
IATC - Transforming Industries for Fun and Safety (Presentation) - Beau Woods & David Rogers

BSides Las Vegas · 28:40 · 36 views · Published 2018-09 · Watch on YouTube ↗
About this talk
Transforming Industries for Fun and Safety (Presentation) - Beau Woods & David Rogers I Am The Cavalry! BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

So I think this is going to be a weird, fun session. I hope it's going to be; it's not your typical hacker con talk. We're going to be talking about public policy, which sounds super boring, but yeah, there you go, in the back, he knows what I'm talking about. But actually, you know, through several years of trying to fix low-level bugs, or hack a single system, or hack an entire organization, or hack an industry, one of the things that we learned through I Am The Cavalry is that it's actually about the same amount of work and effort to hack an entire industry as it is to hack a single system, and if you want to hack a single industry, you could also hack the public policy. So this is kind of the public policy hack: how do we get better documentation, how do we get better policy statements out?

And so with I Am The Cavalry, for the last, I don't know, probably 18 months or so, we've been working on building out what we're calling a cyber safety policy database. This is just like, hey, here's a bunch of cyber policies, particularly around cyber-physical systems or the Internet of Things. A lot of them say similar things, some say different things, but let's put them together and compare them; wouldn't that be fun and cool? Now, we've done that informally in building out our automotive Five-Star Cyber Safety Framework as well as the Hippocratic Oath for Connected Medical Devices. Over the last year we've done it more formally, where we went out and actually sought out policies. Some of them we helped frame, and helped, you know, government agencies in the crafting of them; some of them came out independently but had a lot of overlap. And so, what if we took those and framed them up against each other and said, how does each one map to the other one? It was just kind of a fun thing, but then we started to see it had a lot of power. I'm going to talk a little bit more about that in just a second, but we actually have another really cool thing that we're going to talk about today with Dave Rogers.

So David, I'll let you do your introduction, but just very briefly: he's done a lot to help craft IoT policy for the UK government over the last probably decade or so, culminating most recently in a document they launched earlier this year, an IoT code of practice for security, which is going to get even more legs than it has right now. So I want to flip it over to David to do the first part of this. I've got the code of practice up on the screen here if you want to refer to it; hopefully my screen doesn't blink while

you're talking. But yeah, take it away, David.

Cool. Well, thanks, Beau. So a little bit of background: I've kind of had one foot in the security research community for quite some time. I took an unusual route, like most people, into infosec: left school at 16, ended up doing stuff I didn't want to do, and ended up as head of security for Panasonic Mobile, doing 23 and doing a lot of investigating of embedded systems hackers. So my background's electronic engineering, and yeah, that's really how I cut my teeth and how I got to know a lot of people in the security research community, and I've got a lot of respect for them over the years. So I've been coming here for a few years too. But yeah, for the past few years I've also been running a company called Copper Horse, and as part of that we've been helping the UK government with the National Cyber Security Strategy; we're on the second iteration of that now. So I help them out on some of the mobile, and now the IoT, parts of it. I also get involved in the GSMA and other industry bodies; I chair the device security group at the GSMA, and I also teach (one of my former students is here, by the way). What that gives me is a really broad view in terms of, you know, the whole ecosystem: what manufacturers want, what security researchers want, and hopefully, with the work that we've done, particularly around IoT security, that's being reflected.

I should say also that there's a huge team behind this work. The lead for this is the Department for Culture, Media and Sport, and for Digital as well, but behind that is also the National Cyber Security Centre, who are an excellent group of individuals; there are so many good people there, you know, I can't say enough good things about those guys. And the advantage actually that we have in the UK is that the NCSC underpins all of the government departments. So while the Department for Transport is doing some work on cyber security, or we're doing some work on consumer devices, or BEIS is doing some work on energy systems and smart buildings, underpinning all of that you have all of these fantastic engineers at the NCSC, and it really, really works.

So, to cut to the chase: how did we start this work? Well, I was in the south of France at a standards body and I sat down for coffee with a guy from the NCSC, and literally the start of this conversation was: how would we have stopped it, right? And so we came up with a kind of straw-man list of things, but during that process also, you know, we were kind of inputting what we observed. So we've all observed... I've done vulnerability disclosures to vendors that have gone really badly, and you know, I've seen the consequences of vendors that don't have any way of talking to researchers and how badly they treat them. I've also seen at first hand, you know, the fact that we didn't have any way to do software updates on mobile devices in the past, and having to stand alongside major security issues. But what we did see was that, you know, there are a lot of bad practices that we've all known about for, say, the past 20 years or so, and they're still here, and people are still shipping products, particularly IoT products, that are extremely insecure. And so we kind of agreed that we really do need to tell people the basics. We still need to tell, particularly, companies that are just kind of digitizing products, say a washing machine company that wants to put their product on the Internet. You know, that's their prerogative, but in reality they don't know what they're doing, and they're doing the same things that people did 20 years ago, but unfortunately with some of the equipment that's still insecure, with the same vulnerabilities as twenty years ago, that still has open telnet access and so on.

So what we wanted was these guidelines. So we came up with a code of practice, and an expert group came together. This is all part of a report which is on Secure by Design, and there are many elements to this about how to communicate this to consumers and so on, but the core of it is 13 outcome-based guidelines. We wanted to make these things measurable, and we selected the top three. So the top three are, literally: no default passwords; we're not going to accept that anymore. It seems obvious, but, you know, like I say, the products are out there. The second one is about doing vulnerability disclosure: actually, you know, acting on it and having a security page and so on. And the third one is about having software updates and end-of-life policies and so on. So those three basic things are actually also the most impactful things, so if we get those, then we're really winning, because that's the problem we face at the moment. The rest is kind of really, really nice to have, but to me they're quite essential. And I should also say that there are some vendors out there who are doing a great job, but the large part isn't. So what I've described these things as, these top three: the consumer can check whether there's a default password on a device; it's pretty easy. A consumer, if they were reminded to, could try and see if they could report a vulnerability to a company. And also a consumer is going to pretty easily know whether that device can get software updates or not; they'll certainly know if they can't get software updates. So these work as kind of insecurity canaries. So in a sense, a consumer could reject a product on the basis that none of those three things exist, because if those three things don't exist, then probably the rest of the product is pretty badly insecure as well; I think it's a good bet. So that's where we look to it.

I mean, we've had some great conversations, Beau and I. I should give a shout-out to a lot of people I've spoken to over the years on this particular topic. Dom Bailey (I noticed his tweet was on the screen earlier), Dom Bailey particularly was heavily involved in the GSMA IoT security guidelines, and more and more security researchers are coming into the business community and the government community to actually explain to people and tell it how it is, and people are listening to them. And so I'm really grateful for the fact that people bothered to listen to me, and, you know, we've come up with what I think are a decent set of guidelines. So we've sent this out for public feedback; public feedback was pretty good, we've made some tweaks and so on, and we're ready to publish, probably later in the autumn. And together with that, and this is a happy coincidence actually, so Beau mentioned at the start that he was doing a mapping exercise against policy with the I Am The Cavalry group, and what we've done is a mapping exercise, mainly for our own efforts, to understand what's happening in the standards and guidance space. So there are a ton of people who have already worked on IoT security and are standardizing it at the moment, but it's really, really fragmented. We don't want to kind of create another standard for no reason, but what we can do is kind of say: this is what's out there, and this is how it maps to the code of practice. So what I'd like to see us do with that is that we put it out as open data, so then anybody can take that information and use it in their own companies or whatever, and hopefully that will help to raise the bar on security and really contribute to making things good in IoT.

So I believe, David, correct me if I'm wrong, but that is the first public announcement that that's intended to be open data, or hopefully open data? Yes, yes, yes. Yeah, so, a world first here in the Cavalry track at BSides Las Vegas; who would have thunk it? It just goes

to show what a handful of dedicated, passionate people can do in this world: put something like that together and then open it up, crowdsource it. We had a little conversation about some of the things that can come out of it going from here, for something that is more of an open data project, which is a good transition into what we've done at I Am The Cavalry over the last few months, which is to try and put together a list of... man, that blew up real big, nice... a list of general policy statements that cross a lot of areas. So if you look at this list... got a lot of black screen there, I don't know what's going on with that; always have backups, right? So if you look at the list here that we've got on the screen, I'll see if I can zoom into that a bit, but we took a lot of the policy documents that exist, things like the DHS Strategic Principles for Securing the Internet of Things, things like I Am The Cavalry's automotive Five-Star framework, these documents that already exist out there in the field, and we said: what would happen if we just started to see how each of those maps against each other, so that if we're writing a policy doc or a set of policy recommendations, we know we didn't miss anything, and we know that we've got the best possible language distilled from everything that actually exists out there in public policy land today?

And what we found is that there's a ton of overlap. There are also some sector-specific documents that are really useful in that sector. So you can see right here, highlighted, the National Highway Traffic Safety Administration cybersecurity best practices for modern vehicles; that's very specific, and they've got 12 policy statements, where some other policies might have many fewer, like three policy statements. So you can see they go into a lot more detail in a very specific area. But to be able to pull these things together, to put them in a mapping system in a way that doesn't create just another standard (and there's an xkcd comic about that, as there is for everything): how do we put it together in a way that can be mapped for policymakers, for academic researchers, for industry, and for others, to be able to kind of smooth the transition, right? So I think in 2016 we did an analysis, and what were there, Josh, like 12 different policy documents on cybersecurity and IoT just from the US government, and I think one from ENISA? That's a ton; that's a lot to keep up with, and in a lot of cases people are kind of stepping all over each other to try and get these things out and understand them.

And what we wanted to do as well was publish this in an open format so anybody could take it and use it. Going through this process, and in having some conversations with particularly US government agencies, one of the things we learned is that they could actually use them for a lot of really interesting things. So in putting this together we actually found that there was a reference set of statements, and I know that this is an eye chart and you can't see it all, but we came up with some reference statements that distilled each of the policies that had overlap and pulled them into a single sentence. This is going to be available online very soon, so you don't have to squint to see it; we'll publish the notes and the links. A single set of reference statements that could actually just be picked up and used in a policy document if somebody wanted to, or tweaked to fit a specific industry or a specific purpose. And in talking with some of the agencies, they were like, wow, you've done this and you've already mapped it back to our internal policies and guidance and rulemaking; that's kind of cool, because then what it does for us, because we don't have to go and figure out what our legal authorities are, we've already got it mapped. So we reduced the threshold to building new policies and also made the policy statements better, so they could be picked up and used; they would be more consistent, so industry wouldn't have to figure out a different way of going about complying or aligning to different standards around the world or different policy statements around the world. And it gave a good data repository for academic researchers, like Carl and Kareem and Hasan, who you saw yesterday talking about some of their work, so that they could then take this open repository and mapping as a single easy data set to start jumping around and doing more deep analysis and coming out with recommendations and conclusions.

So we are going to publish this; we can put just a link in the YouTube video that we've got, or distribute the link in however we want to best format it. Right now it's in a Google Sheets document, which is probably not the best database, but all the information is accurate. We've also got a Word document that has the single policy statements that we found are the superset of everything that exists, and we'll publish those as well, starting probably next week when I get some sleep. But one of the tools that I wanted to highlight, or one of the use cases, and then we'll open it up for questions with the last couple of minutes we've got here, is: if we want to see which policy buckets mapped to which public policy documents, we can pretty quickly and easily see that. This is just with a simple pivot table, because I suck at databases, so I used the tools I had. So you can see, like, supply chain rigor: you've got things like the DHS Strategic Principles for Securing the Internet of Things, the Hippocratic Oath for Connected Medical Devices, and I suspect if you plotted this on a line by timing you could see history; you can see what documents feed into what other documents, and that could be really, really interesting to see an emerging trend. So you could say something like, hey, this supply-chain rigor concept is getting a lot of traction; we should probably look for more policy documents on supply chain rigor in the near future.

You can also use this, and again I'll zoom in on this, if you are working in an agency or working in a public policy recommendations house like a think tank: then you can take a look at what you've got, map it to what already exists, and say, where's my coverage? So this is, you know, the top mapping; I'll actually zoom down here to the UK government document, the code of practice, so you can see where that maps up. So, you know, David, for your use, you can see that you've got seven overlaps with the cyber safe and secure by design, you've got one here with forensically sound evidence capture, and that might be an artifact of the target demographic that you're going for, which is why you got that balance, which is really interesting to look at. And it can be a check, to say, oh, did we under-treat that, or did we treat it just right? It's just different from the superset. There's a lot of other things you could do with it. I know Karl and Sean probably are thinking about some things now, but we see this as a start, right? It's a bunch of data we just want to put out there and let somebody else figure out how to use it and make best use of it. You could also use it... in a former life, when I was doing a bunch of governance, risk and compliance auditing, this type of mapping was super helpful, because you'd go into a company and they would want to know: here's our program, what laws do we comply with? So this is just an easy translation engine to that, which could be an enabler of business; it could smooth over a lot of the processes that small companies have to go through. Normally they'd have to pay six figures to PwC to come in and figure it out, and they could now potentially do it for free. So we think it's a cool thing; hopefully you guys do too. I'll shut up now and take questions. Got one in the front here. [Music]

David, I loved the idea of the survey, a harbinger, canary in the coal mine. Always thinking sort of unintended

consequences, and how wily people are in terms of meeting the requirement all of a sudden, and enabling customers, I'm sorry, consumers. I have a lovely idea... what was the concern about incentivizing just fixing the hard-coded credential, right, and then nothing else? So you get, say, theoretically, devices that have no hard-coded credentials but then fail in other ways.

Yeah, I mean, I think, as I could say, it's probably largely part of the escaping-the-password thing. You know, the way that the code of practice is done is actually relatively high level, and we wanted to have these measurable things, and what we could see was lots and lots of IoT devices coming out with admin/admin, admin/12345, and in the context of Mirai and Reaper and so on, that's exactly what their problem was, or part, a major part, of the problem. So it's not... and I think that's maybe the attitude people have taken, like, well, you know, that's an old issue. But it isn't; it's still a current issue. So yeah, there's some really complex things that we want to do, you know, in the future, like quantum-safe cryptography and things like that, but actually, look over here: admin/admin. So those basic issues still need to be addressed, and I think the bottom line is we've had enough. It's not acceptable. If you want to make the UK a safe place to do business in, we can't stand for this.

Yes. So going back to your idea, you were talking, as an example, about the refrigerator or the dishwasher or whatever I'm putting out on the internet. Washing machine. The washing machine, perfect, I got it wrong already. Those devices remind me of old-school networking and IT: they're a box. You design a box, you sell a box for a specific profit margin, and the teams have already then moved on to building the next box, right? If I look at the most secure IoT devices today, they're the ones that charge a subscription, because that gives you, a team, a recurring profit to keep the team alive to do security updates, etc. How would you feel about kind of allowing vendors to think about that model? Like, I don't mind having a pennies-a-month subscription for my washing machine if it means my washing machine is secure, because otherwise we can't really expect them to factor, what, 10 or 20 years of warranty for security updates and IT talent into their current profit margin.

I kind of wish that was true, because I know a lot of subscription devices are grossly insecure. So I think obviously the cost is a factor, and cost has to be borne somewhere in the supply chain, but I think the problem is that a lot of these vendors don't appreciate the threat environment as it is now. So, you know, when I was designing product at Panasonic, to do the security, you know, we didn't have remote software updates and so on; equally, the security research community wasn't as established as it is now. And so what you have now is, you know, attackers up here; the mobile industry probably is up here in terms of defense, you know, if you look at Android and iOS, at least they're very sophisticated in terms of defense; and then you've got Joe Bloggs washing machine company here, who's buying in, you know, equipment from a third party in China that they don't know what it is, and it's insecure. So regulators are seeing this all the time, and, you know, you as a consumer don't know; you can't really measure the difference. You can make some basic quality decision on some vendor that you think you know, but they could still be using an ODM supplier that's insecure too. So I think the reality is, if you want to play in this game and sell products to people, you have to be secure by design. Gone are the days where you can ship crap like that.

We have time for one more, if it's very fast.

Yes, so I was just going to ask: where did you decide to form your buckets from for the mapping? And then also, these are guideline documents; is the level of granularity such that, you know, the recommendations are so large, compliant, you know, you could be in compliance without being technically compliant?

Yeah, that's a great question, and that leads into a point that was kind of part of the design requirements for these documents. We wanted the things that were in them (I zoomed in a little bit, so maybe you can read it; I don't know how good that screen is), we wanted the things that we came up with to be objective, not, like, you know, based on my sense of the feeling of the direction of the winds, "I kind of think that you're okay here", but like, no, you either are this or you're not this, right? So objective, observable, so it didn't take, you know, some deep peering into the source code of a compiled binary to be able to understand whether or not something did or didn't meet these objectives. We wanted it to be something that could be falsifiable, verifiable; that's an important part of science and the scientific method. I personally would love to see a lot more sciency stuff done rather than, you know, vendor white papers that tout claims; let's have scientific methods that actually run through things, tell you the methodology, make it repeatable, have other people who can go in and fact-check your studies. So those were just three of the elements and requirements. And we wanted it to be high-level enough, and written in language sufficient, so that policymakers could get it, so it didn't take a huge leap. You know, you might have had to educate them on what email was, going back to Travis's talk earlier, but for those who already knew what email was, it wasn't a stretch that they would know that the thing is updatable, that it is supported for a defined lifetime, something like that, and then it would have a clear translation into the more technical pieces. And you can argue about whether or not the firmware needs to be supported or just the software sitting on top of it, but the act of requiring that discussion to happen is a whole other conversation that we're not even having right now.

And then kind of the final point is, especially for the I Am The Cavalry Hippocratic Oath and the automotive Five-Star, we wanted it to be an attestation-based model, so that manufacturers would tell you the commitments that they have made. Then that sets up a whole other enforcement regime that we don't have to worry about, you know, being just a bunch of scrappy researchers who threw a bunch of ideas out; we didn't have any power or authority to enforce things. (David does; thank you, good job.) It's a way to hack the system. But so if people attest to something, then they've made a claim, right, and that should be something that bolsters public confidence, but if they're lying or if they're misleading, then there are remedies that already exist in the American system and the UK system and other systems to be able to handle those types of things. So those were some of the design requirements that we had with the original system, and it's mapped really well; you know, you could use it for that same thing. Just to your point about the high-level nature of that guidance, I think there's always a balancing act, right? Nothing's ever black and white, and so the last thing we wanted to do was constrain innovation. So you don't really want a monoculture of government telling you you have to design this thing this particular way, because that's going to be bad. You know, I don't want the Internet of Things to die; I actually want it to grow, but in a responsible way for users, around privacy and security. So, you know, there has to be some balance in that, but I think we've picked some of the things that we can say we don't want, right, and we can identify some of the bad things.

All right, we'll have to call it there. Please find these gentlemen and ask them more questions as you find them in the hallways. Thank you very much.

And I believe that's the end of the video. Awesome, thank you. [Applause]