
The theme for today is uncomfortable truths. This is Beau and Josh, and they're going to get started with, I guess, a 30-minute "hello" talk about the Cavalry for a bit, and then we're going to get to more open discussion. Right? Cool.

All right, thanks. So, who was in here for at least part of the day yesterday? Okay, and who is new to the track today, just coming in? Okay, good. So yesterday it was a very one-to-many kind of interaction: we were standing up here talking and bringing other folks on stage to go through some of the things that they care about, that they've seen, their wants, needs, desires, fears, hopes, dreams. Today we're going to be a lot more collaborative.

So yesterday, just to recap, we started out and just did an overview of I Am The Cavalry. If you're not familiar with I Am The Cavalry, we're a grassroots initiative that started three years ago here on August 1, so we're two days past our third birthday. The idea was that as we looked around the infosec community, we saw a lot of the types of failures that we typically have: servers crashing, laptops not coming up when they're supposed to, such as our AV fail over here, mobile phones getting malware on them, all of these types of things. We really hadn't seen a consequential failure. We hadn't seen loss of life. We hadn't seen a massive scale where people started to distrust the technology that underlies some of these societal systems. But as we're connecting software to more and more of the things around us, the consequences of those failures will increase, so it won't be as much about credit card data, PII, and it will be a lot more about loss of life, loss of trust. And as we started looking around and talking to government people, corporate folks, others who might be looking at these types of problem spaces so that we could fix them, we found that there really wasn't anybody in charge, right? We got as high and deep as we could and found that we were the adults in the room, and that both scared the hell out of us and empowered us to be able to take action and to decide our own fate. So that's how the name came about. We said if the Cavalry isn't coming, then the responsibility falls to us, and so I Am The Cavalry is all of us saying I will be part of the solution, I will not go quietly into that night. So that was our introduction yesterday, just basically briefing the people who haven't yet heard about us.

Then we started talking about hacker heroes. We had Keren Elazari do a great talk. If you didn't get to see it yesterday, it's recorded and it'll be posted in two or three weeks, kind of calling out all of the protectors in the crowd, the people who want to solve hard problems because they know that it's a global good. We had a panel where we tried to talk through some of the hard problems that we see every day as well as the things that we've done to overcome them, right, to show the progression of things over the past five years, where five years ago if we got a bunch of us together in a room we know what would happen: we would get drunk and talk about the problems and admire them. Today we've started talking about what the solutions might be so that we can solve them and move towards something better and work on raising the waterline for everybody.

In the afternoon we came back and we heard from Jen Ellis and Amanda Craig about what's going on in public policy in cyber safety, and they went through a lot of different pieces of legislation, of regulation: state, federal, international, talking about how, whether we want to or not, cyber security is now a part of the public policy zeitgeist and we can't ignore it anymore, as well as talking about some of the successes we've had with the DMCA exemptions for security research in medical devices and voting machines and cars, and in getting a Michigan car hacking bill fixed, so where it was terrible before it's now much, much better because of this community, right, sticking their hand up and saying "wait a minute, something's wrong here" and then going and engaging in a positive, productive manner with those lawmakers.

Then we moved on to our healthcare cyber safety panel discussion. It was magical, as Josh says. So that was a lot about what's going on in the industry, some trends, looking back three to five years and then coming to today, what's happening, and then projecting out another year or so to see what's going to happen. And we had four really, really good talks that were just five-minute lightning talks from different perspectives. We had a US regulator, the US FDA's Suzanne Schwartz, talking about how they've been working to bring the entire community together in healthcare, so not just medical device makers, HDOs (healthcare delivery organizations) and the government, but bringing in security researchers as a part of a healthy ecosystem, and how important we are to them. We had Colin Morgan from Johnson & Johnson give a very good talk, and you've got to go see it if you didn't see it yesterday. We had a video of his kid saying that his dad is a superhero because he works on these things that help people and he keeps the bad guys from hurting them with the medicine machines. "Medicine machines," yeah. He also told a personal story about the path from Johnson & Johnson's perspective and how they've gone from "what's security in medical devices?" to a very clueful organization that has a lot of good things coming and has done a lot of things already. We then heard from Jay Radcliffe, a security researcher, talking about the maturity of the entire ecosystem and some of the baby steps that he's seen in the past five years, where we've come, and how not only have the companies matured and gotten better about responding to us, but also the FDA and ICS-CERT and other government agencies have gotten better about dealing with security researchers, but the researchers themselves have also stepped up and they've been more willing to work collaboratively rather than just dropping 0-day at Black Hat. And it's not because any one group stood up, it's because all of them collectively started standing up and going around in a virtuous circle. Then we had Quati, who is here, give a talk from a physician's perspective, and he basically said, "Look guys, this isn't about you, this isn't about manufacturers, it's not about the FDA, it's about the patients. Patient safety is the number one concern." And then after that talk we had a car talk, which I wasn't here for because I had to run upstairs, so why don't you debrief on that?

Yeah, we've had the most progress, I think, in automotive and medical, so that's why we really highlighted them yesterday. So I basically showed the five-star cyber safety framework we published two years ago and then gave kind of a progress report for how many and which parts of the automotive ecosystem have embraced it. So instead of showing a highly technical presentation, if you want to go look at this, I showed the kind of slides that are appropriate for being ambassadors into that community. We also glossed over who was on the midday panel with Nickerson, but that was basically the head of cyber security for Philips Medical, one of the guys from NHTSA, which is the National Highway Transportation Safety Administration, the regulator equivalent of an FDA for cars, and we had Sasha from Exxon with an oil and gas perspective. And the goal there was to kind of show these are areas that are working, why they're working, and where the passion plus personal responsibility and ownership had really made a dent. So some of those examples came up again in the car place, because we were able to show where NHTSA was essentially not involved, or where some of the automakers were in an adversarial relationship with researchers, for some good reasons, and now how you have Tesla, Ford, excuse me, not Ford: Tesla, GM and FCA, Fiat Chrysler of America, have published coordinated vulnerability disclosure programs, with a few others coming soon. So that was really a progress report of what's succeeded to date against the five-star cyber safety framework and the overall ecosystem, and then we adjourned abruptly.

So Beau's overview of yesterday is not bad. I see some new faces, so I'm going to show a few little framing things. The purpose of today is: if yesterday, emotionally, was where we've won and where we're winning in the first three years, today is really freaking hard problems that we don't know how to fix, really hard ones, and we want to have the candor and the trust with each of you to speak very aggressively about some of these. In the morning we want to really tackle uncomfortable truths, and one of the things we've experienced is, and this is a great line, I think it was from one of the presidents: the opposite of a profound truth is not a profound lie, it's another profound truth. And most of our hard, intractable problems are where you have competing profound truths that come into tension, and we can't be so polarizing as to say "well, my truth is more important than your truth," because that perpetuates the stalemate. So one of the things we want to do is surface some profound truths that make this really, really hard. In fact, one of the things I alluded to in the cyber safety framework for auto is star number three, which I'll show briefly in a minute: evidence capture. We don't have any security logging, evidence capture, in automobiles at all, and one of the reasons we don't is actually that friends of ours that are privacy advocates have been so harsh on the automotive industry historically, and on the government historically, for good reasons, that none of them are willing to get in that fight again. So there's a really intractable problem where really good privacy goals are coming in tension with really important forensic and NTSB and accident investigation goals. So rather than us admiring the problem or being stuck for years, the goal of the Cavalry is to be safer, sooner, and we can only do that if we work together, and that means we really want to hear some of these.

So I have some horror stories I'm going to share from the Health and Human Services cybersecurity task force of how dangerous modern healthcare delivery organizations are, and we don't know how to solve some of those problems. We're hoping to surface some on agricultural technology, which threatens parts of the global food supply. We hope to talk about some of the oil and gas issues if people are willing, and we're also going to shut the cameras off at the moment someone wants to, so that we can have really important revelation in surfacing a ground truth. And the idea is, later this afternoon we'll take some of those ground truths, and if we have uncomfortable truths, they necessitate uncomfortable solutions. So even though we kind of hate regulation, we kind of hate laws and we kind of hate lots of parts of society, when we have cars that can kill people, or airlines that can fall out of the sky, or oil and gas pipelines that can explode, we have mandatory safety things, and now that bits and bytes are meeting flesh and blood, even if it's uncomfortable, we want to surface maybe some possible solutions to rise to these challenges. So with that, I think I'm going to show a few framing things, especially because there are some new faces, and then I'd like to get into some uncomfortable truths, if that's okay, and if you have one we want to hear it. So I'm terrified right now by clinical medical environments, agricultural technology and some of the oil and gas stuff, but maybe you've got an even worse one that we haven't heard of yet. So this is where we want to surface some of that stuff. Anything else?