
BSIDESLV 2018 - I Am The Cavalry! - Day One

BSides Las Vegas | 1:48:53 | 181 views | Published 2018-08

you can sort of seed trust from a root authority, say the root zone file, and then you distribute that through RIRs, registrars, etc., ISPs, but there's a central point of failure. On the flip side of the spectrum, when you have, you know, blockchain and Bitcoin, there's no central point of failure. So I will sort of be considering here the pros and cons of different registries, and I was sort of hoping to get a mesh between governance structures of registries and their technological characteristics to see how it could be deployed for IoT effectively, and if there's anybody that would like to talk to me about this afterwards I would surely appreciate it. So this is very

briefly what MUD looks like. As I mentioned before, we really like that it's a lightweight model that standardizes useful device information. It was recently picked up by NIST, who are, I think, either forking it or trying to deploy it in an enterprise IoT framework; they're adding a threat-signaling server to it. There's also no hardware modification needed to IoT devices. But on the flip side, the drawback is it doesn't fingerprint legacy devices, and that is a big issue. Also, the MUD file, which is a file that contains all the useful IoT device information, is just provided bona fide by the manufacturer, and, you know, unless you want to impose onerous regulations that stifle innovation, a lot of the

smaller players are not really gonna provide it, because they just don't care. So I just included this to give you an idea of what other sorts of registries are out there, but either these are the, you know, classic competition going on right now between AWS and Azure, "Azure" depending on how I pronounce it, but these two platforms basically, you know, they suffer from the same hierarchical trust mechanisms that the others do. So although they offer different functionalities, they rely on a lot of the same open-source code that the other platforms use, and they also have some of the same drawbacks. So blockchain, the big hype, right? So how can it solve IoT? So there was this very

interesting new concept of a decentralized Internet. I don't know if any of you watch Silicon Valley, but what we really like about this is that they propose a solution to something called Zooko's triangle, named after the creator of Zcash. So naming systems usually have a hard time combining these three properties in a system: security and uniqueness, decentralized trust, and human-readable or memorizable identifiers. As you know, naming systems need to combine context and an object identifier to create an actual ID for an object or digital asset. So, to sum up here some of the challenges: there's not really a space to collaborate, so you might have academics that create, you know, proprietary databases for IoT; you might

have private vendors that are just acting out of sheer rational self-interest because of, you know, collective action problems. So we really need to formulate a good public policy framework, but the question is, how do we get there? There are a lot of challenges on the global front. There's a sort of, you know, you don't hear a lot about this in the news, but there's a sort of worldwide division between BRIC countries and the ITU multilateral way of seeing the world, and the IETF and the Internet Society on the other hand. I'm just mentioning in passing that Bob Kahn's Digital Object Architecture, which is really vit use per view right now, is picking up a lot of ground in

Russia and China. So this is basically our call to action for the IoT community. Given that this is the I Am The Cavalry panel, this piece is about education and awareness: we really want to get the word out there, we don't want to be inviting onerous regulations, so we better come up with a multi-pronged solution. Thank you, and I'd like to go over our details over a question, but I didn't want to run over time, since I see that we're already 30 minutes in. Now, have you tried turning it off and on again? So we're gonna wrap up by talking about something that is actually currently underway, and this is not a new idea, but I'm gonna try to convince you of two

things: one, that this is the time that we can actually make it work, and second, that this is something that is really helpful for trying to tackle some of the problems that Jessica laid out, of really understanding exactly where and how to prioritize our legacy concerns. So who's heard of software bill of materials? Who's heard of SBOM? Okay, so we'll do a very quick overview. This may come as a surprise to some of you, but software is not hewn out of alabaster marble by Greek sculptors with little halos over their heads, right? It's assembled out of parts, and some of these are very carefully chosen after weighing options and going to conferences, and some of them are just

ripped off whatever you could find on Stack Overflow. And the challenge is actually understanding how what we pick and put in our software affects the users of software. And there are many paths that, when we look forward to figure out how do we make sure that the devices and the software on those devices is better, there are many paths we have looking forward, but at the very least let's start with perhaps the lightest touch possible: knowledge, transparency. How can you be against transparency, against having a little more information? A software bill of materials is a radical notion that says, hey, when you give me something with software on it, it's helpful to know what are the

third-party components that are the building blocks of that software. Are you giving me vulnerable library version old-not-old, or are you giving me shiny new version new-new? Now, there are a bunch of benefits to this. Transparency has a delightful feature, which is that it's often key in promoting better markets. You're someone who's buying software; there are two vendors out there. One of them is willing to show you what the components are, what's their list of ingredients. The other person is selling you a bag of cookies and says, no, no, we don't want to tell you what the ingredients are, but trust us, it's okay, they're all natural. Right, you're going to want to go with someone who has that

confidence of transparency. In fact, I'll go you one further: if you have a good process for developing your software, for developing your product, pulling out this list of ingredients is pretty simple. It's actually something that works with a natural process; heck, GitHub will do it for you automatically, so will Maven, there's an Eclipse plug-in. If you don't have a good process, then it's a little harder. So, going back to Economics 101, this is what we call an efficient signal. It's something that, if you look for it in the marketplace, it can be an indicator of quality even if it doesn't mean quality itself. So that gets to the purchasing side, perhaps the area that we think about the most. We think about

software bill of materials, or software component transparency; I can't use the term software bill of materials for a couple of reasons. When we think about the value, it's this notion that, hey, the things that used to be secure yesterday may not be secure today. So I go to the store and I pay attention to ingredients, I'm just throwing things into my cart and I put them on the shelf, and then Jessica comes over to join my family for dinner, and Jessica's deathly allergic to peanuts. Now I can do two things: I can call up Nabisco and say, hey, I've got a box of this thing, it was made on this date, are there peanuts in it? Or I could

look at the goddamn list of ingredients, right? This is why we have lists of ingredients: it's so that we can decentralize the risk decision-making that comes with consuming delicious, tasty treats. Surely we can ask for the same thing in the devices that make our lives richer, better, or in some cases safer and longer. But Alan, you haven't gotten to the legacy question: how do we think about end-of-life? This is perhaps one of the things that I think is the most powerful, because when we think about how long a device is going to last, we're drifting away from the cameras and the smart doorbells and the thing that feeds my dog and lets me look at pictures of

him when I'm traveling to Vegas, and we start drifting into the things that are keeping granny alive and the things that are keeping the lights on, right, the stuff that the Cavalry is here to really focus on. These are things with very long lifespans, their technology hooked up to either really big pieces of steel or very well engineered pieces of steel. It's all steel; I think it's possible they make devices and cars out of other things these days, I'm not a material engineer, I'm on the software side. So underneath the hood we're dependent on all of these components. If you care about the resiliency of your organization, knowing those details is very helpful. Who's heard of

left-pad? So left-pad, delightful example of software supply chain. It was one of the simplest functions that you could ever imagine, right: take an array, fill it with zeros that way (sorry, you're facing me, that way), so pad it to the left. Now, it turns out there are lots of lazy programmers out there who say, [ __ ] it, why should I write code when it's there? That's how we write code, right? We reuse other people's libraries, code reuse 101 for using software. So it was used in a whole bunch of great projects in the Node ecosystem, until one day, and I won't get into this story, but essentially the guy who wrote it, who had a different

software package, was offended; they made a decision he didn't like, he took his bat and balls and went home. So that meant every piece of software that used left-pad was calling a function that they couldn't dynamically link to, or rather was calling a function that linked to a function that linked to a function that linked to a function that they could no longer dynamically link to. Whoops, we broke Node. So these are the things that we're caring about: what is the long-term stability? It makes a real difference when the community that's maintaining a particular project says, we're no longer gonna support single threading, right, all of the cool new GPUs that are driving our particular project are

multi-threaded, it's a pain in my ass to support single threading. Well, that dam is hooked up to a couple of chips that I can't really take out right now, and they don't support multi-threading, so what do I do? Having that visibility into your system, into the ingredients, is what allows us to start thinking more strategically about when we're going to have to make certain product replacement decisions. These are not things that are cheap, right? The difference between stuff and web is, when you make a mistake in a web platform it's just, hey, let's commit a change; when it's stuff, it involves budget and politics, meetings with people like me and Jessica, and no one wants that. So how do we plan

forward? One of the keys is going to be having this level of transparency. Now, just a very brief plug for the work we're doing at NTIA. The Cavalry is actively involved, but we need support from you. If you're interested, there's a very particular discussion in this initiative. It's open, sorry, it's a multi-stakeholder process, right? It is open, it is transparent, focused on saying: what is a software bill of materials, and how can we all do it in a similar enough way so that there aren't unique solutions for healthcare and energy and auto and, oh by the way, the software industry? Let's try to find a shared way of doing it that meets all of our needs.

There is a particular workgroup that is focused on the healthcare sector; if you are interested in this, it's time to get involved. The auto sector has expressed some interest in doing this. Imagine you're a car manufacturer: wouldn't it be really nice to know what's in some of the software that you're folding into the electronics that you're shipping in your cars? Because under American law you're liable for everything that's in your car, so it'd be really nice to have some assurance that it was, you know, new, fresh software. There are lots of hurdles here: how do we use this information to the best advantage? But we're going to tackle those as we understand what transparency looks like. So that is my call to action,

which is, hey, get involved. Now I think we're going to have a broader discussion, so this is your chance to dive in: ask questions of Jessica, who can tell you about life on the Hill and how to get involved; the Georgia Tech team, which is doing some great research and may be able to share some insight into perhaps what the academic world is like if you're interested in engaging in that side in IoT. Just remember: share questions, share your new ideas. There are no dumb questions; there are a [ __ ] ton of bad ideas, but that's okay, we won't judge. All right, do we have a volunteer who can help with the roving

mic? Hey, there's a guy in an orange shirt.

Thankful. It's a slight, it's a slight, looking at the challenge and the complexity of what you're trying to do, which is great and amazing: is there a challenge in trying to find the perfect solution due to the complexity of the challenge? And actually, how long will it take to find a perfect solution? Can we get close to a ninety percent solution or a ninety-five percent solution and then go for it, or do you think there is a 100 percent solution for this across the whole industry, across all the legislation, the whole lot? Can we get there, or are we going to have to go for something slightly shorter than that and do it quicker? Are you asking this

panel's opinion? What is the challenge, all of IoT security? Yeah, well, software bill of materials, rolling out the international impacts of that, the whole lot. It's a big challenge and a big problem space; finding the perfect solution is going to be really, really difficult across all the different stakeholders. So will we get there, and if we're not going to get there, what does the 90 percent solution look like? All right, tell me this, oh, it is working, okay, great. I'll take that first. I think, as trite and as clichéd as the saying can sometimes be, don't let the perfect be the enemy of the good, but I think that's gonna be the key here in software bill of

materials. We started having this conversation over a year ago, when it was introduced in a big government healthcare report called the Healthcare Industry Task Force report, and one of the biggest roadblocks we initially ran into when we started having this conversation was folks saying, like, look, this is so complicated, it is gonna take us so long, we're never gonna be able to figure it out, nobody's ever gonna be able to agree on how we should do this, and so we should just forget about it. And I think our response on SBOM was: that's not acceptable, that's, you know, being that defeatist about it isn't helpful, we can get there if we try. And so we sort

of demanded that the healthcare sector figure it out. We used the coop power of the congressional letter to essentially tell the Department of Health and Human Services that they didn't have a choice about it anymore, that they were gonna be figuring out how to do software bill of materials, and we looked very much forward to figuring out how they were gonna do it. So I think, at least from the congressional perspective, especially trying to be as non-regulatory and collaborative with the industries that we're trying to ultimately help as possible, I think our answer is: look, we from the Energy and Commerce side understand that this is complicated, understand that there's a lot that has

to go into this, but the imperative for doing it, that I Am The Cavalry tagline that bits and bytes have met flesh and blood, this is so critically important that you guys are all gonna sit down, you're gonna figure it out, and, you know what, we'll see you when you do. So I don't know if Alan has any other better thoughts. So, who does operational security for an organization? Anyone? Anyone on the front line of their organization? All right, how many of you guys use advanced threat intelligence services, at least two or three different products, three different feeds? It's a pretty rich industry, and yet we still have companies that only use one source

of threat intel. My god, don't they care about the children? We have to acknowledge that there is a maturity model, that we have to, you know, say, hey, there are going to be some folks that are gonna be cutting edge, that can use this data today, that's the leading edge. What we did at NTIA is we didn't frame it around the government has to do it; we framed this as a market issue. We have supply and demand, so we brought together vendors, software vendors, medical device vendors, you know, industrial control system vendors, and then we put their customers in the room, the people who buy their products: we brought in banks, hospitals, energy companies, and all of a

sudden it stopped being quite so impossible and it started being, well, what would this actually look like? We went from the why to the how. And I'll be honest, I am very skeptical that there are more than a dozen hospitals in America today that could actually use the bill of materials. I'm perfectly willing to be told that I'm wrong by the many experts in this room, but we've got that first dozen; they're raring to go. And one of our goals is to make it machine-readable, so that we can fold this into products, and we've also worked very hard to make sure that the vulnerability management tool providers could be in the room, right? At the end of the day, the path towards

maturity involves automating, folding it into existing products. So you start small, you start making it something that's nice, and then it starts being something that's commonly asked for, and then it becomes a default package, and then maybe, if those bastards up on the Hill want to regulate, we'll let them.

Further thoughts?

So, Alan, you mentioned one industry where the end user for this information I think is very well defined, and that'd be more the industrial control system space, where the end users of the technology are large industrial concerns with usually technology teams who might understand a software bill of materials. How do you model this in, more like, the automotive and medical space, where the end users are consumers at large, especially when you get into, say, personal medical devices or implantable medical devices and automobiles, where you have consumers that aren't necessarily technically inclined? What should they do with that information if it's available? That is a fantastic question, and I think you're dead on: this is not consumer

grade information. I'm going to speak in my personal view now; this is not the view of the United States Department of Commerce or NTIA. I don't believe that the path towards better security relies on empowering consumers. We've been trying it in 20 years, that's not true, 17 years that the field of usable security has existed as an academic and policy research priority. We have successfully taught the American consumer to do one thing, and who knows what we have taught consumers to learn? We've taught them to look for the little lock icon. We taught them, and they finally learned that lesson exactly as Let's Encrypt pushed to make sure that every single goddamn website, whether it

was legitimate or not, whether it was malicious or not, had transport layer security. So now it's a meaningless signal, right? That is our one victory, and it turns out not terribly useful. So we definitely want to push on what the enterprise is, where the folks who care about it are. Let's go back to the broader IoT; I don't want to focus this on bill of materials, because I think this is true. I want to also give a shout-out to another project that many in the room worked on through NTIA, which is patching, right? It is one thing to say, hey, you're buying a TV, you should make sure that it's patchable, and that patch

ability should, you know, include some understanding of how long software updates are gonna be available, and also the update process itself should be secure. After all, a patching mechanism is a remote code exploit that you really hope only one party can use, right? So, right, patching is an incredibly dangerous attack surface. Now, oh, I may not be able to do this, you know, not the most active guy in the world, but, you know, I've been doing this for a while. Who stayed in a hotel room last night? Who is absolutely confident that the TV in the room was not turned on and listening to you today? The hotels have a very strong interest

in making sure that, if there is a security flaw in the things that they have in 10,000 hotel rooms, they can fix it quickly. We need to empower them, because these aren't experts, right? Again, these are still people who buy TVs for a living, not security experts. We need to focus on how to empower those people to ask the right questions. So that was a long way of saying we're going to go with where the levers are. The auto industry is a great example, where the end consumer may not be able to use the data today, but the auto manufacturers would love this data today, and so let's promote it and put it in their hands.

What happens to it tomorrow, we'll figure out; that's between them and their regulator, right? Does

Anyway, I was just gonna add that in the registry space you can think that there are naming conventions that are known by consumers. You know, IP addresses are kind of known, but a lot of them, if you asked the average person for their computer's MAC address, they would have no idea how to find it. You know, if you think about the i/o cheese in the IoT standards space, you know, certain ones like Bluetooth or Wi-Fi have been trademarked or branded in a way that consumers can wrap their minds around, but, you know, an IEEE or an IETF standard is not something that a consumer would understand, and so even if the, you know,

consumers can still benefit from both standards and registry-based naming conventions that they might not have to interact with. So I think we have time for one more question. Oh, sorry, can I get one right of reply from a gentleman of the auto sector, and then we'll get one more question? Thank you. Okay, well, I was gonna ask a question; I was also gonna point out that some vehicles today are actually made with aluminum, not just steel. But if you look at the software that's in vehicles today, oftentimes that software was developed five, six, seven years ago. I mean, the car I drive today was built around Windows Vista time, and the software was probably

developed at Windows 98 time. So who is, so, like, Microsoft is not expected to keep Windows 98 up to date now; how do we do that with IoT products that are going to be used by consumers for 15, 20, 25 years? I mean, I think from what I have seen about the legacy technology conversation around the RFI and the software bill of materials conversation that we are starting to have, I think it's not that we know the answer to that. I mean, that was something that came up in the RFI quite a bit. I think there was one group actually who came out and said that it was their opinion that if

there's a medical device, for example, that's still in a hospital, then that manufacturer should have to support it; it doesn't matter how old it is. I think our point was that that's pretty infeasible, and that's really gonna stifle a lot of innovation and technological growth. I don't have a good answer for you, unfortunately. I think one of the ways that we're hoping that software bill of materials really affects the ecosystem is that it eventually becomes too publicly embarrassing to put out old software that people find ways to get at. So as we continue, just like with legacy devices, hopefully it becomes sort of too embarrassing to start putting old stuff into the

system, into the ecosystem, on a newer basis, and so that this problem almost becomes self-correcting as time goes on. You got to stop now. 30 seconds. Just wanted to go back to the SBOM train of thought here, so we don't really hear a lot, just, this is just for the sake of, you know, hearing both sides of the argument here, we didn't hear a lot from the manufacturers' perspective and their reluctance to really implement SBOM. What would you say, Alan, would be, like, the top three ways to address their concerns, and, like, how would they perceive this as a very onerous and, you know, stringent imposition on behalf of government? So I'm getting penalty

time. So first, just make it clear we are not interested in regulation at the moment; there are others who want to. But the second is context: vulnerability may not mean exploitability, and so we need to find a way to communicate that. But I think we are now well past our time by at least a minute, thanks to the grimace of the gentleman in the shirt. So I want you to hopefully thank for detective and Jessica; thank you all so much. Just a reminder, if this was awesome for you like it was for me, I think we have public ground going on until about 7:00, right, today and tomorrow.

our cell phones on silent or moving outside, and I'm just gonna glare at you until you do one of the three. This side of the room is awesome, you guys are rock stars; those guys in the back, though, I don't know about them. All right, so, uh, good afternoon, welcome to BSides Las Vegas, I Am The Cavalry. This talk is Cyber-Safety Disclosure; it'll be a panel given by Nina Alli, Suzanne Schwartz, Jay Radcliffe and Josh Corman. Before they get started I just wanted to thank our sponsors Amazon Oh off Talos Cemil and Hugh me oh; it's their support, along with our other sponsors, donors and volunteers, that makes this possible. With that said,

let's get started.

Okay, so we actually are expecting Josh to show up at some point halfway through this, and he was supposed to moderate this, so we're kind of winging it a little bit. To start with, we're going to do some introductions and then talk a little bit about kind of each of our roles in kind of safety disclosure and what our experiences have been, and then kind of take it from there. My name is Jay Radcliffe. I am currently a cybersecurity researcher at Boston Scientific, who makes medical devices, and my big experience with this is as a patient. I am a type 1 diabetic and have used medical devices of various types for a long period of time, probably the last 20

years since my diagnosis, and I have a very intimate relationship with medical devices and their safety, because I depend on them every day to keep me healthy and to keep me alive, and I have incorporated that into my career as somebody who is a medical device hacker, somebody that looks at the safety and security from a software and technology perspective of medical devices, and that's kind of my role in this field and in the industry.

Hi, I'm Suzanne Schwartz from the FDA Center for Devices and Radiological Health, and before I talk about the FDA, really what I wanted to do was take a few moments on behalf of FDA to recognize, to really acknowledge, the work that I Am The Cavalry has done over the past five years, and to really state how important the contributions are that all the security researchers have contributed to the medical device ecosystem. We highly value that work; it is extraordinarily important to advancing medical device cybersecurity and moving the ecosystem along, and so we want to congratulate I Am The Cavalry for that work, and we look forward to ongoing efforts, particularly in that

shared mission space of safer, sooner, together. So with that, just a little bit of framing around the background of FDA's work in medical device cybersecurity. Our emphasis has been very much on building the community, on really building that collective and that collaborative atmosphere, and it's as a result of really trying to do that kind of convening and giving every stakeholder a voice, a seat at the table, that our ability to formulate policy has gotten to where it is at present. And when I speak about formulating policy, I'm talking about the guidances that we have published for both the pre-market side of cybersecurity, in other words prior to devices going on the market, as well as throughout the rest of the product life

cycle, post-market, once the device is actually in its clinical use. But this has been a very arduous journey, and one that we at FDA have been learning as we go along with all of our partners, and there have been a fair number of hiccups and challenges along the way, very much a part of what does it take to mature, to mature the sector in an area that has been at a very rudimentary level as of at least a few years ago. And granted, we've seen a fair amount of progress, but it's more than just taking the tools that we're able to deploy out of FDA, the tools out of our

toolbox, but rather, what does it take to change culture? What does it mean to change hearts and minds and to really bring everyone together? And that's where utilizing the research community has been so very, very important, and a good example of that has been in the coordinated vulnerability disclosure space. So that is a really good illustration of how FDA came to really understand the importance of manufacturers and others adopting disclosure policies and making those policies public and available and transparent to researchers and other identifiers, and to have processes in place for intake and handling as well. So while we have seen some good steps, some good progress forward with respect to adoption of disclosure policies and

coordination around vulnerability disclosure, there's still a long way to go with them. We can talk about what some of the difficulties and challenges are as we continue with this panel, but I'll hand it over now to Nina. Hi, can you hear me? You can't hear me? Can you hear me now? Better? Super, good, okay. So I'm gonna hold it like this and look awesome the whole time. Good? No? Yeah. So I'm Nina, I own the DEF CON Biohacking Village, and one of the medical devices that I work on is the electronic medical record, which in my eyes is the ultimate record, sorry, it's the ultimate medical device, but it's not actually considered a medical device. My

main issue with it is that it's built on a lot of antiquated technologies, and this year with the Biohacking Village what we decided to do was to build it out. So under normal circumstances, last year, before that, the year before that, it was a lot of security talks; everything was someone up there giving a presentation, and last year we were looking at the situation thinking, this isn't the whole ecosystem, this is not everything that happens with medical, so how do we make this better and how do we make it whole? So what we did this year was create a medical device village along with the talks and a wet lab. So building all of that out, it gives the

researchers a better idea of how medical actually works, and you can get your hands dirty and touch everything and get in there, talk to the manufacturers, get better insight into what they're doing, how you can help, things like that. So just touching on what you said, some of the challenges that we have normally faced are trust: how can the manufacturers trust us as hackers, information researchers, to give them the right information, and how do we get them to trust that we're giving them the right information, so that they can maintain the integrity and the safety of these devices? So since we don't have a moderator, my question back this way is: as a patient and as part of

Boston Scientific, how do you guys deal with that, and then how does the FDA further accommodate things like that? Well, from the Boston Scientific perspective, you know, we're just kind of starting this cybersecurity program there, and, you know, it's very interesting: when they brought me in, they gave me this large list of legacy devices and they said, you know, we need to make sure these legacy devices are safe, but we also need to make sure that the devices that are made going forward are safe. And we're seeing a huge demand from health care delivery organizations; they don't want to buy devices that are insecure, that's crazy, right? They actually are doing their homework and they're asking lots of

questions of us of how we are testing these devices how are we guaranteeing that these devices that they're buying are going to be secured not only now but secured going forward for the next 5 10 15 years even because medical devices are not something that are like your cell phone they don't get replaced every year and a half there's something that usually lasts a long time and that industry is used to having devices last for 10-15 years so when they make that investment they want to know that those things are going to be updated and secure going forward now this presents a large problem because there really isn't an operating system out there that gets

support for 10 to 15 years. And when we look at a lot of these new medical device technologies, a lot of them are being built on the backs of things like Android devices, and Android devices have an even shorter lifespan; you know, the average lifespan of an Android phone or a tablet is about a year and a half. And if you know anything about the medical device world, it takes longer than a year and a half just to develop a medical device. So it's a very big challenge to us as a manufacturer to build these devices and to make sure they're secure and supportable as they go out into the field, as they go out into patients' hands, to make sure that they are indeed secure and stable and usable for that entire lifetime that they've looked at.

So to add on to that, from FDA's perspective, let's start off from where our mission is, which is to protect and promote the public health. And so we look at cybersecurity of medical devices through the lens of patient safety, recognizing that if there were to be an exploit of certain types of vulnerabilities of devices that could affect the performance of the function of that device, then that patient's health can be in jeopardy. That patient could suffer some kind of consequence, or even worse yet, it could be more than one patient; it could be a number of patients, or a mass number of patients. So when we think about it from that point of view, it's important for us also, in a lot of the outreach and the multi-stakeholder engagement and the educating and the building awareness that we've been doing, to really underscore those principles of what we're talking about here with regard to FDA's mission and FDA's specific emphasis on assuring that these devices are not left with exposed vulnerabilities that can lead to the kinds of hacks or attacks that can endanger patients.

Coming back, though, Nina, to your question: I think a lot of this is again focusing on building or creating an environment of trust, of respect and of empathy among different stakeholders, and without those factors the ability to share information and to be transparent about sharing that information really just sort of unravels. So that is really very much key to what we have invested a lot of energy and a lot of effort in doing, and it's with growing pains, there's no question around that. We've seen some disclosures that have gone very smoothly, where there has been really great dialogue across the different parties and communication that's been very much aligned to the public, and there have been others where there have been quite a few hiccups. So I think the other piece that's really important to emphasize here as well is that it's not merely about the disclosure per se. You know, the disclosure is critical, but built into that concept, that's not the outcome, the endpoint; built into that is really the means by which one gets to full management of that vulnerability and making sure that the vulnerability is being addressed appropriately, from the standpoint of whether mitigations, controls or remediation need to be put in place in order to appropriately, again, manage that vulnerability. So a disclosure is certainly a mechanism by which to do that, but I wouldn't want, FDA would not want, the industry and all stakeholders to lose sight of the forest for the trees here, in terms of it's not merely about a checking-the-box exercise

and disclosing. Did you want to say something? Because I have another question. Go, go for it. Okay.

So one of the things that happens, let's say you go to the hospital because you're having a heart issue, right? They don't walk up to you and say, okay, here are all the pamphlets of all the pacemakers we have, here's their contact phone number for support, you've got about five hours, let us know how you feel, call them, choose the one you want, we're good to go, we're gonna send you into surgery. Right? It's an emergency; you have to be in surgery within two to three hours to make sure that you're living. So if that device is going into humans, which don't get instant updates, and patients aren't very fully aware of what these things are, of what the devices are that are attached to them, you just know that the doctor gave it to me, it's going to work, I'm going to be fine. So how do we better ensure that, as medical information security and technologists? How do we better accomplish this, and what's the educational process?

It's a good question. I think that one of the things that I've seen a huge amount of growth in is the amount of questions that I get asked and the amount of inquiries that we get from medical professionals. I've had some recent privileges of being on technical expert boards with doctors, and they have become a lot more aware of these things, and I think it's because not only have we had some success in media, in talking about some of these issues publicly, but I also think that it's kind of creeping into their minds just because of the way that technology is running. You know, I mentioned cell phones, and one of the new technologies that I'm seeing is the cell phone is going to be the bridge between the medical device and the cloud, and that's how all of the data that the patient generates is going to be communicated. And doctors are incredibly smart, intuitive people; they know, hmm, my cell phone drops calls all the time and does weird things and can get malware on it, and now it's going to be responsible for doing things with these medical devices, and I've got some questions about that. Because I don't trust my cell phone to make credit card payments, yet I'm going to put my faith in this cell phone in patients, you know, to keep track of pain stimulators, of keeping track of cardio devices and cardio rhythm devices. And we see this technology being used more and more, and doctors are starting to question, is this safe? Whereas before it was very abstract, it was very proprietary, where you had to be within six inches of the device to communicate with it with a programmer. Those are older technologies, and now we're putting Bluetooth into everything, and these things are familiar to doctors. And I think that we've done our part in helping to educate them, but I also think that it's just the proliferation of technology that they're familiar with and that they have questionable experiences with. You know, I think that all of us in the room can understand how maybe we can question our cell phone not being the most stable device that we've ever used, or our Bluetooth headset that connects to our phone or our car, maybe that's not the safest and best way to go. It's not to say that it's not safe, but doctors are asking those questions to determine if those types of devices are safe to use. So I am seeing a lot more doctors asking questions about that technology, and even though patients might not have the immediate decision-making capability whether to choose their device or not, or to choose to have that device have Bluetooth capability or not, there's certainly doctors looking out for their patients' safety in that regard. So that's very encouraging.

No, we haven't seen that significant in terms of progress all across the clinical community, but I think that you're seeing signs of that, particularly in the cardiology or the cardio interventionalists, and it is our plan to target other parts of the clinical community over the course of the next year, in order to again better inform and better empower physicians around the technologies, so that they're better positioned to have that kind of an informed conversation or dialogue with patients. We think that educating patients is really critical here, and because those dialogues also are happening between the patient and the provider, it is important that the providers feel a level of confidence in what it is that they're able to communicate, and that they could put it in language that a patient can understand and can make, together with their physician, a decision based upon, you know, what's put in front of them in terms of devices. So this is an area, in terms of communications and better education, that FDA working together with different clinical societies, working together with various patient groups, is going to be really important as we go forward.

I have more questions. So, shameless plug time: I Am The Cavalry does a cybersecurity summit. They did one in Arizona and we did one in New York, where we talk about the emergency preparedness of medical facilities, hospitals, ambulatory centers, things like that. So I know you were involved in it. Okay, so essentially what happens is we escalate the situation: you know, at first one computer goes down, you find out there's some ransomware, and then by the end there's mass chaos, havoc. It's amazing. If

you ever get the opportunity to go, you should. So what lessons can we learn from mass emergency medical downtime, and how do we ensure patient safety with disclosure of ransomware and breaches from the hospital systems or the military systems? Are you asking me? I'm asking both of you.

Okay, that's a good question. You know, hospitals tend to be a little bit understaffed and behind when it comes to their IT technology, and there's a lot of struggle that goes on in that ecosphere of even having a solid inventory of all the devices that are in your environment, and being prepared for that is something that is a very scary situation, because I don't think a lot of hospitals are prepared for it, in my experience. You know, not only from my years of consulting, working at hospitals and working with hospitals, it makes me very nervous to see the amount of devices that go unpatched, the amount of, well, I know we have a lot of devices, I don't know where they all sit, and I don't know how many are vulnerable right now, because we can't scan them, we can't do that type of technology, because they're in-patient, they're in-patient use, and devices that are 10 to 15 years old don't react well to scanners and they don't react well to a lot of the modern technology. And when you have somebody hooked up to a respirator or infusion pump and you scan it and it decides to reboot and take five minutes to do that, you might harm the patient. And that's something that I think that every hospital and every medical device, everything in medical centers around the patient and making sure the patient is safe, so that's not a risk that they're willing to take. So they are often not as prepared, which is why you see this chaos that comes up when you have things like, well, there's some malware that's spread across the entire hospital and locked up all the medical records, so now we can't figure out what blood type this person is, or we can't figure out what their diagnosis is, and they might be in a coma. So it's a very troubling situation and it's a very scary situation.

And that's why it becomes really important to do exercises, right, to be involved in preparedness, response, recovery, resilience exercises that focus on simulations where you have a cyber attack of sorts, or different kinds of simulations and scenarios. We think that this is really very important, and hospitals, as part of their hospital preparedness programs, do this for other types of hazards all the time. What we need to do, and what is happening actually, is building that same kind of programming and exercising for cyber-related functions too. So do stay tuned on that, because FDA has been working with MITRE and with two states, with New York and Massachusetts, on pilots in terms of putting together what are playbooks for cyber preparedness and response that will then be utilized even to exercise and to iterate around what the gaps are and how to shore up some of those gap areas. But, you know, clearly we can't leave hospitals with the lack of ability to respond effectively if, when, they are hit by some kind of an attack. Yes, it involves New York City as well.

So I'd like to talk about one thing real quick. You know, since we're talking about disclosure, I think it's really important to note how far we've

come in disclosure. Seven years ago I gave a talk at Black Hat where I hacked into my own insulin pump, and at that time the state of disclosure was pretty chaotic. I didn't feel comfortable enough going to the manufacturer to disclose that before my talk, because I knew that their reaction would be to sue me and I would never get to do the talk, and people would never get to hear about the vulnerabilities that I found in my medical device. That was seven years ago. Today, and I mean last year, I disclosed the same type of vulnerability to a different insulin pump manufacturer, Johnson & Johnson, and I was able to do that very comfortably and go to them and say, I found vulnerabilities, and they said, great, we have a vulnerability intake program and we want to work with you and make sure that we address these issues correctly and safely. And the process took us over six months, but the end result was me as a researcher coming out with the manufacturer and saying, these are the problems that were identified, these are the solutions to get around it, and patients should not be overly concerned with the day-to-day operation of these devices. And if they feel especially threatened, like if they were a president of a country, or if they maybe were unwilling to take those risks, I kind of, I don't like to use the term tinfoil hat people, but these risks are very low probability but very high impact, you can turn some of those features off and not have that risk present in your life. And that was impossible seven years ago; it was completely and totally impossible.

And because of the work that the FDA has done, because of the work that the Cavalry has done, because of the work that a lot of researchers and medical device vendors have done, we've reached a better state. It is not perfect; it is not something that, you know, we can just say, great, we're done with it, we don't have to do any more work on this. There's still a lot of work to be done to make it better, but man, has it come a far way, and as a researcher that makes me a lot more comfortable doing my disclosures and doing my research. We've even gone as far as getting exemptions to the Digital Millennium Copyright Act to make sure that researchers that are doing good can do the type of research that's needed on these medical devices. Seven years ago, when I did research on my own medical device, I had to do it with one hand tied behind my back, because I didn't want to risk going to jail; that was not part of the plan. And I wanted to make sure that good guys had as much ground to explore and to research as the bad guys did, or as adversaries did, and now we've reached that state where we can do that type of research without having to worry about prosecution under the Digital Millennium Copyright Act. Now, again, it is not perfect; we have a ways to go with things like the CFAA and other types of legislation and laws that might impact a researcher's ability to do research and to disclose. But again, we've come a long way, and I want to recognize that we've come a long way and things have gotten a lot better from that perspective.

I couldn't agree more, and we really make a point of applauding the behavior of medical device manufacturers that

have engaged in coordinated disclosure and really in being able to work in such a collaborative manner with researchers and with government agencies, in terms of being able to communicate like that. I think that where we want to be, you know, in terms of setting goals for the next 12 months, is to see even greater adoption across manufacturers, because we have more than a handful, I'd say we have two handfuls, of manufacturers that are champions in this arena. They are really at the leading edge, and they've really put themselves on the line, I have to say, with regard to disclosures, because the media or the press doesn't necessarily understand or perceive right now that making those kinds of disclosures is actually a sign of greater maturity and of transparency, and those manufacturers often do get dinged and pointed to as the ones that have vulnerabilities, when we know that every manufacturer, every product, every medical device has vulnerabilities. So one of the challenges that we see as we go forward in this next year, in this next phase actually, is trying to get a better grasp on what are the hurdles, what are the perceived obstacles, what's hindering medical device manufacturers, the bulk of them, from actually adopting these policies and participating in coordinated disclosure. And as we get a better understanding of that, there are going to be various white papers and playbooks that are being put out by different groups within the healthcare sector to try to help address this issue from different angles, so that again, hopefully by next year at this time, it won't be 15 manufacturers of the thousands that you have in the ecosystem, but there will be maybe, I don't know, maybe a hundred or so. That would be really nice to see.

I have a question for you, Nina. I didn't know if you wanted to talk about what kind of protections you put in place in the Biohacking Village for coordinated vulnerabilities that are disclosed or that are found during that process. It's more of a Beau question, but he was the lead on the medical device village, so I'm going to hand it to you.

Turn it on. Always. Okay, I'll go stand in your eyeline, better. Yeah, so we've spent about 18 months working through how we're gonna do the medical device village this year at Biohacking Village, and they've gone through some pretty great pains to make sure that we strike a good balance. You know, one of the things we don't want to be is something like the Voting Village was, where you have a bunch of bad actors, you know, the voting machine makers don't want to improve the security of their devices, they see them as secure enough already, and so the Voting Village had to go out and get a lot of negative press. We want to work with people who are doing good things to get positive press out of it. So shifting the mindset from one of exposing bad practice to really an educational learning environment, a safe space for collaboration, for trust building, for understanding and empathy, is our goal. So to that, some of the things we put in place are like labeling for all the devices, so, you know, here's the disclosure policy, or here's a link to the disclosure policy, or, you know, this device is not on the market anymore, it's for educational purposes only; or, you know, bringing in the medical device makers themselves to help set up the lab, to run it, so that they can be literally face to face with the person finding the issue, so you cut the threshold to reporting to almost zero. We've done a number of things like that.

I think that some of the biggest breakthroughs that we've had are the medical device makers themselves, who, some of them, proactively reached out to us when they heard about it. They were like, hey, we want to be a part of this, like, how can we come, will you let us set up in there and talk to folks? What? Yes. So I think that's emblematic of the industry change, that it's not just us who has to put the protections in place, which we have done a lot of, but it's also the industry themselves wanting to lean into security rather than lean away from it. And there's other things we've done, like working with some of the third-party disclosure groups who are able to triage some of those vulnerabilities. Art Manion's going to be there from CERT/CC and help with some of that. We've got some good informational materials that we're gonna give out that give you a good, clear pathway to reporting issues, so it's not just, hey, find something and then go out to the media. At DEF CON generally this year there's a ban on recording, and we took it a step further; we said, for press, it's default deny, by exception only will we work with press to come in there, because we want to make sure that the story is right and accurate and not sensational and overly dramatic. You know, nobody wants a bunch of FUD out there, least of all people who are trying to build trust in the industry and in the ecosystem. So that's a lot of the things. I'm probably forgetting a few of them, because my brain is kind of fried right now, planning this for the past few months.

Great, thank you. Josh, you want to join us? No, no, you heard, it's covered. Hey, yeah, if you've got a question, sure. The vulnerabilities equities process, do you explain that for everybody?

FDA has not had visibility, nor has HHS, on the vulnerability equities process. So, you know, the concept behind it, and Sean, you may be in a better position to explain it than I can, but the concept behind it is to make sure that, with respect to vulnerabilities that, were they to be exploited, could be, you know, highly catastrophic from the national security perspective, that those vulnerabilities be maybe kept within very constrained circles within government, and that, in certain cases, the manufacturers would not be aware of those vulnerabilities, and that they can be used even potentially in an offensive manner as well.

But, yeah, I just wanted to throw those three little words out there. Yeah, so how do you envision the federal versus state versus local role in managing risk caused by vulnerabilities, and not just medical devices but IT systems and hospitals generally? So obviously the FDA has the best market guidance, but how do you see states coming in?

So from a response perspective, you know, this is where our working on what we're calling this regional playbook becomes important, in that there is infrastructure, there's response infrastructure, that is in place at HHS's level of the Assistant Secretary for Preparedness and Response, what's known as ASPR. And ASPR has connections, you know, into the states through what are called regional coordinators, and those regional coordinators also cross into the different states' public health departments, as well as with hospitals as well. What we're proposing is that that education has to, and that linkage needs to, expand to get it beyond what are all-hazards types of responses for which that ASPR network has been set up, so that the parties that would be engaged from a response standpoint really understand what it means to deal in the moment with a cyber-related type of an attack as well. So it would leverage that same type of a network. What we've done also, through the work thus far in building a playbook and reaching out to states, is to have discussions with those states' departments of public health, as well as with various parts of, you know, the regional coordinators there and with the hospitals, just again taking even lessons learned from there and leveraging those.

Yeah, I would say, so it's just knowing what you do for the National Governors Association, I would say slightly beyond the coordinated vulnerability disclosure or the disclosure process, what we're finding, at least in the work that we did, the congressional task force on healthcare cybersecurity, is, you know, but for the rest of the room, one of the things we found was: while medical device makers were starting to add coordinated disclosure, while we're decriminalizing research from the hacker community, while Suzanne and her team are trying to improve the state of the art and the minimum entrance criteria and ongoing care and feeding of medical devices, the last mile seems to be the hospitals. And one of these, I think, a role for the National Governors Association, or for the state and local, is to try to drive things like our CyberMed Summit, where we did clinical hacking simulations, the tabletop exercises with state and local government and hospital administrators, to have a very visceral and palpable experience of how underprepared they are for this new form of weakness against accidents and adversaries. So I wanted to see, like, a 50-state initiative, or maybe go to the major cities in the U.S. that have some sort of mecca around medical, like the Boston area, Minneapolis, Cedars-Sinai in LA. But the people that see themselves as leaders in this profession, were they to start doing this because their governor asked them to, or their mayor got involved and took a personal interest in disaster recovery or preparedness or some sort of national security exercise, I think it would create fertile soil for all the great work that you've already heard of today. So I think their role is really to be a better receiver of the good information, and to date we haven't really leveraged that, because, at least from the Cavalry's perspective, we found it hard enough to try to break through into federal government, let alone 50 states or even more cities. So it's very overwhelming to us, and we need guidance, leadership from you. But I would say getting that awareness level up may better leverage all the good work that we've already talked about.

So for that, I live in New York, in New York City, so as far as the local, state and national is concerned, 9/11 happened. It was a really real thing, and I'm not sure that we actually learned anything from that. Hospitals are 24 hours, seven days a week, 365 days. How do you do an emergency preparedness exercise with a city that on a weekday, or during rush hour, during 9:00 to 5:00, has 7 million people in it? How do you make all of that happen, where people can get to a safe place, or whatever the situation is? So that's something else that needs to be addressed, in big cities, smaller towns, things like that, and on the local level, and then as far as the state and national, it's like Josh said: we just need to work up or down, but we need to work on it.

Do we have any other questions? Welcome, Josh. Oh, hi. Do you have some additional questions or topics you want to bring to the table?

Since I don't know if it's already covered, and you guys are also brilliant, I'm assuming you covered it all; someone tell me if this was already covered. But I think the hardest part, and one of the big risk areas we have, is, you know, I think it's good that we've gotten more of a positive attitude towards an embrace of the value of white hat research, or good guys. I think some of us are jumping too soon to wanting it perfect, and what we saw working with Allan Friedman and his NTIA process is that people are at different parts of their journey. So while the disclosure wars and debates are 20 years old for most of us, a lot of these safety-critical industries are at year one, and they have to kind of crawl, then walk, then run. And what we've been trying to do is get them on the crawl stage and then hope that there's a virtuous upward spiral, that they'll add some more nuance or some better legal language or more safe harbor clauses and whatnot. So I call it being patiently impatient. And there's some people in the room that we've been trying to work on for a couple of years to get them to do their very first coordinated vulnerability disclosure template, and it was really helpful when the Commerce Department put their seal on it, and it was really helpful when Suzanne, before that, said, you know, we really treasure the value of white hat researchers, please start these programs. And we are making strides, but I think to get to that next level of adoption we have to get almost things like a product manager and look at what are the use cases that are keeping them from doing so, what's that one little stumbling block. Because in a lot of these cases it's one little phrase in the NTIA template that prevents them from having any program. So, you know, what we started doing, we said, just cut that line. I would prefer you have it, but cut that line, get started, because when you have your first program you have your first taste of success, and when it doesn't explode, then your internal confidence goes up and your internal political capital goes up. And I think sometimes we're so frustrated that we haven't been embraced, we want more than they're capable of giving us. So sometimes going slower actually makes you go faster, and I want us to have some level of relentless attachment to the goal of high trust and high collaboration between researchers and bug receivers. I also want us to have a pragmatism to us that gets us there faster. Sometimes, you know, slow is smooth, smooth is fast, and we haven't really demonstrated that. A little bit of patience up front tends to start the process, and then you can accelerate into the curve, and I think we have a lot of proof points to that effect.

But that's kind of what I wanted to add. It's like, even I just started my own coordinated disclosure program now that I'm back in the private sector. It was hard to get through the general counsel, really hard, but we got something through, and I narrowed the scope down to maybe one product, and someone could criticize that from the outside and say it's not perfect. But I think that patient impatience, when the first few disclosures we're getting in right now aren't gonna backfire, people are like, oh, this isn't so bad, oh, I can see the value in this, and then you can expand from there. So we have to look at this as more of a marathon and not a sprint, and I ask my hacker colleagues: don't be so purist about it, and don't overplay the trust we've started to experience, but help people get where we want them to get by understanding where they are. You know, they have their current state, we have a desired state, we have to build a bridge from that current state to the desired state, and it's often not one maneuver. I think the people in this room know that they want to use the empathy and the patience, and I wanted to go a lot faster than many of us have experienced, but I think if you squint, we have a graphic that was made for us that showed, like, eighteen parts of the US government in a two-year period enthusiastically embracing the value of coordinated vulnerability disclosure. I said this earlier this morning, but if you weren't here, Art Manion did a Senate testimony a couple of weeks back about the Spectre/Meltdown disclosures, and both the chairman and the ranking minority both implicitly articulated, almost perfectly, and implicitly articulated the value of white hat research. They were actually critical of the response from industry, and what a victory, in a five-year span, to go from hackers or criminals to a gimme for elected officials in the Senate to understand the value of research. So I think on the arc of history we're doing the right things. What I would encourage you guys to do is don't drop the empathy that got us this progress; don't give up on the goal, but don't drop the empathy that got us here. I think that's why we built trust with Suzanne and her team, and that trust, hard-earned, has turned into significant secondary effects, where Congress is like, we really like this, maybe other parts of the federal government should do what Suzanne's doing. So I hope that wasn't redundant with what was previously covered, but I think we're doing the right thing the right way, and we have to have realistic timelines on it. I don't think we should be arbitrarily patient, but we should understand where our teammates are at and help them across that next hurdle. Is that redundant? No? Okay. Yes.

There's a clear communication on what constitutes critical advice versus a vulnerability that's important to be aware of but perhaps is not as severe as some of the others that are out there, and as somebody who writes about this stuff on a regular basis, even I find it confusing and unclear to try and figure out what's a serious vulnerability and what is less serious. I'm curious what's being done to help clarify that. Well, that's definitely something that I had a huge amount of consideration about when I disclosed my Johnson & Johnson work. One of the things that I learned in this process, when I disclosed the stuff in 2011 with the Medtronic insulin pump, you know, I just

thought it would be a cool Black Hat talk that all my geeky nerd friends would enjoy, learning about how I found out about this, and when the media got ahold of it, it became this really big thing. I got emails from all over the world, from parents, from doctors, from hospitals that wanted to know what they should do: does this mean I need to wrap my kid's insulin pump in aluminum foil? Does this mean they need to go back to doing shots? What does this mean? I don't understand what this vulnerability means. I learned a lot from that, and the second time around, when I did the work with Johnson & Johnson, I

said I want to make sure that people understand what this means, and I wrote a big blog post that got posted at the same time that we did the disclosure, and I said, as a patient and as a parent, I implore you to keep your child on this insulin pump if you're affected by this vulnerability, because if I had to choose right now to keep myself or my children on this insulin pump, even with the vulnerability, I would still do it. Yes, the vulnerability is bad, but we have to realize that vulnerabilities and risk are relative. I mean, we take a risk when we fly to Las Vegas to go to this conference. Now some people choose not to fly, some people

choose to drive because it's a different type of risk that they're comfortable with, but I think that making consumers more aware and more comfortable with what that risk and vulnerability means is really important, and part of that's the researcher's job. I need to tell patients, hey, this is a really technical thing that's probably never, ever, ever going to happen to you, but it's still something that we need to be aware of and we need to fix. I think we just got the five-minute warning, but a small answer is tomorrow we have Art Manion from CERT/CC, [unclear] from DHS, who's technically the sponsor of CVE, which leverages CVSS, myself, some other folks. We're gonna kind

of drill into some of the strengths and weaknesses of that, but one of the big problems is CVSS is kind of really not well oriented, the Common Vulnerability Scoring System is poorly oriented, for safety-critical use cases. We tend to focus on remote code execution or loss of intellectual property as opposed to availability attacks, which might be a fatality in some of these. So it's not that you can't score properly with the system, it's that they tend not to. So we're gonna talk about and press upon some of those weaknesses in a much better answer to some of your question. Did you guys cover the CYMSAB? Because I think part of the answer to this

might be what Chairman Gottlieb is talking about with CYMSAB. We didn't, we actually didn't get to talk about the Safety Action Plan, but as we move forward at the FDA in furthering the work, in building upon the work that's already been done, we put out in the Safety Action Plan that came out in April of this year some specific steps that we're looking to move forward with, and one of them is this concept, this notion of a public/private partnership model that would bring together experts across multiple disciplines working in a trusted environment in order to evaluate, to assess a vulnerability and to really get to ground truth around that

vulnerability, and closer to real-time, and this is in response to some of our own observations and learnings, quite a few of which have been public, in terms of the timeframe that it has taken to really get to ground truth around certain, I would call them high-impact or high-consequence, vulnerabilities were they to be exploited. So what this would do would really allow for creating an environment where you have disciplines such as the clinical discipline, the biomed engineering, the security engineering discipline really working together and all having access to the same information and being able to really thoroughly assess and comprehend what is the impact of that vulnerability and

what is the exploitability of that vulnerability as well, in terms of then helping support what needs to be done in managing that vulnerability. I think that that is a really key piece as we move forward, in that right now we're left with certain pockets where resources just are scarce in terms of being able to achieve that kind of ground truth, certainly in a timely manner. So I got the sign that we're out of time. Please take advantage in the hallway, though, this is the start of the conversation. At the end, with Suzanne or Seth, raise your hand. So that's gonna be on the panel tomorrow about CVE and CVSS. I just did, I just did, but you know, if

you have burning questions or topics on this, I think the same said, especially is there a hacker voice on the CYMSAB? There will be. All right, yeah, I mean, this is easy. If you were here this morning: if there's a pacemaker attacked, do people get tired or is there a loss of life potential? And I think something like this stands a good chance to get past the noise and the posturing towards actual ground truth. So thanks for your time. I think it's the end of the track today, but please avail yourself of the opportunity to have very senior people in the FDA here to answer your questions, and be good colleagues. Thank you.
