage where the velocity of submissions drops below a certain level. We generally go and say, congratulations. You have graduated from the level of security that you are going to get feedback on at this level. It is time to think about upping your game.

Dan: When you say there are other motivations besides money? A discussion we had last evening, for a young hacker in college, a computer science major, they can get that on their resume.

Casey: Definitely. The initial motivation, the preeminent one, hackers are going to hack. We have heard that before. These are people who are fascinated and compelled to understand the true nature of how things work.
Try to be able to manipulate them to do things maybe they should not, or are not designed to do in the first place. There is that intellectual curiosity, the preeminent feature. Beyond that, we are seeing a lot of people get employed by the reputation they build in bug bounty programs. It is purely meritocratic. It is not, where did they go to school? This person hacked this company. That is proof they are skilled in the real world. Cash is king. As things normalize, that is going to be the steady and consistent motivation. The others still exist.

Titus: Think about auto security. There are names we know. This allows us to identify those people. Seeing the future, we do a closed bounty program. These are the researchers we want to work with because they have a history of finding things.

Dan: The benefits of coordinated disclosure programs are vast. We heard a couple of them this morning. Why are some companies or vendors still resisting? What are some reasons why companies are not adopting this?

Marten: They must not care about security. The fact is, I have tried to provoke you. It has been proven not just the best but the only way to detect vulnerabilities in live software. When human beings create problems, only human beings can find them, and not the same human beings. We have seen this effect in open source software. I remember, the database people said, I cannot use it, it is open and dangerous. Companies decided against it because they thought it was a cancer and a risk. Today, if you do not run open source software, you are doomed. There is a similar principle with software. The principles are taking over security. We will look back and say, how could we have had a time when we did not do this? It is a question of how fast minds will change. I see evidence of this changing much faster. Here we have the Secretary of Defense launching a bug bounty program for the Department of Defense.
They are working with nuclear weapons, but they are using the help of 15-year-old kids. It is a shift. Defense. You must have the courage to face yourself and say, tell me about my vulnerabilities. In return, I will share my experience with all of you. That takes some confidence. Not every company has that.

Casey: If I can add to that. Completely agree. The two others I believe are in the mix: we talked about good guys that think like bad guys. Most people think the types of people that can do these types of things to a computer are bad guys. That is the perception. That is what we have to overcome. The reality is it is not true, but it is more interesting to talk about crime than good things. The other component is the operational overhead, dealing with the community trying to give you input. They are at the table, they are very effective. It has efficiency issues. A lot of the considerations people have before they launch these programs, sometimes that can be a blocker. That is a big part of what we have tried to make easy, particularly for traditional verticals.

Dan: We are getting great audience questions. I want to go over to Titus. What else is being done? What are automakers doing to change the way they manufacture vehicles? What else in addition to the bug bounty?

Titus: Considering security at the design phase, including all the other experts. Understanding these are a connected system. We segment as much as we can. We engineer as best we can. The threats are evolving. We have to make sure we can respond very quickly.

Dan: We are getting some great questions from the audience. I will jump to one of these really quick. Why are researchers offended by the word responsible versus coordinated? People may not understand the difference.

Casey: It is a term that gets a moral wording attached. That is the main reason. The term responsible has been abused. The reality is, the idea of this conversation has been happening for the last 15 years.
This is not a new thing that is happening. It is just picking up a lot of steam. That wasn't always the case. That has been basically thrown at the researcher community. Not all of them are justified. There are cases where there is the element of, you are getting someone calling you ugly. No, I don't like that, you're being irresponsible. That is part of the precedent. I like that term because the responsibility is not just on the hacker side. The thing that is becoming more of a feature, companies becoming proactive, that sense of their responsibility to hold up their end of the bargain. It is an age-old debate. Do we use this word, or coordinated disclosure, which is technically accurate, but do people understand what it means? There is a rich history.

Marten: I would go back to that question and put blame on those who have been in security for 15 years. You have created the world's most complicated terminology. We should come up with easier words and make this an everyday part of what everybody is doing. Just like, in my view, the automotive industry did with safety. They embedded it without making much noise about it. That is what we need to learn. It needs to start from the beginning of the lifecycle, and we must give it simple, understandable names.

Casey: I'd like to apologize for the language.

Dan: We have five questions in the nature of white hat, black hat. A number of different renditions of this. Let's start with, how do you vet who you are talking to? How do you know it is a good guy and he is not going to somehow do evil?

Marten: If you are a bad guy, and guy means man or woman, young or old, you are already hacking. You don't wait for any program to start. It is already happening. We are adding good guys to the mix. The second major thing, the programs we run reward you only for good results. A good deed every day, and that is the only thing that gets rewarded. If you have a malicious inclination, why would you spend time?
You get no benefit. That is the basis of the environment. Knowing sociology, we know bad guys are maybe one in 10,000. There are bad actors, but 1,000 more good actors. 15-year-old kids in the Philippines, Morocco, Pakistan. Everywhere. They have good intents, they want to do good. They are a little too intelligent to fit into society. They are sitting at home and wondering what to do with their lives. When you give them real work to do, they will do wonderful things that are good. That is how you make sure the form is positive. In programs like Hack the Pentagon, we did vetting. I would throw it back to you and say, how do you know your employees are all good actors? You don't score them the way we do. We keep track of everything they do. We know more about our hackers than you know about your employees.

Titus: I couldn't agree more. They are earning a reputation. They are also given the parameters. They are going to see, these are the parameters. This is the only place we want you to look. Do not do denial of service. We do not want you to go to jail. They know, this is what will keep me out of trouble but allow me to experiment.

Dan: We have a number more in that area. I want to get a broader perspective. Bugcrowd issued its research on bug bounties. How does the auto industry adoption compare to other industries?

Casey: I think the people in this room have the maturity to get it. You can control your vulnerability if you know where it is. You can't control the behavior of an adversary. Is that the right question to be asking? You cannot control the behavior of someone who has the intent and skills to attack you. They are just going to do it. The task becomes, how resilient are you going to be when they come along? What we have seen is an incredible acceleration in adoption. You think of it as a spectrum. Facebook and Google. The crazy Bay Area tech companies. More aggressive when it comes to their adoption of technology risk.
At the other end, folks like the DoD. Western Union. A bunch of conservative companies in this mix. The consistent trend we have seen, it is moving a lot quicker than we thought it would. That is driven by the results. That is driven by the efficiency. The severe need to get better at this quickly, given how quickly consumer demands are accelerating. Having a way to have security be a part of that. It is driving demand. They are looking at the precedent being set by these tech companies and saying, that is kind of scary. It is going to make some of us uncomfortable. They are stepping in and starting to do it. The other thing is there are those that understand sometimes you have to wear a suit and tie to work. If you are running a private program, or a program in which you are trying to give an elevated level of trust to the people participating, you have to trust them more. The adoption of that as a way people are thinking about augmenting or replacing the things they are doing today, when it comes to testing or even automated tools, is spreading across the market even more rapidly. For every public program, there are another five private programs.

Dan: You see this bug bounty going across all industries?

Casey: Part of my job is to predict the future. So far, we have done OK. In terms of how it looks moving forward, I see in five years' time, in this room, everybody is going to be doing this in some fashion. It is not going to be because it is cool or a social pressure. It is going to be because you realize this is the most efficient way to get things done. Given the asymmetry between what they have at their disposal and what we are doing to compete, we are going to be worse off if we don't adopt it. I see it as inevitable.

Dan: When you think of your role at Chrysler, what do you think in terms of insider threat versus outside threat? How do you think about that? It can be bug bounty but broader. Do you worry more? Is it equal, 50-50?

Titus: I think they are 50-50.
Those inside have greater access, but the insider threat is not necessarily someone purposely trying to damage. It is more they are clicking on that link and responding to emails they are not supposed to. I wish we could patch stupidity, but it has not happened yet. You are going to see analytics coming. There was discussion about AI. It will be easier to detect weird internal behavior.

Dan: Marten, back to you. Software is eating the world. What does that mean for the automotive industry?

Marten: We see everything of value to human beings is being governed by software. We love it because everything is fast and we can have apps and social networks. The problem is, all software is vulnerable. When software eats the world this way, software needs to change. I come from the software industry, so I am guilty as accused. The automotive industry learned how to build safe cars, at least I think so. I remember safe cars with all kinds of arrangements to keep my life safe. That mechanical safety was, we need to have the same principle developing software. We operate at the far end. We have to reflect the knowledge back to the designers and coders so they start developing code that is not as vulnerable. You can never get to 100 percent security. But we can get closer to it. This whole thing of the future where everything is secure will not happen until we create a software development lifecycle where security is an everyday consideration at every step of that chain. We need to feed back what we find to the designers, so they reduce the number of injections, possibilities for overflows and all kinds of things. That is a job for the software industry. It is a societal challenge and societal problem.

Dan: One question from the audience: do we need to shift safety-critical systems to open source?

Marten: I think we have shown transparency trumps everything else when you build something you can trust.
Doing that with security, this is something, there was a Dutch researcher who said the essence of security must not be based on secrecy. It was a logical flaw to think secrecy would lead to security. It is the opposite. The more eyeballs you have watching, the quicker you can fix it. I certainly believe so. The world hasn't shifted 100 percent there yet. In the real world, things don't happen as beautifully as we would like, but they are on a good path.

Dan: Question from the audience: do you see aspects rolled out to dealerships? An extension to the vehicle inspection they do?

Titus: I don't have any insight into that, but use by dealers and mechanics to manipulate the car, that is part of our information security program. That is something that is a possible point of attack. Something we are tackling together with the product development and electrical engineering teams. It doesn't always get the attention it deserves, but we take it seriously.

Dan: Over to Casey. Is there sufficient anonymity enforced in bug bounty programs? Any comments?

Casey: Basically the precedent out there is pseudonyms. Hackers have a tendency to use handles. That goes back a million years. Not really, but you get what I mean. It comes down to how much trust you require in your interaction with these people. For a public program, you are getting the vulnerability. You have a payment flow set up.

Dan: Thank you, Dark Lord, for your submissions.

Casey: In terms of what we do in terms of behavioral analysis, we do have other tiers that involve proof-positive identity verification. From an ideological perspective, I don't think that should be necessary. Ultimately it should evolve toward being an open conversation where it doesn't matter who is involved. You are transacting data. We are far from a stage where this is normalized, and far from a stage where everyone is comfortable.
What we end up doing is saying, if your paradigm is to require background checks or proof-positive identification, we can provide that. Nine times out of 10, what happens is the customer comes back and says, we get it. That helped us get started, but it limited the pool. Now that we understand how this works, we are going to start to relax those things. It is a complicated subject. What it comes down to is optimizing for the level of trust, whichever vendor it is, that is required to get the thing going. That is the important piece.

Dan: Does the bug bounty program only focus on systems-related risks? Only system risk? Business operational risk?

Marten: That is a great question. We make sure anybody can submit vulnerabilities and anybody can receive them. Customers get additional services where we go in and write long reports with recommendations. We go as deep as they like to go. We want customers to develop their own skill and practice. It needs to be an intrinsic function. Many of our customers say, we have just two security people. We need your help. There is a shortage of security experts. We need to make sure it really happens inside the companies. There are certain steps you take. One is you make sure it has attention from the top level. From the CEO and the governance committee on the board. We have customers who report to the board of directors once a quarter. You have a CEO who loves this stuff, saying cybersecurity is an issue of public safety. That gives the mandate to whoever is in charge. You have to make sure the security team sits close to the engineering team. It is the engineering team who produces these problems. Engineers like to be focused on opportunities, whereas security teams like to focus on problems. There's a lot of work to do, and we do it with our largest customers.

Dan: We are out of time. I want to give 15 seconds to each panelist.
If there is one takeaway, something you would want all the attendees to think about a week from now, what would be the one takeaway you could highlight?

Casey: In a week's time, it would be interesting for everyone to revisit the thought of, how am I going to get started with this? It is not even if, it is how. What does this look like for my organization? If it is true that in five years' time my entire industry, and indeed most industries, are going to be doing this, how am I going to be a part of that? Am I going to be a laggard or a leader?

The security research team is an awesome resource, and you need to find a way to engage them and bring them to the staff.

One time or two times or three times, listen to every word she said, especially that cybersecurity is a matter of public safety.

Dan: Thank you to our panel for a great session. [applause]