Coming up next on C-SPAN2, a conversation on smart homes, homes that have lighting, heating and appliances controlled remotely by phone or computer. We will hear about the benefits of smart homes and the privacy and security risks, from the Atlantic Council in Washington. This is about 90 minutes.

[inaudible conversations]

Good afternoon. Welcome to the Atlantic Council. I am the director of the center here and vice president for the council. We are thrilled to welcome you to our event, Smart Designs for Smart Homes, for the launch of the new issue brief which we have out there, Smart Homes and the Internet of Things, and a discussion also on the opportunity here that networked homes will offer to society as well as the risks that they pose to security and privacy, so an interesting topic that will be increasingly prevalent in our daily lives and also with broader implications. It is Thursday, and this afternoon's conversation is part of our monthly series. I will go home tonight and figure that out, but the series, as many of you know if you come every month, is designed to convene cyber experts from different sectors to examine topics at the core of the council's cyber mission.
Today is a special Cyber Risk Thursday because it's my pleasure to announce that one of today's panelists, Joshua Corman, will start tomorrow, April 1, as the director, new director of our Cyber Statecraft Initiative, and even though it's April 1, that is a true statement. Josh is also the cofounder... no one is happier than me about that. [applause] Josh is also the cofounder of I Am The Cavalry, a grassroots organization that encourages new security approaches in cyberspace and beyond in response to the world's increasing dependence on infrastructure, so watch this, and the program will be heading more in the direction of today's conversation, but even much further. Josh has employed a very unique approach to security and policy by connecting human factors, adversary motivation, social impact to help position him as one of the most trusted names in this space. Before joining the council, he served as chief technology officer for Sonatype and adjunct faculty member at Carnegie Mellon Heinz, and we are thrilled to have him. Before I let Josh take the stage for his remarks, I would like to thank our media partner Passcode from the Christian Science Monitor for joining us and welcome those of you who are following the conversation online. I encourage all of you to join the conversation on Twitter using ACcyber as well as CM Passcode, and Josh will give you another account to tweet from. Now, Josh, over to you.

Thanks very much. All right. Thank you for coming. My name is Josh Corman and for the next hour I was to be the chief technology on certain, but I am excited to start tomorrow.
I think it's a key point in history. About three years ago we decided to do this I Am The Cavalry thing, and in some ways it's a terrible name and in other ways it's a wonderful name, but we found we were growing more concerned that our dependence on connected technology was growing much, much faster than our ability to secure it, and while many of the best and brightest in the cyber security realm are trying to protect credit cards and highly replaceable assets, we saw this dependence was permeating our automobiles, homes, everything, and we are putting software and connectivity into every aspect of our life. What we know in cyber security is once you add software you make something hackable, and once you connect it to something else it is exposed, so to me the internet is not that software is eating the world, but software is infecting the world, and if we are going to place our dependence upon it we need to make sure it's dependable and worthy of trust. Seven and came from the recognition the cavalry isn't coming, and it was a call to action to the voice of reason and technical literacy in the research community to say stop waiting for someone to come solve this for you; look to your left, look to your right, if you're not sitting in your chair they're not coming. It is the personal adaptation that I am the cavalry, and once we're outside our comfort zone and talk to public policymakers, general public, where bits and bytes meet flesh and blood. We want to focus on the intersection of technology and human condition, but more specifically where the consequences of failure include public safety and human life.
Without much of a plan other than boldly going in that direction, we started the chain of influence and meeting with people in Washington and going to places we didn't normally go, speaking with people we didn't normally speak with, but really with empathy and a score in the heart of an ambassador we have tried to bridge the divide between the technical community and policy community. In just the last three years of experience we've seen the fruits of that labor. In fact, on this stage last March I met Suzanne Schwartz from FDA, which really catalyzed a high trust, high collaboration relationship, and you saw the January's postmarket guidance for connected medical devices, and they did a 180 in their attitude toward security research and now essentially almost requiring medical manufacturers have a positive relationship with the research community by encouraging the adoption of coordinated disclosure programs. We have seen the experiment work, and what becomes clear in the meantime is if you look at the headlines, this has gone from a concern we are worried on the horizon to one happening in real time. Just the week before that security conference we saw the hack of a Nissan. We saw the first self-driving car have an accident going at 2 miles an hour, but Google did hit a bus. More recently we saw ransomware so debilitating to a hospital in Hollywood, 40, that they had to move patients, potentially critical care patients, and now we see yet another one, which is now actively probing other hospitals. Whether they are targeted attacks or indiscriminate collateral damage, this dependence in areas affecting public safety and human life is coming to the forefront.
I was just in Munich for the security conference discussing how maybe this is not about norms and treaties between nation-states, but we should also be looking at cyber safety exposure to subnationals, activists, people maybe with less resources and less hacking skills than the will and might of a nation-state, but with more willpower to use it, and as you have seen recently we saw the unsealed documents confirming Iranian hackers manipulating controls in a water facility, so if not now, then when? I'm really excited about coming here, and today's topic is someone has to fill this void and we have to act quickly to know what the right thoughtful and plentiful response will be to cyber safety, and I'm honored to be picking up where Jason Healey left off with Cyber Statecraft Initiative and bring a heavy focus into cyber safety, because this is not only the impact will simply be measured in public safety and human lives, but confidence in human key markets like automotive and medical, and if we would like to avail ourselves of the safety advances or if we would like to improve the state of patient care through use of modern technology, a critical element of that is public trust with these technologies, and it's up to us in this room to drive that conversation and make sure we don't wait for a really serious failure that scares people away from trusting these technologies, but we preserve and deserve the trust we place upon them. In today's installment we would like to talk about a paper, originally a collaboration between the members of the Cavalry and myself and the Atlantic Council's Greg Lindsay, on smart homes, and while there are several reasons to look at safety and privacy in the home with ever connected consumer electronics and home alarm systems and appliances etc., and while there are promises, we want to make sure in our desire to adopt these new technologies we can maintain the trust and confidence in them, so we don't have a nightmare state scenario.
A report came out today, and if you have not looked at it, and if you read one and only one thing, please look at the scenario from 2025, but we will get into that a bit on the panel, so without further ado I'm excited to have my first panel at the council. In a different role. Us about our panelist to the stage, please. We can clap for them. [applause] All right, and I will go down the line here. Please wave your hand, Greg Lindsay. Andrea, and Beau Woods, deputy director for Cyber Statecraft Initiative. Would you like to introduce yourself?

I'm Greg Lindsay. I am also a senior fellow in the city foundation, contributor as company and variety of other sort of posts regarding city, technology.

Once we go down the line we will get opening remarks.

Andrea Matwyshyn. I am a professor of law and computer science at Northwestern University and also a visiting research collaborator at the Center for Information Technology Policy at Princeton and affiliate scholar of the Stanford Law School Center for Internet and Society. I also had the privilege of serving in 2014 as a Federal Trade Commission senior policy advisor focusing on securing privacy and their academic residence.

And Beau Woods. I have to follow that intro, unfortunately. I am Beau Woods, deputy director of the Atlantic Council Cyber Statecraft Initiative, with about 10 years on the technical side and now, for the past couple years, working with the Cavalry, coming more to the policy side.

Okay. We will start with Greg. Give us framing thoughts on the idea of smart homes, the promise, the peril, how do you see this issue?

I have been covering really the notion of smart cities as my way into this issue, and I covered when IBM and its big three during 2008, after that election of President Obama and the financial crisis, and there was a whole shift in how we approach what is now the discourse of the internet of things.
When we look at smart homes it's always been extremely tech heavy market campaign. There's more no organic reason to want a smart home. When you go back to the 1930s the first vision of smart home started appearing and that trickled into visions in the 1960s of the Jetsons, Walt Disney and the notion of these pushbutton automated homes that would relieve us of drudgery, but in the 80s it's the tech companies like Microsoft and others pushing this idea that the future of computing was the smart home, home of tomorrow, and filled with these visions of how we would automate our homes. Consumers never really wanted them. We saw this elaborate push to create elaborate interoperable homes, and of course they were buggy and brittle and taking great analog systems and making them harder to use. The real problem with smart homes, separate from hacking, is the notion we all remember in the early 90s when it was we could even make the computers work our printers, and the question is do you want your house to work the way. This led to consumers not embracing it, and if you have seen the press release out there, polled 9,000 people around the world asking about their appetite for smart homes, and the Americans in the study, who lived with the vision the longest, 45 could see no reason at all why they would be smart home. By far the number one reason to want it would be cost saving, electricity, and so even today this notion that we will live in these beautiful perfect seamless homes that of class where everything is a touch screen service, people just want cheaper electricity bills. So we are still looking for the first really killer app. We have a whole nightmare scenario in there that Josh mentioned about what it will be like living in one of these haunted houses, made haunted by hackers and worms and everything else, but it boils down to the question of how will we realize the problems of the end realize this vision.
Will it be Powerwall, electric cars that will free us from great dependence of [inaudible]

You are the coauthor; we will let you go next on framing remarks.

So, one of the things in doing the research for this that became clear quickly is, looking at statistics, some of the statistics until announced today, for instance, but also some of the other work done, it became clear that while consumers have an expectation that they will have to have these devices, they are terrified of them. Something like 66 are afraid their smart devices will be hacked and the data in them will be extracted out of their homes for some kind of commercial value by an unwanted intruder. That's a pretty scary number for anyone who is trying to sell into that market. So, one of the biggest things, as Josh highlighted early on, is we are already trusting these devices and smartphones, clearly consumers don't necessarily trust them. They may not want them, but they feel like they will have to buy them, and in going around to some of the other places and other industries like the automotive industry, like the medical device industry, every auto conference I go to now people say, I don't want one of these new cars, it's hackable. I will get an old car from the 70s or 80s and drive that around because that will be way safer. Though, it won't. That's the opposite thing. In medical you see people like diabetes patients like Jay Radcliffe who have said I don't trust this device to work in a way that's automated that can affect my body chemistry. I'm going to go back to injecting myself 15 to 20 times a day with insulin. These are personal choices people make, but in aggregate those choices have a really significant potential impact on the market share organizations think they will get from some of these investments that they have made in internet of things and smartphone devices.
So, if you are a Kickstarter-size project and you think you've got a 10 million-dollar potential pipeline, but it in the pulley being 1 million that you got a business. Your business model won't sustain a 90 degradation of your market. Same thing for larger players, only with less severe consequences in their business model, but some of the internet connected things they are creating may go offline. You may not have the products and services associated with the smart home that you thought you would when you bought it. Because there will be financial impact if we don't recognize and realize the market potential that exists for these, or projected market potential, so I think that is one of the hidden bad things that could come up in two or three years is we start to see significant investments that have been made by corporations and cities in connecting everything go away. They are not realized, and that has a significant financial consequence to us as well as to global product makers and markets.

Indeed. All right. What about you, Andrea?

Following up on the excellent points, I will highlight one competition concern and one consumer protection concern. On the competition side, following the comments, there is currently a deficit of market information to allow consumers to make informed decisions across devices. For example, pricing structure disclosures with products don't usually disclose what the lifecycle is of a particular product. How many years will the product be patched? How many times have penetration tests been run? The quality of the security and code integrity in a particular device is not necessarily something that a reasonable consumer can take into account when trying to decide whether this product at a cost of 15 more is worth an extra 15 versus this other product when they are both apparently the same IoT device with respective marginality.
Thinking about those hidden costs, rather the park is rewarding IoT companies that are investing in security and taking care of the consumers that are trusting those products with access to their homes and information. So, that's a competition point, and on the consumer protection side, there is a bigger conversation, plane up on some of the other comments, about the question of what I call technology suitability, or sometimes the fancier technology is not necessarily the better technology for getting a particular task accomplished. I say better with bacon, because some perhaps overzealous chefs think if they sprinkle bacon on everything that it is suddenly that much better, but if your diner is a vegetarian you just destroyed the diner's meal. So, thinking through what task we are trying to accomplish when bringing a device into our home or enterprise and how those connections facilitate or add risk to the bigger picture of our lives. So, let's quickly take an example. Let's say I'm a State Department employee and I live in DC and I'm out shopping and I see this really neat connected oven with an app and I can operate my oven from my phone. Gee whiz, that's kind of cool. But, thinking through how the oven connects to my wifi network, what kinds of information I access from home with respect to my professional life, whether there's sensitive information that could potentially be compromised if the security on the internet connected oven is not necessarily up to par, and whether vulnerabilities are getting patched.
We have already seen the first internet ovens exist and the first vulnerabilities on internet ovens, but wholly apart from the data control aspect, if you have a small child in the home, for example, and the child likes to play with your phone, maybe an internet connected oven with an easily accessible app is not necessarily the best choice for your home at that point in time in your life, so thinking through the totality of circumstances and how the technology capabilities of particular devices, IoT devices you bring into your home, connect with those tasks and risks that are the reality of your existence is the consumer protection side of this puzzle, so with one hand we want to reward the companies in the marketplace that are doing a great job and thinking about security and consumers, and on the other hand we want to train consumers to help themselves inform and make good purchasing decisions.

Thank you. So, speaking of that, when we had launched the Cavalry initially we talked about four different projects with four different markets and regulators and market dynamics. One was automotive cyber safety, medical cyber safety, industrial control and public infrastructure, which is a large and difficult grab bag, and the last was consumer IoT and the home.
We kind of put the IoT and the home on the back burner because with a focus on public safety and human life we said we'd love our privacy and we would like to be like to enjoy it, and more of the life and limb kind of consequences were found in the others, but it was a very exciting opportunity to work with the Atlantic Council and Greg on this because it forced us to stretch which models we have been using to solve the problems Andrea outlined for cars and medical devices, and many of you have seen these, but we had a five-star automotive connectivity for vehicles, and while it has fancy names, the way I would describe it partially to my neighbors: all systems fail, please tell your customers how your blitz belliard, how you take up avoided failure without suing the helper, and how do you capture and study and learn from failure, how do you have a response to failure, and how you contain and isolate failure. More recently, this January, published the Hippocratic Oath for medical devices, which is similar. When we tried to apply it to smart homes, and we will have the so, they question this morning, we found those controls are useful, but there were additional market enables and information to customers that were required, so the teaser to the audience is think of what you would do to help the consuming public avoid products that may endanger their family save your privacy. We will pose the same question to our panelists, which I will join now. So, first question, if we got smart homes right, and this is for anyone, if we got it right, and I know you have been skeptical that we can get a smart home right, what is the primary case you would want to see out of an intelligently connected home? Anyone?

I will go first. Going through and looking at some of this, I really like the convenience features of some of the smart home stuff.
I don't have an Amazon device to tell me when to reorder and automatically reorder, but it appeals to me because sometimes I forget to buy detergent, so if I could have a way to just like say into the air, Alexa, buy laundry detergent, and it will automatically refill it, then that would be easy for me and that would mean I could show up to work with clean clothes, maybe one day when it wouldn't have happened otherwise. So, for me I think that convenience factor is really where the sweet spot is for smart homes. Not necessarily to automate my decision-making process, but to make it easier to act on those decisions and help inform the process.

Anyone else?

I agree with Beau in the sense that convenience is the reason it will happen. The fact that everyone anticipates a smart home will happen, but they are terrified of it and they don't know how, I think is an extension that comes out of the framework that exists now by Facebook, Google and others, which is we harvest your data and resell it to others. If the service is free the product is you, so the science fiction author has written about this where he looks at the internet enabled fridge, it's like the icon of failed dreams of the smart home, and really the true internet of things is a fridge supplied by Amazon for free or at least at cost in exchange for them harvesting data, and you won't need to tell Alexa you ran out of detergent because Amazon already has the patent on predictable ordering. So, I think one of the problems is convenience will create this data regime, data capitalist regime, which is all about harvesting your personal information, that will lead to the vulnerabilities we havent some of the use cases about. I'm most excited about some of the stuff around home utilities and energy stuff.
The most exciting consumer product is the Tesla Powerwall, which is interesting because they canceled the larger capacity version, but the notion of doing what's been talked about for literally 35 years by people to create more sustainable, resilient microgrids to really enable the shift to more renewable solar powered energy, because you have home storage products that could feed into electric cars, leads to an interesting shift in how we produce and consume energy that has implications for climate change and other strategic issues where the us. I like to think it will be done.

For me, I think the best case scenario is a home where the IoT gadgets are totally personalizable, totally customizable, because the assumptions that work for, say, the majority of people don't necessarily work for all people. For example, I travel a lot, and so if I had automatic ordering of certain things there would be a constant pile of rancid food and various products sitting outside my door blocking entry, fire hazard, and probably my neighbors would hate being. There are individualized needs that consumers have, whether it's to facilitate their engagement with a particular product or because their life is structured a way or because they have special limitations on their environment because of a particular other human in the home or their own physical challenges that they have. There is a need for customization that sometimes is absent in some IoT devices. So, I think my ideal IoT home would be one where human override existed on all of the things and the devices would allow me to tell them what I want them to do, not assume that they know what I want them to do.

Interesting. Yeah, I think I've always been interested in the power savings and the smart meters and the dynamically picking the cheapest price and that kind of idea. Execution has been a little different. One I have struggled with is I that there was promising smarter use of networks that work sensors for home security.
Stunningly, I've been disappointed to find nearly Bluetooth door lock or automated high-tech home security system has been compromised by one of our friends. I don't think that they'll get on any of that equipment they have tried, so it's ironic the devices we buy to keep bad guys out of our home may be the very thing that with the mentor homes, so we talked about nightmare scenarios and here in this future, but what do you think the most likely realistic first hack is? I know we have baby monitor screening, but what is likely to become compromised first in the over connected home?

I will take out again. So, if you have read the news lately about hospitals and the ransomware compromising devices to be able to monetize that, and one of the things I think started looking at, thinking about early on, is if you have a fridge that has a monitor on it, that might be hackable, and if I had your attention span for two seconds I'm going to serve you an ad, so whether the product maker intends that to be the outcome or whether someone hijacks that project to serve you ads when opening the fridge to get milk, maybe it serves for different the premise of the like that, but I would expect that type of driver to be the first catalyst for someone to want to hack a smart phone, smart home device to advertise to you, and if you do it the right way, I don't want to give me ideas, but if you do it in the right way it will be on the pet undetectable of normal operation of the device. It will say this fridge must have updated the software and now they are selling ads. I don't like that. You will think it's a manufacturer that did it. Again, there will be brand reputational impact. You can also see a similar thing accomplished not by actively reaching out to change something, but one of these smart homes go under or forget to renew their website and someone just goes and buys the domain name.
Now they have complete control of infrastructure that your smart devices are connecting to and they could again change the firmware, whatever. If they just put a file out there, then your fridge goes and retrieves and pulls it, that might be totally legal. I don't know. It's conceivable. We have someone who knows or would be able to tell us, but it's conceivable that it's legal, someone just forgot to renew the domain name, and that would probably be my first expectation, would be someone would hijack it to serve ads or other financial mechanisms.

I think a lot of people look at the devices themselves or how you can manipulate sensors, but most of the internet of things have some sort of back-end harvesting or storage or configuration, so that amount of information through any of these even if any retoucher device could be interesting on the back end. Anyone else?

I don't know if it will be the first, but I think one of the most interesting ones that will happen is one that is not hacked at all, but simply an extension of the logic of how this is developed. That's the notion Tim O'Reilly published with the O'Reilly books that the business model of 1.0 was advertising, then web 2.0, and internet of things will be insurance. There's another saying, I forget who said it, in the future every piece of data is a piece of credit score data, and there is a whole bunch of startups using that to figure out your financial viability. One of the things in the nightmare scenario, which is not even a nightmare, just an extension, but the notion Something Borrowed in which a protagonist can open his door because he's behind on payments with the landlord so yes unscrew the door off the hinges, and we start to imagine in the future we are like basically behind or your credit score says you are unviable to run the smart home and you are essentially locked in your house until you pay your back bills.
We imagine you turn your power up during the day and crawl out the one window that you have not turned into a smart window, and this is the logic that comes out of Uber drivers taking vehicles that are financed by Uber and there are financed in their cars are switched off remotely and they are unable to drive. We have already seen these systems evolve, where there are punitive punishments. It's interesting. You think you own a smart home, but we know from things like the Digital Millennium Copyright Act that in the future your house will be a license from the software companies, and if you fail to meet the terms of service you will suddenly be shut out of your house by not even hackers, but by the actual companies that supply this.

I think we can also assume the techniques for marketing that we have seen used in the smart phone phase will extend naturally to all of the IoT devices, so for example there are currently some enforcement actions potentially in progress relating to apps that surreptitiously, buried somewhere in the license agreement, received consent to turn on the microphone on your phone in order to monitor your TV viewing habits in your living room. Now, undoubtedly you have additional information also collected about the private conversations happening in the room, and we had smart TVs behaving in similar ways through the remote control collecting information with the microphone. So, I think it's reasonable to extrapolate from marketing purposes that all of the devices will look for new streams to monetize the information that they have access to.
Short of voluntarily binding themselves to never do this, in some sort of non-amendable way in the contracts, I think it's reasonable to expect that most of our IoT devices are planning on a secondary stream of income, and to the example of the locked up cars, we also had in a consumer scenario creditors who were cutting the engines on some cars while the debtors were driving, and that caused safety issues. So, while a car is maybe not strictly part of the IoT home, it is in the garage and vaguely connected, it's all part of this bundle of IoT devices that have that remote access capability, not only for the consumers, but for the authors of the code, and that creates a wrinkle in some of the traditional relationships of control that consumers have come to expect with respect to the product that they purchase.

I will give an exotic one. As soon as I learned of the cost savings you could have with the intelligent thermostat like from Nest, thank goodness we are good guys, but we had the idea of essentially small manipulation on a large population of Nest devices to essentially pump and dump based on investment and energy sources in the region, so you could make a significant amount of money quickly by making small adjustments to many homes' consumption of electricity. That's the more exotic one. I think one of the more troubling ones is, think how many devices right now are connected in your home to the wifi, just try to is it five, larger than last year, and how many will be there in a couple of years? If you look just at the home router, the wifi routers, about half of the original infection that made many reset your passwords or your social media accounts, about half of the original infection spread were compatible, so you had devices that were vulnerable to the attack, but could not be remediated at all.
A lot of these devices exposed, you may not have known they were even running this or connecting, so I'm more worried about the zombie leper colony of these devices where any one of them that fails is now access to every part of my home network including more sensitive work material, cameras that monitor my children, front side camera my television without turning a light on. I'm actually looking for devices that are not smart. I want a market for traditional dumb devices in some cases. That goes to my competition point that as we march bravely forward into this world of IoT, it's not only about consumer choice among IoT devices, it's about consumer choice with respect to how technologically connected these devices are. Losing the bottom end of the not connected devices, a form of impoverished consumer choice or marketplace becomes impoverished if we eliminate the ability to have a less vulnerable option when we need it. Of course, the scenario of the home and having just one device be a point of compromise, not only is the information on your home network, but if you're the State Department employee I referenced, that attacker who accesses your network through that one unpatched security camera can then potentially follow you onto your employer's network because if you are accessing that network from your home network they can piggyback on and suddenly they are not only obtaining your privileged information, but the privileged information of your employer, depending on who your employer is it to be a national security issue. We have seen exit no compromises happen by consumers who are simultaneously government employees, for example, when we look at the Sony DRM rootkit problem from 2005 where these CDs had code on them that is intended to be digital management code, but in reality it was coded in a way that opened a security hole in every system that the CD was played in. DoD employees played CDs in their work machines and other government employees played those CDs. 
The employees clearly never intended to cause you problems for their employer. They were just trying to listen to music, the same way consumers will never intend for their comical cyber toaster that they just purchased on a whim to cause a security problem for their government employer with sensitive information. I was at an event at the New York Auto Show last week and we were discussing security issues and one of the things was they had discovered a backdoor into one of the cars where gus, exploiting the CDs where various character strings in the CD, you can pop it in the CD and suddenly you can unlock access to the systems below. Also, it's funny you bring up the notion of purchasing your cyber toaster on a whim because there has been this interesting proliferation of interesting sites like wish.com, and others that sell inexpensive Chinese manufactured goods where we don't know the total provenance and we can imagine also said interesting state actor level stuff where you can push a profusion of compromised devices that can then create trojan horses into the homes where you are now your phone, your emoji and suddenly it's based date hacked into your wireless network and a has been, but now, we imagine this stuff in the house. I think also about a month ago, and I forget who it was, but someone in the law enforcement apparatus of the US government said we love this internet of things proliferation, can't wait to use it to find the flaws and use them to track down, identify, survey of potential criminals. Well, kind of extending that, a few years ago DoD forbid any use of these because they could become ways to transfer malware into sensitive networks. Now, does that mean DoD will issue a new memo saying you cannot have any smartphone devices? Back to an earlier point, what will that do to some a smartphone devices for now maybe potentially DoD or any state US employee might be forbidden from buying certain classes of device because they are so poorly secured over the lifecycle. 
So, that's one of those things that could become a wicked problem in the future. What her that in a relations we can even think about or expect right now that will come about 10 years down the line based on choices, design choices of purchasing choices we make today I think there is an interesting issuing professionals in the military where leaving incredibly strict guidelines, physical security access, what technology can use, with systems can access the network and we are locked out of people bring their laptop home for their work home and wearing currently lacks their. I remember one Christmas there was a story about the digital picture frames at Best Buy where certified pre-owned from China, but this is not a rare occurrence. Especially on the lower end of the devices for the consumer. I remember having to leave my electronic at a military base and could not bring anything in, but the general I was speaking with had a rotating set of pictures on his digital frame and I said so why is that allowed in here. This isn't simply about your home. It's about these consumer grade electronics. If I were a hacker trying to do competitive industrial espionage I would compromise microphone capabilities on all the smart TVs and in the boardrooms of my competitors. There are a number of cases and we are just not creative enough in our assessment of what people will do because our guard is down when we are at home. So my question is on used to moderating panel so I will ask questions, also. To me what's interesting is coming from an industry view, this is not something where consumers should be required to handle their own security. Test b manufacturer level and to me it's interesting that right now the whole internet of things is basically a gigantic glacial bottle of various standards. 
Yet Cisco pushing the internet of everything and GE pushing the industrial internet and there is people are fighting this a negotiating and boardrooms and security is a low-level discussion and to me, how do we bring that to the forefront with the manufacturers and also is there a way to sort of create the sort of nested hierarchies of secure networks inside of homes so that whatever I bring home does not automatically have same level of access privileges? These are not new problems. It's been addressed in every averment level, military and enterprise ideas. We have refused to deal with it. I would love to probe some of these. One framework we have been using for IoT is a very obvious question is when we saw this in the enterprise, we have it, by the way, but the assumption is how is IoT different and a really simple framework I use is very different adversaries have different motivations. There are different consequences of failure. There are different operational contexts. You will be behind a physical security and perimeters and network layers. There are different compositions of the hardware, firmware and software used. There's different economics, which is one of the big problems, and there's different timescales. Some of these things, the time to live might be a year and some 30 years. How often do you replace robin? So, those things take some of our best practices and shatter them. That is one thing, but within those there are a number of things preventing us from doing well. What do you think? If you look at corporate IT security apparatus, there's about 80 billion a year spent globally increasing it and about 10 year-over-year on products and services. I think the total number is around 2,050,000,000,000 if you include IT people and that's on top of the existing IT investments made. This is just add-on. 
If you buy a couple hundred dollars worth of smart home gear, will you also then buy a couple hundred dollars worth of security gear and managing to maintain it and give it out? I have done IT stuff. Denice IT security stuff in my day job and when I go home I don't want to do that, so it's like the story of the cobbler's kid has no shoes. I will be one of the worst people whom I stop will be woefully unprotected if you leave it to me to do it, and I am capable of doing it. I do it professionally, but poor people like my mom and other consumers who are less well educated in cybersecurity, what is the hope they could possibly be able to secure their devices in that corporate IT security space transplanted onto smartphones secure to? One of the other problems that exist is that we really have not created what I might call digital of the structure around security flaws generally, not just IoT context, but more broadly and traditional context. We have certain ways of assessing vulnerabilities, numeric system for trying to identify them, but those systems are not scaling optimally, particularly in a world where there are billions of IoT devices and if so these are bigger-picture problems about infrastructure information, infrastructure or vulnerability information sharing that we need to bolster and scale and improve in order to be able to get the information in a sensible way, to allow comparison of the products based on security, to help consumers make good security choices, these underlying steps are not yet fully developed. So, we like to talk about information sharing frequently in discussions of information security when talking about legislative paradigms, but just sharing the existing information doesn't solve the underlying structural deficit that we still need to work through. 
IoT is potentially crystallizing the inability of what we are currently using to scale in the best possible way to build our society out with this high degree of connectivity while maintaining the traditional balance of consumer protection and competition in the marketplace. I'm going to ask one more kind of rapid fire speed run of the panel and then I will encourage you to also ask questions. As far as what to do about it, I agree my neighbor will never be a security professional and they never want to have to be the IT person for their own smart home across dozens of devices, so we outlined several recommendations of what either add transparency to consumers or basic spec to capabilities to reduce possible harm. What do you think would be free to use one or more, what would be good additions to that we recommend or elsewhere that could make it so we don't have secure these things and we're getting more inherently secure? I think one of the biggest things is some of the existing consumer practices in non-smart devices. One of the things I found fascinating in talking to people in the retail industry is of course, we go in to buy something and we bombard the people with questions unless we have done tons of research and we know it is, and that's also one of the retail folks that concerns. So, if there is some way that a store employee or retail outlet can be able to have a quick answer of, yes, it's secure rather than well, here's what you do, put this in front of and do that, and if they can have those quick answers, that helps them sell more products, which goes back to the market competition drivers, so if someone comes into a store and says what is the most secure X device, and the retail employee can say it's this one, I can tell you why with three simple bullets, but also you can read for yourself. I think that is something that is powerful to go goes up to a retail channel. 
Barring that, there is remediated action you can go through if for instance someone markets something with a secure web cam or secure baby monitor and you find out it's very much not a secure device. There are ways you can contact the FTC to report these things, so this may be a technical thing, but that is something my mom can do and she has done before, to call the Better Business Bureau or someone and take that step, which a lot of people don't talk about in our industry. I think we should talk about those more. Okay. This might be the utopia, but I was begin earlier the discussion about recording devices and smart televisions, if I recall correctly the Samsung smart television where if you read the terms of service you that it was regarding accommodations and it actually said at the bottom do not have personal conversations in front of the television. That's at every thing because rather than have a television that did not record your conversations and rather than have the option to have it not record your conversations, you simply assume the risk it will record anything you say and be used against you. To me the utopian broader political discussion we need to have is we need to end the current data collection regime, which is the fact that any hardware maker with their services will collect everything they can from you and they own it. We need to have some sort of scheme or alter the scheme to create that you own your data, something like World Economic Forum new deal data or some other approach I would create real protection around your data which would then force the manufacturers and providers to then treat it with the appropriate seriousness rather than, you know, just don't have personal data in front of our devices at any time because they need a have to worry about it begins the one, which is the current regime. That's the price that it doesn't reflect, the data collection having, which goes to the broader transparency point. 
I think one other thing I will contribute before we open up for questions is the hopeful. That this is a space where technology tools can help to translate concepts for consumers, policymakers and creators of these technologies. We have a robust community of experts who can act as third-party auditors, but sometimes that information doesn't translate well and filter into the public consciousness to inform the less technology sophisticated consumers with respect to the state of the art of what we know to be true in the security research community. Building technology tools, being able to facilitate the translation effect both among consumers, but also to help small businesses, creators better embrace the importance of security by design from the ground up and to recognize that security isn't something you can slap on the end of the process. It's not a band-aid that can be layered on. Data needs to be inherent in the broader structure of the device and architecture of the device or it's a lose-lose both for the creator and for the consumer. Well, a very large thrust of the five star for automobile crash test is that you don't have to know the differences between the three star, four star, or five star and it becomes an actionable device for less informed public to tell relative safety ratings of different vehicles, and that's one of the reasons I five-star automotive cyber was not meant to be a checklist of security things thou shalt do, but more the kind of things you had invested so when the public becomes more savvy or interested in this buyer criteria they can at a glance in a consistent way until the people are doing. 
And several of those are outlined in here as well, but I think one that came to mind is there actually was a congressional action from a chairman of the House of Foreign Relations called the Cyber Supply Chain Management Transparency Act of 2014 essentially asking for food labels for software, that if you sell to the government you should have building materials used and no security defects and they should be possible. You can imagine how much the software industry hated this bill, but just yesterday we did a webinar with the financial services industry where they said that's a great idea and they basically are now saying to the big software providers, we want to see a food label of the software you are selling us in your commercial goods. That's where they stopped. What this allows you to do is make a more informed decision. Would that be good for my mother a lot? No, but could that allow organizations to tell who has better or worse hygiene, and one thing I'm telling all my friends and family is if you buy an internet connected device it better be patchable, and that's a simple thing to ask for, because, and the other thing I tell them to do is don't buy an internet connected device if you don't really need it, but part of it is you must be this tall to ride the internet of things, that if you connect it and expose it you must have the ability to fix it. With that, is anyone in the audience going to question? When a microphone. Feel free to also say what you think we should do for the actionable decision making. Go. So, one cannot I'm a security practitioner as well and one of the things I've noticed is I'm looking at these devices and I stop for a moment and think if I wanted to see how secure this device is, what would I have to do, and I think about it and I think about it and I think about it and compared to what I would have to do for a piece of software on my computers, it's unbelievable. I mean, and I do this, like I have the gear to do this. 
I don't want to have to buy two toasters and take one apart and start connecting to the pins employees in that kind of thing. So, I think the problem that calls for the star rating or whatnot, I think it extends farther in this world than it ever has before. It's kind of weird in that there is a level of transparency here that even though these devices are simpler, they are even more opaque and more than the more complex ones we are used to in cyber. Moreover, it may be illegal for you to do that analysis thanks to the Computer Fraud and copyright. Thank you for the comment. Let's take three of these and throw them into the melee. Over here. You can speak loudly, for the video, please. There is a new security research exemption for research on including IoT devices, security research that conforms to the limitations of the exemption, so basically everything is consumer product and loosely covered by this exception, which allows for the circumvention, not being a violation of the good faith testing and of the code in consumer products such as IoT devices in order to analyze the time for the integrity of the code and whether they are flawed. [inaudible] I'm in a different generation than you are and we used to play games with people's minds, so if I had something in my house and I knew someone was monitoring it, which is played with information, but it seems to me the networks passing laws that makes it illegal. 
They are collecting information on me and it's illegal for me to play games with their minds and that's my real question, like they will turn it into a security thing and by the way you just can't scenic it's one of the reasons the research community defended this act was to try to, if you look at the hacker community for example as an untapped domestic resource that can find flaws and improve and get them takes more quickly than why would we activate that resource, so there were quite a few prominent researchers to try to get exceptions for medical devices which kicks in in October. Messing with smartphones, it just won't necessarily be by individuals and not example of today Microsoft Twitter guy run amok turns to the point of people messing with your house to turn into fastest fascist. Do we just have to wait and see? That's a good question. So some of the issues without with industrial control systems, I think it's kind of an open secret that they are widely considered highly vulnerable and highly exposed and as high consequences from their failure. We saw recently there was an Iranian guy who is charged with hacking a dam. Luckily apparently the sluice gate was not operable remotely and there wasn't that much water behind the dam. So I don't know that we'll be able to head off all of those disasters. I don't know what their impact will be but I think to some kind of a planned response is important. We will need to some kind of response if and when that does happen. But doing all we can before that by having this design layer that takes the security into account is going to be really important. Being proactive certainly has a benefit to ever look at other historical legal context, for example, in environmental regulation, we need to wait for a river to be on fire. It wasn't until the Cuyahoga River was inflamed that we passed and got environmental laws in place. There's one of the most aggressive regimes we have. 
Rather than waiting for a river on fire event, it might be a more desirable and more logical strategy to be proactive and to think through the optimal pathway for crafting both responsibilities and structures of information transfer before we have a river on fire in an information security context. We may not get to it but one topic is the lack of in sort of software reliability as part of the issue. Also it stymies the insurance world as well. But one thing we should not assume is just because you can connect it to the internet doesn't mean you are required to do so, especially in industrial control systems. If you've ever played with Shodan, there are things that should not be connected to the internet that are and they have hardcoded default password you can even change if you wanted to. I used to say instead of worrying about sophisticated nation-state attacks, maybe first you should handle Metasploit, a free attack tool. Below that I realize wait a second, we are not in patching known for love those. Of Verizon report about this unless you have this stunning graphic that showed 97 of the successful attacks last year were due to just 10 known vulnerabilities and they had a patch available for more than a decade. Wait, maybe the lower level, minimum hygiene is make sure your industrial control systems are not nakedly exposed to the internet. I think we have a lot of things we could and should be doing and the easiest way to secure that 30-year-old industrial control system is to not have it exposed to the net. Something like Stuxnet that bridged the gap because of a bunch of other factors but we are taking significant elective risks through our unnecessary elective attack surface. I saw you first, and then you. 
Russell with Stanford University's Hoover Institution. There's a lot of focus on talking about software assurance, but given the fact the IoT is, the IoT in the home has toasters, ovens, refrigerators, dryers and washers, we are not looking at a hardware assurance as well and the vulnerabilities that are embedded within hardware. And since the supply chain for a lot of these things is coming from overseas, what are your thoughts on hardware safety? A lot of the work we do we talk about those differences, the third way, the fourth what is different in composition. What we need is a hardware or firmware software stack of widely different than you might see in an enterprise device. In some cases this common componentry, and others like you buy a pallet of some embedded Chinese chips for the cheapest that day and may be different the next day. There's no insurance. Are never as likely to be assurance on some of these things. There is an experiment with Underwriters Laboratories to make a cyber seal. The initial round will be on medical devices and industrial control devices. The likelihood when we talk about different economics with home and for consumer, this might be a Kickstarter thing with two employees in the garage and it may be the next thing bought for 3.4 billion. It doesn't usually get completely scrapped and rewritten. This is a particularly pernicious issue including the hardware you refer to. Going back to your earlier point about fluctuation arbitrage, at the bottom end is OEM chips you just bought off of random auctions listed, at the high end it is when your Nest is brought to you by Enron. The entity supplying it is engaging in various practices that would become illegal and then we have the rest of that which is not even hacking. It's simple manipulation. But we will end up with is we will have some minimum standard of care. Think about a commercial restaurant. You can't just have a commercial restaurant. 
Even though the hacker community hates any kind of regulation there are times when the government for public safety and the public good in the form of minimum kitchen sanitation code. There may end up being something like a gold star see where it's more of a carrot on a stick or a minimum standard but we'll have to come to put we device that can meet a certain threshold will allow discerning citizens to go buy those and only those. It may not be as deterministic as an Underwriters Laboratories guaranteeing this will not catch on fire. In lego engineering is deterministic and cybersecurity is not. We have a whole lot more complexity. I think what we'll end up doing is having to import whole lot more segmentation and isolation in the way we set up our dependence. You don't have to put software on everything. You don't have to connect it to everything else but it's going to take a whole lot of stumbling and fumbling before we get there. I will briefly comment complement one of your points. On the point of a minimum standard care for security, the Federal Trade Commission has instituted a reasonableness standard for security, and all companies and dental products as a consumer protection measure. They are enforcement activity, over 50, with respect to security and reasonableness is the hallmark of activity. There's a report called the Start with Security report that provides a list of practices that have been considered in face enforcement actions and it's intended partially as assisting document to start that are trying to struggle through these questions of hardware and software security in their new devices. There's a sister organization as well called build a secure and their unique focus is on very small Indiegogo, Kickstarter projects where they're creating guidance and reference architecture that you're going to make a Raspberry Pi, here's how to do it in a secure way. 
They're trying to take popular small electronic low-margin IoT platforms and provide free guidance and reference architectures that there's a better chance of it being done less horribly, better chance of less horribly. Earlier you had also asked about ideas for what we know to do to fix things. One of the things as I actually am starting a money going to be a cybersecurity analyst for the State Department, and I don't have anything smart in my house. If I were going to something smart in my house I would have three dumb routers and I would completely put all the internet of targets behind one router on one hand, have the internet come through the other and put anything that it wanted any level of security on on a completely different subnet and different branch probably why it. By the same token what I would like to know I don't like the opinion of you is considering some people don't want to use the internet of things, to have a mandatory rule of law that every device has a mechanical non-software controlled on/off switch so I can shut off the internet and not worry that it can be turned on through software and hacking. There's a click to turn off my TV's wifi, to turn off my refrigerator's wifi, the oven's wifi and so on. If it would be a good viable first step two of the people who don't have enough security sense. Montgomery told there's a switch. It's right back here, click it and you'll be fine. So switching to a dumb device, right? In fact, we were car shopping about three years ago and I tried to find even though I knew hackers look at most of the cars I could in which gore had the best security program. Fast-forward three years later, I know on a first name basis some really intelligent support person at every single cargo to its readers leaders I still can't answer what the best programs are. We of little glimpses in peaceable one of the more stunning moments on a trip I said to my wife, this car has 4G LTE wifi standard in all vehicles. 
She said, he said doesn't make you want to buy this car instead of the other? She said I don't think you know my husband. [laughter] Then he had to say you can osha to doctor she said I'm not a ninja to but a preacher I can't shut it off. And that's what I call them no, you can't shut it off. Some of the recommendations suggest you should describe to your customers what happens, how much it would still function when it's not connected or how much, what are the failsafe modes if it were compromised. Would be great to a safer connection. These are the discussions we want to stimulate. When you start making recommendations to consumer electronics companies we have released a list of options they can choose from. And to help consumers know to ask that question. Because unless you're married to a security pro or study it, you might not even know to ask that question. Of the car manufacturer and it's a multithousand the purchaser investing in. It's just something you care about but it didn't occur you to ask. To help consumers know which questions you ask into the pressure with their buying golf on companies to have good budget programs in place, to open the policies with security researchers who find flaws, to have feedback loops, that information available about whether there's a kill switch or human override. It an autonomous car and some is going horribly wrong that was simply not anticipated by the coders rebuilding this device. Code is written by humans. We can't anticipate everything. We are human and code is written by humans. So sometimes, you're going to mistakes and I'm a firm believer in the importance of maintaining human override in circumstances where unforeseeable event causes something. A lot of industrial control systems and medical clinical environments have a requirement for an analog override. We are losing that discipline and some of these other safety critical cases. Will have to find a way to get back. Department of Commerce. 
I want to say that parts of the government that are strongly encouraging cooperation between vendors and security researchers. But I wanted to talk about what we can do to leverage market forces independent of just combating control regulation. One example is collaboration between the National Association of Realtors and international consortium to have a checklist as you're selling your home. If you're buying any of you want to know what's in there and jordan know to get the first look at, HVAC system of debt. There's a checklist is a at least what smart devices on home and when with a built? Is not the best for security because it's not written about security but it's a good start. Are there other economic forces that we can use to collaborate so it's not just consumer versus spender but you can get some large powerful commercial forces on the side of the consumer? I like your example. One of the things we talked about in the paper is the right to be forgotten for homes. When you sell your home you change the locks. When you resell your home do you delete all the data from the system, that is personal data about you that goes to the new owner? What does that look like? Would you have to just change the entire thermostat because it is tied to your account with your password? Do just head over the past were too many people are moving? Thinking about those things, the lifecycle of the device, a fridge for up and or oven, how do you as a consumer, that buyer of the new place or the seller of the old place do that? Maybe your fridge just keeps buying meat and having it sent to your house and you're vegan so you move in and you just get all this meat shipped to your house. How do you stop that? You don't have the password to stop syndicate. What happens? So I like your specific example. Building off that, I'm curious, what are the basic interoperability standards between competing manufacturers? 
One example we have in the 5 quasi-nightmare scenario is, imagine you have each announced as coming from a separate vendor because you've added to it piecemeal. What happens when Amazon kitchen stops talking to your Microsoft bathroom? What happens if they are all jostling to basically fulfill your competing demands? We have all these things where the snow didn't see the manufacturers will lose have guarantee some basic interoperability. I don't know how we legislate the equivalent for what the smart home is or some standard on that. I don't think that's been looked into enough, or what happens when the manufacturers go to war with each other or just glitches between the two where you have unreproducible glitches from various rooms because of the way the systems are configured? We are going to now build it home. I'd like to take a parallel from auto lemon laws. Recent america wasn't the vision was to sell a vehicle knew more about its history than the buyer so it was a device put in place that did not add more information but maybe gave you an escape clause if he found something with the lemon law. You can argue those are not necessary more data with things like Carfax where there's more transparency about the events in the maintenance that went into that particular vehicle. That's at least for our part, it is spending time with the research community, they are not big fans of legislation or power structures. Most seem to be okay with the idea of transparency to enable free market choice. That's one of the reasons which we have tried to talk about food labels or demonstrate if it is patchable. One of the things we're going to tell people why we don't have five star ratings is either for vendors who have disclosure programs. In your initiative, in lieu of information I might be able to glean about automobiles is a short list of car companies who have or are about to have inviting researchers reported in. 
Someone with a front door welcome mat instead of an implicit beware of dog sign is more likely to with issues and fix those issues than an organization that doesn't. It's not causal but it's something I can act upon. I think one of the strongest issues will be free market forces and the best way to unlock those is to have more transparency to enable the free market choice her. In the commercial industry for smart buildings and smart kitchens and so forth, they talk about a 35 savings in operating costs. There's a couple of things I've been hurt in this discussion to one of them is IP version six is probably necessary. The other is there's a whole list of local and regional building code and building inspector issues that go on in terms of doing that bad retrofitting is almost impossible. Design it initially becomes the answer. Another word that probably hits the cards being is something called EMP, either by terrorists or by natural causes, like a solar flare to bring down the whole network. And then you might not even be able to crawl out of your window. So some of that hardening might be really interesting. So one of the interesting things that you mentioned that I will latch onto, maybe taking your point too far in a direction you didn't intend, but if you look at the fleet buyers of automobiles and have to do a software update today it requires physical access to be the update. To have to take the car out of service until they get the update done. If you go to any other rental car agencies, they might have a fleet of 100 cars at that location. How many hours does it take per vehicle if they had to go out and do that? Went to be taken out of service so they are no longer producing revenue? I can see a scenario in the future if you go to restaurant and say I'm sorry, we can't serve any food that requires refrigeration because we were waiting for the person to come update the refrigerator. Like in the commercial. [inaudible] on your cell phone via automatic updates.
Maybe there's something that you can do in the refrigeration but again, that means you must be connected to the internet. That's one of the things that opens up the greatest potential risk from adversaries the if it's isolated already then you have a better window I would say to be able to wait and maybe you don't have to shut down your fridge before you update. So the connection to the internet part is what makes you have to shut the fridge down before you can go and use it. Let's take one more question and then we will do some closing remarks. On sort of with Greg on the whole vision of the smart home with the Jetsons. I want to know where my fine car is? And but seriously, if you look at cars in the Highway Safety Institute and all the testing they do, until there is some entity that actually tests, not talking about standards, right, but, of course, voluntary, talking about people who crash things are do the equivalent of the IoT, how, my supposition is that consumers will never really know what is safe and what isn't, right, until there's actual testing. And so in order to accelerate something like that, Josh, you're talking about liability, if you look at places like the Mayo Clinic who have impose liability on their vendors, you know, if your software fails and there is a breach, you are liable. Through contract, yes. Through contract. Unless there's a consumer movement, right, to demand liability on the manufacturer who's bringing something into my home that has this vulnerability known, then I don't, without those two things I'm not sure that just relying on the goodwill of manufacturers to do the right thing. Because we know that something not going to happen. They will push product out the door with no vulnerabilities because they can't. Is will get to interesting legal territory.
When we're talking about physical objects, a chair, a table, traditionally the refrigerator their adventure protections as a matter of law under the version of a thing called the universal commercial code that has been incorporated by state legislators into all contract law. That gives consumers sort right to record. You can reject product that arrives at your door that are not conforming with what they were supposed to be when you purchased it. We have these protections for physical objects, but then over here in code land, the software has generally been shared with these end-user license agreements that say you use it on to own risk, whatever happens is not our problem. When it was a chapter of your latest book that got lost when you got the blue screen of death on your laptop, you are annoyed that you kind of dealt with it. But the blue screen of death on a medical device that is IoT is real death, right? So here we have this physical space, nor about liability come at a higher level of consumer protection because information disparities. And over here we have this as is where is known for supper. These are clashing in the IoT context. That's what we need to resolve. Courts are going to need to struggle with this and that's where the rubber is hitting the road in the IoT car, I guess. Sorry for that spent a teaser for a future discussion, one of the ways I met Andrea a couple years ago was posing the question of how is software liability the worst possible idea except for all others? Especially when it comes in bits and bytes. The basic thesis is you want to place the top burden and the party in the best position to avoid the risk and then they can offset the residual risk with insurance levers all swear. So this will come to a head. Maybe it's the first kid who gets hit by a self-driving car but I think I don't is what will trigger the condition it is better to have a plan before that moment end of a knee-jerk reaction afterwards.
Let's just do a 30-second closing remarks in any particular order and then let's have she said it took a river on fire to trigger protections like the. I think they can of the fire to great the National Safety board. Someone has written a lot about air travel. I agreed to I would love some of the National Transportation Safety Board for the internet of things where I work flights. I sleep like a baby on the because I'm it's the safest thing I can possibly do given the oversight of the. A plane crash is zero tolerance and also as antifragile cold weather several culture to improve it and make sure it never happens again to patch of those older those. I don't know what it would take to create a cultural shift but that would be a great thing. A glitch, a nest that burst at our neighborhoods across America, something like that. I don't think you get a cyberattack, I do know if we could even plan hackers by some horrific failed a glitch or death for property damage might be what it takes. So kind of drunk on your point a little bit, you said the manufacture will not get us out of the goodness of arts. Not only that they can. There is fiduciary responsibility of management to return investment to the shareholders. Until security becomes a monumental or significant financial issue for organizations, maybe they can't. Maybe that's one of the faces we should start looking at more is how do we make cyber safety of financial issue for organizations with carrots and sticks, market demand, whatever it might take. That might shape and shift the landscape more than some of the other things. My final thought is coordination opportunities. Playing on that last point, while some entities will argue a producer duties requested maximus profits and cut corners on security, different organizations will argue long-term maximization of corporate value instead requires investment in R&D in building the products of that will engender loyalty from our customer base and keep them safe.
So coordinating, rewarding those kinds of behaviors across all parts of our ecosystem. For example, the Securities and Exchange Commission issued a guidance that strongly encourages requires disclosures of material breaches of security by publicly traded companies. They made some comments that perhaps the disclosures in the 10 days are not quite the level they were hoping for, but coordinating information in the marketplace that's coming from part i of the enterprise with double degenerate disclosures that are coming from part b and looking for the big picture story about how ended because of security or doesn't care about security and what affirmative measures are they taking to be the best version of themselves in order to help consumers stay safe, to engender a sense of trust in the marketplace, and to nudge forward innovation in a way that bolsters our economy as a whole rather than compromises our information flow. I want to end on a kernel of hope tying a few things together that we heard. At our first constitution caucus, Andrea, Beau and others with her and Andrea told the whole room it was going to take a death, it would take a river on fire before anyone would listen. Our stubbornness said we are going to try, old relationships and trust and use empathy and we want to be safer sooner together. And sitting right there right next to Suzanne Schwarz last year started a pretty intense exchange of education and awareness across between industries. And when we talk about you said it would take truth of harm of medical device to trigger a corrective action. Similar to your point, dead body. The week before death cant that issued the first ever essentially recall the Safety Committee patient on a hot fire proof of our because through the dialogue they conclude an unmitigated pathway to harm was sufficient to trigger a corrective action.
Now in the guidance pics of the idea of saving lives and waiting for really bad things to happen, we are stubborn enough we're not going to wait for that and I think discussions like this and collaborations will allow us to be safer sooner together. Let's take it to the next stage. Thank you for your time, and thank the panelists. [applause] [inaudible conversations]

Coming up on C-SPAN2, a conversation on privacy, security and government surveillance live from the Hudson Institute in Washington at 12:15 p.m. Eastern. Later, President Obama travels to Flint, Michigan, to meet with local officials and residents about the water contamination crisis. And the president speaks at Flint Northwestern High School. You can see that live on our companion network C-SPAN at 3:55 p.m. Eastern.

Both Iraq and Afghanistan I hope those countries with their constitutions being sort of facilitator of agreement on key issues among Iraqis or Afghans. Your influence is considerable, state or government very anxious to meet with you when you ask for a meeting stake Sunday night on Q&A, former U.S. Ambassador to Afghanistan and Iraq and the United Nations Zalmay Khalilzad discusses his memoir The Envoy. Speed and we saw the extremes such as Zarqawi exploited, although we've been directed towards the end of the period that I was there by the surge, by reaching out to the cities, by building up Iraqi forces, by establishing a unity government killing Zarqawi at the end, to bring about security. Violence was way down but, unfortunately, when we left and the documents held by rival regional powers, pulling Iraq apart, violence escalated every device has now spent Sunday night at eight Eastern on C-SPAN's Q&A.

Earlier this week a new head of Voice of America made her first public remarks since taking the job. She spoke about the future of VOA and challenges in international broadcasting. She spoke after brief introduction and then took questions.
Welcome to newcomers and welcome also to those watching online and watching on C-SPAN television. My name is Adam Powell. I am the president of the Public Diplomacy Council, and I am the director of Washington programs for the USC Center on Communication Leadership and Policy. There is a green light on. More about our partners on [inaudible] communication leadership. They are hosted by the American Foreign Service Association. Our guest today is, the new director of the Voice of America if she has a long and distinguished journalistic career, biography on the reverse of your programs. She's one to go surprises what she said when she was sworn in we do have to change. We must change. We need to change in a big way. So change is coming. Change is here. Amanda Bennett. [applause] Let's just test the technology before I start. Is this now working? Is everybody dreaming of? That's terrific. Thank you. And thank you very much, am come and thank everyone for coming here. I look at in the audience and I see all kinds of friends and colleagues out here. I so appreciate your coming and I can't thank all of you for being here so I'm going to single out one person from the Voice of America, Alan, whose greatest the Voice of America kept me from making an error in his speech on about today. So I need to thank them right now. And then second, I'd like to acknowledge my predecessor as director of Voice of America David, who has been as helpful and warm to me as a human being can be in helping prepared for the speech other I like that one too please acknowledge David booth at the Atlantic Council. [applause] So is Adam says it will do no biography just flip the page over and read it yourself. But let's get a couple things you might not know because I am of an age that I was part of a movement that cheap airfares and curiosity about the world sent all of us out around the globe. And the migration of a don't think it ever happened penetrate before when it was associate with the war.
So as a result of this when I was in high school I was an exchange student in the Philippines. When I graduated from college I worked as an author in Paris taking care of six children into bulldogs. I spent the early years in my career in Canada, and unless any of you have any misunderstands, Canada was then and is now way more of a foreign country than any of us acknowledge. Later I was a second Wall Street Journal correspondent in China at a time when the newly opened country was most definitely a foreign country. Since then I've worked at five different media organizations and I had a really, really good luck to be the winner of all of them were at their peak of their journalistic power and reach, and all of them known for their seriousness and integrity of principles. So for all this I am way, way more of a journalist and diplomat because the medm going to say I'm all journalist, no diplomat. Many of you in this room who have followed the Voice of America, led Voice of America, worked for or with Voice of America are way more expert than I am at the diplomatic purpose of Voice of America. But I'm here to save you that I think that we are very much more alike than we are different. And the great journalism is, in fact, great public diplomacy. So let me remind you just briefly what happened we sleep and the changes that have already come to Voice of America. Under the leadership of new CEO John Lansing who is the CEO of the broadcast board of governors of which VOA is the largest part, we shifted to five strategic focus is. One is that we will target our resources towards five specific geographic areas, and issues that are vital to U.S. foreign policy. China, Russia, Iran, Cuba and violent extremism wherever you find in the glow. We will accelerate a dramatic shift to digital and social media, emphasized impact on hold ourselves accountable for that.
And has strategic cooperation across the fight independent networks that make up the broadcast board, and acquire external content. So not only do I completely agree with these goals, I also believe that these issues reflect in large measure the challenges that are felt by news organizations all around the world and are also being felt inside Voice of America. So curating and cooperation, these are hallmarks of the modern media scene. Competition once ruled journalism as multiple media operations were competing for audience, fighting against each other to distinguish themselves. Yet for more than a decade news for physicians have all realized they must share resources in order to succeed. Partnerships proliferate, nonprofit organizations partner with for profit organizations. Radios hard with newspapers. All digital or possessions partner with print and TV. And even as we've seen with Panama Papers, the creation of a multiorganization, multiplatform, multicountry coalition that bout itself into a virtual investigation team. So would only make sense in this environment we do our best to bend over backwards to collaborate with our partner organizations, Radio Free Europe, Radio Free Asia, and the Office of Cuban Broadcasting. And as for impact, what else Hester Elizabeth about in the last 40, 50 years? Ever since Watergate all media or possessions, all the journalists have striven covenant i. Domestically to protect our children, to eliminate abuse, to expose corruption, expose inequities. Internationally to work to explain and root out terrorism, genocide, human suffering wherever you find it. So in the area of digital, just this morning I had the great pleasure to announce that we will have our first deputy director of Voice of America and more than two decades. Sandy will be joining, has just joined Voice of America and she comes to us from a robust beauty and digital background.
She was critical to the newsroom's move to a digital first position of the Washington Post, reorganizing the entire news operation to support that goal. And I knew started based on social sharing she was the managing editor who learned how to use all different platforms to curate and combined content ever to reach different audiences. And her aim will be to accelerate our booth to popular and emerging technologies, to engage as many people around the world as possible, especially in places where there is no free press. We need to get our audiences where they are. Now I say that the biggest issue for last, which is saved actually being the Voice of America. Most American news organizations are already coming America. Telling America's story. They just don't realize that's what they are doing. We need to cover foreign policy, of course, but we also need to cover America. We need to cover America through the benefit of the people around the world we are trying to reach. And to do that we need to use the amazing resources. We have most of them inside the building right down the street, to create unique, interesting use, and to speak to the vital interests of the people we are trying to serve. So what does that mean? It doesn't surprise me at all that one of the most popular features of our Russian Service is a video dictionary of American political terms. Little videos explaining what's a soccer mom, what happens when you filibuster, but this canvassing mean, and how about the Bible Belt? One of the most popular stories come out of the Russian Service was a little feature on a 90-year-old California woman who was delivering groceries to her neighbors, which within minutes of it being posted through tonight assures him, took the comments thing I wish we had that in our country. I love seeing the picture of a normal American society. How about other topics that are of great interest to the audiences we are trying to target?
Well, I don't know if it will surprise you as it surprised me to discover that Iran is crazy for we need to create a robust coverage of entrepreneurialism which is the hallmark of our society to cover Silicon Valley come to help connect the ideas that come out of Silicon Valley with a young entrepreneurs in Iran a need to know and what to do so much about that. These will be stories that appeal to people who aspire to have the kind of starters and success that you find coming out of Silicon Valley, and to me others of them around the world. How about American business? I don't think it's any accident when you think about what China is like now to realize that Iraq a rockstar in China is one of the. We need to beef up our coverage of American business and its deadly of American philanthropy, which is probably the most robust of any in the world. And write about these topics can not just about the features but this is topics that are of interest to our audience around the world. We need to build exciting, unique content that speaks about the assets in the United States in ways that our audiences want to hear and can relate to. Like education. From the wealthiest high official's child to the child of the poorest Nigerian or Rwandan or Ugandan or Tanzanian, every parent of those child realizes that education is the key to their better lives. We need to put our heads together inside Voice of America to get ways to cover on American education in ways that will speak to these hopes and desires. And there's medicine. People may apply to other countries to get their faces lifted, cheap treatments, medical tourism. But they come to us when they want to save the lives and the lives of their loved ones.
Our coverage of medical issues, like Zika and Ebola, literally saves lives big and expanding the coverage to coverage of medical advances on the cost and availability of drugs, and simply our knowledge of the best ways to keep our families healthy will help translate the things that are wonderful about this country to our audiences. In Africa, in Asia, in Afghanistan there is a huge hunger for news and information about women, about their education, about their business success, about their striving for independence, about the things that lead to their development and growth in the world economy, and the forces that are holding them back. We need to devote our resources and our thinking to helping to explain and encourage that movement and that information and that knowledge. So we need to cover everything about America. We need to cover the good and the bad, as William Harlan Hale said in February of 1942, just days after the beginning of our intriguing to World War II. He said in the first VOA broadcast com, as you all know, the news may be good, the news may be bad. We will tell you the truth. We will cover the country honestly and fairly. Its troubles in shortcomings, but it will not be a fair picture unless we cover all the other things about America as well. Its people, its energy for change as well as its force to resist change, its generosity as well as its agreed, its hope equally with its despair. That striving for a just society as well as the failures to achieve it. There's an amazing amount of resources and passion and commitment inside the Cohen building, and among our brave and dedicated responders around the world who face danger every day to bring us in the rest of the world for news of their struggles. I believe we can show the world the amazing things we can do, and in doing that we can truly be the Voice of America. Thank you. [applause] I will not subject myself to questions. [laughter] Please wait for the microphone and identify yourself.
Thank you very much for an excellent presentation the my name is Greta Morris and I am a retired Foreign Service public diplomacy officer. And thank you especially for talking about the various issues and subjects that the Voice of America is covering. I wonder if you could talk just a little bit about the media, because the media of Voice of America has changed a lot since 1942, with VOA television and also digital media. If you could just comment a bit about that and how you make the choices but which kind of media to use. Thank you. I will be happy to add to that question. I first need to make an unpaid political announcement, which is Adam's keep persuasion brought me here at the end of my second week in the office. [laughter] I don't want to say that I'm here, I'm happy but it's really not fair. But actually, actually, you know, coming into the Voice of America made me realize how much the struggles inside the Voice of America near the struggles of these organizations all around the world. They are actually is very little that is unique about the process of moving from one technology to another because he had the exact same issues of trying to protect your legacy means of tradition at the same time moving as quickly as you can new technology. This is very difficult, very complicated and very expensive balancing act. You can't use it because all this group of people is moving to this kind of taking the news, that we will throw away this kind. This is a subject that all media has grappled with for the last two decades come at a don't think it's going to get any easier because what we're finding is just as soon as we get up and we think we're at the cutting edge of technology, a week later technology has moved. What we need to do is try to figure out how best to reach our audiences with news and information where they want it, how they want it, and in the platform they want it into the best weekend at doing that.
And that means becoming much more nimble and much more attuned to the way our audiences consume media. I used to work it into your as used to work it into your as to what used to work at NPR and stewart occasionally as a commentator spent welcome, college. Thank you. My question, you talked a lot about information and mention nothing about culture or music or comedy or any of the other things which commercially sort of our the Voice of America worldwide and are very, very powerful. And also there's a lot of success in the record of Voice of America into the music and other cultural expression to have you any plans for that, for not only cultural coverage but for transmitting cultural impressions because I complete the acknowledged and no that part of history of Voice of America is a history of the culture, and I think I have some ideas in the back of my head. As you think of some kind of interesting stuff going on out there that would be a very great use to the Voice of America. I don't want to talk about these because a lot of these require negotiations with other parties but it involves bringing parts of American culture out to the rest of the world that have never seen them before. I have to say that yes, you are right. It's not my forte but I certainly recognize this is an extremely important part. This woman here was next, and then you, sir. Stick a mic night is back here though. [laughter] My apologies spent this woman comes next after you. We've got to get the microphone up front. Paul Delaney. I spent most of my career as an editor and reporter at the New York Times. On the way over I ran into 89, white men, African-Americans it's biggest I apologize. I'm having trouble hearing you. I don't think the microphone is on. I'm not getting what you are saying. On the way over can you hear it now? One, two, three. Go ahead. I will try.
I ran into a nonwhite non-African-Americans citizen, and when I told him where I was coming, he asked what, I've heard of Voice of America, what is it? Is there any way that you can explain to Americans what Voice of America is, what it does, introducing to the average American who has never heard of Voice of America? And I'll answer that this way. Those of you with a deep knowledge of the history of Voice of America no part of the historical roots of Voice of America coming right about the time of World War II, there was a prohibition on Voice of America broadcasting its content into Detroit for obvious reasons. He didn't want to create a government competitor. I think given the fact the pervasiveness of social media people getting information on social media it's almost impossible and certainly irrelevant to block the content to the United States which is not competing with anybody. In today's media but I feel like we have a great deal to offer citizens in the 20. So that's one way of answering it. The second way of answering is, I was considering this job from Christmas time until I took the job two weeks ago. I was paying a great deal of attention to what was broadcast, what was written, what was on the website, what was on it at. I was listening to things as I went for walks. It wasn't until I got inside the building that I realized how much awesome stuff is being produced inside. It's for some reason not getting out in ways that we can easily consume and appreciate. So making people around the world more aware in different ways of what a terrific content is being produced I think is going to be one of our biggest challenges. Because there's almost more stuff going out there that you can squeeze into a single app or a single newscast for a single web app. So I think we need to figure out how to use our content over and over and over again.
Effect under no this has been done and I don't know whether he will actually ever get but do you know that video, that video presentation of the American political terms that was done for the Russian Service? I thought it would be really awesome to subtitle it in English and say here's what the Russians have details about what our political system and. Put it on YouTube and see what happens. Why not? Why not try things in a bunch of different ways? Why not take the content we producing and use it in as many different ways as we possibly can? I think there's a big job to be had there because seriously there is way more really interesting stuff going on Voice of America that even I realized. Now. Thank you. I was struck and very much appreciated the third point you made in your presentation about the mission of of America, which is to talk about America. To cover stories within the United States. All different kinds, but I was born in another country. I came here as an immigrant because I found it to be a fantastic place to live and raise a family. And so I'm glad to hear you wanting to cover those prospects of this great country, as well as the negative ones which are very easily covered by anyone who has a newspaper. Bad news is always easy to find. Do you expect to find any controversy within Voice of America for those kinds of stories that show the whole picture? Because the journalists, by their nature, gravitate towards bad news and because you don't want to seem like a propagandist anyway. I would like to emphasize I'm talking about writing positive story to talk about writing interesting and important stories. The way I would say is if anyone were to objectivist I was there when I was in my late 20s I covered the American automobile industry. When their sales were going up we write about why. When the sales were going down, we wrote about why. It was a beat. We were covering a beat, writing stories about a beat.
Some of them wound up being good, some bad, some neither good nor bad they were simply stories about what was happening. Why were managers being laid off, what was going on? I think thinking about the United States of America as the biggest, most interesting, most vital be you could mostly think about the beat of our ask the look about this. I'm not saying going out and cover positive story to I'm single out and cover all stories. Don't transcribe news you hear from events happening. Go out and make news. Make news by finding out the stuff we don't know about and tell us about it. That's the way I would explain it to know this gentleman. Mike Anderson, retired Foreign Service officer we all know the commercial American media have had to reduce their overseas presence. They have cut back their bureaus around the world almost consistently. Has the same trend happened with VOA I can you talk about we have correspondents and you have enough of them? Just some thoughts on the need for Americans to be overseas reporting directly from respected countries? If you don't mind, two weeks another probably get away from the issue of budget resources, what we need except to say if you ask the journalist do you need more resources, the answer is probably not going to be no. So that's the first thing. But yes, I see two things being a tremendous opportunity for us. One is the necessary reduction of overseas assets but America and to be pretty much all American and western European news operations all over the world. And also the pouring in of similar assets by those we might consider our target audiences. And so I think putting those two things together mean that if we use our resources wisely and well, which I believe that we are, can and should be doing I
