Law professor will you and yeomans on hate crime laws in the united states. If James Madison is the architect of the constitution George Washington is the general contractor. More about what the general contractor has in mind and with the architect has an mind. President washingtons role in unifying the country and ratifying his First Federal document. Recruit him into as part of the coup detat. Hamilton had talked to washington about democracy. Youre going to have to be our king. Every weekend book tv brings and authors. Here is what is coming up this weekend. A history of the debate between the executive and legislative branch over the constitutional right to declare war. The class between president s and congress. In philadelphia is the dean of the university of pennsylvania law school. The two branches are in a dance with each other all of the time. ,ongress checking the president backing down from the president , pushing congress, being worried about taking it too far, getting too close to congress. Sunday, gary young looks at gun deaths in america over a 24hour period. He is interviewed by williams, a staff writer for the atlantic. It is a broader societal thing which dehumanizes them in when their life is taken, that is already accounted for. Theres a real problem. Was inu start saying he a student, theres a suggest in their is a great you could get where it would be worthy. Go to book tv. Org for the complete weekend schedule. With many new members of congress elected this year we have been talking to some in the freshman class. Here is a interview with Paul Mitchell of michigan. Paul mitchell joins us. Republican serving in that seat. Filling the shoes of Candice Miller who is running orientation here. Does that give you extra inside and the orientation process . Sale. S big shoes to High Expectations part of my district. What did you do before you came to congress . I helped people try to retrain for jobs. I decided it was time to do something more to serve. How do you feel about going from the ceo of a company to now being in the legislative body, one of 435. A good ceo works with the people around him to come up with the best ideas. You may not get them done but if you get everyone committed you can move things forward. The same approach works in congress. See if you get a consensus. There are few perfect solutions. As you go through with the orientation process what sticks out to you . Speakerning to the talking about the responsibility i have. Serving in congress is a rare opportunity, a huge responsibility. Few people get to do this. To treat them with respect and honor. There is this debate about how long members of congress should stay in d. C. Should they sleep in their officer get a house in the city . How are you dealing with that . , to children in school. Im one have an apartment. But my home is in michigan. I will be back there. We have 50 acres. Long time members think washington is one of the way you can build consensus, get to know fellow members and move legislations when there is so much gridlock. There are going to be many weeks i will be here. It is not that you neglect those. But home base is home base. The people who elected me are from there. Im going to make sure not to lose track of that. What committees do you want to work on . I am hopeful i get a chance to serve on transportation and infrastructure. The other is education and the workforce, i spent my whole life doing that. I hope i can have an impact there. Thank you. Year, Auto Industry officials took part in the first annual conference on automotive Cyber Security. They discuss the unique challenges in protecting internet connected and self driving cars from hackers and criminals. This is one hour. This is really exciting time for our industry, for the Cyber Security industry, and the Auto Industry. Really an exciting time for industry, the Cyber Security industry. Also, the Auto Industry. Bringing this together and having the inaugural summit is timely. The discussion is securing the car. Some of you are probably thinking, what does that mean . That is what we are here to tell you about today. Crowdsourcing of security vulnerabilities. A number of other previous panels have discussed this. We are going to dive into some details. I would like to start off by giving each panelist a twominute opening comments. Talking about their role and what they are doing. Lets start over to my right. Casey ellis. Casey it is a pleasure to be here. It is amazing to see such a turnout. We are seeing this conversation of all at an incredible pace so it is good to have you in the room. My background, im clearly not from america, i am australian. I started of craft in 2012. It was a combination of two things. The realization there is an Incredible Group of good guys that think like a bad guys and girls. Already wanting to help. What we are looking at his two groups of people who need to have a conversation but are historically terrible at getting along. There is a need to adjust that and improve that. The other side of it, i have been in the Security Industry for my entire career. Looking at basically the deficit and how we are discovering vulnerabilities and creating feedback loops, to firstly remove the stuff already there. And then get better at avoiding it next time around. What we are doing, we have automation. We try to fill that gap. There are unfilled Cyber Security jobs. You have one person being asked to compete, to find a vulnerability first. When bug craft started, it was feedback from a bunch of different organizations that i work with that were more traditional. Saying, this makes sense. This is a logical way to level the playing field. It is a pleasure to be here today. Dan he is the senior manager of security architecture. Titus i have the least interesting accent on the stage, i just learned. To tell you more about my role, i am in the i. T. Organization. What we are doing as far as the Security Program is, making sure we are a cross functional multidisciplined. I have a team that are consulting, helping the vehicle side. Understanding the threats we see on the i. T. Side and how those can be applicable to the vehicle. One idea was the idea of the bug bounty. We see it on the technical side. We think it would be applicable for an automotive company. We are excited i. T. Got to be part of that. That we have a seat at the table. Our input is valued. Dan to my right is martin. Martin we are in this together. Hacker one is the number one platform for Bug Bounty Programs and coordinated this closer. There are over 500 companies. 60,000 hackers around the world ready to hack you for your benefit. When you know your vulnerability, you can fix it. As a result, the companies are the most secure in the industry. We are working with car Mapping Service companies. General motors. Uber. We were handpicked to run the heck the Pentagon Program for the secretary of defense announced a program where hackers were invited to hack the pentagon. In just a few weeks, we had 1400 hackers who discovered 138 severe vulnerabilities. They had paid previously 5 million over three years to find 10 vulnerability. They reached out, paid 150,000, and found 38. The first report came within 30 minutes of opening the program. That is how fast the 15yearold kids hack. I have an accent, i am from finland. I have been in california for the past 13 years, mostly in open source and infrastructure and now in security. Dan can you describe for us, how does the Bug Bounty Program work . Marten a Bug Bounty Program is liking either could watch. You are traveling and ask your neighbors to take a look at your house. No matter how well you build your house, no matter what alarms and locks, you cant protected against everything so we ask the world around you to help you. The Bug Bounty Program, coordinators disclosure, does exactly that. You ask the world to look at your software system. You say, look and report, dont do harm. These people think bad but they act good. You invite them to come in. When they have reported something useful, you reward them for the results that bounty can be as little as 100. We found a bug that was so severe, the company decided to pay so much back to the hacker. The result is the hacker is more committed and will look for more. You will get more and more vulnerabilities found. It is actually good for you. It is as good as going to the doctor and doing checkups you dont really like to do. Much better to know your weaknesses than not to know. Titus i would like to add and say, it is not always hackers. We are talking about vehicles. People have been tuning give vehicles, trying to get as much performance as possible. When you made the vehicles connected, you wanted people to figure out, what can i do with the mobile app and website . They are finding, as they are trying to get additional functionality, they are finding vulnerabilities. I know some people had already been reaching out to us and saying, i saw something. After a few of those discussions, we said, we need to have a coordinated program to make sure we are communicating with them. If you are going to do research, this is how you do it safely. Saying, i saw something. After a few of those this is how we want to reward you for that research. Dan why is chrysler doing this now . Titus it is an evolution of the program. We have already been working with them. There are a lot of passionate people, people who like to hack, test and break things. Make sure those are considered in our designs. There have been a couple of articles recently since the announcement 1500 was the headline, may not be enough. Good and bad criticism, posi i would say that it is a motivator. We have to start somewhere and that is where we are working with our friends. Giving us an idea of where we should start. We may evolve. We will revisit it. Casey the way these programs work, one of the mistakes that happened on early on, they went out with the number that was interesting to the press more than a commitment we were willing to uphold to the community. What we have seen, we have been running as tight as mentioned, programs for technology programs. A lot of organizations in more traditional verticals. Including a number of automotive manufacturers. The idea is, start at a level that is sane. We are putting a lot of work into figuring out what this is. I think this industry is just getting started. We are at it went where we can start to collect data. And say, what is a sane starting point . The number, i responded to some of those comments, is more about, it is not about putting out this flashy number that is never going to be upheld. It is about aligning expectations between the organizations starting this conversation and the people who are going to participate. Doing it in a way that can be upheld. What we see with these programs is, you start at a particular point. You reach a stage where the velocity of submissions drops below certain level. We generally go and say, congratulations. You have graduated from the level of security that you are going to get feedback on at this level. It is time to think about upping your game. Dan when you say there are other motivations besides money . Other motivations besides money . A discussion we had last evening, for a young hacker in college, a Computer Science major, they can get that on their resume. Casey definitely. It is time to think about upping the initial motivation, the preeminent one, hackers are going to hack. We have heard that before. These are people who are fascinated and compelled to understand the true nature of how things work. Try to be able to manipulate them to do things maybe they should not or are not designed to do in the first place. There is that intellectual curiosity, the preeminent feature. Beyond that, we are seeing a lot of people get employed. By the reputation they build in bug programs. It is purely meritocratic. It is not, where did they go to school . This person had this company. That is proof they are skilled in the real world. Cash is king. As things normalize, that is going to be the steady and consistent motivation. The others still exist. Titus think about auto security. There are names we know. This allows us to identify those people. Seeing the future, we do a closed boundary program. These are the researchers we went to work with because they have a history of finding things. Dan the benefits of coordinated disclosure programs are vast. We heard a couple of them this morning. Why are some companies or vendors still resisting . What are some reasons why companies are not adopting this . Marten the must not care about security. The fact is, i have tried to provoke you. It has been proven not just the best that the only way to detect vulnerabilities in live software. When human beings create problems, only human beings can find them and not the same human beings. We have seen this effect in open source software. I remember, the database people said, i cannot use it, it is open and dangerous. Companies decided against it because they thought it was a cancer and a risk. Today, if you do not run an open source software, you are doomed. There is a similar principle with software. The principles are taking over security. We will look back and say, how could he have had a time when we did not do this . It is a question of how fast minds will change. I see evidence of this changing much faster. Here we have the secretary of defense launching a Bug Bounty Program for the department of defense. They are working with Nuclear Weapons but they are using the help of 15yearold kids. It is a shift. Defense. You must have the courage to face yourself and say, tell me about my vulnerabilities. In return, i will share my experience with all of you. That takes some confidence. Not every company has that. If i can add to that. Completely agree. The two others i believe are the mix, we talked about good guys that think like bad guys. Most people think the types of people that can do these types of things to a computer are bad guys. That is the perception. That is what we have to overcome. The reality is it is not true but it is more interesting to talk about crime then good things. The other component is the with the community trying to give you input. They are at the table, they are very effective. It has efficiency issues. A lot of the considerations people have before they launch these programs, sometimes that can be a blocker. That is a big part of what we have tried to make easy. Particularly for traditional verticals. Can be a blocker. Dan we are getting great audience questions. I want to go over to titus. What else is being done . What are automakers doing to change the way they manufacture vehicles . What else in addition to the bug bounty . Titus considering security at the design phase including all the other experts. Understanding these are a connected system. We segment as much as we can. We engineer as best we can. The threats are evolving. We have to make sure we can respond very quickly. Dan we are getting some Great Questions from the audience. I will jump to one of these really quick. Why are researchers offended by the word responsible versus coordinated . People may not understand the difference. Casey it is a term that gets a moral wording attached. That is the main reason. The term responsible has been abused. The reality is, the idea of this conversation has been happening for the last 15 years. This is not a new thing that is happening. It is just picking up a lot of steam. That wasnt always the case. That has been basically thrown at the researcher community. Not all of them are justified. There are cases where there is the element of, you are getting someone calling you ugly. No, i dont like that, youre being irresponsible. That is part of the precedent. I like that term because the responsibility is not just on the hacker side. The thing that is becoming more of a feature, companies becoming proactive, that sense of their responsibility to hold up their end of the bargain. It is an ageold debate. Do we use this word or coordinated disclosure which is end of the bargain. It is an ageold debate. Technically accurate but people to understand what it means . There is a rich history. Marten i would go back to that question and put blame to those who have it in security for 15 years. You have created the worlds most complicated terminology. We should come up with easier words and make this an everyday part of what everybody is doing. Just like in my view, the Automotive Industry did with safety. They embedded it without thinking much noise about it. That is what we need to learn. It needs to start from the beginning of the lifecycle and we must give it simple, understandable names. Casey id like to apologize for the language. Dan we have five questions in the nature of white hat, black cat. A number of different renditions of this. Lets start with, how do you bet to you are talking to . How do you know it is a good guy and he is not going to somehow do evil . Marten if you are bad guy, guy means man or woman, young or old, you are already hacking. You dont wait for any program to start. It is already happening. We are adding good guys to the mix. The second major thing, the programs we run reward you only for good results. A good deed every day and that is the only thing that gets rewarded. If you have a malicious and could nation, why would you spend time . You get no benefit. That is the basis of the environment. Knowing sociology, we know bad guys are maybe one in 10,000. There are bad actors but 1000 more good actors. 15yearold kids in the philippines, morocco, pakistan. Everywhere. They have good intents, they want to do good. They are a little too intelligent to fit into society. They are sitting at home and wondering what to do with their lives. When you give them real work to do, they will do wonderful things that are good. That is how you make sure the form is positive. In programs like hack the pentagon, we did vetting. I would throw it back to and say, how do you know your employees are all good actors . You dont score them the way we do. We keep track of everything they do. We know more about our hackers then you know about your employees. Titus i couldnt agree more. They are earning a reputation. They are also given the parameters. Parameters. They are going to see, these are the parameters. This is the only place we want you to look. Do not do denial of service. We do not want you to go to jail. They know, this is what we will keep me out of trouble but allow me to experiment. Dan we have a number more in that area. I want to get a broader perspective. A crowd issued its research on bug bountys. How does the Auto Industry adoption compared to other industries . Casey i think the people in this room have the maturity to get it. You can control your vulnerability if you know where it is. You cant compare the best control the behavior of an adversity. Is that the right question to be asking . You cannot control the behavior of someone who is intent and skills to attack you early. They are just going to do it. The task becomes, how resilient are you going to be when they come along . What we have seen is an incredible acceleration in adoption. You think of it as a spectrum. Facebook and google. The crazy bay area Tech Companies. More aggressive when it comes to their adoption of technology risk. At the other end, folks like the dod. Western union. A bunch of conservative companies in this mix. The consistent trend we have seen, it is moving a lot quicker than we thought it would. That is driven by the results. That is driven by the efficiency. The severe need to get better at this quickly. Given how quickly consumer demands are accelerating. Having a way to have security be a part of that. It is driving demands. They are looking at the president being set by these Tech Companies and saying, that is kind of scary. It is going to make some of us uncomfortable. They are stepping in and starting to do it. The other thing is there are those that understand sometimes you have to wear a suit and tie to work. If you are running a private program or a program in which you are trying to give an elevated level of trust to the people participating, you have to trust them more. The adoption of that as a way people are thinking about augmenting or replacing the things they are doing today when it comes to testing or even automated tools. Spreading across the market even more rapidly. For every public program, there are another five private programs. Dan you see this bug bounty going across all industries . Casey part of my job is to predict the future. So far, we have done ok. In terms of how it looks moving forward, i see five years time in this room, everybody is going to be doing this in some fashion. It is not going to be because it is cool or a social pressure. It is going to be because you realize this is the most efficient way to get things done. Given the symmetry between what they have at their disposal and what we are doing to compete, we are going to be poor off if we dont adopt it. I am a see it as inevitable. Dan when you think of your role, chrysler, what do you think in terms of Insider Threat versus outside threat . How do you think about that . It can be bug bounty but broader. Do you worry more . Is it equal, 5050 . Titus i think they are 5050. Those inside have greater access, but the Insider Threat is not necessarily someone purposely trying to damage. It is more they are clicking on that link and responding to emails the are not supposed to. I wish we could patch stupidity, but it has not happened yet. You are going to see analytics coming. There was discussion about ai. It will be easier to detect weird internal behavior. Dan marten, back to you. Software is eating the world. What does that mean for the Automotive Industry marten we see everything of value to human beings is being governed by software to we love it because everything is fast and we can have apps and social networks. The problem is, all software is vulnerable. When the software eats the world this way, Software Needs to change. I come from the Software Industry so i am guilty as accused. The Automotive Industry learned on to build safe cars, at least i think so. I remember safe cars with all kinds of arrangements to keep my life safe. That mechanical safety was, we need to have the same principle developing software. We operate at the far end. We have to reflect the knowledge back to the designers and coders so they start developing code not as vulnerable. You can never get to 100 security. But we can get closer to it. This whole thing of the future where everything is secure will not happen until we create a Software Development lifecycle where security is an everyday consideration at every step of that chain. We need to feedback what we find to the designers. So they reduce the numbers of injections, possibilities for overflows and all kinds of things. That is a job for the Software Industry. It is a societal challenge and societal problem. Dan one question from the audience, do we need to shift safety Critical Systems to open source . Marten i think we have shown transparency trumps Everything Else when you build something you can trust. Doing that with security, this is something there was a dutch researcher who said the essence of security must not be based on secrecy. It was a logical a flock to think secrecy would lead to security. It is the opposite. The more eyeballs you have watching, the quicker you can fix it. I certainly believe so. The world hasnt shifted 100 there yet. In the real world, things dont happen as beautifully as we would like but they are on a good path. Dan question from the audience, you see aspects rolled out to dealerships . An extension to the vehicle inspection they do . Good path. Titus i dont have any insight into that but use by dealers and mechanics to manipulate the car, that is part of our information Security Program. That is something that is a possible point of attack. Something we are tackling together with the Product Development and electrical is nearing teams. Engineering teams. It doesnt always get the attention it deserves but we take it seriously. Dan over to casey. Is there sufficient anonymity enforced in Bug Bounty Programs . Any comments . Casey basically the precedent out there is, pseudonym. Hackers have a tendency to use handles. That goes back a million years. Not really but you get what i mean. It comes down to how much trust do you require in your interaction with these people. For a public program, you are getting the vulnerability. You have a payment flow set up. Dan thank you, dark lord, for your submissions. Casey in terms of what we do in terms of behavioral analysis, we do have other tiers that involve Proof Positive identity verification. From an ideological perspective, i dont think that should be necessary. Ultimately it should evolve toward being an open conversation where it doesnt matter who involved. You are transactioning data