
Collective Action Problems in Cybersecurity

BSidesSF · 2015 · 31:10 · Published 2023-12

Speaker: Allan Friedman

Transcript [en]

Okay, hello everybody, thank you for coming down again. We've had a change on the track today. This is going to be Allan Friedman; he's going to be talking about collective action problems and cybersecurity. Thank you.

Thank you. First, I apologize for not being Russell Thomas. He has actual data to talk about, whereas I used to do things with actual data but just became a fed. And I want to thank Lisa, by the way, for getting the room warmed up and getting everyone warm and fuzzy about the US government. So the takeaway today is: about three weeks ago we announced the new initiative in the Department of Commerce that basically amounts to this: if you could get a bunch of smart people in the room to make the internet more secure through voluntary coordinated action, who would it be, and what should they talk about? We want your ideas, because we are going to try to create a number of rooms just like that.

For those of you who are wondering a little about me: I used to be a computer scientist. I wasn't very good at it, and so I got a PhD in applied economics, which means I do some economics, but I'm not really that good at economics. I do a lot of data stuff, but I'm not a professional statistician. I do some political science, but I'm certainly not a political scientist. And when you're mediocre at that many things you sort of have to end up in Washington, DC. So, first at George Washington University, and then in February I joined the US Department of Commerce to help roll out a project like what we're talking about today. The caveats and...

[Video editor's note: Hi folks, a geek here. Sorry about this, but we had some problems with the audio, and so the audio pretty much just cuts out here for the next few minutes. I think it starts up at about the 18 minute 20 second mark. So sorry about that; they had to adjust some things downstairs, but I'll leave the slides and the rest of the video.]


...understand how you have different layers in a food chain; you have competition and collaboration at different points. So I think the word ecosystem is very useful. Our focus is voluntary coordinated action, and we're trying to say: how can we, working together, have coordination to address some of these issues that span different parts of the ecosystem, different sectors, different components in the security ecosystem working together? We're interested in some big problems and some small problems, and I'll give you some examples of the problems we're going to be looking at in a little bit. We want to tackle the big problems, but we also understand that there are some relatively small niche issues that, if we could fix them, would still make a real difference. Addressing the question of malvertising, for example, may not...

...actually sector still have an approach. So what are the outcomes going to be of this process? We're not creating new standards; that is the job for standards development organizations. In the federal government, that is the job of NIST. Moreover, the outcome of this process is also not "everyone should buy my product." That may be an attractive outcome to some of you, but that is not what we are trying to do. We're trying to look for best practices (and again, one of those terrible words), shared definitions, principles that, if we adopt them together, we can actually solve some of the hurdles that exist. As I mentioned, we're also trying to avoid duplication: if some of what we're talking about today already exists in other fora, please let us know.

So what are some of the questions that we're interested in looking at? Well, in this request for comments, which I'm going to talk about in a little bit, we have three broad buckets.

The first bucket is network and infrastructure security. Examples in that case are, you know, botnets: how should ISPs work together with usability researchers and software vendors to create a usable notice and takedown process? How should people who are trying to take down botnets work with the hosting community to make sure that we're not disrupting lots of other things when we take down a botnet? Open source assurance would also fit in this. Not only are we interested in promoting the identification of vulnerabilities and potential exploits in open source projects, but we want to know: is there something that we can do, working together as a community, to promulgate patches, to adopt the solution? And of course you have the usual questions about promoting DNSSEC adoption, addressing certificate issues: how can we draw greater attention to certain solutions, or adopt them, especially when adoption requires multiple parties? Think chicken-and-egg problems.

In the web security and consumer trust space, the second bucket, we have things such as: what can we do to promote transport layer security adoption? How can we promote that adoption in a prioritized way, rather than just running around talking about TLS in sort of an underpants-gnome style, saying the first thing every website needs to do is adopt TLS and then forget every other initiative? How can we prioritize this? Web app security: how can we promulgate known existing solutions and make sure that we have a good approach for future websites and for other new entrepreneurs, to make sure that we're not introducing new vulnerabilities? Something small: spyware and trusted downloads, making sure that the things that people are downloading... This question of spyware: it's actually much harder for an anti-malware vendor to determine that something is spyware versus malware, right? Malware is easy; that's trying to break something. Spyware, at least from the spyware vendor's perspective, they're selling a legitimate product, and in fact there are large chunks of the advertising ecosystem that ultimately depend on this. What are some processes we can use to have a shared standard to say: above this level, what you're doing may not be great, but it's not illegal, and it's not something that we're going to try to get rid of; and below this standard, you're behaving poorly, you're trying to subvert existing defenses, that's not kosher. Let's try to create a race to the top rather than a race to the bottom. Also in this bucket is this lovely term "Internet of Things," which we can talk a little more about if anyone's interested.

And then the final bucket, something near and dear to my heart, which is: how can we create better future markets? For example, how many companies in the country, or in the world, do you think should be handling the security of their networks themselves? Maybe 50, maybe 100. The rest of the economy should really be outsourcing it to people who are experts. The problem is we don't have a clear way of understanding what risks lie with the vendor versus the client. If we had a series of best practices or principles, we could actually grow the market by saying: listen, because we all agree to talk about this question in the same model, the same path, using the same language, more and more companies are going to be willing to adopt this, even if certain vendors can't pretend that their stuff is somehow magically different using just a thesaurus to describe their products. Vulnerability disclosure, another very popular issue (I know Katie is around here somewhere): there's been a lot of work promoting standards for public disclosure of vulnerabilities to make the ecosystem work better, having researchers and vendors work together. Is there a further thing we can do, further work we can do?

So what can you do? If you go to this link (and I have a little flyer here as well) you will find a request for comments. It looks quite messy; it's got tiny print and three columns, because it's the Federal Register. But essentially what we're looking for is: we want you to tell us who should be in this room and what they should be talking about, whether there are big questions that I haven't identified, where you say, listen, major progress can be made if we just got the right people in the room. Or alternatively, tell us why we're wrong, saying, listen, Allan, you need to stay the [ __ ] away from this issue, because there are people working on it, or because my buddy and I tried to do something on this a couple of years ago and we found that we didn't make any progress, it was just too hard.

I'd also love for you to participate. The request for comments period ends on May 18th. After that time my colleagues and I will be discussing which of these topics we'll do first. Ideally we'll plan for the first multi-stakeholder process to come together and have a meeting around it by the end of the summer. So once we announce it, and we publicize it, please get in touch and I'll put you on a mailing list. I promise to take you off the second you don't want to be on it anymore; in fact, I'm legally required to. We'll send something out saying this is what we're going to be working on now, and then in a couple of months we're going to be working on this other project. Please engage. A multi-stakeholder process is only as good as the stakeholders that join, because it's the stakeholders that actually do the work. The US government in this case really is just a catalyst; the stakeholders determine exactly what the outcome is going to be. And if you have further questions, ask me now. Here is where you can get more information. And again, thank you for your patience, and please let me know how we can help.

[Applause]

Any questions?

[Audience question, inaudible]

Yeah, how do I think markets can help solve the information security questions? In the short term, there isn't anything else. This is a well documented approach in the IT space: the era of having customized, spec-built technology is just 30 years out of date. Any solutions that are coming (and again, there is no silver bullet, right), all of the many different pieces have to come from innovators, from entrepreneurs, from startups. The challenge is going to be in understanding how all of these pieces fit together, and that, I think, is where there is a role for the government to play. But the government cannot do it unilaterally, and that is the approach of this multi-stakeholder process: to say, how do these different pieces fit together? I don't know if that answers your question, but thank you, that was a very nice, easy question.

[Audience question about the international aspect, partly inaudible]

Yes. Great, so the question is: what is the international dimension of this? Not everyone who is affiliated with the US government has a clear understanding that the internet is not just American, but I'd like to think that most of the people that I work with do. And so we certainly welcome participation from companies around the world. The important thing to remember is this is not a governmental process. The goal is not to create another forum where different governments send representatives, and the representative of the government is the modal model of participation. The goal is instead to say: listen, if you have something to say, we don't care where you're from, we just care about what it is that you want to contribute, and we want to make sure that we have the full range of voices. The approach behind this is to say, let's get the civil society community, right? So for example, there are some bills that Lisa just talked about on the Hill that the privacy community doesn't like. We want to make sure that any solution that we start talking about has the privacy community in the room from the beginning.

Yes. You know, I'm two months into the federal government, so I don't want to comment too much about this. I can say that if you look at what has come out of the Department of Commerce over the last three to five years, you look at the work NIST has been doing from a process perspective to make sure that their future crypto work has the full trust and buy-in from the crypto community, I think you'll find evidence that we take the question of trust very, very seriously. And we believe that if the broad security community does not trust the work that is coming out of the Department of Commerce, whether from NTIA with IANA, or whether NIST crypto work, then we're wasting our time. So having trust and buy-in from the crypto community is very important. However, as I said at the beginning, there are many voices and many policy priorities in the US government. So I hope, if there are people on your team, even if you're not the point person thinking about this, that you will at least mention this to someone. I realize that RSA is a very busy week, but I'm really very happy to schedule a call or a conference call or even a meeting if you're in the DC area or in San Francisco this week. I'm happy to do a more in-depth brief if anyone would like it. And thank you for your interest.

Sure, absolutely. No one would know by looking at my slides that these... Thank you to BSides. Thanks.