We could have done so many cool, great things, but all these ethical blogs, all these things keeping us from the... sort of like this attitude, like this profit-driven world and all these kinds of things, have kept us from exploring incredible possibilities. Like, if we could, and view that curiosity precisely in this different way of approaching all this, which is like: what new incredible societies could we get to if we harnessed our genius in a purposeful way in that direction? See what I mean? By turning it on its head. We really are out of time, but if you have a last comment from the panel I would welcome the chance. Short, sweet comment. I totally get what you're talking about because I've seen it. I've seen it over and over again. The biggest opportunity for BioCurious in 2010 was getting equipment together, getting maybe $1 million worth of lab equipment that we bought for $20,000. That was the opportunity. That opened it up to, let's say, a couple thousand people, a couple thousand labs around the world. The biggest opportunity for BioCurious now is it's given permission to other people to come in. What we've established is that people who are really curious and really driven can come into BioCurious to experiment, and they make their way there. The opportunity is to add the ability to bring in more people, to say you have permission not to lead. You have permission to ask a lot of questions. You have permission to not have a project. I think that's the next up for BioCurious: it's more about the basic, basic classes, basic education, bringing in different people who have different insights into biotech and opinions on things that might involve biotech but are not, you know, that top layer of people who are so driven that they will try to come to our microscope project.
It's amazing to see, and now the opportunity for 2016 is to go beyond that, to bring in people that otherwise you can, like, "I don't know really where I fit in," but if you give them a place and wake up conversations about that, they start to ask really good questions. So I get what you're saying; it is something that we use. We've learned through our experience that is the biggest opportunity for us. Okay, I'm going to call it a night. Tito Jankowski, Elliot Hosman and Peter Shanks, a wonderful evening. C-SPAN, thanks for filming it. Come back in two weeks and we'll have a discussion on keeping the oil in the soil with Antonio and I forget who else, but you will have a very good discussion that night. Leo Salazar from Amazon Watch will be here as well. We look forward to basically living in these kinds of conversations on an ongoing basis, so if any of you have ideas for future battles and discussions, talk to me. We look forward to resuming this one again because it's a discussion that is not going to end in our lifetimes, obviously. So thank you very much. [applause] [inaudible conversations]

Recently our Campaign 2016 bus made a visit to Pennsylvania during its primary, stopping at Grove City College, Slippery Rock University, Washington and Jefferson College, and Harrisburg Area Community College, where officials learned about our Road to the White House coverage and our online interactive resources covering the campaign trail. Our bus then ended the week at [inaudible], where it visited middle schools [inaudible] 7th to 9th graders. A special thanks to our cable partners Comcast and Armstrong Cable for their help in coordinating these visits. You can view all the winning documentaries at studentcam.org.

Next, a panel of IT and legal professionals discuss the future of smart home technologies and the potential risks they pose to security and privacy. The Atlantic Council hosted the 90-minute event. Good afternoon, everyone.
Welcome to the Atlantic Council. My name is Barry Pavel, the director of the Brent Scowcroft Center here and a vice president for the council. We are thrilled to welcome you to our event, Smart Designs for Smart Homes, for the launch of a new issue brief which we have out there, Smart Homes and the Internet of Things, and a discussion also on the opportunities that networked homes will offer to society as well as the commensurate risks that they pose to security and privacy. So it is an interesting topic; it will be increasingly prevalent in our daily lives but also has broader implications. It is a Thursday, and this afternoon's conversation is part of our monthly Cyber Risk Wednesday series, so I will go home tonight and try to get a... Thursday, but it is Wednesday. But the series, as many of you know if you come every month, is designed to convene cyber experts from various sectors to examine topics at the core of the council's cyber mission. Today is a special Cyber Thursday because it is my great pleasure to announce that one of today's panelists, Joshua Corman, will be starting tomorrow, April 1, as the new director of our Cyber Statecraft Initiative. Even though it is April 1, that is a true statement. Nobody is happier than me about that. [applause] Josh is also the cofounder of I Am The Cavalry, a grassroots organization that encourages new security approaches in cyberspace and beyond in response to the world's increasing dependence on digital infrastructure, so sort of watch this space. The program will be heading more in the direction of today's conversation, but even much further. Josh has brought a unique approach to security and policy by connecting human factors, adversary motivation and social impact to a position as one of the most trusted names in this space.
Before joining the council he served as the chief technology officer for Sonatype and an adjunct faculty member for the Carnegie Mellon Heinz College, and we are really thrilled to have him. Before Josh takes the stage, I would also like to thank our media partner, Passcode from the Christian Science Monitor, for joining us, and welcome those of you who are following the conversation online. I encourage all of you to join the conversation on Twitter using the hashtag #ACcyber as well as @CSMPasscode. Josh will give you another account to also tweet from. And now, Josh, over to you.

Thanks very much. All right. Thank you all for coming. My name is Joshua Corman. I'm very excited; at least for the next hour I was to be the chief technology officer, but it was exciting to start more. I think at a key point in history, about three years ago, we decided to try to do this I Am The Cavalry thing, and in some ways it was a terrible name and in other ways it's a wonderful one. But what we found was that we were growing more concerned that our dependence on connected technology was growing much, much faster than our ability to secure it. While many of the best and the brightest were going to protect credit cards and highly replaceable assets, we saw this dependence was now permeating our automobiles, medical devices, the Internet of Everything. We are putting software and connectivity into every aspect of our life. What we know is that once you put software in something, you make it hackable. Once you connect it to something else, it may get exposed. So to me the Internet of Things is not that software is eating the world; it's that software is infecting the world. If we want to place our dependence upon it, we need to make sure it is dependable and trustworthy. The name came from the recognition that the cavalry isn't coming, and it was a call to action to the voice of reason and technical literacy and the research community to say: stop waiting for someone to come solve this for you. Look to your left, your right.
It is not sitting in your chair. They are not coming. I will be part of the solution. And the idea was to get outside our comfort zone and go talk to public policy makers, the general public and affected industries where bits and bytes meet flesh and blood. We wanted to focus on the intersection of technology and the human condition, but more specifically where the consequences of failure include public safety and human life. Without much of a plan other than boldly going in that direction, we started the chain of influence, meeting with people in Washington and going to places we didn't normally go and speaking with people we didn't normally speak with, but really with empathy at its core, and with the heart of an advisor we tried to bridge the divide between the technical community and the policy community. And just in the last three years of extreme ambition we've seen the fruits of that labor. In fact, right on this stage last March I met Suzanne Schwartz from the Food and Drug Administration, which really catalyzed a very high-trust, high-collaboration relationship. And if any of you saw this January's postmarket guidance for connected medical devices, they've done a complete 180 in their attitude towards researchers, almost requiring that medical device manufacturers have a positive relationship with the research community and encouraging the adoption of coordinated disclosure programs for vulnerability research. We've seen the extended work, and what has become clear in the meantime is, if you look at the headlines, this has gone from a concern that we are worried about on the horizon to one that is happening in real time. Just a week before the security conference we saw the hack of a Nissan Leaf. We saw the first self-driving car have an accident. It may have been at two miles an hour, but Google did hit a bus. More recently we saw ransomware be so debilitating to a hospital in Hollywood, California, that they had to move patients. Potentially medical care patients.
And now we are seeing yet another one which is now actively probing other hospitals. Whether they are targeted attacks or indiscriminate collateral damage, this dependence in areas affecting public safety and human life is coming to the forefront. I was just in Munich for the security conference discussing how maybe this isn't about norms and treaties between nation-states, but maybe we should look at our cyber safety exposure to activists, people maybe with less resources and less hacking skills but with more willpower to assert their will on others. And as recently as this week we saw the unsealed documents confirming some Iranian hackers manipulating controls at a facility. So if not now, then when? What I'm really excited about coming here, and today's topic, is that something has to go before, and we have to act quickly to know what the right thoughtful and planful response will be to cyber safety. I'm really honored to be picking up where Jason Healey left off with the initiative and bringing a heavy focus onto cyber safety. Because this is not only going to be measured... the impact will not be just in public safety and human lives but also in key markets like automotive and medical. If we would like to avail ourselves of the safety advances we can get from connected vehicles, or if we would like to improve the state of health care through modern technology, a critical element is that the public trusts these technologies. It's up to us in this room to drive that conversation and make sure we don't wait for a really serious failure that scares people away from trusting these technologies, that we preserve and deserve the trust we've already placed upon them. In today's installment we would like to talk about a paper that was a collaboration between members of I Am The Cavalry and the Atlantic Council and Greg Lindsay on smart homes.
What are some reasons to look at safety and privacy in the home, with all the connected consumer electronics and home alarm systems and appliances, et cetera, and what are the promises we want to make sure, in our desire to adopt these technologies, that we can maintain the trust and confidence in them so we don't have a nightmare scenario? The report came out today, and if you haven't looked at it, if you read one and only one thing, please look at the scenario from 2025 with a haunted house. But we are going to get into that a little bit on the panel, so without further ado, I'm very excited to get my first coherent [inaudible] at the Atlantic Council. In a different role. And let's invite our panelists up to the stage, please. We can clap for them while I do so. [applause] All right. And I will go down the line. Please raise your hand, Greg Lindsay. And Andrea Matwyshyn, and Beau [inaudible] in Internet of Things and smart home devices. So if you're a special, a Kickstarter-size project, and you think you've got a $10 million potential pipeline, and it is only $1 million, you go out of business. Your business model will not sustain a 90% degradation of your market. Same thing for larger players, only with less severe consequences to the business model; some of those things may go offline. You may not have the products and services associated with the smart home that you thought you would when you bought it. Because of the financial impacts, if we don't recognize and realize the market potential that exists for these, or the projected market potential. I think that's one of the kind of hidden things that could come up in two or three years as we start to see some significant investments that have been made by corporations, by cities, in connecting everything. Functionality. Thinking about those hidden costs and whether the market is rewarding companies that are investing in security and taking care of the consumers trusting those products with access and information.
On the consumer protection side, there is a bigger conversation, playing off some of the other comments, about the question of what I call technology suitability, or the "more is better" problem. Sometimes fancier technology is not necessarily the better technology for getting a particular task accomplished. I say "better with bacon," as some overzealous chefs think if they sprinkle bacon on everything it is that much better, but if your diner is vegetarian you have stealthily destroyed the diner's meal. What task are we trying to accomplish when bringing a device into our home or our enterprise, and how do those connections facilitate or add risk to the bigger picture of our lives? So, let's just quickly take an example. Say I'm a State Department employee. I live in D.C. and I'm out shopping and I see this really neat connected oven with an app, and I can operate my oven from my phone. Gee whiz. That's kind of cool, but think through how the oven connects to my Wi-Fi network, what kinds of information I access from home with respect to my professional life, whether there is sensitive information that could potentially be compromised if the security on my internet-connected oven is not necessarily up to par, and whether vulnerabilities are getting patched. We've seen the first internet ovens exist and the first vulnerabilities on internet ovens. Wholly apart from the data control aspect, if you have a small child in the home, for example, and the child likes to play with your phone, maybe an internet-connected oven with an easily accessible app for your home is not necessarily the best choice at that point in your life. Thinking through the totality of circumstances and how the technology capabilities of devices you bring into your home connect with those tasks and risks that are the realities of your existence. That is the consumer protection side of this puzzle. On one hand we want to reward companies in the marketplace that are doing a great job and thinking about security and protecting consumers.
On the other hand we want to train consumers to help themselves be informed and make good purchasing decisions on those higher-quality IT products. So thank you.

Speaking of that, when we had lunch originally we talked about the four different products because they had four different markets and four different sets of regulators, four different sets of dynamics. One was automotive safety, and medical safety, and infrastructure, a large and difficult grab bag you've probably been researching, and the last was consumer and IoT in the home. We put IoT in the home on the back burner to focus on public safety and human life. We love our privacy. We would like to be alive and enjoy it, and mortal consequences were found in the others. It was an exciting opportunity to work with the Atlantic Council and Greg because we solved some problems with the automotive devices. We published it on our first birthday in August of 2014. While it has fancy names, the way I would describe it casually to my neighbor is: all systems fail. Tell your customers how you avoid failure. How you take help avoiding failure without suing the helper. How do you capture and study failure? How do you respond to failure, and how do you contain and isolate failure? They recently published a Hippocratic oath for internet-connected devices. When we tried to apply it to smart homes, we had a question; this is your warning: those controls are useful, but there were additional market enablers and services for customers that were required. What would you do to help the consuming public avoid that which may endanger their family's safety and privacy? We'll pose the same question to our panelists, whom I'm going to join. All right. First question, if we got smart homes right (this is a jump ball), if we got it right... I know you're skeptical we get a smart home right, or it has been a big letdown. What is the case you want to see out of an intelligently connected smart home? Anyone? I will go first.
I like the convenience features of some smart home stuff. I don't have an Amazon connected device to order or reorder. That appeals to me. I'm sometimes absent-minded and I forget to buy detergent or laundry detergent. If I have a way to say, into the air, "Alexa, buy laundry detergent," that would be really easy for me. Maybe I show up to work in clean clothes one day when it wouldn't have happened otherwise. For me the convenience factor is really where the sweet spot is for smart homes. Not necessarily to automate my process, but to help inform the process. Anyone else?

I disagree with Beau about the reason it will happen: the cognitive dissonance of the terrifying framework that exists now with Facebook, Google and others. We harvest your data and resell it to others. If the service is free, the product is you. Bruce Sterling, the science fiction author, has written about this in "The Epic Struggle of the Internet of Things." He looks at the internet-enabled fridge, which is the icon of the failed dreams of the smart home. The true Internet of Things fridge is one supplied by Amazon, free or at least at cost, for you in exchange for harvesting data; you won't need to tell Alexa that you ran out of detergent. It uses everything it gets from you to define patterns to ship things before it even occurs to you to buy them. That is one of the problems: convenience will create this data regime, a data-capitalist regime which is about harvesting personal information. That will lead to the vulnerabilities we have and some use cases about it. I'm excited about some of the stuff around home utilities and energy. The most exciting consumer product is the Tesla Powerwall. Which is interesting because they canceled the larger-capacity version of it. The notion, what has been talked about for 35 years at Rocky Mountain Institute, to have resilient microgrids to shift solar-powered energy and storage products so you can feed it to electric cars.
That has all sorts of interesting implications for climate change and really strategic issues for the United States. So, I like to think that it will be that.

For me I think the best-case scenario is a home where the IoT gadgets are totally personalizable, totally customizable. The assumptions that work for, say, the majority of people don't necessarily work for all people. For example, I travel a lot. So if I had automatic reordering of certain things, there would be constant rancid food and various products sitting outside my door blocking entry, a fire hazard, and my neighbors would hate me. There are individualized needs that consumers have, whether they facilitate with a particular product or their life is structured a certain way or there is a special limitation on their environment because of a particular other human in the home or their own physical challenges that they have; there is a need for customization that sometimes is absent in some IoT devices. So I think my ideal IoT home would be one where human overrides existed on all the things, and the devices would allow me to tell them what I want them to do, not assume that they know what I want them to do.

Okay, interesting. I think I've always been interested in the power savings and the smart meters and the Nest dynamically picking the cheapest price for me, et cetera; kind of the idea, though the execution is a little different. One I struggled with: I thought there was a lot of promise in smarter use of network sensors for home security. Stunningly, though, I've been very disappointed to find that every Bluetooth door lock or high-tech home security system has been compromised by one of our friends. I don't think they've failed yet on any equipment they've tried. Ironic that the devices we buy to keep bad guys out of our homes may be the attack vector that lets them into our homes. We talk about nightmare scenarios in this dystopian future; what do you think the realistic first hack is?
I know we have baby monitors screaming, but what is compromised first in the smart, overconnected home?

I will take that one again first. So, I've... if you read the news lately about hospitals, ransomware is a big thing, compromising hospitals. One of the things I thought about early on: if you have a fridge with a monitor on it, that might be hackable, right? If I have your attention span for two seconds, I'm going to serve you an ad, right? So, whether the product maker intends that to be the outcome or whether somebody hijacks the process to serve you ads when you're opening the fridge to get milk, maybe it serves you an ad for a different milk brand or something like that. But I would expect that type of driver to be the first catalyst for somebody to want to hack a smart home device: to be able to advertise to you. If you do it in the right way (I don't want to give any ideas), if you do it in the right way it is going to be undetectable from normal operation of the device. Somebody will say, oh, this fridge, they must have updated the software and now they're selling me ads. I don't like that. You will think the manufacturer did it. There will be a brand reputational impact. You can also see a similar thing accomplished not by actively reaching out to change something, but one of these smart home makers goes under or forgets to renew their website and somebody goes and buys the domain name, right? They have complete control of the infrastructure that your smart device is connecting back to. They can change the firmware, do whatever; if they put a file out there and your fridge retrieves it and pulls it back down, that might be totally legal. I don't know. It is conceivable; we have someone who knows or would be able to tell us, but it's conceivable that is totally legal, just that somebody forgot to renew the domain name. That would be my first expectation: somebody would hijack it to serve ads or some other financial mechanism.
Yeah, I think a lot of people look at the devices themselves and how you manipulate sensors or actuators, but some have back-end harvesting or storage or configuration. So the amount of information gleanable about you, even if they never touch your device, could be interesting on the back end. Anyone else?

I don't want to be the first. I think one of the more interesting ones that will happen isn't a hack at all. It will simply be an extension of the logic of how this stuff develops, and that is a notion from Tim O'Reilly, who publishes O'Reilly books: the business model of Web 1.0 was advertising, then Web 2.0; the Internet of Things will be insurance. There is another saying, I forget who said it: every piece of data is a piece of credit score data. There is a whole raft of startups looking at who you are friends with on Facebook, using that to figure out your financial viability. One of the things to put in the nightmare scenario, which is not a nightmare, is something that followed from Philip K. Dick in the '70s: the protagonist can't open his door because he is behind on payments to the landlord. He unscrews the door off the hinges. In the future, you're behind, or your credit score says you're unviable to run the smart home, and essentially you're locked into your house until you agree to pay your back bills. The first draft of the nightmare scenario: they turn the power off for the day, you crawl out the one window you had not turned into a smart window. We could see this. This logic comes from Uber vehicles: fall behind on payments, and cars are basically switched off remotely and unable to drive for Uber. We see systems evolve where there are punitive punishments if you're unable to conform to the terms of service, the financial terms of service. It will be interesting. We think you own the smart home. We know from the Digital Millennium Copyright Act that it's your license from the companies: if you fail to meet the terms of service on this, you will be suddenly shut out of your house, not even by being hacked but by the actual companies that supplied it to you.
We can also assume that the techniques for marketing that we've seen used in the smartphone space will naturally extend to IoT devices. Currently there are some enforcement actions potentially in progress relating to apps that surreptitiously, slash somewhere buried in the user license agreement (consent, question mark), turn on the microphone on your phone in order to monitor your TV viewing habits in your living room. Now, undoubtedly you will have additional information also being collected about the private conversations happening in the room. We had some smart TVs behaving in similar ways through the remote control, collecting information with a microphone. So I think it is reasonable to extrapolate that for marketing purposes all of the devices will look for new streams to commodify the information they have access to. Short of voluntarily binding themselves to never do so, in some sort of non-amendable way in the contract, I think it is reasonable to expect most of our IoT devices are planning on that secondary stream of income. To the example of locked-up cars, we also had, in a consumer scenario, creditors who were cutting the engines on some cars while the debtors were driving. That caused some safety issues. And so while a car is maybe not strictly part of the IoT home, though it sits in the garage, vaguely connected, it is all part of this bundle of IoT devices that have remote access capability, not only for the consumers but for the authors of the code, and that creates a wrinkle in some of the traditional relationships of control that consumers have come to expect with respect to the products that they purchase.

Yeah, I will give an exotic one and a more mundane one. As soon as I learned of all the cost savings you could have with intelligent thermostats like from Nest (thank goodness we're good guys), we had the idea of essentially small manipulations on a large population of Nest devices to essentially pump and dump based on investment in energy sources in the region.
So you can make a significant amount of money very, very quickly making small adjustments en masse to many homes' consumption of electricity. That is the more exotic one. I think one of the more prosaic, more troubling ones: think how many devices right now are connected in your home to the Wi-Fi. Is it five? Is it 10? Is it larger than last year? How many will be there in a couple of years? If you look just at the home router, Wi-Fi routers, about half of the infection of Heartbleed... most of you reset passwords at banking institutions or social media accounts, but about half of the original infections spread were unpatchable. So you had devices that were vulnerable to the attack but could not be remediated at all. And a lot of these devices, you may not have known they were running this or connected. I'm more worried about the zombie or leper colony of these devices, where any one of them that fails now has privileged access as a stepping stone to every other part of my home network, including more sensitive work material, cameras that monitor my children, the front-side camera on my television without turning the light on. I'm actually looking for devices that aren't smart. I want a market for traditional dumb devices in some cases.

This goes to my competition point: as we go bravely into the IoT, it is about consumer choice with respect to how technologically connected these devices are. Losing the bottom end of not-connected devices is a form of impoverished consumer choice. Our marketplace becomes impoverished if we eliminate the ability to have a less vulnerable option if we need it. In the scenario of a home where one device is compromised, it's not only the information on the home network, but if you're that State Department employee I referenced, that attacker who accesses your network through that one unpatched security camera can then potentially follow you onto your employer's network because, if you are accessing that network from your home network, they can piggyback on.
Suddenly they are not only obtaining your privileged information but privileged information for your employer. Depending on who your employer is, that could be national security information, right? We've seen accidental compromises happen for consumers who are simultaneously government employees. Look at the Sony DRM rootkit from circa 2005, where CDs had code on them intended to be digital rights management code, but in reality it was coded in such a way that it opened a security hole in every system the CD was played in. DoD employees played CDs in their work machines. Other government employees played CDs in their work machines. They clearly never intended to cause a problem for their employer. They were listening to their music. Certainly in the same way, consumers will never intend for the comical cyber toaster they purchased on a whim to cause a security problem for their government employer with sensitive information.

A real interesting point to come out of that. I was at an event at the New York Auto Show where we were discussing security issues. A backdoor to one car, exploiting CDs again: pop it into the CD player and suddenly unlock access to the systems below. That is very interesting. You bring up, funny you bring up, the notion of purchasing your cyber toaster on a whim. There has been this really interesting proliferation, I think, of sites like wish.com, selling really inexpensive Chinese-manufactured goods out of the Pearl River Delta, and we don't know the total provenance of it, and we can imagine state-actor-level stuff where you put a profusion of compromised devices out there to create trojan horses into the homes, where you're buying this for $5 off a mobile phone. Your poo emoji lights up in your house and hacks into your wireless network. That has been discussed by August Cole, and you can imagine that sort of stuff getting into their house. I think also, about a month ago, I forget who it was, but someone in the law enforcement apparatus of the U.S. government said: we love the Internet of Things proliferation.
We can't wait to use it to find flaws, map them, use them to track down, identify, surveil potential criminals.

Well, kind of extending that, a few years ago DoD forbade any use of USB sticks because they said, well, these could potentially be gateways to transfer malware into sensitive networks. Now does that mean DoD is going to issue a new memo: you can't have any smart home devices? Going back to the earlier point, what will that do for the market of smart home devices? Maybe potentially DoD, or any state or U.S. employee, might be forbidden from buying certain classes of device because they're so poorly secured over the life cycle, right? So that's one of those things that could become a wicked problem in the future: what are the interrelations that we can't even think about or expect right now that will come about 10 years down the line based on choices, design choices and purchasing choices, that we make today?

I think there is an interesting dissonance in security, a dizzying dissonance of security professionals: what technology you can use, what systems can access the network. We're very locked down; people work, then go home and are incredibly lax there. I remember one Christmas there was a big story of digital picture frames at Best Buy that were "certified pre-owned" from China, to quote [inaudible], but that is not a rare occurrence, especially with low-end devices. I remember leaving all my electronics at a military base; I couldn't bring anything in. The general I was speaking with had a digital frame and I asked, why is that allowed in here? If I was a hacker trying to do competitive industrial espionage, I would absolutely compromise the microphone capabilities on the smart TVs and flat panels in all the boardrooms of my competitors. There are a number of use cases. We're not creative about what assessment people will do because our guard is down in our home.

So my question is... usually I want to ask; I have some questions too for the security experts.
On this, to me what is interesting, coming from analyzing the industry, is that this is not something where individual consumers should be required to handle their own security. This has to be enforced at the manufacturer level. It is interesting right now that the whole internet of things is a gigantic glacial battle of various standards consortia, Cisco pushing the Internet of Everything and GE the Industrial Internet, negotiating in various boardrooms, and security is a very low level discussion. How do we bring that to the forefront with manufacturers? B, is there a way to create some sort of nested hierarchies of secure networks inside of homes so whatever I bring home doesn't automatically have the same level of access privileges? These are not new problems. This has been addressed at every government level; military and enterprise IT deal with it. We refuse to deal with it. I would love to probe some of these. One framework we have been using for IoT is the very obvious question: we solved it in the enterprise, which we haven't, but assuming we solved it in the enterprise, how is IoT different? There are different adversaries with different motivations. There are different consequences of failure. There are different operational contexts. You will not be behind layers of security. There are different compositions of hardware, firmware and software used. There are different economics, which is one of the big problems here. And there are different time scales. For some of these things the time to live might be a year, and some might be 30 years. How often do you replace your oven, right? Those things take some of our best practices and shatter them. That is one thing; within those I think there are a number of things preventing us from doing very well. What do you guys think? If you look at the corporate IT security apparatus, there is about $80 billion globally spent year over year on products and services. The cost is $250 billion if you include IT people.
These are just add-on stuff to secure it. If you buy a couple hundred dollars worth of smart home gear, will you also buy a couple hundred dollars worth of security gear and then manage it and maintain it and keep it up? I have done IT stuff. I've done IT security stuff as my day job. When I go home I don't want to do that, right? Like the story of the cobbler's kid who has no shoes. I will be one of the worst people; my stuff will be woefully unprotected and insecure if you leave me to do it. I know what I'm doing. I'm capable of doing it. I do it professionally. People like my mom and other people less educated in cybersecurity, what is the hope they could possibly be able to secure their devices with that corporate IT security space transplanted onto smart home security? One of the other problems that exists is we really haven't created what I might call the digital infrastructure around security flaws generally, not just in the IoT context but more broadly in traditional contexts. We have nomenclatures for assessing the severity of vulnerabilities. We have a numeric system trying to identify them, but those systems are not scaling optimally, particularly in a world where there are billions of IoT devices. These are bigger picture problems about infrastructure, an information infrastructure for vulnerability information sharing, that we need to bolster in order to get the information in a sensible way, allow for comparison, that type of comparison of products based on security, to help consumers make good security choices. These underlying steps are not yet fully developed. So we like to talk about information sharing frequently in discussions of information security when we're talking about paradigms, but just sharing the existing information doesn't solve the underlying structural deficits that we still need to work through.
And IoT is potentially crystallizing the inability of what we're currently using to scale in the best possible way to build our society out with this high degree of connectivity while maintaining the traditional balance of consumer protection and competition in the marketplace.

I am going to ask one more rapid fire speed round of the panel and I will encourage you to also ask questions. As far as what to do, agreed, my neighbor will not be a security professional and will want me to IT their home across dozens of devices. We outlined recommendations of things to add transparency to consumers' expected capabilities to reduce the possibility of harm. What do you think, feel free to use one or more, what do you think would be some good additions that we recommended here or elsewhere, so that we don't have to secure these things but they are more inherently secure and defensible things?

I think one of the biggest things is some of the existing consumer practice in non-smart devices, right? One of the things I found really fascinating in talking to some people in the retail industry is, of course we go in to buy something and we bombard people with questions there unless we have done tons of research and know exactly what it is. That is one of the retail folks' big concerns. So if there is some way that a store employee at a retail outlet can be able to have a quick answer of, yes, it's secure, rather than, well, here's what you do, you put this in front of it and do that; if they can have those quick answers that helps them sell more product, which goes back to the market competition drivers. So if somebody comes into a store and says what is the most secure X device and the retail employee can say this one, and I can tell you why in three simple bullets but also you can read it for yourself, that is something very powerful that goes up through a retail channel.
Barring that, there is remediating action you can go through; for instance, if someone markets something as a secure webcam or secure baby monitor and you find out it is very much not a secure device, there are ways you can contact the FTC and report these things, right? Maybe not a technical thing but definitely something my mom can do and has done before, to call the Better Business Bureau or somebody, take that step, which a lot of people don't talk about in our industry. I think we should talk about those things more. Okay. Who's next?

I'll go. This might be utopian. Earlier there was discussion regarding devices, smart televisions, anything else. This might be apocryphal, the Samsung television: if you read the terms of service it is recording conversations and says do not have personal conversations in front of your Samsung television. That said everything to me. Rather than having a television that didn't record conversations, rather than the option of not recording conversations, you simply assume the risk that everything you said would be recorded and used against you. The utopian, broader political discussion we need to have is that we need to end the current data collection regime, which is the fact that, you know, any hardware maker, whatever their services are, will collect everything they possibly can from you and they own it. We need some sort of scheme where you own your data, the new deal on data or an approach that creates real legal protections around your data, which would force manufacturers and software providers to treat it with appropriate seriousness. "Don't have any personal data in front of our devices at any time," so you don't have to worry about it being stolen, which is the current regime.

Andrea. The price of devices doesn't represent the data collection happening, which goes to a broader transparency point.
One other thing I'd contribute before we open up for questions is a hopeful question mark note: this is a space where technology tools can help to translate concepts for consumers, policymakers and creators of these technologies. We have a robust community of experts who can act as third party auditors. Sometimes that information doesn't translate well and filter into the public consciousness to inform the less technologically sophisticated consumers with respect to the state of the art of what we know to be true in the security research community. Building technology tools, having forums such as this to facilitate that translation effect, both among consumers but also to help small business creators better embrace the importance of security by design from the ground up and to recognize that security isn't something you can slap on at the end of the process. It's not a band-aid that can be layered on. It needs to be inherent in the broader structure of the device and the architecture of the device, or it is a lose-lose for both the creator and the consumer.

A very large thrust of the five-star for automobile crash tests is you don't have to know what the difference is between three-star, four-star, five-star; it becomes a device for the public to tell the relative safety ratings of different vehicles. Our framework was not meant to be a checklist of all security things thou shalt do, but things you had to invest in, so when the public becomes more savvy or interested in this as buyer criteria they can at a glance, in a consistent way, tell what people are doing. Several of those are outlined in here as well. I think one came to mind because I did a webinar yesterday: there actually was a congressional action from Chairman Royce from the House on foreign relations, the National Transparency Act of 2014, essentially asking for food labels for software. If you sell to government you need a bill of materials of third party software, known security defects, and they should be patchable.
You can imagine how much the software industry hated this bill, but just yesterday we did a webinar with the financial services industry and they said it's a great idea. They are saying to big software providers, we want to see a food label of the software you're selling us in your commercial goods. That is where they stopped. They didn't ask for the other two things. This allows you to make a more informed decision. Would that be good for my mother-in-law? No. But could that allow organizations to tell who has better or worse hygiene? One thing I'm telling all my friends and family: if you buy an internet connected device, it better be patchable. That is a simple thing to ask for. The other thing I'm telling them is don't buy an internet connected device if you don't really need it. You must be this tall to ride the internet of things; if you connect it and expose it you must have the ability to fix it. So with that, does anyone in the audience have a question? We have a microphone. Feel free to also say what you think we should do for the actionable decision making. Go ahead.

So one thing that, I'm a security practitioner as well, and one of the things I noticed, I'm looking at these devices, stop for a moment, okay, if I wanted to see how secure this device right here is, what would I have to do? I think about it. And I think about it. And I think about it. Compared to what I would have to do for a piece of software on one of my computers or computer software, it is unbelievable. I do this; like, I have a logic pro. I have the gear to do this. I don't want to have to buy two toasters, take one apart and start connecting to the pins and, oh look, it is a certificate in clear memory and that kind of thing. So I think the problem that calls for the star rating or whatnot, I think it extends further in this world than it ever has before.
It is kind of weird there is a level of transparency here; even though these devices are in a way simpler and more ubiquitous, they are even more opaque than complex ones were in cyber. Moreover it may be illegal to do your analysis, thanks to the Computer Fraud Act, or the digital exemption that springs to life at the end of October for IoT devices.

Thanks for the comment. Take three of these and throw them into the melee over here. Speak loudly for the video. There is a new security research exemption for research on, including, IoT devices. So security research that conforms to the limitations of the exemption. So basically everything that is a consumer product is loosely covered by this exemption, which allows for the circumvention, not being a violation of the DMCA, for the purpose of good faith testing and analysis of the code in consumer products such as IoT devices, in order to analyze them for the integrity of the code and whether they're... Wait for the mic, please? My voice is so loud. There is a recording. For TV, okay.

I'm in a different generation than you are; we used to play games with people's minds. If I had something in my house and I knew somebody was monitoring it, I'd just play with the information. But it seems to me now we're passing laws that make it illegal: they're collecting information on me and it is illegal for me to play games with their mind. That is my real question. They will turn it into a security thing. Oh, by the way, you just can't... Well, one of the reasons a lot of the research community descended upon this cycle of exemptions for the Digital Copyright Act was to try to look at the white hat hacker community, for example, as an untapped domestic resource that can find flaws and get them fixed more quickly; then why wouldn't we activate and catalyze that domestic resource? There are quite a few prominent researchers and patients who tried to get an exception for medical devices, automobiles, which kick in in October, and this broader category.
The part that is messy: we'll see all sorts of messing with smart homes. It will not necessarily be by individuals. The example of Microsoft's Twitter AI run amok points to people messing with your house to turn you into a fascist. We could have seen it already with Alexa; Amazon's Echo personality has already begun responding to radio and television ads over here. We can already look forward to subliminal messaging going into television ads designed to trigger your in-house AI or attack us somehow. So we'll see a lot of gaming of it, but it could happen below the level of actual individual intervention with it. It will be large corporations and AIs messing with each other rather than people. We could have several panels on the DMCA and CFAA; we probably won't. You were next.

Yeah. Looking at the issues we had with industrial control systems, Stuxnet, et cetera, how do we address those before they happen with smart homes, or can we, or do we just have to wait and see?

That's a good question. So some of the issues that we've had with industrial control systems, I think it is kind of an open secret that they're widely considered highly vulnerable and highly exposed and there are high consequences from their failure. We saw recently there was an Iranian guy who was charged with hacking a dam. Luckily, apparently the sluice gate was, A, not operable remotely, and B, there wasn't that much water actually behind the dam. I don't know that we'll head off all the disasters. I don't know what the impacts will be. Having a plan to respond is important because we'll need some kind of response if and when that does happen. Doing all we can before that, by having this design layer that takes security into account, is going to be really important. Being proactive here certainly has a benefit. If we look at other historical legal contexts, for example in environmental regulation, we needed to wait for a river to actually be on fire.
It wasn't until the Cuyahoga River was in flames that we passed an environmental law and one of the most aggressive liability regimes we have. Rather than waiting for a river on fire event, it might be a more desirable and more logical strategy to be proactive and to think through the optimal pathways for crafting both responsibilities and structures of information transfer before we have a river on fire in the information security context.

Yeah, we may not get to it, but one topic that comes up here is the lack of any software reliability as part of the issue here. It also stymies activating the insurance world as well to cover the residual. But one thing that we shouldn't assume is, just because you can connect it to the internet doesn't mean you're required to do so, especially in industrial control systems. One of the things I lose sleep over, if you ever played with Shodan, essentially Google for things that should not be connected to the internet but are, and have hardcoded passwords you couldn't change even if you wanted to. I said instead of worrying about sophisticated nation-state attacks, handle Metasploit; if you can't handle that you can't handle anything. Wait a second, we're not patching known vulnerabilities for 10 years. The Verizon breach investigation report about this time last year had a stunning graphic that showed 97% of the successful attacks last year were due to 10 known vulnerabilities. Eight of them had a patch available for more than a decade. I say, wait, maybe the lower level of minimum hygiene is make sure your industrial control systems are not nakedly exposed to the internet. That is the Shodan rule. We have a lot of things we could be and should be doing; the easiest way to secure the 30-year-old industrial control system is to not have it exposed to the internet. We are taking significant elective risks through our really unnecessary elective attack surface. I saw you first. Then you.

Hi. Russell Walled with Stanford University Hoover Institution. I have a question.
There is a lot of focus talking about the software assurance here, but given the fact that the IoT in the home has toasters, ovens, refrigerators, dryers, and washers, we're not looking at hardware assurance as well, vulnerabilities embedded within hardware. And since this supply chain is coming from overseas, what are your thoughts on hardware safety?

We talk about adversaries, and the fourth one asks about the difference in composition. The software, hardware, firmware stack is wildly different than an enterprise device. In some cases there is common componentry. You buy a pallet of some embedded Chinese ODM chips, the cheapest that day, and it might be different the next day. There is no assurance, and with the margins on incredibly small devices, there is not likely to be assurance on some of these things. There is an experiment going on with Underwriters Laboratories to cyber seal. Industrial control systems are at higher price points and are more suable entities, but the likelihood, when we talk about different economics in the home and for the consumer, this might be a Kickstarter size thing with two employees in a garage, and it might be the next thing bought for $3.4 billion. It doesn't usually get completely scrapped and rewritten later; this is a particularly pernicious issue, including the hardware that you referred to. I would say, hardware, going back to your earlier point about Nest energy fluctuation arbitrage, there is that at the bottom end: ODM chips you're buying off random auction sites. High end, your Nest brought to you by Enron. The entity supplying to you is engaging in various practices that would be found illegal. We have the risk of that too, which is not even hacking, simply manipulation. Yeah, I think what we'll end up with, we'll have some minimum standard of care. Think about, like, a commercial restaurant, right? You can't just have a commercial restaurant.
Even though the hacker community hates any sort of regulation, there are times when the government asserts its will for public safety and public good in the form of a minimum kitchen sanitation code, right? There may end up being something like a gold star seal, more of a carrot than a stick, or a minimum standard, but we'll have to come to a point where a device that can meet a certain threshold is going to allow discerning citizens to buy those and only those. It may not be Underwriters Laboratories guaranteeing this won't catch fire. Cybersecurity is not that. You have adversaries and a whole lot more complexity, but I also think what we'll end up doing is having to employ a whole lot of segmentation and isolation in the way we set up our dependence. You don't have to put software and Bluetooth on everything. You don't have to connect it to everything else. It will take a lot of stumbling and fumbling before we get there. Anybody else for that particular point?

I will just briefly complement one of your points. So on the point of a minimum standard of care for security, the Federal Trade Commission has instituted a reasonableness standard for security in all companies and in all products as a consumer protection measure. So their enforcement activity, and over 50 enforcement actions with respect to security, and reasonableness is the hallmark of that activity, and there is a report called the Start with Security report that provides a list of practices that have been considered in various enforcement actions, and it is intended partially as an assisting document to startups that are trying to struggle through these questions of hardware and software security in their new device. There is a sister organization as well I should mention, from Build It Securely, and their unique focus is on very small Indiegogo or Kickstarter projects.
If you make a device on a Raspberry Pi, here is how you might do it in a secure way, or they take popular small electronic, low margin IoT platforms and provide free guidance and reference architectures so there is a better chance of it being done less horribly. A better chance of less horribly? All right.

Earlier you also asked about ideas for what we know to do to fix things, and one of the things, I actually am starting Monday, going to be a cybersecurity analyst for the State Department, and I don't have anything smart in my house. If I were going to have something smart in my house I would have three dim routers and I would completely put all the internet of targets behind one router, on one end of the Y. Have the internet come through the other and put anything I wanted any level of security on on a completely different subnet and a completely different branch, probably wired. By the same token I would like to know your opinion, considering some people don't want to use the internet of things, on having a mandatory rule or law that every device has a mechanical, non-software control on/off switch, so I can shut off the internet and it can't be turned on through software and hacking. Turn off my TV's wifi, refrigerator's wifi and oven's wifi; would that be a first step to help people who don't have enough security sense, Bo's mom told by Bo, "Mom, there is a switch back here, click it, you will be fine"? That's the question.

Like switch it to a dumb device, right? Yeah. In fact we were car shopping about three years ago and I tried to find, even though I knew hackers looked at most of the cars, I could not tell which car had the best security program. Now fast forward three years later, we have to get another lease right now. And I know on a first-name basis some really intelligent security person at every single car company, and three years later I still can't answer what the best programs are. We have little glimpses and pieces.
One of the more stunning moments on a trip: they said to my wife, this car has 4G LTE wifi standard in all vehicles. Doesn't that make you want to buy this car over the other? I don't think you know my husband. But then he had to say, you can always shut it off. I'm not an engineer, but I'm pretty sure I can't shut it off. I called: no, nope, you can't shut it off. I'd like a lot a less connected mode; you should describe to your customers what happens, how much it still functions when it is not connected, or, you know, what are the failsafe modes if it were compromised? Would it degrade to a safer connection state? These are the kinds of discussions we wanted to stimulate, such that when you start making recommendations to consumer electronics companies we have at least a list of options that we choose from. Help consumers to know to ask that question. That's right. Because unless you are married to a security pro or study it, you might not even know to ask that question of the car manufacturer, and it is a multi-thousand dollar purchase you're investing in. And you just, it is something you care about, but it didn't occur to you to ask. To help consumers know which questions to even ask and put pressure with their buying dollar on companies to have good programs in place, have open door policies with security researchers who find flaws, to have feedback loops, to have information available to consumers about whether there is a kill switch or human override if, say, an autonomous car has something going horribly wrong that was simply not anticipated by the coders who were building this device. Code is written by humans. We can't anticipate everything. The same way I can't write a 50-page paper without making a typo, it just doesn't happen because we're human. Code is written by humans. So sometimes, you're going to have mistakes, and I'm a firm believer in the importance of maintaining human overrides in circumstances where an unforeseeable event causes something to go off the rails.
A lot of industrial control systems in medical, clinical environments have a requirement for analog override. I think we're losing discipline in some of these other safety critical use cases. We'll have to find a way to get it back. All right. I saw, Alan?

Alan Friedman, Department of Commerce. Trying to say that there are parts of the government that are strongly encouraging cooperation between vendors and security researchers, but I wanted to talk about what we can do to sort of leverage some of the market forces independent of just command and control regulation. One example I will fire out is a collaboration between the National Association of Realtors and an industrial consortium to have a checklist as you're selling your home. If you're buying a new home you want to know what is in there. You already know to get the furnace looked at and the HVAC system looked at. There is a checklist, say at least what smart devices are in the home? When were they built? Not best for security because it is not written around security, but it's a good start. Are there other economic forces we can use to sort of collaborate so it is not just consumer versus vendor but actually get some large, powerful commercial forces on the side of the consumer?

I like your example. One of the things that we talked about a little bit in the paper is the right to be forgotten for homes. When you resell your home you change locks, right? When you resell homes, did you delete all data from the Nest system, personal data about you, essentially because of the new owner? What does that look like? Would you have to just change the entire Nest thermostat because it is tied to your account with your password? Do you hand over the password to the new people that move in? Thinking of those things, the entire life cycle of the device used in a home.
Fridge or oven or one of the things that tends to survive ownership of the home itself, how do you, how do you as a consumer, as that buyer of the new place or the seller of the old place, do that, to Andrea's point? Maybe your fridge keeps buying meat and having it sent to your house and you're vegans and you move in; you just get all the meat shipped to your house? How do you stop it? You don't have the password for the Amazon account to stop sending it, so what happens?

So I like your specific example. Building off that, I'm curious, this goes beyond my ken in the current state of the art, but interoperability standards with competing manufacturers? One of the things we have in the 2025 nightmare scenario: each room of your house is a separate vendor because you added to it piecemeal over time. What happens when the Amazon kitchen stops talking to the Microsoft bathroom because they're in a corporate cold war? What happens with Siri jostling with competing demands, or perhaps preying on each other to send white noise? We have no guarantees manufacturers have some sort of basic interoperability other than whatever arrangements they worked out among themselves. I don't know how you legislate the equivalent of TCP/IP for what a smart home is, or standards. I don't think that is looked into enough: what happens when manufacturers go to war with each other, or glitches between the two, where you have unreproducible or not understandable glitches in the room. Every mistake with computer architecture we fill in in our homes. Siri, Cortana and the refrigerator will buy the meat. Race to do so in high-frequency milliseconds to do it.

I'd like to take a parallel from automotive lemon laws, right? So the reason the market wasn't efficient there was information asymmetry; the seller of the vehicle knew more about the history than the buyer, so there was a device put in place that didn't add more information but maybe gave you an escape clause if you found something, with lemon laws.
You can argue those aren't necessary now that we have things like Carfax, more transparency about events and maintenance that went into that particular vehicle. For our part, if you spend any time with the research community, as I know you have, they are not big fans of legislation or power structures. So, but most seem to be okay with the idea of transparency to enable free market choice, and that's one of the reasons we tried to talk about food labels or demonstrating if it is patchable. One of the things we're starting to tell people in the meantime, while we don't have five-star ratings, is I look for vendors with disclosure programs. For your information, at ncia, in lieu of information I might glean, there is a short list of car companies who have a disclosure program to invite researchers. Someone with a welcome mat, instead of an implicit beware of dog sign, will learn of issues and fix issues more than an organization that doesn't.

One of them is IP version 6 is probably necessary. Another is there's a whole list of local and regional building code and building inspector issues that go on in terms of doing that, that retrofitting is almost impossible, so designing becomes the answer. Another word that probably hits the cards, I think, too, is something called EMP, either by terrorists or by natural causes like a solar flare, that could bring down the whole network and you might not be able to crawl out of your window, so some of that hardening might be really interesting.

So one of the interesting things that you mentioned that I will want to talk to, maybe I'm taking the point too far, but if you look at the fleet buyers of automobiles, when they have to do an update today and it requires physical access to update, they have to take the car out of service to get the update. So if you go to any of the rental car agencies, they might have a fleet of let's say 00 cars at that location.
How many hours does it take per vehicle if they have to go out and do that, and when do they take them out of service so that they're no longer producing revenue? I could see a scenario in the future saying, I'm sorry, I can't serve any food because we are waiting on the person to come and update the refrigerator. On the cell phone they updated at 3:00 o'clock in the morning. Yeah, on your cell phone they have automatic updates; maybe there's something you can do, but then again, you must be connected to the internet. If it's isolated from the internet already, then you have a better window, I would say, to be able to wait, and maybe you don't have to shut down your fridge before you update, and so the connecting to the internet part is what makes you have to shut the fridge down before you can go and use it. Let's take one more question and then we'll do some closing remarks, and I think you have the mic here.

I'm sort of with Greg on the whole vision of the smart home with the Jetsons. I want to know where my flying car is. [laughter] But seriously, if you look at cars and the Highway Safety Institute and all the testing they do, until there is some entity that actually tests, I'm not talking about standards, right, that are quote voluntary, I'm talking about people who crash things or do the equivalent for the IoT, the consumers will never really know what is safe and what isn't until this actual testing. And so in order to accelerate something like that, Josh, you were talking about liability. You know, if you look at places like the Mayo Clinic, who have imposed liability on their vendors, you know, if your software fails and there's a breach, you're liable. Through contract.
Through contract. Unless there's a consumer movement to demand liability on the manufacturer who's bringing something into my home that has this vulnerability known, then without those two things, I'm not sure that, you know, just relying on the goodwill of manufacturers to do the right thing, because we know that's simply not going to happen. They'll push product out the door because they can.

So here is where you get into interesting legal territory. We are talking about physical objects, a chair, a table, traditionally a refrigerator; there have been certain protections as a matter of law under the version of this thing called the Uniform Commercial Code that is incorporated and gives consumers certain rights of recourse, and you can reject products, for example, that arrive at your door that are not conforming to what they are supposed to be when you purchased them. We have protections for physical objects, but then over here in codeland, the software has generally been shared with these license agreements: you use it at your own risk, whatever happens, not our problem, and when it was the chapter of your latest book on your laptop, you were annoyed but you kind of dealt with it. But the blue screen of death on a medical device that's IoT is real death, right, and so here we have this physical-space norm of liability and a higher level of consumer protection because of the information disparities, and over here we have this as-is, where-is norm for software, and they are clashing in the IoT context, and that's what we need to resolve. Courts are going to struggle with this, and that's where the rubber is hitting the road in the IoT car.

Maybe a future discussion: one of the ways I met Andrea a couple of years ago was posing the question, is software liability the worst possible idea except for all others, especially when it comes to bits and bytes meeting flesh and blood? You want to post the cost burden and make offset with residual. IoT will set condition.
It's better to set for the moment than have a