
...where you said "this is my crusade," and then you took that to the workplace and got the workplace to support your crusade, instead of you just waving the banner, sitting at a conference by yourself going "care about ERP!" and everybody's like, "we don't know what that guy is like."

Yep, yeah. So, you know, I would describe any company's relationship with their ERP vendor, regardless of who it is, as an incredibly bad marriage with an incredibly high cost of divorce. So you just don't do it, right? You stay tied in with that, and every passing year your technical debt grows, right? You add 11,000 more customizations. So what helped is when I went to my management and said, look, I'm not going to mention the word security or vulnerability or risk, but how much money are you willing to pay tomorrow for a bad decision from yesterday? So I basically used technical debt as a way to drive a lot of the security discussion, and it actually worked very well. Luckily I'm in an organization where safety and security are non-discretionary, so we don't have to worry about prioritization and whether it's above or below the line. So if you make the right case, there's very good support in our organization.

Right, that's awesome. Thank you. Those things are really important to me. Does that resonate with you guys, those pieces where people can get empowered by their passions and then actually turn that into work?

Yes. Awesome. Yes we can, yes we can. Tell me more.

Yeah, I guess I apologize for interrupting you. Now I will send you ERP Pony inex.

Okay, sounds good. You know, last year she crashed our panel too. I love it though; I feel like it's just a thing that happens. Audience participation. I'd rather her crash than other people, so I'm good.

We first met at Christmas.

Yes ma'am, it sure as hell was. I told you to take my seat because I was done.

Which you're like away from. That's why all of these, the white ones, say participant, not attendee, not just dude who shows up or gal who shows up, but person who gets involved. That's the spirit of all of this. Yep.

So yeah, I just wanted to add on to that, I guess. Me being a transportation researcher working with the federal government, my job is to save lives, basically. There were 35,200 lives lost last year on our nation's roadways. Right now there haven't been, as Josh I think was saying, any consequences; we don't know of any in-the-wild cyber attacks that have caused a fatality directly on America's roadways. What excites me, though, and what I want to get at, is something Karen actually said, so she's still here, I was glad. You know, government moves kind of slow; she had a slide up there. What's exciting for me is we're actually starting to change. We actually see that now. We've talked with Josh and had different meetings, we've talked with other people here in this room, not just working with the big three car makers or the car makers, not just working with academics, but working with small research organizations. We're listening. We're trying to change, because traditionally we are reactive; we have to wait for a problem or the burning river to happen, and we understand that's not going to happen. We do move too slow, for that matter. A lot of companies move too slow for that; that's why there are patches every week for stuff. So I do appreciate that, and I do think that's something that has excited me and my team now: our administration, what we're doing now, is actually recognizing that, and we are trying to change, trying to make a difference, and we want to keep it right now with no consequences as much as we can in the future.

Was there a point where that, for you, kind of got executed into work? Like, was there a thing that you did to get them to know it, or did it come from on high, or how did that get sticky?

So, should I give the truthful answer or the government answer? I mean, we could turn the camera off.

I'd rather them know the truth.

The truth. I'll say the truthful answer. It's pretty effective when you can take a high-level politician, take a policy maker, take your boss into a car that's doing 45 miles an hour down the road and, from your phone, push a button and have it steer to the right.

Demos.

Yeah, demos are very, very effective. It is a dog and pony show, yes, but I'll tell you what: you can read about it, or you can actually sit in the seat, be on a test track and do this. It really wakes people up, and when you see that potential for this to happen, you start to listen and you start to understand. These are not easy problems to deal with, but we have to.

Awesome, thank you. One exciting thing on that: you mentioned 35,200 lives lost on the roads, and one of the things that I know the government is racing towards, as well as the auto industry, is autonomous vehicles, the simple reason being that 94% of those, and these are stats from your BX, correct? Right. 94% of those are from human error. So if you can take the humans out of the loop you can potentially save tens of thousands of lives, and what equates to basically 80 to 100 deaths a day on US roadways. So, one of the things, when I was talking to an automaker in Germany, they said, "Beau, we're German, we move slow so that we get it right, so that we get the security and safety stuff right." I said, great, while you're moving slowly there are fatalities on the roadways that could have been prevented if we had maybe abandoned some of the security controls. So I'm not advocating for going the other way, but either side of that spectrum is wrong, right? Because it will cause death. We have to find out what that middle point is, and maybe abandon some of the things that we think we should do out of muscle memory or reflex, like "oh, put antivirus on it" or "long passwords," right? Maybe we need to rethink what that is and find a different way, which could also then, if we find a way to do it in cars and medical devices, etc., maybe we could retrofit some of that to the IT corporate arena and have fewer failures there too.

Last one: passion to progress.

So it might sound kind of corny to you, but I've always been a boy scout. I like fixing things or making something happen the right way, and I guess my passion or my aha moments are, in order for me, I know that I have the ability to fix it and make that difference, and not just within the organizations that I operate in, but even at the larger scale. So that's why you see, and those that know I'm out there know, my word is my bond, and that's how I'm able to execute. And I hope that by bringing in others that have similar responsibilities, I help elevate the entire whole. So that's kind of my hit, man.

And so in that, and I'm stupid so I have to take notes for things, in that, was there a moment where you got to bring aha up the food chain and say "I'm taking this on," and they went from "no one's doing this" to "yeah, you're taking it on, we got you"?

Yeah. Again, back on the whole demo piece: by bringing the dark side into your offices and tearing down the walls so that there is no dark side, they have the same objectives and goals that we do. That was sort of some of that aha moment within the organization, and so I needed to bring them in. We needed to demonstrate directly, "your babies are ugly here, we've got to clean some of these dogs up." And so when you do that, and you do it in a compelling way in your organization, it means a lot. And not just for us and for what we do, but I remember talking with Billy Rios about one of his last pieces on the pump, and until he actually uploaded and showed the FDA the demo of it, that's when they had the aha moment and they got it. He could talk about the compromises and the vulnerabilities and what was discovered until he got blue, but they weren't going to get it until they could actually see it smacked right in front of their face. So keeping it smacked in front of their face is kind of how I try to keep it.

I think there's also a second important lesson there, which is he demonstrated it to them, not dropped 0-day on stage.

Right, right.

So one of the things that I've observed is if you go in and talk to people in a trustful, clueful way, with respect on both sides, then they'll listen to whatever you say. If you instead put them in a position where they're surprised and have to react, they will probably react in a way that is opposite to what you want. So breaking down that wall between people who are both trying to do the right thing and bringing them together is a really, really crucial part of doing this.

I think that's awesome. So again, I'm very simple, so I distill those things in the way that I hear them, right? And to me, everybody's story speaks to me in a different but really congruent way, where we have demonstration being one of those kinds of things that helps you break down the walls. But there are also some really poignant other things, I think. When you were talking about the ERP plan and being able to bring that to a financial means, it's changing and translating the conversation, right? But the real key of that really wasn't financial. The key to that, that I heard and that I can see in some ways, is that you reframed the context of what was going on into their language. You said, if you care about safety and security, I'm going to put this into the bucket that you care about, so that I can be passionate, you can be passionate, and we're on the same goal and on the same path. And I think that's a huge thing for all of us to learn from. In the beginning, beyond demonstration, what I got was this kind of pride of ownership, right? "My word's my bond, that's what I do, I say I'm going to do it." And I think that's another really, really powerful thing for all of us to start looking at and learning from: to say, if you're going to do something, and you do it with integrity, that integrity is going to gain you the type of political capital and the type of flexibility that may not be present. You may have to work ten years to get your integrity to the level where every single time they say they're going to do it, they do it, and then you'll have those pieces. And the demonstration piece is beautiful, because demonstration is actually really hard. Demonstration is so hard because you're trying to figure out how hard do I hit somebody with the Nerf bat, to annoy them enough to know that they could have got hit with a steel bat, but not hard enough that they're mad at you for hitting them with a Nerf bat. And that's a real kind of delicate line to play. So being able to do that and execute on those things, I think, takes the integrity, I think it takes the pride of ownership, I think it takes, where with you I see this impact, it takes being driven by the amount of impact that happens. And the more impact that happens, the more fuel I get about it, the more passion I put into it, the more impact happens after that, and it's this fireball that goes down, using each one of these things that you guys kind of have some distinct views on, together, to break down all of the walls and to change what you love doing into what you're doing.

And if I can just add to your comment, I think one part that you mentioned I want to emphasize even more, which is, this may not be the most popular thing to say, but if you want to influence your organization, you have to start speaking their language, right? You can't do a backflip every time you find cross-site scripting. I'm sorry, in the grand scheme of things it just doesn't matter. It really doesn't. Whether to fix that or not is just another business decision, just like whether to upgrade a valve fitting or whatever, or build a new campus. It's just another business decision. And I think we will have far more respect in our boardroom and with our senior management when we can speak more of their language, which is around business prioritization, forex adjustments, depreciation, resource capital around the world. I mean, that's how these decisions are made, and we can't continue to be kind of odd stepchildren in that discussion, right? We need to start being active participants in the business discussion.

Yep. Lastly, of my interest, because I'm selfish and I get to moderate so I can ask you questions: how do you survive the fatigue? Because you guys are making profound changes in macro industries that have never been able to make these kinds of changes. You're breaking down huge walls that people aren't even willing to scale, and breaking bricks is tiring. Like, what do you do to stay in the game?

I used to say drink. I don't say that anymore. I don't know whether it's because I'm getting old or whether my fatigue outlasts my ability to drink. But now, for myself, I'm an introvert, so I just go into a quiet room and sit and maybe listen to some music, and spend my weekends not leaving the house, which is maybe not the healthiest thing, but if you've been in DC lately, it's like the temperature here but with also 100% humidity, so it's not really fun to go outside. But I know other people deal with it in different ways, and I think the condensed answer would be: whatever recharges you, go do that.

What about the rest of you guys? Because I imagine y'all have secret tips that I need to learn from, because I get tired quick.

So for me, I mean, it's not fatigue yet. Automotive cyber security is kind of an emerging field. You're starting to see companies now have cyber directors report to CEOs. You're starting to see companies make changes in their designs. You're starting to have companies come to at least us, the government, and say, look, we realize this is a problem and here's what we're doing about it, and we want to tell you because we want you to get smart too. So right now it's not fatiguing. I mean, it's really an emerging area right now. Back to Karen: government slow, move slow, no change. But this area right now, because of automation, because of vehicle-to-vehicle communication, because of higher-end audio systems in the cars, this is all the new frontier. Ten years ago, "let's go hack the car," okay, that meant cut a brake line, pull the throttle cable, maybe sever a steel belt on the tire and 100 miles later, ha ha. Now the cars are equipped with, I'll say, the tools to allow them to be compromised, or to allow them to be vulnerable. You can't take a '57 Chevy and steer it to the left, at least from a computer. So for me at least, and at least my team, we're not fatigued. This is a new, emerging area. We've set up a new division, I have a new lab, and it's very exciting for us. So we haven't hit that point.

You know what, good. And what an opportunity for people who feel it, to look at your industry and go, I need to go somewhere where the fuel is. There are also probably a lot of people in this room who can help fatigue you if you want. We can get you there, don't worry. Is this the whole "lead a horse to water, can't make him drink"? We can make him really tired.

To those points, I would drink, and I own a brewery too.

Oh, okay, so we're putting drink back into your story now. Yeah, address you guys.

I'll tell you, for me, when you asked the question I had kind of a little bit of a crisis. I'm like, wow, I've never thought about that. But the honest answer is I would agree with you. It's not even close. I've barely gotten started. I have so much left in the tank, let's say, where no one's even put a dent yet to slow me down. I feel like I still have a tremendous runway of passion to carry me through all this. I don't feel the slightest fatigue.

Awesome.

Yeah, I don't feel it at all. And I'll tell you what I want to do: I want to build a world-class software security program, and we've just gotten started. Not even close yet.

Love it.

So I would describe kind of your fatigue as, I've hit that wall, and because you're constantly, as you said, trying to knock the bricks down, and you hit a few of them and it's like, okay, this isn't getting me anywhere. And so I also don't know if I'd call it fatigue, or more, how am I going to approach that wall in a different way?

Sure.

And that, for me, is: I try to go back into the toolkit and understand, you probably faced this in some other fashion and another different means, what did you do, what did you leverage from there, who can you seek out. So I get re-energized by making sure that I have colleagues and others that I can bounce things off of in order to find a different way of scaling that wall or trying to knock it down. So that would be kind of my way.

Awesome. Sneaky, too, because I asked those questions for really specific reasons, more to kind of highlight that, as all of you have a ton of passion in this, you're still going and just getting started. And I think that shows that you don't have to have long periods; you have a quick recovery between rounds, ready to go. And that to me proves that passion can be put to make progress, and it's not just "I'm going to set progress and go do it." You have to put your heart behind it. And if you really feel that you can make the change, you can be the change. It doesn't have to exist. I mean, look at our whole industry: it didn't exist, right, 30 years ago, in hardly any capacity, and now we're renting hotels out. It's crazy. Like, that to me is totally crazy, and we're doing it so that we can get together and go, these are the things that we're solving, these are the problems that I have, and this is a community of people, like you said, around me where I'm beating bricks and I don't know where this problem's going, and people are like, oh, we've done this and this and this, and now all of a sudden the road is completely open. When you thought you were at step one, you're at step ten. And I think that all of us have a ton to learn from each other, no matter who has what experience, or who's in what industry, or at what step of the process you're in. I think just sharing those things, being passionate in a way, and trying to leverage each other's brick breaking together is how we're going to make progress that leaps each other each time. We're never going to go from 1 to 2 to 3 anymore; we'll probably go from 1 to 5 to 30, and that's why we're growing so fast. And I think that people like this are driving those forces. I mean, well, you're literally driving the force, but everyone else is pushing the force. But I think they're really driving that. So I know we have to wrap up, but I want everybody to think about what types of changes you're seeing going on in the world, the big world, right? There are devices, there are all of these things that we're using, there are people that are out there that are pushing the gas to say, okay, we're going to start securing these things. And instead of just worrying about what's the next symptom, let's start trying to figure out any way that we can work together to give all of the people the most help that they have, and put as much fuel on the fire as we can to actually go forward. So I thank you guys, I thank you guys immensely. I get to learn tons of stuff, so whether other people do or not, I'm insanely selfish in the fact that I love it, because I get to hear all these things and these wonderful stories. So thank you so much for all of your efforts, and if there's anything I personally can do, please let me know, and you've got my everything I've got. Thank you guys.

Thank you.

So with that, we're going to break for lunch, and we'll be back here at two sharp for a very interesting talk with Jen Ellis and Amanda Craig from Microsoft on how hackers are changing policy and policy is changing hackers. So thank you, and see you in an hour and a half.
is a lawyer so um you can blame her for anything not of Microsoft but officially I got a lot ofre some State gave me something uh so we're going to cover some of the major developments and then we are going to go into the specific areas that Cavalry focuses on so uh Medical Transportation public infrastructure and home um and then we're going to talk about how you guys can get engaged in policy should you so wish to do so um in terms of major developments this is the big the gold standard major development that we have seen in um the the past year that has had an impact on what I would call cyber safety what we
would all call cyber safety perhaps um so basically the dmca who is familiar with the dmca quick show hands okay so I don't probably need to tell most of you but uh in a nutshell the US has two copyright laws CU one is just for losers um so there's one basically says copyright's a thing and we should respect copyright we like copyright and then there's the dmca which says uh so about that copyright thing uh yeah we were serious about that so if you circumvent technical protections that are put in place to protect copyright that's that's a problem for us so not just the copyright issue but also the circumventing technical protections um what this means is that a lot of
research has been uh subject to the dmca uh because often research involves circumventing technical protections um now what the dmca does uh does it does a couple of things firstly it has some permanent carve outs some permanent exemptions uh to address this problem but they're very very narrow so one of them is um about reversing the hardware but it has very narrow restrictions and one of them is about um testing uh security of data and Transit encryption very narrow very narrow boundaries um so if you wanted to do things like look at firmware traditionally that has been frowned upon um when I say frown upon I mean with handcuffs um so uh the dmca also has this secondary
thing it does where it says okay uh this is about technological controls and Technology moves faster than law so uh what we're going to do is we're going to say every three years we'll open a process where you can apply for an exemption and you apply to the copyright office and the Library of Congress because they know a lot about security research um so so that's what it says and the idea is you apply and then every three years any exemptions that exist apart from the permanent ones that I just mentioned roll back so even if you already got some in you you you lose them and you have to go through the process again and they have this sort of
multi- process where you apply and then there's a comment period where people can say no that sucks I hate it and then there's another comment period where people can say no I love it it's great we should do it and then uh there's some testifying that happens uh testify and then and then the Library of Congress and the copyright office look at all of this stuff and they go and they talk to other parts of the government and like Allan and they come back and they say yes or no on your exemption so so why is this a major thing for us well last year we went through this process and there are a whole bunch of people who
participated in requesting exemptions for security research there were four security research requests that went in one for security research for medical devices uh one for security research for uh cars and two for for General uh consumer oriented technology consumer research so the copyright office in the Library of Congress got all of these in together they looked at all of them they went oh these all kind of overlap we should do something that encompasses all of them and they went and they talked to Nitsa who went and uh they they talked to the FDA um and they talked to the ntia uh at the Department of Commerce who said yes security research is a thing and it
helps us support a free and open internet we should support it it's good we like it and so they said oh okay oh that's good right we like it yes uh these technology manufacturers though and their alliances they seem less enthusiastic about the whole idea they've written some letters uh what should we do and N um and uh and the FDA and the Nia gave much more balanced advice and So eventually what happened was uh the Library of Congress and the copyright office said okay we will have an exemption for security research one exemption and it will cover any consumer oriented technology uh provided it's not in production so no wandering around hospitals unplugging and plugging in USBS um sorry to
spoil your fun but because this is all a little bit like we're not really sure what to do and it's still going uh we're going to delay it for a year so you can you can do this it'll come into effect but rather than it being immediate we're going to delay it for a year except for voting machines because there's kind of a thing coming up um so please go test voting machines um so anyway uh so the deadline for this when it comes into effect is October so for the people who have traditionally not considered themselves technology providers of which in the iot space we deal with many um who you know they're now dealing with lots and lots and lots
of lines of code but don't think of themselves as technology providers they think of themselves as car makers or medical device makers or whatever it is for those people they have this sort of looming deadline and it has an impact it has an impact yeah that we're seeing already and the actions of some of these companies that don't consider themselves technology providers but increasingly are um there are numerous examples of this um one is the NTA process uh the on vulnerability disclosure there have been many automakers and some Med medical device manufacturers that have participated in that process and have attributed their participation to kind of a better dialogue with their regulator because it demonstrates that they recognize this is
an issue that they need to deal with and that they are engaging on it in addition GM in January of this year published a vity disclosure policy in in coordination with hacker one then in April May Johnson and Johnson uh published a coordinated vulnerability disclosure program as well uh and then most recently in July Fiat Chrysler America FCA published uh a bug bouncy program in coordination with bug crb great so we're starting to see like real developments and the alliances in this space are kind of pushing their members to kind of understand hey October's going to happen researchers who have been too afraid to disclose in the past and have been storing up vulnerabilities are going to suddenly come out of the
woodwork and they are going to disclose and you're going to have to have process in place to deal with this so we are seeing a huge cultural shift which is actually awesome I mean this is like the best possible thing we could hope for bear in mind though we have two years and then this goes away and we start the process again so the battle is certainly not done done um and because of this because of this sort of strange process where you're applying to the Library of Congress which looks like a very technological place um because you're applying to the Library of Congress and the copyright office and you're going through this sort of strangely um intensive process
and there's lots of uncertainty um and and really this is about something that isn't a copyright issue I mean most researchers don't as far as I understand they're not really trying to um defraud any company in terms of the copyright stuff it's it's really just like hey you have a vulnerability let's fix it and not put people at risk um so because it's not really a copyright issue at its core there are people who are trying to get the DM changed at a sort of more basic level and there are a number of different ways of approaching this uh one is to work through sort of the more traditional routs of getting Congressional support trying to get legal reform um the
copyright office for what it's worth is actually quite supportive of all of that uh in conversations that we've had with them they've been like yeah yeah we don't really we don't really know about this we don't really think we should be making decisions on it we're happy to support this um another route to go is you who could launch legal action against the copyright office which is uh what the eff and um some other people are doing that was announced last week um I don't want to get too much into it because I really like the eff but um I think that our my personal view on this is that our better path forward is
through collaboration and finding common ground and building trust I think that is a massive theme of I am the Cavalry um and if you don't want to build trust and find collaborative opportunities this is possibly not the room for you um in all honesty and so I kind of feel like you know when you sue people you sort of undermine a lot of that um and whilst I don't expect Alan to comment in any way shape or form I imagine that when you know when the research Community decides to sue the copyright office it does make The Advocates that we have had feel a little sheepish in continuing to advocate for us um so there you go that's my personal view on
it I still love the eff in support of the eff uh but that's my personal view so development of medical I've been talking a lot so we're going to ask some other people to come and talk instead um so first we're going to welcome Suzanne Schwarz from the FDA who's going to talk about some changes they have made which is very [Applause] cool uh yeah uh here have mine thank you
all right yeah so a lot of what Jen had provided in the introduction are um areas and items that we feel U very very much align with and um I'm going take a step back actually so how many of you have had any kind of interaction at all or know much about the FDA the Food and Drug Administration so there's a fair amount of number of people here okay um and and obviously we're the regulatory agency uh responsible for different medical products I come from the center for devices and radiological health and it's our Center our medical product Center that oversees that has oversight on both the pre-market as well as po postmarket authority of medical devices that are
distributed uh within the United States and the last few years has been a huge Awakening for the FDA as well as for more broadly speaking I would say the healthc care and medical device ecosystem in coming to terms with the challenges with respect to medical device vulnerabilities and the need to address those vulnerabilities so if I were to go back a few years time some weere around the 2013 period the spring of 2013 we experienced our own wakeup call with regard to vulnerabilities that were brought to our attention and needing to really therefore engage with the industry with the medical device industry in a manner that is somewhat different than we've had in the past and
what I mean by that is recognition that there's a need for raising a awareness educating doing a lot of Outreach on a topic that many of the medical device manufacturers I'm not going to say all but many of the medical device manufacturers really did not have on their radar as being something that needs to be addressed uh in a in a very proactive manner the ecosystem for us is a complicated one because of the fact that it's not just medical device manufacturers but are the end users the healthc care delivery organizations the hospitals the clinical sites the patients that utilize devices and just because a device is regulated by the FDA doesn't mean that we have
that kind of end-to-end oversight and authority over the device's use once it's deployed out there in the field, within the hospital or within a home, or, you know, with a patient who has a device that's implanted. So when I think about what we were faced with at that time, it warranted the need for us to really embrace the idea of bringing the community together around the necessity to address the challenges with respect to medical devices, and
and develop, and then you have all those devices that are actually out there in the field, call it the postmarket side. The way that we have been addressing medical device security is by messaging and socializing the necessity for the total product life cycle approach to medical device security. So for new devices, new technologies that are emerging or that are in the process of being developed and designed, the need to be able to build in that security as a priority from the beginning, to bake it in, not to kind of have it as an afterthought, to deal with security and then bolt it on afterwards. We know how challenging that is. And so, I guess it was back in 2013,
2014, we had released what's called guidance that provides to the medical device manufacturers what our expectations are for manufacturers to address cybersecurity in the premarket phase. But that's only a part of the story. I wouldn't even say that that's half the story; it's a fraction of the story. The bigger issue are all the devices that are out there in use in the postmarket, many of which are what are called legacy devices, or devices that were built at a time where, again, security was not on the forefront of the manufacturer's or the healthcare delivery organization's mind. And these are devices where, day in, day out, more and more vulnerabilities are being
identified and are emerging and need to be assessed and need to be dealt with. But we can't, we absolutely cannot, do this alone. And so we went on this campaign of really engaging all of the stakeholders within the ecosystem, and this was also very much in parallel with efforts by the administration, through the issuance of executive orders and presidential policy directives, that set a certain expectation or framework for what government regulatory agencies working with the private sector could be doing in order to improve or strengthen cybersecurity of critical infrastructure, and healthcare, public health, medical devices are part of that infrastructure. So we embarked on this journey to understand all of the wants, all of
the needs, all of the challenges of the stakeholders in our ecosystem. And in so doing, it becomes really, really critical to bring the security researcher community into the fold, and to give the security researcher community not only a voice, to be heard, to be listened to, to be paid attention to, but respect and a seat at the table, and to recognize the value that security researchers provide by way of expertise in working with the medical device companies and working with the government in understanding the vulnerabilities that are out there and how we need to be addressing them, and addressing them in an expedient manner, in particular when they present concerns for patient safety, which is ultimately
what the FDA is concerned about, and I think what we're all concerned about. So we, through these efforts, came to know I Am The Cavalry, Beau Woods and Josh Corman, really, really well over the past couple of years, and this has turned into quite an extraordinary partnership, by virtue of really learning from the security researcher community as ambassadors to us for that, and our being able to exchange information and present the perspective that the regulator has, as well as what we know of the stakeholders in the community. And I would go so far as to credit this type of engagement, this close collaborating and partnering with I Am The Cavalry and with others, with
the medical device manufacturers, with the healthcare delivery organizations. But the level of engagement was so closely knit that the guidance that we issued on postmarket just a few months ago, back in January 2016, was considered to be a rather solid, a rather robust guidance, and one that people across the entire ecosystem could kind of nod to and say, oh yeah, you know, this policy makes sense. Obviously there are tweaks that'll have to happen with the guidance as we finalize it, but what we did was we introduced concepts that we believe are really critical, and that is coordinated disclosure, the importance of coordinated disclosure, of researchers working together with manufacturers, working with
also information sharing and analysis organizations, as part of developing that transparency and having processes in place for handling vulnerability information as it comes in. So we built into the guidance recognition, you know, the fact that FDA recognized those standards, and that we consider it really, really important, as part of the management program, the overall comprehensive risk management program of medical device manufacturers, to undertake their assessment and their management of medical devices from a cybersecurity perspective with these standards in mind. Now, I mean, I can go on for a very long time, but I think I've already taken a lot of time, so maybe we can get that addressed a little bit more during whatever Q&A, or if people
Yeah, and there's, I think, a medical session after this, so you can ask questions then. Okay. So, you know, one thing that I want to call out there, that I think maybe people are modest and don't call out themselves, is, as Suzanne mentioned, when the FDA was working on this stuff, they collaborated with members of the research community, which, you know, all props and all power to the FDA for doing that. That's a huge thing. It actually is creating a new model, and I think that they deserve a round of applause, which I can't do holding a microphone. The other thing is that
there are people in this room who also participated in that process and also influenced it. And, you know, from time to time I have heard or seen people question what the Cavalry is doing. To those people: that's what the Cavalry is doing, and that's where the strength is. It's behind closed doors, in non-showy, non-ostentatious conversations. But, you know, there are people in this room who had a real impact on that stuff, and I think that the FDA would acknowledge that they added value to the conversation, and I think that deserves to be acknowledged. So I'm going to ask you again to give a round of applause. But there's more. So this was
not everything on medical. There were some other things that happened on medical, and Josh is going to come up and talk about it, and if you don't know who Josh is, then there's no point in me introducing him. Hey, Josh. I promise not to yell. Sorry. I think I'm supposed to hit the task force. Yeah, the CISO bill. Okay. So there's going to be more medical content throughout the two days, but for this chunk, if you didn't see this morning, there's one more thing I want to embarrass Suzanne a little bit more about. We didn't get in a long bio for
her, but when I first started getting aware of this, it was people like Dr. Kevin Fu, who had done some medical hacking; it was Barnaby Jack, before we lost him; it was Jay Radcliffe. And people had been trying to do this, but they left very, very frustrated. In fact, they believed that the FDA-type situation was intractable. One of the doctors yelled at Jay at some point, not an FDA person, saying there's no dead bodies, this is academic and esoteric, and until there's proof of harm, you know, real dead bodies, we aren't going to do anything. And I kind of bought that initially. But meeting Suzanne, I mean, she's an amazing
equivalent peer to the rebellious, you know, passion that we see in this community. You know, the FDA, government, I think Frank said this, government moves really slowly, but there are change agents and people that are just like us who are looking for that teammate in us. So if we can be a teammate to them, they will be a teammate back. So every time I talk to her I get more impressed. But she was a trauma surgeon, burn unit specialist. I mean, every part of her fiber is about saving lives, and now we have a new way to do it together. And even though we believed that you would need dead bodies to see any
significant change, last summer they issued a safety recall on the Hospira drug infusion pump with zero dead bodies, zero proof of harm, and they had the presence of mind and the courage to push, in a pretty hard government circumstance, to really see that an unmitigated pathway to harm is sufficient to trigger corrective action. We don't have to wait for calamity. And I think, as much as I'm really proud of the people in this room that helped bring the security research perspective, none of it works if we don't have amazing teammates. So she's one of my heroes, and I hope that people get to know her better. Really briefly, one of the things that's been a fruit
of this is we've established such trust that Congress, in the CISA Act of 2015 in December, which most of you know is the information sharing bill, had a provision in there asking HHS, Health and Human Services, to do a one-year task force on cybersecurity. There were 20 people to be picked, and I think because of the work we had done, they wanted the researcher community to be one of those 20 voices. So Michael McNeil, who was up here earlier from Philips, one of the largest device manufacturers, is on the task force. I was asked to represent the research community. So people who have worked on healthcare delivery, or are doing
research on this, if there's anything you want pulled into that process, we have a 12-month assignment with six things we owe to Congress, HHS and the White House at the end of it, and we're about halfway through. And some of the stuff we're going to cover tomorrow with the cameras off are the really, really, really hard problems that we are really, really, really concerned about. So I think a critical linchpin in making hospitals safe is making the devices more rugged, more resilient, more defensible, and I think Suzanne's part of the universe has been very helpful in raising the bar on individual medical devices. In addition to that, this task force is now looking at how do you make
healthcare delivery organizations, that still use Windows XP and really old gear and don't have SOS and are wide open and naked to the internet, and in many cases we... her work is very necessary but insufficient for this other stuff. So one of the policy advances I think we should be very pleased to see is, A, that they have a focus on cybersecurity, B, it's an open process, and C, that one of the 20 voices is basically us. So if you weren't aware of that, please load me up. We're looking for people who have pen tested HDOs, who have clever or innovative ideas. We're looking for academics who can find more realistic ways to prevent attacks. And I think the real
big wake-up call for them was the Hollywood Presbyterian hospital losing its ability to provide patient care, and the ransomware is just, it's like shooting fish in a barrel for the hospitals. They just are not in a position at all. So if you missed this morning's stuff, we're going to dive into that a little bit more tomorrow. And the second thing is a little less related, but it's another good sign. I guess, just like in the private sector, sometimes a CISO reports to the CIO and there's a little bit of inherent conflict of interest. At HHS there was a bill introduced to basically give more power to the CISO by stripping it out
from underneath the CIO. I don't think there was necessarily a structural problem, but they said, you know what, the operations and the cybersecurity of a government agency is important. So they invited me to be a... I guess I did my first congressional testimony. I still didn't do as well as Jen did for her toys, but, yes. So it's an intimidating process, and it's a lot of work. But here's the good news, bad news: this is going to happen more often. So now that we've started to build trust relationships with some of these key congressional committees, they don't all get hearings,
but several times, almost like once a month at least, there's an emergent topic where their members want to get smart on something. So I have to find, like, the world expert on crypto that can actually talk to a congressperson, like, now. So you might get a phone call from me or from Beau or something, where we're not necessarily looking for the best crypto person, we're looking for the best translator. And as they recognize how dependent they are on cyber, we're going to need to build those muscles. And we're not always going to do it right, and we're not always going to use the right words that this community likes, but I think it's a good sign
that we've had a few now, like Dave Kennedy, yourself, me. We're starting to establish ourselves, that whenever there's a cyber topic they at least might ask us our opinion. So we might not be on camera on C-SPAN, but we are at least being asked for information. I think that's also a very good sign. Is that what you wanted? Okay. [Applause] So, yeah, so there's lots happening in medical, and I think, sorry, I'll remember how microphones work at some point. So there's lots happening in medical, and I think the key takeaway here is we are seeing progress, which is kind of awesome. So on to transport and self-driving cars. Thanks, I appreciate
it. So there's a lot going on in transport as well, and not just in terms of cars, although cars obviously make a lot of headlines on a regular basis, and there are a lot of things happening there. So I'm going to talk about some car stuff and then Amanda's going to talk about some aviation stuff. So there are a few things that have happened. So one, has anybody heard of the Michigan car bill? All right, a few. So Michigan introduced a proposal for a state bill, and it would have made it an offense to access the computer systems in a car without permission from the
manufacturer, which again kind of makes research pretty illegal. So this was introduced by the Senate majority in, I'm going to try and get my timing right on this, April, end of April, and then very, very quickly there was a response from the community. So a coalition of researchers and people from the security community responded in private in a letter and said, hey, super concerning, you're basically making research illegal, and kind of pointed to the fact that there have been some instances of published car research that's been very valuable, and that, you know, we're thinking about lives here. And got a really great level of engagement from
from the bill sponsors. So they came back and they said, okay, this sounds serious, we should consider it, we should talk, let's chat. And there's been some back and forth, and the proposed changes that they're looking at making would make it that the car's owner can give permission to somebody to access the systems, and they're defining owner to include, like, a... what's the right word for this? Is that the right word? Yeah. So it's much broader now, and it would mean that I can give access to you to do work on it as a researcher. They are reconvening, I think tomorrow is when the
state legislature comes back, and we don't know when the bill will be reintroduced, but we do expect that it will be introduced with updated language. So again, yay for researchers collaborating and kind of moving this forward. Then there were a couple of things that happened on a federal level, and one of them was, and I can never remember the name of this, I always refer to it as the NHTSA bill, which is not what it is. No, the other one. Yeah, the National Highway whatever it was. So this was proposed beginning of the year, and again it had something in it that said it would
be a federal offense to access the computer systems in the car without the permission of the manufacturer. Again there was a strong response from the community. This actually did have a hearing, and so the Commerce Committee had a hearing and they called in NHTSA and some other people, various Auto Alliance type people, and they kind of went through it, and there were some questions that were asked in the committee hearing about researchers and what the impact would be. And generally speaking, like, the feeling is the bill is not going to move, and if it does move then the language around this particular
piece will be changed and adapted. And so again, it looks like we're making the right kind of progress, because there is a high level of engagement. So at the moment, I mean, I think you guys are probably all aware that nothing much is likely to move in Congress this year; there's kind of some other stuff going on. So nothing's moving anytime soon, but the question is, when we're thinking about movement, we're thinking about what's going to happen next year, what will be reintroduced, what might have legs. And so the engagement that we're looking at driving is really about how do we improve things so that when they get picked up next year they'll be less
damaging. And so it looks like we're going in the right direction with that stuff. So then the third one is, as Josh mentioned, the SPY Car Act. This is Senator Markey's bill. It was not this year, it was last year, and I think it was in the early part of last year, so this is old. SPY Car stands for Security and Privacy in Your Car, or For Your Car, Act, and it is looking at sort of measures that automotive manufacturers can introduce to advance security or improve privacy in automobiles. Again, super unlikely to move. There are some good things in it and some questionable things, and that is
generally the case with legislation and legislative proposals. So it's about engaging and educating. If you are interested in looking at this, you should take a look and then reach out to Senator Markey's office. They have been talking a lot to people in the community, they've been talking to the automotive manufacturers, and as I said, some of the stuff that they're proposing is actually pretty cool, and it would be very interesting to see what happens with it. But then there are also things like, there's a pen testing requirement that seems a little like it may not be very practical. They want to do the car stickers that say how secure you
are. I don't know how that would work in practice, but I kind of like the idea of it, because then I think it gets consumers into a point of view of thinking about security and having an expectation of security information, which we don't have today, and anything that improves security awareness I am a fan of. But it's really unlikely to move anytime soon. So that's pretty much what's happening in Carland. That's the main stuff. And again, there are people in this room who have heavily participated in moving all three of those bills on, in terms of the language, if not the bills actually moving. So again, if you're one of those people, you should give
yourself a big pat on the back, because that's awesome work. Thank you. I'll just highlight a couple of developments in the aviation industry. The major development was this year, very recent, in the last few weeks actually, but I'll start in September 2014, which is when the Aviation Information Sharing and Analysis Center, or ISAC, was established. It's just an indication that aviation companies are aware of this issue, are recognizing there's a need to share information and to get a better handle on the cybersecurity threat. And then in 2015, I'm sure as you're all aware, there were lots of things that happened to increase awareness of the threat of cyber
security in the aviation space. So there was the instance of Chris and the United tweet, there was an instance of a Polish airliner being brought down, there was what happened in the Malaysia Airlines crash, and then there was also something called a Government Accountability Office report, a GAO report, which highlighted that the Federal Aviation Administration, or FAA, did not have sufficient security in place to protect airline traffic control systems. So in the fall of 2015 there was a lot of interest among politicians in dealing with and addressing this issue. And then this past spring the Federal Aviation Administration, or FAA, reauthorization
act was introduced in April, and what the reauthorization act basically does is it extends the mandate and the funding for the FAA. It was just finalized and signed in mid-July. It extends the mandate and the funding for the FAA for another 14 months; then we'll revisit all these issues. But the really important thing that happened was that part of the reauthorization bill required that the FAA take a look at reducing cyber risks to aviation systems, civil aviation systems, and gave the FAA just 240 days to come back and report on a framework, policies, principles of how they were going to
help reduce risk. And a couple of the things that were specifically called out were thinking about reducing risks on in-flight entertainment systems and to the air traffic control systems. And then at the same time that FAA reauthorization bill was introduced, in April of this year, there was a bill introduced, the Cyber AIR Act, by Ed Markey, the senator from Massachusetts, and it was purposefully timed at the same time as the FAA reauthorization act and contained some of the same ideas: that there needs to be some sort of cybersecurity guidelines for aviation, that there should be mandatory reporting of certain kinds of incidents to the government,
and that there needs to be serious thought for the infotainment systems, for how to secure those. So that bill has kind of been set aside; it's in committee, which means it's being considered. It could eventually make it to the floor, it could not, but that has been presented to help move the conversation forward. Thanks, man. I actually think you're next. Yes? No? Say what? Yeah, so, if I... I'll do the Whitehouse-Graham bill. Okay, so there are a few things again in infrastructure. I'm sort of mindful of time. There is a bill that was introduced by Senators
Graham and Whitehouse. It was originally called the International Cybercrime Prevention Act, and it was introduced last summer, and then it was abbreviated down and proposed as an amendment for CISA, which did not move ahead. And then it got reintroduced this year as the Botnet Prevention Act, and they're still working on it. There's likely to be a new version next year. And it basically does a bunch of different things around law enforcement authorities for computer crimes, and one of the things that it does is it looks to update some of the existing laws, including increasing the penalties for computer crimes against critical infrastructure. That's pretty much what it does in
relation to critical infrastructure. It's that, and it's not more complicated than that. You guys should check it out, but it's likely to be reintroduced next year in some other format. Again, it's called the Botnet Prevention Act, if you want to check it out. Can you just talk about the NIST framework? Okay. Is everyone familiar with the NIST Cybersecurity Framework? [Laughter] Yes. Just a very quick update on that. As I'm sure you're all very aware, there have been numerous RFIs before the framework was finalized and since the framework has been finalized, the most recent one in December of 2015, last year, and that RFI was basically asking again about how organizations are using
the framework, but also more forward-thinking: you know, how should the framework be revised, should NIST continue to have the role that it's had, or should the framework move to another place. And so, as a result of that RFI response and a workshop that NIST hosted in April, they are updating the framework. And so they're working through the pieces, the feedback that they received on things that need to be updated or added, like there's been some attention around cyber supply chain risk management being added, some updates or changes to the implementation tiers. Jen Ellis wrote that they needed to think about having
vulnerability disclosure best practices. Yes. And so that's going to be happening through the fall, and the plan right now is that they'll release a draft update early next year for comment. All right, I think that the next one is Allan. He's gonna talk a little bit about home stuff. Thank you. I know we've sung a lot of praises about the Cavalry. I will just say that Washington, for better or worse, often depends on outside experts, special interests as they're known, and often they get a bad rap, but really, you know, the expertise comes from people in industry, it comes from civil society, and Washington has
dedicated people who care about privacy, who care about encryption. There are lots of civil society people who really help us understand the core values. There haven't been people who really say cyber safety is a social value that we all need to work for, and the Cavalry has been a really incredible resource for those of us in government who want to have, who need, the information in order to work and build programs. So I'm from the Department of Commerce. We like it when markets work, when people get to buy and build and innovate, maybe in slightly different orders depending on your priority, or where you are in the department. We're not a regulator,
but we're interested in promoting better markets for security. So just today we announced a new initiative on IoT security, starting with the premise that it's very hard for consumers to know what to look for in security. You can't really go to a smart TV and say, gosh, did they use a BSIMM secure development life cycle process when they built my smart TV? But there are some things we can start with. We can say, does this device support security upgradeability, can this device be patched? The problem is there isn't really a universal definition of what it means to be patchable in smart devices. It's a multi-dimensional problem, and so we are launching a multi-stakeholder
process to bring together security experts, device manufacturers, device integrators, those responsible for connectivity of devices, and saying, let's talk about the many dimensions that we care about for patchability, whether it's the user experience, or whether it's authentication of the devices, or whether it's how long this device is going to be patched, and let's build a taxonomy, and then from that develop a much smaller set of definitions that consumers can know about, to look at, to work with, to say Consumer Reports says I should look for these words on the label, and that manufacturers now have some specific goals to work towards, to actually demonstrate to their board or to their cost counters, oh, we can get a return on
security investment by making these products better. This is voluntary. We're not saying everyone needs to have this, and by making it voluntary we believe that we can get active participation from industry, bring them to the table, for those who want to be active participants. Most people in industry really like security, at least on the security teams, right? They wouldn't be in security if they didn't care about it. So we're launching it now. If you're interested, please engage. There's a blog post out, and the first meeting will be sometime this fall. The other thing I want to flag is by my colleagues at NIST, the National Cybersecurity Center of Excellence,
which is engaged in a number of initiatives, basically helping organizations transition from a technical standard into implementation. Standards are fantastic, but often organizations don't know how to go from a highly technical standard to actually adopting it. And so NCCoE does things: they build reference implementations to say, okay, I need these different components, I need something that has this standard, something that's this standard, and here's how they fit together to actually be secure, as opposed to just one particular piece of technology, which won't do the job. They have a particular initiative right now on the smart home, focusing on authentication and authorization: how do the different pieces of your connected home actually
manage authentication and authorization? They call them non-personal entities. So, you know, you have different parts of your smart home; we need to have common standards for authentication and authorization to make sure you can actually have a secure home, so that, you know, different devices in your smart home can't attack other parts of your smart home. So if you're interested in that, I'm happy to connect you to the right people. But again, I just want to thank all of you and urge you to get engaged. This is something where we really need as many people who are passionate about security to weigh in, because there are lots of voices in Washington for, you know, build
more widgets, or my industry is more important than every other industry. We need more voices for security as something that really affects everyone. So thank you. [Applause] Thanks, Allan. And just to add to what Allan said, very briefly, the last multi-stakeholder project that NTIA ran, which was on vulnerability disclosure and handling, one of the criticisms that came from the community is that there are not enough researchers participating. So I really hope that you guys will take the opportunity to participate, even if it's not in person at the meetings; get on the phone, listen in. Your voice can only be heard if you lend it. Okay, so we're gonna... whoa, running
out of battery. That's good, because we need to move through. Okay, so how do you get engaged? The big hint here is not like this. Nobody likes a flaming torch, except the British when they're burning down the White House. So don't do that; that would be the first thing. The main thing is really to talk to people who are already involved in some way, find out how you can get involved through them. Most people will try and help you get started in a way that doesn't blow up. Look for common opportunities. There are opportunities through forums like the NTIA process, which are looking to have
organizations, individuals participate in an open, sort of voluntary process. There are also required comment opportunities. It's part of the implementation of legislative law, and by an agency that's administrative law, so they are required to have open comment periods on their rulemaking, and so there's an opportunity to influence how an agency implements a statute. So for the next one, the bill that I referred to is the NHTSA bill, even though that's not what it's called at all, and I wish I could remember what it was called and stop mentioning NHTSA, because I feel bad now. That bill was a great example of people identifying, hey, this is going
to be the Commerce Committee, so let's reach out to staffers who are on the Commerce Committee and tell them what we're worried about, and that led to questions. So if there's a hearing that gets announced, you can look at the committee members and reach out to their offices, and you can basically send them suggestions or questions for hearings, and they'll go through them all. The key to this is they need them at least 48 hours before the hearing. That gives them a chance to go through them, and then they have to submit questions 24 hours before the hearing. You have to get
you do but I have I have some examples actually of when this has works and it requires coordination it really it really does you kind of have to have a a quum of people that are interested at the same time um but you know there's there's an example uh I know some people who are really engaged in and pushing the Electrify Africa act that pass asked earlier this year and they they had made a concerted effort to to to write letters to call their local representatives and they got their local representatives to sign on to the bill so it it happens you have to be coordinated you have to actually do it um you might get a form letter back but
I I would say there are two keys to this uh one is you either need to hit them on a topic they already care about in some way um so it needs to be your rep and a topic they're already interested in so I'm in Massachusetts so the fact that Marque is already looking a lot of the stuff it's helpful for me um the second option is you need to have other people who care about it too a coalition letter will always have more impact and a coalition of businesses based in the area will have even more impact um so that's that's basically the gist on how you approach that um and the last thing
is the eff has a great action center it's all described on their website they give you ideas of how to get involved you should check that out um we are racing against my battery right now uh okay so in terms of communication and Outreach again not burning torches and pitchforks not super helpful the biggest thing for staffers is they want an ask the first thing I'll say to you when you sit down with them is what can we do for you um and apparently when you say blow up the cfaa That's not a good answer but uh do have a clear idea when you go in of what your goal is and have a clear
idea of how you're going to speak to that like what is the story you're going to tell that helps them understand it it the first time I went to DC I went and I was like it's terrible security researchers are being oppressed we must do something and I realized that effectively the day I went was the day that healthcare.gov fell over and Obama went on TV and went yeah I didn't know it wasn't working and so all of the Dems we met with were watching the news going holy and all of the Reps we met with were watching the TV rubbing their hands with Glee and laughing maniacally and it was a really great learning
because the key here is they're super busy by the way the next time I went was uh the big immigration thing with the kids uh the border and then the SEC the next time was Ebola so big lesson for me here is like these people are busy they have a lot of stuff going on and the first several times I went to talk I realized that what I was basically saying to them is hey we need to build a a rocket ship and fly to the moon and they were going what's the moon and so you need to make it really easy for them and that is not being dismissive right like they're experts in policy they know
that I will never know that is their job it is not their job to be experts in security research it is not their experts to be their job to be experts in any of the stuff we deal with that is our job and so our job is to make it easy for them to understand and if you can create that quid pro quo they will meet you halfway so think about what your story is before you go in be really clear on how to make it simple for them make it simple for yourself and for them part of building your story is doing your research of course and and by that we mean you know talking to to
others with like that are representing different pieces of the puzzle that you're trying to build and bring and bring to them so you know from my perspective that means I'll often go talk to the engineers for years it might mean that you need to sit down with someone who has done this policy stuff before and get a sense of how you would go about having an Ask that's going going to actually be relevant for the individually sitting down and talking about with it yeah about it with so the next one this is not a call for you guys to be suck-ups or to be obsequious or to say anything that isn't true like you shouldn't be inauthentic or disingenuous
however if you see people do something that is genuinely good recognize it if the FDA comes out with postmarket guidance that's a really good thing tell them that that is awesome be encouraging because other people are much more likely to want to emulate it if they see it get a positive response we're really good in this community at pointing out the things that are broken and we're terrible at pointing out the things that are not so that that is a a big one to do related providing AC actionable feedback is you know acknowledging that even if you totally disagree with every single thing um in a bill or something Rec try to recognize where that it's
coming from and that it's trying to achieve something that from the perspective of the person writing it is a good thing and then really figure out how to help that person understand you know from your perspective why that path is not the way to get to the end that is good and then provide very acual feedback for how you just saying that's that's not good that's not right is not enough you need to be constructive and show them how to get to where they're trying to go and we are right at the hour so uh rather than going through the the the following bullets I think we covered avoid joggin and and the experts thing the thing I will say is we
shouldn't need to I told you we were in a race against our battery and you missed the Archer slide God damn it um so the thing I will tell you is um we shouldn't need to tell you to be courteous and helpful that should be a basic human thing um and frankly if you don't know that I can't help you um so good luck with it all uh do we have time just for 10 minutes of questions or with super at the do uh so do Q&A while I'm setting up okay does anybody have a question yes Gillis when you're an and you're trying to support Story You're
So I want to kind of tie some of those things off and follow up on some of the things we talked about last year, some very cool, surprising developments, and then over the past year more and more things have happened, so unravel what those are, and then, looking ahead, what's coming up. And then we're going to get four very, very cool people up on stage. We're going to have Jay Radcliffe, who is a security researcher; most of you know him, if not you know his name at least. Suzanne Schwartz, who has already talked to us once today; she'll come back and talk again. Colin Morgan, who is with Johnson & Johnson; he's done some really, really good things to help drive cybersecurity into their processes. And then Christian Dameff, who is a rare unicorn: he is both a DEF CON speaker and a registered physician, so he's one of the very few people that I know who has both of those on their title.

So what's gone on in the last year, specifically following up from some of the things we heard last year? Well, I want to point out that as of last year, and before, this has not changed: the FDA does not have to recertify patches for medical devices before they can be deployed in the field, unless something changed this morning in the last hour. No? Okay, so this is still accurate and up-to-date information; you don't have to worry about that. And there's the standard there that you can go and look up for yourself if you don't believe it. I know that a lot of people falsely believe that you need to have the FDA recertify your medical device before it can be updated.

I wanted to follow up too on something that happened last year. We had Dräger, who's a German medical device maker, announce their commitment to coordinated vulnerability disclosure for the first time at BSides Las Vegas, which is a pretty cool thing. A major medical... woohoo, yes, a major medical device maker came to us and said, we want to announce in your track first, and that was really, really cool. So since then, they actually got the thing up about a week or two later, and a year on they've had four vulnerability disclosures through this process. So where a lot of medical device makers say we can't do a coordinated vulnerability disclosure process because we won't know what to do with all the vulnerabilities, they've gotten four, which is not an onslaught, it's not overwhelming. Zero of these have been extortion attempts. So contrary to the seemingly popular belief in some sectors that all researchers want to do is try and get money out of you, that's not the case. I'll also point out that they have about a 12-hour turnaround time from when they get a report coming in to when the researcher gets a notification back: hey, we got this, we're looking into it, thanks for sending it in. That's really cool. So of all the software companies, how many have a 12-hour turnaround time to that human-based notification? Not many. So to the medical device makers and to the others who say, well, we just can't do that, we can't respond within 72 hours: well, they're doing it within 12 hours, and that's with a team of very dedicated professionals working very hard to get that done. So it is possible, and Dräger's done great things. They're probably watching right now; if they're not watching now, they'll watch the recording. So how about a round of applause for Dräger.

I also want to follow up quickly on the Hospira situation. So we talked earlier today about Hospira. They had a medical device, an infusion pump, that was like a newfangled IV; it's a computer-controlled system to inject medicine into the patients. Some security researchers found a vulnerability; they reported it quietly in closed dialogue, and then somebody reported it openly. That triggered a couple of things. First of all, a safety notification went out in May, I think it was May 13 of 2015, saying that the PCA 3 and PCA 5 devices had this flaw, and for healthcare organizations to take serious precautions when using them. Later on, just before we came out to DEF CON, as Josh already mentioned, the first essentially safety recall of a medical device without demonstrated proof of harm; no patients had to die. So after this, what went almost unnoticed in the press after the big splashy stuff is that Hospira reported themselves that they found new vulnerabilities in their devices. So in January ICS-CERT released a notification that said Hospira has identified these things. They are in some cases vulnerabilities in existing devices, in some cases vulnerabilities in devices that they no longer sell, and in these cases they have patches available; in other cases, here's what to do to avoid the vulnerability. So this is an instance where, on their own and in a self-reporting format, they took their own initiative to go and do it. Now, that wasn't because they got threatened with a talk at Black Hat; it wasn't because someone was going to go full disclosure on them. It was some of the quiet work that had been done to build trust in that ecosystem, and to specifically get them on that pathway of saying, all right, well, we can't avoid the fact that we have vulnerabilities, we now must address that and embrace it and get on this pathway to getting them fixed faster. So I don't know anyone from Hospira; if anybody is here from Hospira, come up and say hello later. But it seems like they might be on a very good path going forward, which is great.

Another thing that we talked about last year: we did a very small private event up in one of the suites here on Thursday night last year. We had about 25 or 30 people. It was representatives of the security research community, medical device makers, healthcare organizations, government, many, many others who came in, sat and talked amongst themselves very quietly, very openly and honestly, not really hiding anything or covering anything up. It was to the point where we had no non-disclosure agreements, we had no agreement to be off the record or Chatham House rule. It was just a bunch of people coming together who saw a common need and a common trajectory and a common desire to do the right thing, collaborating. It's the type of information sharing that's probably intended by information sharing and analysis centers but that rarely happens in a formalized structure. It's only the type of high-trust, high-collaboration environment that can engender these types of things. I'd also like to let you know that we're doing it again this year. For better or for worse, looking at the size of the crowd in this room right now, I'm not sure that the space we have can hold everybody, but you're all invited, and if we need to overflow we'll figure out some way to accommodate it. Take a straw poll. Take a straw poll? Yes. What do you mean, take a straw poll? Ask everyone in the room. Okay, I'm afraid of the answer that comes back. So is anybody interested in going to this? Raise your hands. Okay, yeah, we're going to need a bigger boat, which is a good thing. It means that this year, more so than last year even, we've got a lot more people coming to the table and wanting to engage on these things. So if you're interested, come see me, come see Josh, come see Quati who's over here, and we can tell you where that's going to be. What's that? It was magical. It was, yeah. We were going to sit down for like an hour maybe and have a bunch of beers; I think maybe half a dozen beers got drunk and we sat there for five hours and just talked. It was very, very encouraging, which is why we're doing it again this year.

So in the last 12 months a lot of things have happened. The first one I want to highlight is December 5th, right after the NH-ISAC security and privacy meeting up in Boston, we held something called CyberMed RX, and we did this in order
to bring a bunch of the stakeholders together who wouldn't normally talk to each other, get them in a room together. Cage match, you know, all of them enter and only one leaves? No, we did it in a very collaborative manner, so it was a really cool layout that we did. We essentially set the tone in the morning and said we've got some hard problems to solve but it's a worthwhile cause, so let's get to work. Then over the course of the day we had lightning talks from stakeholders from I think 18 different groups. We gave them two minutes, five minutes: who are you, what's your role in the ecosystem, what are your hopes, dreams and aspirations as well as your fears if you get it wrong, and what can you give and what do you need in return? And we had those people go and essentially identify themselves and say what they do, why they matter, and it was a very powerful message to get out there. So people who had been working on the opposite side of the aisle from some of these folks for years and years and years, but had never really sat down and understood what they did, why they did it, and that they were all pointed in the same direction, towards patient safety, finally got the chance to come together and see what that looked like in practice, and to build some of those connections that otherwise wouldn't have been built, and to empathize a little bit with the position that the other folks were in.

So you had medical device makers coming and saying, you know, here's what we do, and God, if it weren't for all these standards and things that we have to follow, of course we could do those things, they would be easy. Then we had people coming up like healthcare delivery organizations saying, well, look, we get these bad medical devices. I think one of the quotes from a different talk was, it's the same crappy software that's in your Windows machine, in life-and-death situations. And then you had people like Marie Moe, who we saw a photo of earlier, and I know she's watching the live stream now, say, I'm a patient and I'm a security researcher, I depend on a medical device to live, so I don't care if it's crappy software, it needs to be improved. I don't care what needs to happen; I need this device in order to survive my day-to-day life. With all the flaws it has, it has way more benefits. So we need to consider all of those types of things, and the mass of getting those people together, the gravitational pull that they had, made it a really, really productive event, to the point where somebody who's been in healthcare for like 25 or 30 years, who's crusty by now, who's hardened against any progress, said, wow, that was one of the best events that I've been to, that really opened my eyes. So I think we're seeing a lot of progress by getting people together in the right room, and so we're actually going to repeat this. We got an invitation from the Dutch government to come over and run one of these in The Hague. Tentatively we've got a date set for October 10th, so anybody who is in Europe around October, let us know; we can see how we can get you to that. Also we're going to do another one; I think the date is December 7th. I didn't fact-check it before I came up here. December 7th? Okay, we got confirmation, there we go. So December 7th, again in Boston, again it's going to follow the NH-ISAC, or the HHS privacy and security group. So this is going to happen again; watch this space, cybermed x.org.

Another big thing that happened, we previewed this a little bit earlier on today: in January, just alongside the FDA workshop that happened, we released the Hippocratic Oath for Connected Medical Devices. The idea here is that physicians take a symbolic oath to act in the best interest of their patients. Increasingly, medical devices are the care delivery instrument; they're the ones carrying out the orders of the physician, so they should also have some type of a symbolic ethos, right? This is meant to be it. We also wrote it so that anyone in the care delivery ecosystem can see their own role reflected in this, so physicians can read the Hippocratic Oath for Connected Medical Devices and say, oh, I see, I do this, this, this and this, I have a role to play. Medical device makers, biomed, healthcare IT, hospital administrators, even patients, they can look at this and feel like it's talking to them. This is modeled loosely on our Five Star cyber safety framework for automobiles. The five core ingredients here are: safety by design, how do you make a product safely and securely; third-party collaboration, how do you take help from people in the ecosystem who find problems and report them to you; how do you have some type of evidence capture (we routinely hear that no one has ever died from a healthcare hack or from a car hack, but the truth is we don't know, we don't have the evidence to say one way or another); how do you contain and isolate failure, and in the healthcare context we made it very specific, how do you avoid harm from failure, things like fail-safes, and in medical devices this is very common, where you have a physical fail-safe where even if somebody has the administrator password to the medical device they can't cause harm; and then finally, how do you update once you know a better way. So it's five very simple capabilities here that many people within the ecosystem can have some role in and can have control of, that allow us to have safer devices.

The FDA postmarket guidance for cybersecurity of medical devices was published in January, and there was a workshop following the publication that was really, really good. Suzanne will talk a little bit about that and I don't want to steal her thunder, but very briefly I want to mention that the postmarket guidance essentially has a carrot-shaped stick, or a stick-shaped carrot if you will, helping to set the incentives for medical device makers, for healthcare delivery organizations and for others to make a big effort to engage the security research community. So without going into the details of this, essentially one of the requirements, in order to reduce costs once you know that there's a flaw, is that you have the ability to take a vulnerability report from researchers, that you have some type of a coordinated vulnerability disclosure program in place already, and that you're sharing this type of information; you're actively seeking to get the information to make your products better. Even though this is not a law, even though it's not a regulatory requirement, it's certainly being treated as a regulatory requirement by a lot of the manufacturers. I was at a medical device conference in Virginia the other day, and every single medical device maker I talked to either has a coordinated vulnerability disclosure program or they are about to release one. So without saying who it was in the room, my informal survey of the six to eight people who were there says that every single one of them is thinking about this now. This is the type of change that as researchers we would never be able to drive, right? If we're on the outside knocking on the door and saying, hey, let us in, it's not going to happen. But by teaming up with those medical device makers, with healthcare organizations, with the FDA, the ecosystem is able to make those types of sea changes that will make the world safer.

I want to talk a little bit about something that you heard a little bit about this morning in Karen's talk; if you haven't seen that, I encourage you to go back and watch the recording of it.
She talked a little bit about a software bill of materials. The idea is, when you go get a car, or when you go get a toy, you know what the materials list is that's in that, so when there's a defective part of that car somebody can go and recall it very quickly and safely. So in the automotive industry, for instance, every bolt, every rivet can be traced back to every plant, every facility, every week it was manufactured, so that when something happens they can really quickly trace it and find out what vehicles are affected. So while we're doing and seeking these things in some very, very easy-to-reach places, we're not doing it in software, which is trivially easy to do. You can run a simple software script and figure out what parts of open-source software and commercial code exist in your medical device or in your software package. The manufacturers certainly know what code is in their devices, or I would hope that they know, yet we're not doing it and we're not publishing it. Well, Philips took the step and said, okay, we'll do that, we can publish a bill of materials of what's in our software. So now when a hospital is buying a device they know what vulnerabilities exist in it that are publicly known. So if, for instance, Heartbleed exists in a device that you buy today, you can say, I'm not going to get that device until you fix Heartbleed; that's a major thing that I need out of my environment. Also, five years down the line when the next Heartbleed comes out, those same hospitals can very quickly, with just a SQL query rather than an exhaustive port scan of all their systems, figure out which of their medical devices, which of their systems, has a Heartbleed-like vulnerability. If we had this, for instance, in electronic medical record systems, and we knew that half of them have a JBoss vulnerability that is actively being exploited by ransomware and that is shutting down hospitals, instead of having the response be, well, let's see if we get ransomware and then let's try and pay the ransom, it would be, let's eliminate this vulnerability, it's posing a serious threat to patient safety. Today that capability is hard; it's very, very easy, however, to unlock that, and Philips has taken the first step. They're the first medical device maker that I know of to say we will issue a bill of materials for the products that we make. Is that public? There's one other that's about to.

Johnson & Johnson, I think they're the biggest medical device maker in the world. Biggest? Yeah, biggest medical device maker in the world. They now join the other medical device makers that have a coordinated vulnerability disclosure program. This one follows the ISO framework, by the way, so applause for ISO. Which one is that? 30111, 29147. ISO 29147: vulnerability handling, vulnerability disclosure. Yes. If you want to know anything about ISO, Katie Moussouris, who's in the audience, helped develop those standards; she's one of the co-editors, co-authors of the standards. Essentially it's a rootkit into the established processes of many, many manufacturers who know ISO, and if there's something you can point to in an ISO, they'll just go do it, right? I know it seems crazy, but if you can do that, then now they have a way to engage and to actually build a secure coordinated vulnerability program.

Jen talked about this a little bit earlier, but there was an HHS task force established to look at healthcare cybersecurity as a part of a legislative act. Literally there's an act of Congress that says get together a bunch of people, 20 different stakeholders representing multiple stakeholder groups. One of those stakeholder groups, by the way, named in this act that passed through Congress, is security researchers. So Congress is getting clueful and saying we need security researchers to be a part of this dialogue if we're going to talk about security research type things. Kind of makes sense; we all know it, but getting that level of awareness into the legislators' minds is a real accomplishment. So two of the people out of those 20: one of them is sitting here, Josh Corman, who represents the security research community there; the other, Mike McNeil, works for Philips, and is a very, very clueful individual. He spoke earlier on a panel here; he's the one who's pushed through a coordinated vulnerability disclosure program with Philips as well as the software bill of materials that they've got. So I've got high hopes for what might come out of that. Expect disruption come, you know, March 2017 timeframe.

Looking ahead, and I'll speed up because I'm looking ahead to getting some great people to come up here: in October 2016 the DMCA will have certain exceptions come into effect. One of those is you will now be able to reverse engineer medical devices; that's a pretty cool thing. So up until now, if you took a medical device and you tried to reverse engineer the protocols it was using, or any of the software or firmware in there, it would have been illegal under the Digital Millennium Copyright Act. One of the people who is a signatory to this Harvard publication, a letter campaign actually to the Librarian of Congress, is in the back of the room now; he'll be up here later, Jay Radcliffe. Because of his work, as well as some of the others including Jen Ellis, who might have walked out of the room, now we have exemptions for things like medical devices, for cars and for voting machines, where we can look at the security of these critical areas to find out what flaws exist before the bad guys do, in a legal way. I'll skip this one for now and we might talk about it tomorrow when we're talking about some very hard problems and very hard approaches.

So now I want to call up to the stage, and I'll grab the mic for them, a handful of people to come up and give their perspectives: a US regulator, Suzanne Schwartz of the FDA; Colin Morgan, who is product security coordinator for Johnson & Johnson; Jay Radcliffe, who works for Rapid7 and is a security researcher; and Christian Dameff, who is both a security-conscious person who has spoken at DEF CON and a physician. So first let me introduce Suzanne Schwartz of the FDA to give a bit of her perspective. And you can just advance the
slides oh let me get that there go can everybody hear me yes yes yes yes so thank you very much I have to apologize in advance because I'm going to use some notes here I'm limited in terms of time and I really felt it was important to get this right I have a few personal messages to say here and um again I just wanted to make sure that I was able to convey my sentiments in a in a concise manner but in a very very meaningful way so um let me just start off by saying that I feel very reflective today and highly appreciative last August I was privileged to participate by phone by calling into this particular
session was hopeful to be able to partipate this coming year and here I am I am here I am of theing
safer sooner together being here provides for me a study really in contrasts and I might add really stark contrast from our medical device ecosystems really state of being when I compare that to even three years ago three or more years ago and to where we are currently L and that's not to say that we should be patting ourselves on the back um or lapsing into any sense of complacency we do have a lot of work ahead of us this is an arduous Journey but the steps that have already taken we've taken over the past few years really give me hope they give me hope that with persistence working together we're going to continue to improve and there will come that moment
when when these baby steps will be transformative into more into greater strides as we move towards what really is a desired state of medical device cyber security so kind of picture this in 2013 2014 that really was an inflection point for the agency for the FDA as well as I would say for the medical device Community prior to that time live demos of medical device exploits and dropping Odes on the stage of whether it was black hat or Devcon it was really rather the norm and it was very much anticipated by attendees by the participants on the other hand FDA medical device manufacturers healthc care delivery organizations in other words our ecosystem the healthcare ecosystem we were first learning about
these vulnerabilities and their potential for exploit at the same time as the public at large. Now, that's not a great trajectory, as you can well imagine, especially when you view it through the lens of patients who rely upon these technologies to better their lives. But this year, by contrast, a number of panels at BSides, Black Hat and Codenomicon are living proof that when all stakeholders are given the opportunity to have a voice, a voice that's heard and that's not ignored, and are given an equal seat at the table, we can better understand and appreciate each other's perspectives, our motivations, needs, as well as interests,

and collectively we're in a much stronger position to address the tough challenges that plague healthcare security's posture as we continue to evolve, as we are evolving right now. It's worth noting that we don't get to showcase a panel of diverse stakeholders like today's, conversing on this topic, unless there's already been an investment in the hard foundational work: the dedication, the tenacious commitment to being collaborative and developing that unity of effort. And dare I say, I think we've unglued ourselves from being stuck in that very alluring "admiring the problem" phase as a community. Beau knows what I'm talking about; I'll be very interested in hearing your perspective on that. So how did we get

here? The answer I would offer is really through a coalition of the willing: individuals and organizations who've shown courage by moving out of the comfort zone of their own silos and thereby seeking a common purpose, that being to protect patients against potential harm, as patients place their trust and confidence in the very technologies that are supposed to help them. So this past January (here, let's just switch this slide, yes, okay), as Beau mentioned, this past January the FDA, together with HHS, with the Department of Homeland Security, as well as with the NH-ISAC, the National Healthcare ISAC, convened a public workshop bringing really all stakeholders together to further expand the depth and the breadth of

collaborative efforts in medical device security, and this workshop was held on the heels of releasing the draft guidance that Beau referenced on postmarket management of medical device cybersecurity. So I've selected a few of the murals that represent the panel sessions to share with you, and as you can see, some of the very important themes that emerged: the need to embody empathy and to identify shared principles, understanding motivations, the importance of building trust relationships as a vehicle for coordinated disclosure, and understanding that progress here will happen incrementally and is contingent upon change in mindset, change in behavior and ultimately a change in culture. Now, transparency and communication throughout the total product life cycle is critical. What does security testing

of devices look like? What is considered acceptable risk? What forces exist to empower and to better inform the customer before purchasing decisions are made? Again, ultimately, patient safety is

centric, and to enhance situational awareness, developing trust circles is what's going to enable actionable information sharing on risks, threats and cyber practices. But how do we get to establish those trust circles? Well, we have to be able to speak a common language and share an understanding of our respective pain points: what constraints different stakeholders have, what hurdles they face. So the Cavalry's Hippocratic Oath lays out a blueprint for advancing medical device security, recognizing that, no, this doesn't happen overnight. To paraphrase Josh Corman, you've got to learn to crawl and then walk before you can run. And with that, I'm going to turn this back to Beau and close by saying that we aspire to be your running

partners in this great journey: safer, sooner and
together. All right, thank you, Suzanne. Next up is going to be Colin Morgan, and I'm going to jump out of the presentation for just a second, because he's got an intro video that I think you will want to see. Oh, all right, let's try

this; we'll see if the audio comes out. "...my dad's job, and he's really a superhero. That's awesome, that he saves people's lives by making sure no bad guys get into any medicine machines to hurt other people." All right, so first of all, let's hear it for Irish, and secondly I'll pass the mic over to Colin to give a medical device maker's perspective.

Thanks, Beau. First, it's an honor to be here. It's the first time I've spoken at BSides, and I mean, how cool is that? What parent doesn't want their kid calling them a superhero? What was the amazing part was I explained to him, probably months before, what I did for work,

because my wife stays home, she has her own consulting businesses, but every day it's "Dad's going to work to earn money for the family and he's working really hard," and I'm a big family guy. So one day my son asked me, "What is it that you do?" and I explained to him that I work in cybersecurity and I've got this new fun role where I get to take what we've learned in IT security and try to bring it to a world that doesn't understand it. He's like, "What does that actually mean?" I'm like, "Well, you know how people get sick and sometimes they have to go to the hospital, or sometimes they wear devices

that help heal them?" He's like, "Yes, Dad, I get that." "Well, I try to make sure that no bad guys get into them and break them and hurt them." And his first response was, "Why are they able to do that?" and then it was, "Why would somebody want to do that?" And I've really thought about that messaging a lot over the past few years, and there are a couple of points that I want to touch on in this brief five minutes that I have here, and I'm open to any questions afterwards as well; I'm as much of an open book as I can be. But I will preface with the obligatory: these are my opinions and not those of Johnson

& Johnson. My attorneys make me say things like that. But Johnson & Johnson, that's where I work, and for those who don't know Johnson & Johnson, when you hear about it you think of babies, you think of Johnson's Baby, you think of cute, cuddly faces. But what a lot of people don't know is that Johnson & Johnson is made up of over 250 companies across 60 countries across the world, about 130,000 employees, and we touch 1 billion patients a day. One billion. We have products that range from over-the-shelf things like Tylenol and Listerine to pharmaceutical products for rheumatoid arthritis or cancer, and medical devices such as sterilization systems, insulin pumps and

many future ones that are going to be coming. So we are a very diverse healthcare organization that touches 1 billion patients per day. So here I am, joining J&J five years ago and coming to a realization of what the security world looks like in healthcare. Mostly my background was in the federal government, which is a whole different umbrella, which, you know, excuse me, hav touched on some of that. And after a few years in the organization, really understanding the breadth of the company, I had my aha moment around this space, and it was when I first met Josh at AppSec New York City a few years back, where he talked about I Am The Cavalry,

and I went up to him afterwards and was like, "Hey, I work at J&J and apparently we're the largest medical device company in the world, and I'd like to learn more about what you're talking about." So fast forward a few years, fast forward through a lengthy investigation into our organization, understanding what we have in our inventory today, what our future pipeline is going to be, having all of those tough conversations, the political battles and the challenges that we faced: we now have a dedicated program focused on this. We went from a simple idea, from a conversation with I Am The Cavalry, to a full-fledged program dedicated to securing our products,
engineers that sit on the product development teams building security in, things that all of us think "this just makes sense, I'm a security person, we should be doing this." The world is different, and Suzanne hit on a key word that has really been resonating with me lately, and that's culture. Two years ago at the FDA public workshop in 2014, there was a cultural issue within the security community and the healthcare community around "is this really an issue?" We've zoomed past that in the past two years, where at the public workshop this year everybody understood the issues and the questions were more around how we solve them. So the cultural issue is not in infosec; the

cultural issue is outside of infosec. The cultural issue is with the R&D organizations, the quality organizations, the teams that develop these amazing life-saving products but now slap on some type of Bluetooth or RF or network stack, and now all of a sudden they have to become an infosec or IT expert, and that's not what they are. And they operate in a realm where security has never historically been part of where quality sits, within a quality process, and they have to follow the process, but when you look inside the process, security is not mentioned once. And so you have to go through that effort to change that process, and that's a really big cultural battle and challenge that

every medical device company, every hospital has to battle through, and we're fighting through those challenges. And we've had a number of wins and a number of successes that we're very proud of. We've heard about one today: number one is our vulnerability disclosure, product security. j.com, which was a significant accomplishment for us. It took many months of effort getting the right support and buy-in from everybody who was impacted. I mentioned we have 265 operating companies; all of our franchises are independent of one another, they don't talk to each other. We're a security team that spans all of them and have to go have the same conversation with every

single team at different times, and it's just the nature of our business, and we've had to really adapt and create flexible models. Number two is the crowdsourcing piece. We have crowdsourced the crap out of our framework. We didn't go into a bubble and say "this is how we're going to build devices securely." We went outside; we talked to I Am The Cavalry, we talked to our competition, because, you know, the medical device companies, we don't compete on security. We talked to the government, we talked to researchers. We really tried to understand the approaches people have taken to build a solid program, or what we think is solid. We focus on the NIST cybersecurity

framework, we focus on the ISO standards that Katie authored over here for our vulnerability disclosure, we looked at TIR57, which recently came out around M risk management from a cybersecurity perspective, and we've really tried to figure out how we take a lot of these and build them into a program that fits into a quality process that doesn't understand security. Because if we go into that process with something brand new, it's going to be hard for them to understand it, so we have to do a lot of language translation, which Josh talked about this morning: really take what we talk about in security and put it into their language and their speak. So when we talk

about threats, to them that's a hazard, and we need to talk about it that way, and we've really tried to adopt that internally to help buy that support. The fourth one is community. We're working on some community projects, or what we call them; one we talked about a bit at the NH-ISAC event, and it really started some movement on it, and that's trying to open source our framework within the healthcare community: so what we're doing for threat modeling, what we're doing for security requirements, how we're building out our assessment questionnaires, and sharing that with the greater good of the healthcare world, using the NH-ISAC as a forum to pass that through to the other

organizations. For most that don't know, 80% of the medical device companies that are out there have 50 or fewer employees. Fifty or fewer. Now how many of them do you think are dedicated to or understand security? They're the ones that need help, and if we can help them, we're going to do the best that we can. So finally, and I try not to run too long here, back to my son's video there: he called me a superhero. I'm not a superhero. I'm just a guy in a company trying to do the right thing, trying to make our devices safer and secure. I mean, if I want to throw a

term around, I'll steal one of Josh's and maybe call myself and my team super change agents, because that's ultimately what we are. We're security guys; I'm a tech guy by trade. I used to love breaking network equipment, and now I get to try to change, and work to change, culture in the largest medical device company in the world that touches 1 billion patients per day, and to me that's exciting and empowering, because I feel like every day I'm making a difference. So thank you for the opportunity, and I appreciate it.

Thank you very much, Colin. So next up we'll go to Jay Radcliffe, who will make the long walk from the back of the room where all
the cool kids sit up to the very front.

I don't think anybody's shocked that I would be in the back of the room, right? So it's been a really interesting kind of journey, in looking at the research that I've done and what it kind of means to me as a security researcher and as an IT professional. I started out this just by playing around with something, playing around with my medical device to see what happened and to see what it would do, and at the time that I did that I didn't really think anything of it, and it turns out that it's become a very large issue, and it's a very important issue. And watching the

last hour here and seeing all the progress that this group has made, and seeing all the progress that we have made collectively as a community by building something where manufacturers have a stake and they're saying "yes, we want to do this," individuals are pushing up from the bottoms of their companies saying "this is something that's really important, this is something that I really believe in that we need to do," pushing on the media areas so that executives get the idea of "yes, this is something that's important, it's not something that we can hide from, it is something that we can do something about." Five years ago when I kickstarted this there was a lot of hiding. Nobody

had a plan, nobody knew what to do. And as a consultant I have this great insight, because people call our company up and they have us help them out in this, and they ask us, "All right, we've got executive approval, we have a huge hospital and we hired one person and we gave them $5,000, we want them to secure everything, can you please help us do that?" And that's really where we're kind of at right now: we have an excited top end of the branch that can give us limited resources, that want something done, and we have people at the bottom that want something done and don't have the

resources to do it. So we're in this execution stage, and I look at some of the slides that Suzanne presented about the life cycle and the communication and things about that, and that's great, and I love that we have a plan to do that. And every time I think about a plan, and if that plan worked great we wouldn't have any problems, I think about a quote from Mike Tyson, and Mike Tyson says, "Everybody's got a plan until they get punched in the face." And a lot of times that's where I feel that I'm at, and I know that other people in my industry are at: we've got a great plan, we go into an

organization, they want help, they're very cooperative, they want to do it, we start the plan, and something goes wrong. Somebody disagrees, somebody doesn't want to cooperate. And what's really important right now is for us to stay engaged in that process. We can't get frustrated and we can't quit at that point in time; we have to stay engaged in the process and continue to move forward. Sometimes when I present research to a company it doesn't go real well; they don't like it. But you know what? I smile and I say, "Hey, let's try and work through this. How can I help do this better? How can I help you understand? Do I have to do it in a

different way? Do I need to talk to different people?" I try and stay engaged, not to get a sour taste in my mouth and say, "You know what, screw it, it's not worth it, this can't be fixed," which we tend to do in infosec, right? We're frustrated because we want change now, but we have to stay engaged, because we're talking about something that doesn't move fast. We can't get funding the way we want to get funding, so everybody from the top to the bottom needs to stay engaged so we continue to execute on these things and make that continuous progress, because it's amazing the amount that we've already got done, but we really aren't done yet. And as a patient, as a

practitioner, as somebody that often watches, I want to see that succeed, I want to see it get better. So I think that that's kind of where I've seen things go, and that's where I see a lot of places at. Everybody wants patients to be safer, everybody wants medical devices to be safe. There is no medical device company or healthcare provider that I've ever been with that was like, "You know what, screw the patients, live, die, whatever, we're here for a profit." None of them say that. The number one priority for every one of these companies is taking care of people. How do we just do that effectively, and how do we integrate that

into the information and technology ecosphere? That is what's important, and the people in this room, the people at these conferences, are the ones that know how to do that the best, and we have to interact with them and we have to continue to do that. Thank you.

All right, thank you, Jay. So we often say that security is a relay race sometimes, and you're always passing the torch on to the next guy. Well, running the anchor leg of our relay race is Christian Dameff, who, as I mentioned, is both a physician and a DEF CON speaker. So over to you.

Thank you so much. Hey everyone, can we just get it lively in here a little
bit? Can we give it up for I Am The Cavalry, for everyone that's spoken here, all the governmental organizations, all of you guys that are here learning or contributing? Just give it up to them, come on, everybody, give it

up. All right, so my job here, in about four to five minutes, is to teach you two things about doctors and remind you about something very, very important. The first thing I'm going to teach you about doctors is that 99.999% of them know nothing about what you know, okay? And it's not because they don't care, it's not because they haven't heard about it on the news; it's because for the most part they're very, very busy. Furthermore, it's just not in their purview. Something that was very impactful to me last time we had our meeting, and I hope all of you come on Thursday, was that someone asked me, "You're telling me that when you go and order a drug, and

that drug is being delivered to that patient, and it's a life-saving drug, that you don't even look at that machine? You don't look at the stickers that are on it, you don't know how it works, you don't know what its name is, you don't know if it has a horrible track record, you don't know if it doesn't work?" I said, "Absolutely, I have no idea. I put that order in a computer, it goes to a nurse that's in a room 200 feet from me, that medicine gets pulled out of the pharmacy and gets infused in that patient, and I know nothing else about it." Frankly, for the most part, if I'm not running around the emergency department

with my hair on fire, I don't know if that drug's even been given. Now that's very different, probably, from your day-to-day, which is you're familiar with the technical tools that you use; they're like your third arm. Everyone in here has so many different devices on them that are part of their everyday life. That is not what happens in medicine, okay? So the first thing to teach you is that doctors, for the most part, know nothing about what you know. Now, if you have been paying attention today, you know that is not where we should be, okay? One of the stakeholders that needs to be part of this conversation is healthcare providers: nurses, physicians, doctors, nurse

practitioners, physician assistants, everyone in the care delivery from the janitors all the way to the doctors that are doing life-saving surgery, okay? They need to be part of it. Not all of them; we don't need to have courses in medical school about cybersecurity (excuse the "cyber," and you throw something at me if you want, but we have to use it). I guess it's not going to happen and it doesn't have to happen, but we need to engage some of them, because what they offer is a very valuable part of the conversation, okay? The second thing I'm going to teach you about doctors is that they're hackers too. They just don't know

it. They just don't know it. Let's talk about this. What do they do? They look at a system, the human body, and they recognize where it breaks. They recognize when it breaks down and it causes cancer, it causes infectious disease, the trauma associated with a high-impact motor vehicle collision. They recognize that your spleen's not working because you're bleeding to death, it's been fractured in half; that system that is supposed to work is not going to work, and this is where it's failing, this is what I'm going to do to intervene, this is what I'm going to patch, okay? But that's kind of more, "oh well, everyone just patches, how's that really the hacker ethos?" Well, physicians

implement treatments to circumvent disease. That's exactly what we do every day: we recognize that there are ways around problems and we think innovatively. We see where these vulnerabilities are and we attack them, we fix them, etc. Doctors do the same thing with their treatments. They recognize that some cancers work a certain way, they involve certain genes; they recognize that chemotherapy will work for some of them, radiation will work for some of them, a combination of it. They figure out the problem and they fix it, okay? They recognize what's broken, just like you guys out there. So take that understanding when you try to engage them. Say, unlock that hacker within that healthcare provider. Talk to them about
this system of care and say, put it in their purview. Say, "What would happen if that machine broke over there, that machine that's delivering a very potent medication that's keeping that very sick patient alive? What would happen if it broke?" Well, the patient would die. Do you care about that? Of course doctors care about that; everyone cares about that. Well, that device that we're talking about is incredibly vulnerable to attack. Let me show you how, and let me show you with just a little bit of work, a little bit of effort, how someone with a very, very bad spirit, soul, I'm not a very religious person myself, but that person

can screw that up, can hurt your patient, and all of a sudden they're going to care about it, okay? And they might not care about it to say, "I'm gonna go and take some coursework on cybersecurity, I'm gonna learn about this to be able to contribute meaningfully to the technical conversation," but what they will be are advocates for you in the conversation with the people who can change this. And for the reason of the last thing, I'm going to remind you that this is why I'm thankful for the opportunity to speak here with you, but I want to make sure that, for all of this conference, all of this talk, all these tracks, we talk about

all these awesome things that are happening; we cannot forget why. Why there are so many people in this room that care, all right? It's because of that tiny little infant that's seven days old that's surrounded by insurmountable odds. If you can look around that, look at one, two, three, four, five infusion pumps, all of which have drug libraries that are reminiscent of the Hospira hack; telemetry units; drug delivery systems; ventilators that breathe for this tiny little infant, okay? They already have the disease, the breakdown in their physiological processes that they're fighting against. The last thing they need is for one of those systems to fail because it's running Windows NT and no one's looked at it for 10

years and the vendors have forgotten about it, and the biomed people say, "It works, it's too expensive to fix it, we haven't gotten money to do it, we don't have another bolus of money until the next cycle, we're already struggling to take care of the patients we have right now with the medications they need." This is a hard problem, okay? But this is why you're here, hopefully; this is why you're paying attention. It's because you recognize that this is what matters. And let's strip away for a minute the term "the patient." That's what I say. I say I see lots of patients every day; I saw patients last night till 2 a.m.,

and that helps me cope with the fact that sometimes it's hard to think about them as people, because a lot of bad stuff happens to them, okay? They are people. They are your daughters, your sons, your mothers, your grandparents. They're you. And we all know, more than anyone else on this planet, this problem is going to get worse. The next generation of doctors grew up with cell phones, with smartphones glued to their hands, and they see the solution to every single problem out there as an app or another medical device. The next generations of doctors and entrepreneurs in the medical sphere are going to push for this even harder. It's going to explode.

We recognize that we are not going to be able to fix this problem unless we start doing something now, and it's just the right thing to do, okay? I really appreciate this time, this opportunity. Again, thank you, give it up for the Cavalry.

Awesome. All right, well, thank you very much, Christian, and to all the speakers, to Suzanne, to Colin, to Jay. I think it's been a really, really good dialogue. I actually can't wait to go home and see the recording and go through and just make notes of all these great things that people said. So I'd like to thank you all for coming too, and as we do the changeover to

the next presentation we'll take a couple of questions until Josh is ready.
is when they were trying to go to electronic health records from paper records, they attached reimbursement to this clause called "meaningful use," and if you're in the industry you know you just got a pang of pain in your body when I said that. But from a security perspective, I basically said, "Guys, maybe meaningful use was our original sin; maybe this is why we're so hackable." And essentially what you did is you took devices that were never designed, engineered, threat modeled to ever be connected to anything, and you forced them to connect to everything, and you couldn't just go back to the drawing board. So we're going to pay down that technical debt and

security debt for a very long time, and that's why we're going to have some very uncomfortable brainstorming tomorrow. Can I tie it off for now? Okay.

All right, so, for the camera and the streaming, I'm going to do the auto talk a little differently than we had intended. I had a few automakers that we were going to try to pull up on stage, much like Beau did, but given a few things that are happening, some of them aren't allowed to speak in public yet. But if you're willing to reveal yourself, and I won't put you on the camera or anything, who from here works in or with the automotive industry?
Good, good, good. So last year we had the privilege of having, I think it was, 11 people from Tesla that self-identified in the room. We had several people from GM, Ford, from Honda, and we're starting ... chairman of GM, 10 days ago in Detroit, she gave a keynote at a cybersecurity conference, and she is essentially channeling most of these talking points, and I was very pleased to see that, because that shows how well we've infected that industry that usually was afraid of us, to start to realize how vital a resource we are if we properly team together. So I'm just going to show you a very brief version of what we kind of acclimate them to, and I'm going to leave a little bit of room for some of the things that are happening. If I see Frank as well: we also had Frank
from NHTSA, the National Highway Transportation Safety Administration, so the regulator in this space, speak earlier today. If you missed that, just catch the video. I'm sad to say that they were about to release their guide on connected vehicle safety, and it's all done, but they have to wait a few more weeks for government approval, because government moves slow, as he reminded us this morning. So again, I'm Josh Corman, I'm one of the founders of the Cavalry, and if you weren't here for this morning's session, we turned three years old yesterday. So if you've been helping, give yourself a round of applause. Anybody? Come on. No? Nobody's been helping? Okay, all right, all right. So

there's plenty of work to do and there's plenty of room to help, and I'm just going to show a little bit of that right now. Motivations have turned out, and I actually had a much more detailed version of this this morning, motivations have turned out to be the biggest obstacle for us working together. They don't understand why anybody would ever hack their vehicles; why would you do that? And I'm not making fun of them, but they have had some bad experiences. It's more of an urban legend that white hats go to companies, they say "we found a bug," and they extort them, right? I've been working, I don't know if you saw Leonard,

from the Department of Justice; he was on a panel earlier today with Jen Ellis. They have had almost no extortion cases, almost none. The ones they have had have mostly been misunderstandings, like someone said, "Hey, I found a bug for you," and before they took a pause and a breath they said, "and if you pay me I will gladly fix it for you." It wasn't really extortion, it was just really terrible communication skills. But I often have to speak to motivations, and this is where I basically point out that, you know, just like every car company's not the same, and not everyone who works at your car company is the same, white hats have very different

motivations as well. So I have a table that I showed this morning; they're all P's, and this is a gross oversimplification, but white hats, or the people who find bugs that aren't criminals, do it for one or more of the following five reasons. They're protectors that want to make the world a safer place. They're puzzlers who do it for the challenge, for curiosity, because they like to solve hard things, take it apart and put it back together. They do it for prestige, because they want to win the white jacket or they want to be on CNN or in Wired magazine. They do it for profit, because this is a way to make a living. Or they do it

for protest: they're for or against something. And when we kind of explain that, you know, hacking is magic and there's bad wizards and there's good wizards, like Gandalf, thank goodness we had Gandalf, that demystifies it a little bit for them. And when they understand that they're not all out to drop 0-day on stage at DEF CON, or they're not all out to make money, and that some of these folks, especially these folks, are here because they want to make the world a safer place, it helps them better understand and better structure their coordinated vulnerability disclosure program. So one of the things I want to leave a little bit of time for is to have a really honest discussion about where the

safety-critical industries are at on their coordinated disclosure programs, and some of the guidance we've been giving them that you might not agree with at face value, but there are really good reasons we're giving them that guidance. But the point here is that everybody's motivated differently, and for me, I just want to make the world a safer place. But when you know how they're motivated, you know what they're trying to accomplish; it's also a good hacking trick, because the people you're going to speak with at these various companies, if it's the general counsel of a car company versus the security team at a car company versus the third-party supply chain partner of a

car company, they have different wants, needs and fears, and instead of doing the same thing over and over and over and pointing a finger at something they did wrong, I'm not excusing them, but I try to start with what motivates them and then tailor the message to that person. So one of the warm-ups I do is, you know, a lot of people have heard this Marc Andreessen quote that software is eating the world, and what he means is that every company, regardless of what you do, is now becoming a software company. John Deere does not call themselves a tractor company; they call themselves a software delivery platform, and that's how they
self-identify GE is re re reconstructing its entire company to be the industrial internet um you know Cisco is talking about the internet of everything now what they mean is this is a business opportunity and if you aren't good at software you better get good software because if you want to please your shareholders software is the last mile of differentiation when I hear it I hear something different I hear software is infecting the world right we're putting software and weakness and Bluetooth and internet connectivity into every single aspect of our lives and the number devices in your home that weren't hackable before that are now hackable is growing right it's like a plague none of us look at it that way we kind of think
the internet of everything's awesome um but we're not going to feel that way forever and at some point um we'll come to like a happy middle ground and we'll realize okay sometimes it makes sense to put softw and connectivity onto something and in some case use cases it's wildly inappropriate to put bluetooth why do you need Bluetooth on your insulin pump that can kill you I mean Jay radliff just talked as how he kind of got into this area is he could do unauthenticated um communication with his BL with his insulin pump and give himself a lethal dose I mean that's kind of what Barnaby Jack was doing when he did his famous uh hacks on stage right
Why would you do that? And if you're gonna do it, you better be willing to do it in a safe and secure way. You really got to do the threat modeling, you really have to be held to a higher standard. So I couldn't come up with a good metaphor, and I would still prefer a better one from somebody here because you guys are all smart, but I was fixing my deck, my patio, right, I got my gas grill out there and I had to buy new nails, and I bought galvanized nails. Do you know why we buy galvanized nails? Anybody? Rust, they don't rust. You know what the problem is with galvanizing metal,
anybody? It makes them brittle. So I bought 10 nails because I needed 10, and I had to go back and buy more because I bent half of them, right? So I'd rather we look at software and connectivity like that: when the use case is appropriate, when we need the rust proofing, we make that choice, and when we can't afford the brittleness we make a different choice. But we're not there yet, and I've often called this, I know you guys hate the word cyber, but guess what, when you talk to the outside world you better get used to it, so I call it cyber asbestos, because we used asbestos everywhere. It was lightweight, it was fire retardant,
it was such a miracle material for builders. We put it in schools and hospitals and manufacturing facilities, we put that stuff everywhere for years, and then we found out it gave you cancer, and we had to condemn some of those buildings, and there's billions of dollars of class action lawsuits over that thing. Now people still use asbestos, but they use it in less prominent, less... they don't use it everywhere, they use it where it makes sense and where it's safe to use. So I want to find that happy ground. Right now we all groan about things like Heartbleed because it affected most people, I mean it had a logo, it had a
pretty, you know, marketing campaign, but one of the things, when you're done your groaning, is that OpenSSL is pretty much everywhere. There are certain open source libraries that make their way into lots and lots and lots of embedded systems, and the stories to me weren't so much that there was a bug in open source, and it wasn't so much how long it had been there, it's more stories like when Rob Graham looked at the internet on day one he found 600,000 systems nakedly exposed, affected by Heartbleed, and he would do a monthly scan with masscan, and six months later it was about half of them, actually the first
three weeks I think it was half of them got patched, but he kept scanning month after month after month and the last half never got patched. And when people looked into why aren't these things getting patched, they were in industrial control systems, they were in embedded systems, they were in places that needed the software but couldn't be updated. They were essentially forever-day bugs, and some of these places they landed are mission critical, life critical, safety critical systems. So when you're going to depend on things like open source, which everything does, whether it's the bash bug or whether it's OpenSSL or whether it's the one that's hitting hospitals right now, which is a
flaw in, it's basically the FoxGlove flaw, but it's a serializer/deserializer problem that was in JBoss, used by tons and tons and tons of people. In this particular case it was a McKesson device. So when we depend upon these things everywhere, we've now invited weakness in a way that, yeah, we get the benefits of this stuff, but if we can't also patch it we're in big, big trouble, and that's exactly what's been happening, right? We're finding OpenSSL and HTTP client and Bash in medical devices, in our homes, in industrial control systems. In fact one of the more responsive vendors on OpenSSL was Siemens, Siemens industrial controllers, Siemens as in the one that got hit by
Stuxnet. So to their credit they admitted how many of their very, very expensive industrial control systems were affected, and they could patch themselves. Many of their direct competitors were also affected and could not patch themselves. So I still had arguments with car companies early on as to, well yeah, we use all that software but we don't have to be patchable, patchable adds an attack surface, right? And then Shellshock, etc. So when I try to bring this home, I showed this this morning but it bears repeating: we know we're going to get hacked, we know that cars are going to get hacked often, the question is how much damage does it do. And everybody
knows about the Haitian earthquake because it was on the news every single day, and Obama was asking for money and the American Red Cross was asking for money and all the living presidents were asking for money, and it was a terrible, terrible, terrible tragedy, 235,000 people, I think it was 230,000 deaths. It was a 7.0 Richter scale, flattened many of the buildings, they crushed everybody inside. Now nobody heard of, very few people heard of a much, much stronger earthquake in Chile six weeks later. It was 8.8 Richter scale, and if you know math it's logarithmic, it's a lot worse, 7.0, 8.8. It only killed 279 people. That's why we didn't hear about it, it was nowhere
near as attention grabbing. And when all the scientists looked at all the different factors like population density and proximity to the epicenter and all these other things, why did an 8.8 only kill 279 people and a 7.0 killed 230,000 people, it was building codes. That was the number one contributor. Chile had building codes, Haiti did not. What shook buildings in Chile flattened buildings in Haiti. So it wasn't the presence of earthquakes and it wasn't the magnitude of earthquakes, it was do you have building codes. And we really don't have building codes for building software code, we don't, and honestly we probably threw up a little bit in our mouth when I said that, right? But the thing is
we're taking this software that we can't defend. Anything, if you really challenge yourself: a hundred of the Fortune 100 companies have had a loss of intellectual property, every single PCI compliant merchant has lost credit cards, our failure rate is about 100%. So everything we do, on a long enough timeline, fails us, right? We've given up entirely on prevention, right now it's all detect and respond, how quickly can we detect and respond. But what's the response after somebody's been killed? You can't unkill them. You can reissue a credit card, you can do credit monitoring, you can't unkill somebody. And the reason it's been acceptable is those failures were not consequential failures, right? Nothing has really triggered the motivation to start
to look at a need for a higher level of assurance of safety critical IT. And what's worse, though, is when we have our high consequence failure it's going to look a lot like this. And if you remember, the whole auto industry knows somebody's going to have the first car fatality, everybody knows, and they've also, to their credit, they know that it doesn't matter which one gets hit first, it's going to hurt all of them, because when there's a crisis of confidence, and that's the key phrase, when there's a crisis of confidence in the public to trust connected vehicles, my mother-in-law will be terrified, right? So when she saw the Jeep
hack last summer she stopped buying Jeeps, I'm not kidding. From the day I started dating my wife till now they've been a Jeep family, but after last summer they had to get a new car and they didn't get a Jeep anymore. And it's not that Jeep isn't able to secure themselves, it's that the confidence was shattered. Someone doesn't want a car that might do something unexpected. In fact I see one of the guys from NHTSA, one of the quotes, this is a little off script here, one of the quotes that really sunk in for me is, we were, so the Cavalry was so, so focused on getting them to have a culture change and a
recognition of the existence of talented and persistent adversaries, the actual threat models, that we tried to do it in a non-sensational way, because we didn't want to scare my mother-in-law. Not theoretically my mother-in-law, actually my mother-in-law. We didn't want to scare her, because the truth is whenever you talk about car hacking somebody in the crowd says, oh, that's why I'm keeping my 1997 Civic, and that bothers me for two reasons. One is, a newer car is so much safer than a 1997 chassis, I mean so much safer, there's so many safety and crash survival ratings improvements that have happened. I don't want people to be afraid of new cars, I want them on new
cars, right? And the second thing is, and this is why I need to do the quote from the administrator from NHTSA, NHTSA is the National Highway Transportation Safety Administration, basically the last year we have stats for was 2014, and it was 32,670 deaths in the US due to car accidents, and 94% of those were human error. We know the year-over-year went up about 8%, so if you do a little quick math, I'll do it for you, about 100 people every day die in a car, about 100 people, and 94% of them are human error. So therefore if we can get to autonomous and semi-autonomous vehicles we're going to save a lot of lives. While
we've been here today we've lost 50, 60, 70 people to avoidable vehicular accidents. So we're not Luddites saying we shouldn't have modern connected cars. The challenge, and this is very nuanced, is we need to compel the right motivation and corrective action on the part of the automakers so that we can make our cars safer, to preserve the trust that hasn't been shattered yet, because the moment we shatter that trust, the moment people are afraid to trust these semi-autonomous vehicles or the connected vehicles, we're just postponing the life-saving advances that we could have. I know that seems a little unintuitive, right? I'm not going to say I trust all technology, but the truth is my peripheral vision is
only this good, but a car can see 365. I can be distracted or angry or tired, but the software won't be. So we're never going to take the human out of the loop entirely, but we have to help preserve that trust. So what the issue is, and this is really what got through to them, it's not so much that they're going to have a failure, they know they're going to have a failure, the issue is the response time at the moment for the current fleet of vehicles is so poor that it's going to look more like this. If you can't patch your vehicles, or if the patch is really manual and error prone, you're gonna,
that's what's going to shatter the confidence of the public. So I've started shifting them away from car hacking to, are we ready for failure? Now one way we did that is on our first birthday, two years ago at DEF CON, we issued a Five Star Automotive Cyber Safety Framework. We released it through Reuters, we did an open letter to all the car CEOs, and we essentially said, paraphrasing, look, you guys are masters of your domain, you've been making cars safer and safer year over year for the last hundred years, we're masters of our domain in cyber security, and now that cars are computers on wheels our domains have collided, and we will be safer sooner if
we work together, here's a framework to work together. And the basic idea was, since all systems fail, you need to be prepared for failure, and I'm going to walk you through some of that in a bit, but basic principles like safety by design, third party collaboration, evidence capture, security updates, segmentation and isolation. This was not meant to be a PCI checklist, this is not meant to be prescriptive controls, this is not meant to be the finish line, it was meant to be the starting line: you must be this tall to ride the internet of cars, that basic idea. And sadly, two years later, we're still many, many years from
satisfying all these, and one of the really tough emerging issues that I've been talking to NHTSA and the Auto-ISAC and Congress about is number three is going to be a doozy, the evidence capture thing, nobody wants to touch it, which we're going to talk about a little bit tomorrow, maybe a little bit today. But let me just show you the basic engineering principles I shared with them. So all systems fail, yes, all of them, there are no exceptions, and physical engineers know this. So back to speaking their language, this is an engineering, electrical and physical engineering discipline. So when you know all systems fail, we know cars crash, that's why we
put so many crash survival features into them. So it's about, can you fail in a predictable, graceful way? So what do we know about computer science? Very, very little, but we know that the more code you have, the more problems you have. I mean, a Biggie Smalls graphic, I wish I'd thought to put it in here. But there's a certain unavoidable defect rate per thousand lines of code. We don't measure it per million lines of code, we measure it per thousand lines of code, because there's defects in every single thousand lines of code. Now really mature programs, they'll measure it by 10,000 lines of code, but there's a flaw rate per 10,000 lines. Now Windows XP or Windows 7 had
about 10 million lines of code in it, so think of all the problems you've personally experienced and the patch frequency and cadence for your Windows system, about 10 million. But a car has over a hundred million, so they should be patching 10 times more frequently. When was the last time your car got patched for a security issue? Anybody? About a year ago for your Chrysler, right? Was it a seamless patch like Windows Update? I know, I know, right? And you know what, to their credit, they updated it. Some of the ones we've told cars about, they cannot be fixed. And I'm not beating on GM, GM's doing a fantastic job on a number of
fronts, but what no one saw after all the discussion over the patch you had to go through is GM also patched a bug about a month later, and it took five years to fix. They did it, and it was over the air, but it took five years to do because it was a really hard problem to fix on really old legacy technology. So, all right, I don't want to lose the rhythm. Okay, so 10 times the lines of code means 10 times the number of security flaws, it's just a fact, right? Software isn't the problem, right? Software's been in cars a very long time. The problem is that we've been given
remote access of varying lengths and ranges, more and more and more over time. So the original sin, if the original sin in healthcare was meaningful use, the original sin, this room will actually get my joke, the original sin in cars was the government mandated back door known as OBD2. So for emissions testing we had to add a direct port onto the CAN bus to allow for diagnostics and emissions testing etc. from the state of California. So that was one of the early ones. The second one also came from California, it was, without requiring physical access to the car, the tire pressure monitors. The tire pressure sensors were very, very short range, but they
were there to make sure we had high fuel economy, to cut down environmental impact, because tires that are running a little low have poor gas mileage. But think about all the things you've added: you have Bluetooth so your smartphone can connect, and you have near-field communications, and you have 4G LTE Wi-Fi standard in all GM vehicles, 4G LTE Wi-Fi hotspots standard, whether you want it or not you get one. And I flipped out when I first did it, and before I was even friendly with Jeff Massimilla at GM, I said I have a 4G LTE Wi-Fi hotspot in my phone, in my car right now, my kids can use this to play on their
iPads, but this one can't kill the brakes and yours can. So it's the level of remote activity. And for those of you who don't yet know how to manipulate CAN bus and haven't gone to the Car Hacking Village, which is awesome by the way, don't worry, you do know web browsers, and we've added third-party app stores to a lot of these things, and a lot of them are running on really, really familiar and really, really vulnerable web browsers. So the stack is becoming more familiar to us, which means it's becoming more familiar to adversaries. So it's not the presence of software per se, it's the number and variety of remote
attack surfaces, and that's why Chris and Charlie were able to do this over the Sprint network. Because, you know, Dan Geer has this line, well, I'll get to that in a second. So it's the number and variety of remote attack surfaces that are changing, and as you guys know, Bluetooth isn't very large range, but you can amplify that significantly with a scope and whatnot. So then usually we get to the part where someone says, yeah, yeah, yeah, of course they could kill you, but there's no money in it, right? And I've even heard Chris and Charlie say there's no money in it. First of all, that's wildly uncreative, I can think of
lots of ways to monetize car hacking, Bitcoins to start your car, you know, just a couple, right? So when they say that no one would hurt you, we're not thinking, and we're conditioned most of our careers, if you've been in corporate security or pen testing or payment card industry, most of what we've done, our best practices, which suck by the way, when was the last time you did a pen test and didn't get in? Anybody? Okay. So most of it's focused on the confidentiality aspect of the CIA trinity, and of regulated data, replaceable regulated data. We're not really well suited for people that want to do physical harm or that want to hurt
the availability of mission critical systems. Most of our advice is still about confidentiality and breaches. So Beau likes to remind me that it's not just adversaries, it's accidents and adversaries, and if you've ever done a threat modeling exercise, even if you think you have no natural predators, you still have one threat actor, Murphy, Murphy's Law, right? So also malicious intent is not a prerequisite to harm. Software has glitches, and no matter how much testing you do... there was this long protracted set of court cases over the unintended acceleration case where they brought in NASA scientists to look at the software complexity of the Toyota Lexus
braking system to see did a glitch lead to unintended harm, and we're not even trying to relitigate that here. We don't have to have the boogeyman to have concerns over cyber safety in vehicles, it's the software and the remote connectivity of that, that's a big issue. In fact Hollywood Presbyterian hospital in Southern California got hit by the SamSam ransomware, which took advantage of that JBoss flaw in that McKesson device that could have been patched, and it locked up systems so badly they had to divert patients to other hospitals. So that piece of ransomware wasn't targeting Hollywood Presbyterian, it had no intention of hitting a hospital, it just happened to accidentally cause harm, and
the same can be true in our automobiles, but you have to think a little more creatively. Not script kiddies, or not nation states, who are equally vulnerable to this, although they could do assassinations, but think about other adversaries like an ISIS or an ISIL. It's not that hard, and as we lower the barrier to entry for these and as we make them more connected, this is yet another way to scare people or to hurt people. You know, we wrote a piece for a government agency on an attack scenario for New York City, kill all the Lincolns in the Lincoln Tunnel was the opening sentence. So if
you do a kill bit on the wildly vulnerable, unpatchable thing in some of these different makes and models of vehicles, you could disable any ingress or egress out of Manhattan by hitting a few bridges and a few tunnels. You don't have to hit every car, you just got to hit a sufficiently representative number of them so it would take days to tow them out. So how'd you like to cut off food and water, and throw up some sort of attack, credit for that, I'd like to combine that with a Hollywood Presbyterian style attack. So we don't want to scare people and use scare tactics, but one thing that shocked me
this morning, so I'm going to repeat it again: when Jericho and I researched Anonymous for two years, two and a half years, we wrote the Building a Better Anonymous series, we said that we're less concerned with what Anonymous is doing and more concerned with what comes next. And I meant that someone was going to pick up and perfect the blueprint of the use of social media and asymmetric warfare and all the things they were doing, right? But this is not even theoretical anymore. There were very, very, very few hackers in Anonymous, most of us know that. One of the hacking crews was TeamPoison, and one of the members of TeamPoison, Junaid Hussain, the guy
who attacked Tony Blair's website through TeamPoison, he left the UK, he moved to Raqqa, he started the Cyber Caliphate, he was training and recruiting people to use Shodan, to use Metasploit, really low hanging fruit, you don't have to be a super elite hacker to use some of these freely available tools. And shortly after DEF CON last year he was killed with a drone strike, and I'm shocked at how few of our friends here in Vegas this week even know that happened. But think about what you could do if you wanted to hurt people, and the answer is you could do a lot. But anyhow, to quote Dan Geer, on the internet every sociopath
is your next door neighbor. So you're kind of hoping that zero people out of seven billion have the means, motive and opportunity to hurt you. That's not good math. Not only is there, what, 1% of the global population is a sociopath, and some of them are likely to be hackers, we actually know a few of them and we go drinking with them this week. So I don't want to be in a situation where I hope they wouldn't hurt me, I want to know they couldn't hurt me. So back to this Five Star: if we know failures will happen, can we put some scaffolding in place to make sure that when failures occur we're prepared
for failure? So I like the names that we put in our original document, but I so much wish I had just said it this way: how do you avoid failure, how do you take help avoiding failure without suing the helper, how do you capture, study and learn from failure, how do you have a prompt and agile response to failure, and how do you contain and isolate failure? So I'm going to put some names and faces on this, and again this is more for the outside audience than for you guys, and even if you do these things you will still be hacked, but the question is how much damage can that do. You know, the
Chris and Charlie thing, let them put their tracksuit image on your center console through Uconnect, but don't let them shut off the brakes. Why are critical systems directly connected to non-critical systems, right? And there's historical reasons why they are, and some of them are good reasons and some of them are not good reasons. So safety by design: do you have a published attestation of your security life cycle? You can just say we do nothing, you can say nothing, but allow the free market to be able to assess yours from somebody else's. So Microsoft kind of does this with their SDL, their SDLA, and this just created a way for us to talk to them
about do they do threat modeling. And for the first six months we said, which threat modeling system do you use? And after six months of asking that question, and every single response was, what's threat modeling?, we stopped asking that question. But it became a way to not say, do you have a security program, but rather, let's look at how strong your maturity is on different aspects of your security development life cycle. Third party collaboration: do you have a public attestation, or do you have a published coordinated disclosure policy involving assistance of third party researchers acting in good faith? And of many of our victories, between what Jen Ellis has been working on and
Katie Moussouris has been working on and the NTIA process, this is where we've had the most success. But basically let's put it in really simple terms: do you have a beware of dog sign, implicitly there, that you're going to send cease and desist letters and lawyers at someone who brings you a bug, or do you have a welcome mat? And that was one of my favorite parts of Mary Barra's keynote, was she actually used the term welcome mat on the vital importance of working with third party researchers. Evidence capture is the one that's going to be really, really hard for a bunch of reasons that aren't obvious, but do your vehicle systems
provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations? Everybody knows what one of these are, and aside from the fact that it recorded the conversations in the cockpit, which we were never asking for, the first thing that happens when a plane crashes is we call the NTSB, National Traffic Safety Review Board or whatever, something like that, I can't remember the name. The very first thing to look for is the black box. So whenever something's lost at sea we'll only have so much time before we can recover that vital black box. If it's so vital to preserve the safety of the industry and to preserve trust in the industry, why isn't anybody freaking out?
There's zero cars that have one. Zero. So we aren't tamper evident. It took six months, I believe Chris and Charlie said, of failed attempts before they successfully got their payload to work, so we would have had six months of tampering, reconnaissance and failure to notice and maybe shut down ports, right? We keep claiming no one's ever been killed in a car crash due to hacking, but we have no evidence collection to ever prove otherwise, it's very circular. So this one's a fairly important one, and turns out that the largest opponent in the entire ecosystem is actually the privacy guys, it's not the industry, industry actually wants these. So we have some very strange
fights to have in discussions on can this be done in a privacy neutral way, and when we wrote the standard we actually said this can be done in a completely privacy neutral way. And the irony is, what's the most, I'm not even going to name it yet, what's the most privacy conscious country on the planet? Anybody? Germany. Guess who just announced last Monday that they're going to require black boxes in all their cars? Germany. So if Germany can figure out how to do this, and we're gonna, we are, Beau and I just had a call with the embassy, we're going to directly work to help make sure it's a good one. But the US is so
afraid to get in fights with the privacy advocates, but somehow Germany's going to find a way through. So this one's a really, really, really important one. Just like in the hospital environment you do a morbidity and mortality, you do a postmortem, you do an AAR, you want to study and learn from what happened, what went wrong, how do we improve ourselves, and that's not going to be possible until we start capturing evidence in a consistent way. Security updates: can your vehicles be securely updated in a prompt and agile manner? Initially they fought us tooth and nail on this one. They said, ah, it's going to add an
attack surface, it adds complexity. And although we don't know how to secure a web browser, we do kind of know how to do a secure update process, like it's a tractable problem. And yes, it may add an attack surface over the air, but it also gives you the ability to have a prompt and agile response, so you're not the Deepwater Horizon oil spill for weeks and weeks and weeks. So this is something like, every single day your phone apps are updating, Microsoft's updating, etc., etc. So it's a similar kind of idea. You know what, if they want to do it the more expensive way, through the dealer,
physically sending USB keys, whatever, fine, let them. But ironically, what blew my mind is one of the companies that screamed at me, said they would never do it, on a subsequent meeting I said, how much does it cost to do a recall, like a physical recall? And we went through the math, and I said, you know how much brand damage you get when you have a recall in the news? And they said, oh yeah, we know exactly how to calculate it, it's this much, this much and this much. I said, wouldn't a software update have less stigma than that, you know, just a routine software update, and wouldn't it cost a lot less on labor and shop time? And like
the next month they announced that they were going to head to remote over the air updates, not because it made the car safer but because it saved a ton of money. So I really don't care why they do it, I just care that they do it. And then segmentation and isolation: this is the idea of, do you describe how you separate your physical and logical systems, excuse me, physical and logical isolation measures to separate critical systems from non-critical systems? Some of these guys use the equivalent of a VLAN, some of them do nothing, some of them have a security gateway but it just lets everything through, some of them use
virtualization and process isolation. I don't really care what they do per se, but I think we should be taking steps. In fact the one I've seen that's done the best is Tesla, absolutely intentional different communication mechanisms for infotainment versus physical safety. And the idea here is a submarine can flood compartments without sinking the whole ship. The problem with the CAN bus isn't the CAN bus, controller area network, it's the fact that once you're on it you pretty much have unfettered access to everything else, pretty much. There's things that they do to try to prevent abuse, and all of them are defeatable,
if you don't know that, talk to Craig Smith, the guy who started Open Garages, or go to the Car Hacking Village, he'll just show you. So one of the issues there, back to that Civic: I told you there were two reasons I hated the idea of keeping your Civic. Now that we have these wonderful things like Progressive dongles from your insurance companies, or Verizon's Hum, or all this bevy of little Indiegogo, Kickstarter size projects that plug into that OBD2 port, you just took an unhackable 1997 Civic and you just made it hackable. Because once you're on that bus you're in big trouble. And I just shared a long train ride with
the CEO of a car company in the trucking industry, tractor trailer trucks, and his technology works for OBD, and they're very, very, very concerned about those massive amounts of steel being hackable through a lot of that stuff, because they almost all depend on lots of aftermarket OBD2 technologies. So even if you don't think those tractor trailers are hackable, they've just become hackable for those reasons. And when you kind of put this into context, many of us are like, but Josh, this stuff's really, really basic. Yes, it's really, really basic, but you have to understand where they are on their journey. They just woke up about a year ago and
realized they were software companies, and it's not excusing their behavior, but they have no idea what they're doing here. And I think back to Microsoft 17 years ago sending cease and desist letters to our buddies, maybe you even have one on your wall, but then you had Katie Moussouris issuing a six-figure cash prize through Microsoft's BlueHat program, and some people here have received that six-figure cash prize. How do you go from cease and desist to six-figure cash prizes? I call it the mean time to enlightenment. For Microsoft, 15 years, right? That enlightenment, to two, because we're not going to snap
our fingers, and not focus on failure but focus on future success, and not tell them all the things they're doing wrong but also tell them the things they're doing right. And even if they do all these Five Star things they're still going to be hackable, but at least I think we're maybe better prepared to contain and respond to and notice those failures. And I just want to end, before I go to questions, on a couple of the successes, right? Tesla does not have 100 years of baggage and legacy to worry about, so that's in their favor, and they've been freaking awesome, right? They have a bunch
of security and software engineers they hired day one. They did threat modeling, they hired security people on staff, and they were the world's first automaker to have a coordinated vulnerability disclosure program, and for that they need a round of applause, right? [Applause] They also set the model of crawl, walk, run without even knowing they were doing it. They had money to issue bounties day one, but they didn't go right for that. They wanted to see how many bugs, they wanted to see what kind of bugs, what kind of variety, are we going to get flooded, is this going to be noise. So six months into the program they realized, okay, we have more capacity, and they offered a cash prize. I
think it was up to a thousand bucks, and then 6 months later they upped it to 10,000. So they showed that you don't have to go from zero to six-figure cash prizes from Microsoft; there is a way to ramp up. Now I don't have a screenshot for it, but let's also give a round of applause to GM. GM this January was the first traditional manufacturer, and it was much harder for them to get through their red tape, and they offer a coordinated vulnerability disclosure program. So let's give a round of applause to GM.
And I'm going to postpone it for now, but you know, I was one of the voices discouraging them from offering cash prizes initially. There's a lot of good reasons I discouraged it, and they will be, and they have budget, and they are doing private hackathons with prizes, but that's a different discussion. And then third, in the last month, Fiat Chrysler, FCA, offered through Bugcrowd their first bug bounty. They went straight for a bug bounty, so they do have a small cash prize, but they also are saying we will not sue third-party researchers acting in good faith who follow our policy. So let's give a round of applause
for Fiat
Chrysler. Now, if you were in the medical sessions, one of the reasons that was so powerful to hear Suzanne Schwarz from the FDA is, when we tackled the automotive first, it's because there's only about 20 OEMs, so we knew that one at a time we could wear them down and finally make it a tractable problem. But when it comes to medical devices there are thousands and thousands of device manufacturers, so we had to take a more centralized approach. And more recently NHTSA has been very helpful here, and the guidance that was about to come out and is soon to come out, you know, they've been very pro coordinated vulnerability disclosure, and
I think that's really the gateway drug in the five star: once people start receiving bugs and they start seeing researchers as an asset, as a teammate instead of a threat, they might find more bugs, find them sooner, get them fixed, start to realize the need for more containment and isolation, start to realize the need for prompt and agile updates, etc., etc. So back to that five star: the failures are going to happen, but are you prepared to avoid failure, take help avoiding failure, learn from failure, respond to failure and isolate failure? And the way I put this finally to them is, it's the Cuyahoga River in Ohio. I said this this morning, so it's a repeat for a
few of you. Andrea Matwyshyn, who is speaking here, she's a law professor; when we did our constitutional congress for the Cavalry at DerbyCon, a little after, almost three years ago, so it was after DEF CON, she kind of said, "Hey guys, nothing's going to change until people die. You're going to need your burning river on fire moment." If you don't know the history, the river in Ohio, the Cuyahoga River near Cleveland, caught on fire and stayed on fire many times, and ultimately somebody got a picture for Time, I think it was Time Magazine, and it finally triggered corrective action like the Clean Water Act and things like the EPA. But it
took really bad things; like, how bad does pollution have to get before you have a burning river on fire? How do you even put that out? But they did, and this was not even the worst of the fires, it's just the one they got on picture. So we may have to have that high-consequence failure, but the problem is the 2019 models are already done for some of these manufacturers, and the supply chain that goes into them is done even further out. So unless they anticipated perfectly, without our help, all the kind of smart security defensive things they need to do, the response times are going to be very, very
slow. So I don't want to wait for our burning river on fire moment. I don't want to wait for my mother-in-law to have a crisis of confidence in connected vehicles. I want to preserve that trust so that we can more quickly save the hundred people per day that die due to human error. And if you think individual cars are bad, just look at vehicle-to-vehicle and vehicle-to-infrastructure stuff, which is a mess. And again, this has taken a leadership position there, and they've done a lot to have a privacy-by-design protocol that's been worked on for 12 years. But where this whole system breaks down is, there's one security
principle we do know, which is that security is not composable, which says if you take secure thing A and secure thing B and you put them together, you might not have a secure AB. But the inverse corollary of that is you could never take an insecure car A and any other car and have a secure network of cars, right? And if you've talked to Cesar Cerrudo, who talks about smart cities and hackable infrastructure, most of the roadside equipment that would be participating in this vehicle infrastructure is passing stuff in the clear, on purpose, by design. So I'm very, very worried about the system of cars, the internet of cars, and there have
been some Congressional hearings on this, and there has been some good work, but more is needed, and we're going to need more help from more people when we get to that stage. But we focus very, very deliberately on individual cars and individual car companies, because the system will never be secure if we don't have secure participants within that system. So, the road ahead: just a few nods to some existing and new initiatives. Individual bugs scare and polarize the auto industry, so I know we like to think that if we drop 0-day, if we do a high-profile attack, it'll trigger corrective action, but it tends to trigger an immune response, and it
tends to hurt trust if it's not done carefully. But there are some people who have had projects for a while now that have been building trust and building up a community of interest and talent. So one of them, one of the most talented but least extroverted, is Craig Smith, who founded Open Garages a while back when he still lived in Ohio, and now he's in, I think, Seattle. So Open Garages is something that you could start in your own town; it's basically a platform to teach students and mechanics and anybody that wants to tinker on cars how to hack and how the cars' electronic systems work. And he's one of the guys who helped
found the Car Hacking Village at DEF CON later this week, so definitely check that out. And one of the nice things about him and his tribe and his extended friends is they create lots and lots of free and open source tools. So to truly build up a community you need to teach other people how to do this stuff, and they're very good on sharing because their focus is on safety and protecting, less so on the public stuff. There's also a new initiative that was originally in Intel, but people thought it was an Intel scheme, but it wasn't at all. Now it's a 501(c)(6) nonprofit called ASRB, Automotive Safety Review Board,
and their idea is they want to have self-healing networks of cars by 2025, right, or 2030, or whatever it was, like this big audacious goal. But they want to think past individual car protection and think about which technologies are missing that will allow us to notice failures or attacks in one area and dynamically heal fleets of vehicles and things like that. So, in full disclosure, I'm the chair of the tech steering committee, but what we did is we took a mixture of breakers and fixers. So I'm more on the blue team type side, and they have people like Marc Rogers, who was one of the Tesla hackers; they have people like
Craig Smith; they have some folks from academia that do car hacking. So we have about an equal mix of people that know how to break cars and are really experienced at breaking cars, but also people who think that instead of just breaking cars over and over, maybe we should look at alternative reference architectures and alternative designs. So the idea of this spiral here is we want to always have a fusion of an old priest and a young priest, or a blue teamer and a red teamer, to look at future stuff. So the deployed fleet is sunk cost and it's really hard to fix; the deploying fleet is the stuff that's coming off the
factory line right now, and you might not be able to change the supply chain, but you can at least harden stuff; and the future developing fleet is really where we want to focus. So if people are in academia or are focused on future technologies to make cars safer and less hackable, please look me up for that. And I don't have a slide for them, but the Auto-ISAC didn't exist really, other than a name, until pretty much January, and the Auto-ISAC, just like the other ISACs, are information sharing and analysis centers. They too are a nonprofit versus the government-sponsored version, and it's right now mostly just the automakers, but they're
creating participation levels for the tier one suppliers, and they're going to create a third tier of participation for folks like I Am The Cavalry and civil society nonprofit groups to help. And that's less about, you know, maybe making cars less hackable and more about, when cars are being attacked, threat information sharing, kind of like the FS-ISAC and other ISACs currently do. And then I can't put a slide up, but I hear that NHTSA's guidelines are done and just going through approval, and Frank can't talk about it yet, but we believe, based on previous writings they've done, that it matches quite a few of the principles of the Cavalry's five star already, as well things like the
value of coordinated vulnerability disclosure and working with third-party research communities. So that's kind of an update on where the things are with cars, and again, everybody in this ecosystem is motivated differently, but my goal with conversations like this is hopefully that you are now more motivated to get involved. So that is the end of the prepared remarks. Thank you.
Yes, it is, it is, yes. The comment was that segmentation, isolation, is also an issue on airplanes. That is true; to save on the weight of the airplane they collapsed avionics networks and infotainment networks, because cable is very heavy. Yes, we have any there, yeah. So the Cavalry's initiatives are, we have several projects: we have automotive, medical, public infrastructure, which is where planes and trains live, and home IoT. So we are engaged with the Aviation ISAC and that topic, but not in this talk; maybe a little tomorrow morning. In fact, one of the aviation guys is here. Anybody else? Okay, all right. Bo, is this the last talk for today? This is the last one, right? Okay.
All right, I'm gonna run upstairs because Suzanne Schwarz from the FDA is gonna address
everybody.