Rob Joyce Keynote

BSides Augusta · 2016 · 41:14 · 50 views · Published 2016-09
Style: Keynote
Mentioned in this talk: Hardware

About this talk
Video from BSidesAugusta 2016.

Transcript [en]

[Mic check.] All right, let me introduce our keynote speaker. Rob Joyce serves as the chief of the National Security Agency's Tailored Access Operations organization. As chief of TAO, Rob leads an organization that provides a unique and highly valued capability to the intelligence community and to national leadership: tools and expertise in computer network exploitation to deliver foreign intelligence. So that's the organization Rob works for and what Rob does. I reached out to Rob to see if he would be willing to come to Augusta and present. He was very gracious and willing to come out here from Maryland to speak, so please join me in giving him a warm round of applause. [Applause]

Thanks, Mark. All right, thanks everybody. I'm going to ask you for one more round of applause for all the volunteers here today. [Applause] These BSides events are just awesome. Think about the exposure, the understanding, the education you're getting for almost free admission, right? A nominal ticket price, you go away with a t-shirt, all your swag is the stuff you bought. It's just phenomenal, and BSides are cropping up across the country. NSA is proud to sponsor here in Augusta; we do DC and Baltimore, and I know our folks participate in Austin, out in Texas, as well. It's just a super opportunity to make sure we understand how we're going to secure cyberspace in the future, and I think the investment shows: you'll see young people here, experienced professionals, people who are curious. It's just awesome.

So as I get to talk to you today, what I want to do is take you through a little journey and think about where technology came from and where it's going, and hopefully, as we start the day, put that in the back of your minds so that when we're hearing all of these presentations you've got something to anchor them to, and you can rise up out of that and think in terms of a bigger picture. So where's technology going, what are the risks? "Where's technology going" is a little close to predictions, and predictions are hard. I think it was Niels Bohr who said predictions are hard, especially when they're about the future. So I'm really not going to try to predict too much about the future, but let you think about where we've been, where we're going, and then what that means.

So I'm going to talk in terms of five revolutions that I've seen come through. This is 1970s computer technology. Computers were owned by industry, they were owned by government, they were owned by educational institutions. They were such a scarce commodity that they were time-shared: you had to make an appointment, you had to submit a batch job, but you got a piece of that resource. It was a scarce resource and most people didn't have access to it. So that's the lineage, that's where this has grown up from.

Fast forward to the PC revolution. In 1977 things started growing in the personal computer revolution; they really became home computers in the '80s. But this is the point where the masses could have this. People could understand and start to learn for themselves; they could tinker, they could play, they could evaluate and understand and learn by doing. You didn't have to go to a formal course, you didn't have to have that special access to something institutional. It really opened the door for the masses to get into this.

Next revolution. So the first revolution was the personal computer. The second revolution, and I'm cheating, I'm getting a twofer here, because I'm really talking about the internet and the World Wide Web, which are intertwined, interlinked, but different. If you look at the internet, the connectivity, the way this rolled out, you now brought information from across the globe into the homes, into the hands of people. If you think about the internet, the time frames on the internet are very short. So as we get going, sorry, let me put up my speaker notes and make sure I'm catching the right dates here.

So as you look at the revolutions in terms of connectivity, exponential growth: a thousand machines connected in 1984. That was the institutional period, university to university, government research lab to government research lab. By '92 we had a million computers connected. That's really a tipping point where people started to get access broadly to the internet. By 2008 we hit a billion machines.

Sorry, I'm not driving the slides from here, so I'm going to pull the connectivity and just run it myself. [A few minutes of A/V troubleshooting while the slide deck is restarted.] Apologies for all the IT tech stuff. That's the beauty of going first: we came in and tested, but I didn't test with the recording.

All right, we're good to go now. I apologize. So if you look at that astronomic growth of connected machines, you're also seeing huge growth in connected users. In '95 we had 35 million users; in 2015, three billion users; today we've got 3.4 billion people on the internet. There's about 7.4 billion people on the planet, so almost half the planet's on the internet. There's a research professor, Metcalfe, who talked about Metcalfe's law, which says the value of a telecommunication network is proportional to the square of the number of users on that system. With this growth, when you double the people you don't double the value of that network, you're squaring it: exponential growth as we add people to this network.

Think about the internet and the types of things you do with it. A lot of us have niche interests. Think about eBay. eBay started as a place somebody wanted to sell their Pez dispensers. They started up eBay and it flourished; they found Pez dispensers around the world, people who collected that small, niche, odd thing, and they connected them. But then other people found it, and everything from electronics to glassware to other stuff followed, but you could find people around the globe who participated in your small community. The same thing grew up in terms of information. If you wanted to know about something small and specialized, you can have somebody dive so deep that they understand the nits, the tiny bits of that technology, and it was accessible to you through the internet. Think about those of us who are involved in programming. If you have a question on a routine, or you need a snippet of code, you need to find out why something's failing, maybe your PowerPoint is not running right, you can go out to that internet, you can hit the Google, and it will bring back somebody else who has dealt with that issue before you. The power of that information coming to you is exceptional.

Third revolution, I'd say, the cell phone. Think about where the iPhone has impacted the technology of this country. It's just phenomenal that you can be connected to all the power of that internet all across the land, anywhere you go, day or night; it brings the world to you, in your pocket. June 2007, that was the start of the iPhone. It wasn't even 10 years ago, and the first instantiation of the iPhone wasn't that awesome, but it quickly grew to the power of the apps leveraging the internet, and now you've got the sum total of the world's knowledge walking around with you in your pocket, connected all the time, with GPS, a video system, microphones, with the ability to interact with the world coming through that small device. That was a huge revolution built on those previous pieces that now brings more power to you. Remember I said it took a number of years to get to a billion machines connected through the internet. In 2015 there were almost 8 billion mobile devices connected to that internet. Again the growth curve continues exponentially, but now that connection goes with you. So the power of the multiplication of all of those things, on top of the information that they bring to you, is radically changing lives. If you look at global mobile traffic, it grew 74% again in 2015. Global mobile data reached 3.7 exabytes a month in 2015. An exabyte is a million terabytes. The folks that do the research have said that five exabytes would cover and record every spoken word said since the beginning of human history. If you transcribed every spoken word throughout the totality of human history, that's equivalent to the amount of data that's now flowing over the mobile networks in a month, today in 2016. So massive usage of this, massive volumes, but it's the connectivity, the information it brings and the enabling it does.

So I'd submit the fourth revolution is cloud computing. It's the big data backends that are now making that smartphone, or your home PC, but especially that smartphone in your pocket, bring the power of analytics and data together in a fused way, so that you can ask questions of that data and it will bring you answers that are distributed and able to scale to the level that we've got billions of people who want to go out to that messaging app, or to that GPS crowdsourced thing that will tell you when the traffic's bad and reroute you around it automatically before you encounter it. All of the things that can be put into it, stirred up, and then asked questions of come with the power of that cloud computing. And so really what that means is anywhere, anytime, you can get access to that data, which is everything, everywhere.

I would submit to you that these revolutions, these technologies, are culturally changing our society. Seven years ago that iPhone bit flipped. Walk outside during the breaks and look at the number of people who are interacting to and through that device. Maybe down a little bit as people worry about their devices in a crew like you; some people might not have them out and on. But as you go to the airport, the shopping mall, look at the people walking like this, or maybe flicking on their Pokémon Go, but they're interacting through this. You can check your bank account, you can message your kids, you can know your home security status. There are things online coming through this that direct your life, whether it be that GPS app or warning you that the smoke alarm's gone off in your house. That connectivity is massive.

So I said culturally changing. When I grew up, UFOs were a big thing. There were TV shows about them, there were books about them, you'd read about them in mainstream magazines, there were people alleging the government was hiding UFO information from the public. There were grainy photographs every once in a while of a thing somebody said was a UFO. Now there's billions of video cameras in everybody's pockets, walking around filming car accidents. Just go to YouTube and you see once-in-a-lifetime kinds of things happening, just bizarre stuff that happened to have a camera in front of it. Where'd those UFOs go, man? Culturally changing. We're not seeing that anymore.

So the fifth revolution I would hold up is really the Internet of Things concept. In 2009 people started talking about the Internet of Things. It's really taken off. By 2020 Cisco is saying two-thirds of the things connected to the mobile internet will be some sort of device; they won't have a person at the other end of it, it'll be device-based. It's about 15 to 18% today.

What's driving the Internet of Things? Anybody recognize what this is? Raspberry Pi. So a guy in England said, I want to teach more kids to do computers. He invested in, sponsored, built a company that could make computing affordable to the masses. Kind of that next level: it's at an institution, it's a home computer, but there's still a barrier to being able to tinker and play and understand that technology. So the investment they made brought the Raspberry Pi, a $35 computer, hugely powerful, multiprocessor. It's got hardware inputs and outputs so people can tinker and learn how to physically interface with a computer. It's got the connectivity to attach devices, whether it's displays, mice, keyboards, cameras, other things. But it was possible because of that chip in the center, which is a system on a chip, which takes all of the things that were discrete pieces of computers and jams them onto one piece of silicon. And when you can jam it onto one thing, you can drive and focus on the manufacturing cost and drive that down cheaper and cheaper and cheaper. So much of the cost of that computer really isn't in the computer itself; it's in all the connectivity that lets us interact with it. It's those big connectors, it's the interfaces that get out to the real world.

So the founder of the Raspberry Pi organization was talking to Eric Schmidt of Google, and he said, what are you doing next? And they talked about more powerful, bigger, better computers for the kids to learn on, things for experimenters to play with. And Google said, I think you've got it wrong. I think you've got to get it to the point where you can give them away. If your intention is everybody needs to have a computer, learn about a computer, make it accessible, get that on the internet, go from half the world to the whole world. And they scratched their heads and said, well, I can't give it away. And if anybody knows free, it's really Google; they give away Gmail and the Android operating system and all of those things. So it was probably thoughtful, reasonable advice, and this is what came out of that effort. This is a Google Pi Zero, and I don't know if the name is intended to mean zero cost, but it's five bucks. It's a slightly reduced version of that same computer. You'll notice a lot less connectors; they drove down the cost for the connectors. It's got one CPU slice, that processor, instead of a quad processor, but it's still an impressive machine. It's a really impressive machine. It runs full-blown Linux, it will play Minecraft, it'll run a web server. Through connectivity, I use these things: I can go out and control thousands of LEDs for a Christmas light show off that one CPU. It is an amazingly powerful computer, and in fact that computer has more compute cycles than that room I showed you from the '70s. It has way more compute power than those first home PCs I showed you, which were useful devices, and it's five bucks. And in fact, Micro Center in Atlanta, what's the closest one here? Atlanta. So Micro Center had them for 99 cents. The cost of this is still in that board, in that connector, and what they've done is pushed that computer down onto that system on a chip. But it wasn't built for the Pi Zero; it was built for the Internet of Things stuff that's coming out, and the Pi folks said this is the right chip for us to use at this point in time.

So what it says to me is that small computer is going to get into more and more and more things connected to the internet, running substantial compute power at the end node, communicating and being able to drive all sorts of innovation. Seven years ago the iPhone didn't exist. I couldn't have imagined the things I'd be using it for today, and so I can't tell you all the things that a 60-cent chip is going to do for the automation and sophistication of the things that are going to be in our lives.

So to give you an example of where that's heading, let me show you the power of the distributed, global, cloud-based internet on a mobile phone. All right, so if there's anybody in here who already knows it, you can't play. So there's a Pi. I'll run a quick contest: I'll give away a Pi and a power supply and an adapter and the other pieces to make it run if anybody can tell me what year NSA was founded. Right, so I said if you know, you can't play. So who can figure it out? I see the phones going up, the Googles are lighting up. All right, what have you got? 1952. Come on down. So President Truman set up NSA in 1952 with an executive order. [Applause] There you go. So here's a Pi and the stuff that'll make it run. All right, thanks. Yes sir, thank you.

So, quick example: he didn't know. Small, tiny, trivial piece of knowledge. If you had that question in this room 10 years ago, you'd have to go to the library, you'd have to make some calls, you may never know; it may not be worth it for you to know. But that's the power of grabbing all of that information and having it at your fingertips. How many times a day does that event repeat over and over, where you can leverage that chain of technology to get to the things you need in your life?

So, Internet of Things, 2020. If you go out and talk to the prognosticators about technology, they'll give you widely varying views of where we're going to be, but if you talk to Gartner, if you read the Cisco reports and other things, pretty reasonable, you'll get ranges: 20 to 50 billion devices connected to the networks, 200 to 300 billion sensor-enabled objects, things that know about the physical world, compute on them, and then do something with that information. Huge, huge

leverage, and this is going to be that same exponential growth. More things connected mean more stuff that's going to happen.

I'll tell you, much to the chagrin of my wife, I am an early adopter. I expect many folks in here are early adopters as well. So I have an IoT device jury-rigged up to my washing machine and dryer, and every time that is done I get a tweet, or not a tweet, I get a text that says laundry's done, reminds me to put it in the dryer; dryer's done, get it out so it doesn't wrinkle. Life-changing? Nope. Convenient? Absolutely. Pretty geeky? Yes, I admit. But the idea that I could put something reasonably affordable in and do that with the technology... I didn't write a line of code to do that. I grabbed piece parts that exist and messed with some interfaces, and it was there. And soon it will continue to grow and grow, and things will be connected and available and doing these kinds of things in the background, the same way that my kids will never be lost in their entire lifetime, unless their battery dies. They're going to have this always-on information. There's going to be this stuff in the background of your life that you can't predict yet that's going to keep us moving.

That was awesome, somebody here trying "Hey Siri," calling it up. I said five revolutions; I'm cheating, you might be getting in on the sixth here. Voice-enabled technology is a real enabling piece of all of this. So that's an Amazon Dot. It's the Amazon Echo in a smaller form factor, but this is Amazon's device that you talk to. It's always listening. "Alexa, can you tell me when NSA was formed?" "Alexa, can you turn on the lights?" "Alexa, set temperature to 62," and it talks to these devices that are network-enabled and it manipulates your physical environment around you. If you think back to those revolutions I was talking about: that machine room, you submitted punch cards to interact with that computer; maybe it was a stored program, but it was something very manual. Keyboards to enter the data. Mice are the next level of input. Touchpads on those phones. But now you're talking to them. So as there are small computers sprinkled around the environment around you, I mentioned those connectors are a big part of the cost of things; if there's one thing in your environment that can just listen to you and then talk in terms of the ones and zeros that have to get in and out of those devices, you've again reduced the cost of that interaction enormously, and that one thing can communicate with all the things and can keep that moving and manipulating for you. So huge leverage and power in here. So Siri came online a few years ago, then the Amazon Echo: Siri 2011, Amazon Echo 2014. Big shifts, and they're getting better and better, if any of you have used them. It's just phenomenal the amount of mobile queries that are coming to Google across its interface that are no longer typed. Sometimes it's in the car so you're hands-free, but I watch a lot of people now who are just starting to dictate their emails or dictate their queries, because you can do it faster and almost as accurately through the voice interface as you can with a keyboard.

All the things, right? It's going to be pervasive and around us. I couldn't even predict. Take away the technology you carried in here, the laptops, the phones, the things you've got in your backpacks for a BSides; take away those things and I would expect there are hundreds of CPUs in this room, hundreds, between all of the IT, the video teleconferencing, the alarm systems, and all of this. And as we go on and on in the next couple of years, I couldn't predict the way the mobile phone, the smartphone, would change society in the last seven; what are these connected things going to do in the next five to ten?

So since this is a BSides conference, this is where we've got to go. We start with small Linux computers that are sprinkled around your environment. Who's patched their IoT device this week? I haven't patched my washing machine. I haven't patched my washing machine sensor this week. So the question is, as we get pervasive computers in our lives and they are expected to do things that we trust, your alarm system, that baby monitor, that security camera, that internet-connected sensor for your fire alarm, the question is what latent bugs or defects are in them, or how will the technology advance? I spent some money to get that dryer connected. If there's a better solution in two years and this one's working, am I going to switch it out for a more secure dryer sensor? I'm not. So these things are going to be baked into the fabric of our lives, and then in the process of people poking at them and prodding at them we're going to find these bugs, and they're going to be vulnerabilities in our space and our lives.

So why do we care? If you think about it, the cyber environment today is where our nation stores its wealth and treasure, the treasure being our intellectual property. You read about the hacking losses that companies have suffered, where people have stolen that intellectual property and gone and recreated something that they invested billions in to research and develop, and now somebody gets the fruits of their labor for free and can bring that online, not having invested in that, and reap the rewards on the other side. And then there's just the wealth: our bank accounts, our stock markets and other things. And so we've got to ensure that we're protecting that in that space. Willie Sutton was a famous bank robber, interviewed: why do you rob banks, Willie? Because that's where the money is. And so now we've put our money out into that cyber environment. We've also made it so we can't live without it at times.

Huge, just fascinating. I won't go down that road here, but if you want to be impressed, look at the business cycle that's growing up around the CryptoLocker trade. They have whole organizations with research and development funds who are looking at ways of grabbing viruses, permuting them, redeploying them with the purpose of ransomware on your PCs and machines. The machine pops up and says you've been hacked, send bitcoins to this account and we'll unlock your things. Well, what happens when that's your car, and that little mobile data center has to be unlocked for you to get to work? You're going to pay that ransom because you've got no other choice to get in there. So where we're storing our treasure, our wealth, and maybe even relying on these things, that's a very big deal.

So I made you think a little bit about the sensors and the threats in the environment. There's a whole bunch of ways that, if you're running a big business or you're responsible for securing something, you've got to worry about the threats in that space. So I'll tell you a little bit of a story to make you think again about where those threats come from. Personal story: air conditioner. Much like Augusta, up in Maryland it's hot, humid, really nasty summers; we rely on those air conditioners tremendously. So one morning I woke up and it seemed especially hot and steamy. Went down, clicked the thermostat down. The thermostat says the air conditioner should be running. Cranked it down, fan's running, no cool air. Great. Head to the basement, check out the air conditioner unit in the house. Everything seems to be functioning, it's working, it's spinning the fans, but the pipes inside that should be chilling the air aren't cold. Head outside. Go outside, check: the external unit is not spinning. So I know enough to check, is it supplying the signal from the inside? Yes. Is it supplying the signal and getting there to the outside? Yep. But it's not running. Is there AC there? Yep. All right, you've reached the limit of my technology. Called the repair guy. The repair guy comes to the house, he starts working on the air conditioning unit, and after about 15 minutes he says it's the power company's box that you've affixed to the outside of your air conditioner, that cycles it on heavy-duty days, that has failed. I can't replace it; you'll have to call the power company.

So our power company has this program where they put connected devices on the outside compressors, and on peak-load days you get a break on your power if you sign up for the program, and they can cycle them off for maybe 15 to 30 minutes during peak loads and shed some of that power. They do that to manage the overall electrical draw at peak times and kind of smooth it out. You get a benefit; hopefully you don't notice, but they drive down your electric costs if you put those in. I never put it in. I didn't sign up for it. I didn't know the freaking thing was there. I had bought the house; the previous owner, I guess, had signed up for the service. I didn't want it. I like being cool; I don't want to trust my cool to somebody else's decisions, so I didn't sign up. But this thing was sitting on my air conditioner, and it failed, and it failed open, and I didn't even know it was there. So I told the guy, I don't care about getting it fixed, I want it gone. Pull it out, jumper around it, get me my air conditioning. And he did. So 15 minutes later I was fixed up.

But I tell you this story because my question is: do you know when you're vulnerable? I didn't even know I was vulnerable. I didn't know that was part of my local system and environment. I didn't know I had the vulnerability or the risk, but it was there, and so when that failed it took me down. I had an air conditioning DoS, and I wasn't happy. But it showed me that I didn't know my environment well enough to defend it. I didn't know to look at that thing. If I knew it was there and knew what it did, I would have known enough to be able to look around it, and that was within my means, to be back up and running, but I didn't even know it was there.

So why do I tell you that story? Because I've really learned over time that one of the core fundamental things to defending a network is really knowing your network. You can't defend what you do not know. So I would ask you, as you push a red team at a network, or as you have foreign adversaries coming in, as you have criminals trying to do that CryptoLocker, that ransomware, on you, the question is who knows more? Who's going to put in the time to know the pieces and the parts? Who's going to know the devices and the vulnerabilities? Who's going to know the things that underlie that system? Who's going to know about the one user that really, no kidding, has jumpered over your security thing for convenience, so they can get to the website they want to go to that your security system is not letting them get to? Who's going to plug in that thumb drive? Who's going to know that that IoT thing that was built in 2016 but is still in the network in 2024 has a really well-known open CVE against it? So who knows the most? And I will tell you, the people that are looking to take advantage of you and your things are going to put in the time to find that one thing to exploit it, and so that's the reality of what we're up against when we have to consider how to defend these things.

So as we connect all the things, as we use technology that's unlikely to be moved out, unlikely to be patched on a regular basis, and unlikely at times to even be understood to be in the environment and introducing a vulnerability, I would say we really need to focus in on the technologies, the policies and the advancements all the way across the spectrum. Whether it's education, doing that advanced research to figure out new and innovative ways that these vulnerabilities aren't liabilities; whether it's the government that gets better policies in place that are going to help us secure at a national level; whether it be industry, who thinks about how a 10-year-old product that they don't want to support anymore really can still be a liability to the customers that they sold it to, and figures out a way that we can continue to maintain and understand and maybe automatically update, so I don't have to know when I've got to upgrade my washer sensor. So thinking about that and setting up that ecosystem is really a challenge for the technologists, the folks in here, the research community, and the industry partners. We can't rush out to be the first to market with the great thing everybody's got to have, knowing that there's a fundamental security design from the ground up.

So I'll wrap it up here. Again, thanks for the invite. Just to leave you with one last thought about vulnerabilities: the guy that won the Raspberry Pi took it from the NSA guy. It really is just a Raspberry Pi. Don't worry about it, it's all good. Thank you for your time and attention. [Applause]

All right, thanks Rob.
