
Cyber Safety and Public Policy

BSides Las Vegas · 2016 · 55:23 · 50 views · Published 2016-08
Category: Policy
Difficulty: Intro
Style: Talk
About this talk
I Am The Cavalry co-founders discuss emerging cyber policy developments affecting security research and critical infrastructure. Covers DMCA exemptions for security research, state-level legislation on automotive and medical device access, and federal initiatives on IoT security and vulnerability disclosure. Examines how researchers and policymakers can collaborate to advance cybersecurity as a public good.
Cyber Safety And Public Policy -IATC, Amanda Craig, Jen Ellis I Am The Cavalry BSidesLV 2016 - Tuscany Hotel - Aug 02, 2016
Transcript

So we're going to cover some of the major developments, and then we are going to go into the specific areas that Cavalry focuses on, so medical, transportation, public infrastructure and home, and then we're going to talk about how you guys can get engaged in policy, should you so wish to do so. In terms of major developments, this is the biggie, the gold standard major development that we have seen in the past year that has had an impact on what I would call cyber safety, what we would all call cyber safety perhaps. So basically the DMCA. Who is familiar with the DMCA? Quick show of hands. Okay, so I probably don't need to tell most of you, but in a nutshell the US has two copyright laws, because one is just for losers. So there's one that basically says copyright's a thing and we should respect copyright, we like copyright, and then there's the DMCA, which says, so about that copyright thing, yeah, we were serious about that, so if you circumvent technical protections that are put in place to protect copyright, that's a problem for us. So not just the copyright issue but also the circumventing of technical protections. What this means is that a lot of research has been subject to the DMCA, because often research involves circumventing technical protection.

Now what the DMCA does do, it does a couple of things. Firstly it has some permanent carve-outs, some permanent exemptions, to address this problem, but they're very, very narrow. So one of them is about reversing the hardware, but it has very narrow restrictions, and one of them is about testing security of data in transit, encryption, very narrow boundaries. So if you wanted to do things like look at firmware, traditionally that has been frowned upon. When I say frowned upon, I mean with handcuffs. So the DMCA also has this secondary thing it does, where it says, okay, this is about technological controls and technology moves faster than law, so what we're going to do is we're going to say every three years we'll open a process where you can apply for an exemption, and you apply to the Copyright Office and the Library of Congress, because they know a lot about security research. So that's what it says, and the idea is you apply, and then every three years any exemptions that exist, apart from the permanent ones that I just mentioned, roll back. So even if you already got some in, you lose them and you have to go through the process again. And they have this sort of multi-layered process where you apply, and then there's a comment period where people can say no, that sucks, I hate it, and then there's another comment period where people can say no, I love it, it's great, we should do it, and then there's some testifying that happens, and then the Library of Congress and the Copyright Office look at all of this stuff and they go and they talk to other parts of the government, and like Allan, and they come back and they say yes or no on your exemption.

So why is this a major thing for us? Well, last year we went through this process and there are a whole bunch of people who participated in requesting exemptions for security research. There were four security research requests that went in: one for security research for medical devices, one for security research for cars, and two for general consumer-oriented technology, consumer research. So the Copyright Office and the Library of Congress got all of these in together, they looked at all of them, they went, oh, these all kind of overlap, we should do something that encompasses all of them, and they went and they talked to NHTSA, and they talked to the FDA, and they talked to the NTIA at the Department of Commerce, who said yes, security research is a thing and it helps us support a free and open internet, we should support it, it's good, we like it. And so they said, oh okay, that's good, right, we like it. Yes, these technology manufacturers though, and their alliances, they seem less enthusiastic about the whole idea, they've written some letters, what should we do? And NHTSA went um, and the FDA and the NTIA gave much more balanced advice. And so eventually what happened was the Library of Congress and the Copyright Office said okay, we will have an exemption for security research, one exemption, and it will cover any consumer-oriented technology provided it's not in production, so no wandering around hospitals unplugging and plugging in USBs, sorry to spoil the fun. But because this is all a little bit like we're not really sure what to do and it's still going, we're going to delay it for a year. So you can do this, it'll come into effect, but rather than it being immediate we're going to delay it for a year, except for voting machines, because there's kind of a thing coming up, so please go test voting machines.

So anyway, the deadline for this, when it comes into effect, is October. So for the people who have traditionally not considered themselves technology providers, of which in the IoT space we deal with many, who are now dealing with lots and lots and lots of lines of code but don't think of themselves as technology providers, they think of themselves as car makers or medical device makers or whatever it is, for those people they have this sort of looming deadline, and it has an impact, an impact that we're seeing already in the actions of some of these companies that don't consider themselves technology providers but increasingly are. There are numerous examples of this. One is the NTIA process on vulnerability disclosure; there have been many automakers and some medical device manufacturers that have participated in that process and have attributed their participation to kind of a better dialogue with their regulator, because it demonstrates that they recognize this is an issue that they need to deal with and that they are engaging on it. In addition, GM in January of this year published a vulnerability disclosure policy in coordination with HackerOne, then in April/May Johnson & Johnson published a coordinated vulnerability disclosure program as well, and then most recently in July Fiat Chrysler America (FCA) published a bug bounty program in coordination with Bugcrowd. Great, so we're starting to see real developments, and the alliances in this space are kind of pushing their members to understand, hey, October's going to happen, researchers who have been too afraid to disclose in the past and have been storing up vulnerabilities are going to suddenly come out of the woodwork and they are going to disclose, and you're going to have to have processes in place to deal with this. So we are seeing a huge cultural shift, which is actually awesome. I mean this is like the best possible thing we could hope for. Bear in mind though, we have two years and then this goes away and we start the process again, so the battle is certainly not done.

And because of this sort of strange process where you're applying to the Library of Congress, which looks like a very technological place, because you're applying to the Library of Congress and the Copyright Office and you're going through this sort of strangely intense process and there's lots of uncertainty, and really this is about something that isn't a copyright issue. I mean most researchers, as far as I understand, are not really trying to defraud any company in terms of the copyright stuff, it's really just like, hey, you have a vulnerability, let's fix it, not put people at risk. So because it's not really a copyright issue at its core, there are people who are trying to get the DMCA changed at a sort of more basic level, and there are a number of different ways of approaching this. One is to work through sort of the more traditional routes of getting congressional support, trying to get legal reform. The Copyright Office, for what it's worth, is actually quite supportive of all of that; in conversations that we've had with them they'd be like, yeah, we don't really know about this, we don't really think we should be making decisions on it, we're happy to support this. Another route to go is you could launch legal action against the Copyright Office, which is what the EFF and some other people are doing; that was announced last week. I don't want to get too much into it because I really like the EFF, but I think that my personal view on this is that our better path forward is through collaboration and finding common ground and building trust. I think that is a massive theme of I Am The Cavalry, and if you don't want to build trust and find collaborative opportunities this is possibly not the room for you, in all honesty. And so I kind of feel like, you know, when you sue people you sort of undermine a lot of that, and whilst I don't expect Allan to comment in any way, shape or form, I imagine that when the research community decides to sue the Copyright Office it does make the advocates that we have had feel a little sheepish in continuing to advocate for us. So there you go, that's my personal view on it. I still love the EFF and support the EFF, but that's my personal view.

So, developments in medical. I've been talking a lot, so we're going to ask some other people to come and talk instead. So first we're going to welcome Suzanne Schwartz from the FDA, who's going to talk about some changes they have made, which is very cool. [Applause] Here, have mine.

Thank you. All right, yeah, so a lot of what Jen had provided in the introduction are areas and items that we feel very, very much aligned with, and I'm going to take a step back actually. So how many of you have had any kind of interaction at all, or know much about the FDA, the Food and Drug Administration? So there's a fair number of people here, okay. And obviously we're the regulatory agency responsible for different medical products. I come from the Center for Devices and Radiological Health, and it's our medical product center that has oversight on both the pre-market as well as post-market authority of medical devices that are distributed within the United States. And the past few years have been a huge awakening for the FDA, as well as, more broadly speaking, I would say the healthcare and medical device ecosystem, in coming to terms with the challenges with respect to medical device vulnerabilities and the need to address those vulnerabilities. So if I were to go back a few years' time, somewhere around the 2013 period, the spring of 2013, we experienced our own wakeup call with regard to vulnerabilities that were brought to our attention, and needing to really, therefore, engage with the medical device industry in a manner that is somewhat different than we've had in the past. And what I mean by that is recognition that there's a need for raising awareness, educating, doing a lot of outreach on a topic that many of the medical device manufacturers, I'm not going to say all, but many of the medical device manufacturers really did not have on their radar as being something that needs to be addressed in a very proactive manner. The ecosystem for us is a complicated one, because of the fact that it's not just medical device manufacturers but the end users, the healthcare delivery organizations, the hospitals, the clinical sites, the patients that utilize devices, and just because a device is regulated by the FDA doesn't mean that we have that kind of end-to-end oversight and authority over the device's use once it's deployed out there in the field, within the hospital or within a home or, you know, with a patient who has a device that's implanted. So when I think about what we were faced with at that time, it warranted the need for us to really embrace the idea of bringing the community, the healthcare community, together, around rallying around, and, being very, you know, superficial, we've got device development and then you have all those devices that are actually out there in the field, what you call the post-market side.

The way that we have been addressing medical device security is by messaging and socializing the necessity for the total product life cycle approach to medical device security. So for new devices, new technologies that are emerging or that are in the process of being developed and designed, they need to be able to build in that security as a priority from the beginning, to bake it in, not to kind of have it as an afterthought to deal with security and then bolt it on afterwards; we know how challenging that is. And so, I guess it was back in 2013-2014, we had released what's called guidance that provides to the medical device manufacturers what our expectations are for manufacturers to address cybersecurity in the pre-market phase. But that's only a part of the story; I wouldn't even say that that's half the story, it's a fraction of the story. The bigger issue is all the devices that are out there in use in the post-market, many of which are what are called legacy devices, devices that were built at a time where, again, security was not on the forefront of the manufacturer's or the healthcare delivery organization's mind, and these are devices where, day in, day out, more and more vulnerabilities are being identified and are emerging and need to be assessed and need to be dealt with. But we can't, we absolutely cannot do this alone, and so we went on this campaign of really engaging all of the stakeholders within the ecosystem, and this was also very much in parallel with efforts by the administration through the issuance of executive orders and presidential policy directives that set a certain expectation or framework for what government regulatory agencies, working with the private sector, could be doing in order to improve or strengthen cybersecurity of critical infrastructure, and healthcare, public health, medical devices are part of that infrastructure.

So we embarked on this journey to understand all of the wants, all of the needs, all of the challenges of the stakeholders in our ecosystem, and in so doing it becomes really, really critical to bring the security researcher community into the fold, and to give the security researcher community not only a voice, to be heard, to be listened to, to be paid attention to, but respect and a seat at the table, and to recognize the value that security researchers provide by way of expertise in working with the medical device companies and working with the government in understanding vulnerabilities that are out there and how we need to be addressing them, and addressing them in an expedient manner, in particular when they present concerns for patient safety, which is ultimately what the FDA is concerned about, and I think what we're all concerned about. So we, through these efforts, came to know I Am The Cavalry, Beau Woods and Josh Corman, really, really well over the past couple of years, and this has turned into quite an extraordinary partnership, by virtue of really learning from the security researcher community, as ambassadors to us for that, and our being able to exchange information and present the perspective that the regulator has, as well as what we know of the stakeholders in the community. And I would go so far as to credit this type of engagement, this close collaborating and partnering with I Am The Cavalry and with others, with the medical device manufacturers, with the healthcare delivery organizations, but the level of engagement was so closely knit that the guidance that we issued on post-market just a few months ago, back in January 2016, was considered to be a rather solid, a rather robust guidance, and one that people across the entire ecosystem could kind of nod to and say, oh yeah, you know, this policy makes sense. Obviously there's tweaks that'll have to happen with the guidance as we finalize it, but what we did was we introduced concepts that we believe are really critical, and that is coordinated disclosure, the importance of coordinated disclosure, of researchers working together with manufacturers, working also with information sharing and analysis organizations, as part of developing that transparency and having processes in place for handling vulnerability information as it comes in. So we built into the guidance, you know, the fact that FDA recognized those standards, and that we consider it really, really important, as part of the overall comprehensive risk management program of medical device manufacturers, to undertake their assessment and their management of medical devices from a cybersecurity perspective with these standards in mind. Now, I mean, I can go on for a very long time, but I think I've already taken a lot of time, so maybe we can get it addressed a little bit more during whatever Q&A.

Yeah, and there's, I think, a medical session after this, so ask questions then. Okay, so one thing that I want to call out there, that I think maybe people are modest and don't call out themselves, is, you know, as Suzanne mentioned, when the FDA was working on this stuff they collaborated with members of the research community, which, you know, all props and all power to the FDA for doing that, that's a huge thing. It actually is creating a new model, and I think that they deserve a round of applause, which I can't do holding my microphone. The other thing is that there are people in this room who also participated in that process and also influenced it, and, you know, from time to time I have heard or seen people question what the Cavalry is doing. To those people: that's what the Cavalry is doing, and that's where the strength is, it's behind closed doors in non-shy, non-ostentatious conversations. But, you know, there are people in this room who had a real impact on that stuff, and I think that the FDA would acknowledge that they added value to the conversation, and I think that deserves to be acknowledged.

So I'm going to ask you again to give a round of applause. But there's more. So this was not everything on medical; there were some other things that happened on medical, and Josh is going to come up and talk about it, and if you don't know who Josh is then there's no point in me introducing him.

Hey. I promise not to yell. Sorry, I don't know, I think I'm supposed to hit the task force, yeah, the CISO bill, okay. So there's going to be more medical content throughout the two days, but for this chunk, if you didn't see this morning, there's one more thing I want to embarrass Suzanne a little bit more about. We didn't get in a long bio for her, but when I first started getting aware of this, it was people like Dr Kevin Fu, who had done some medical hacking, it was Barnaby Jack before we lost him, it was Jay Radcliffe, and people had been trying to do this but they left very, very frustrated. In fact they believed that the FDA-type situation was intractable. One of the doctors yelled at Jay at some point, not an FDA person, saying there's no dead bodies, this is academic and esoteric, and until there's proof of harm, you know, real dead bodies, we aren't going to do anything. And I kind of bought that initially, but meeting Suzanne, I mean, she's an amazing equivalent peer to the rebellious, you know, passion that we see in this community. You know, the FDA, government, I think Frank said this: government moves really slowly, but there are change agents and people that are just like us who are looking for that teammate in us, so if we can be a teammate to them they will be a teammate back. So every time I talk to her I get more impressed, but she was a trauma surgeon, burn unit specialist, I mean every part of her fiber is about saving lives, and now we have a new way to do it together. And even though we believed that you would need dead bodies to see any significant change, last summer they issued a safety recall on the Hospira drug infusion pump with zero dead bodies, zero proof of harm, and they had the presence of mind and the courage to push, in a pretty hard government circumstance, to really see that an unmitigated pathway to harm is sufficient to trigger corrective action. We don't have to wait for calamity. And I think, as much as I'm really proud of the people in this room that help bring the security research perspective, none of it works if we don't have amazing teammates, so she's one of my heroes and I hope that people get to know her better.

Really briefly, one of the things that's been a fruit of this is we've established such trust that Congress, in the CISA Act of 2015 in December, which most of you know is the information sharing bill, had a provision in there asking HHS, Health and Human Services, to do a one-year task force on cybersecurity. There were 20 people to be picked, and I think because of the work we had done they wanted the researcher community to be one of those 20 voices. So Michael McNeil, who was up here earlier, from Philips, he's one of the largest device manufacturers on the task force; I was asked to represent the research community. So people who have worked in healthcare delivery or are doing research on this, if there's anything you want pulled into that process, we have a 12-month assignment with six things we owe to Congress, HHS and the White House at the end of it, and we're about halfway through, and some of the stuff we're going to cover tomorrow with the cameras off are the really, really, really hard problems that we are really, really, really concerned about. So I think a critical linchpin in making hospitals safe is making the devices more rugged, more resilient, more defensible, and I think Suzanne's part of the universe has been very helpful in raising the bar on individual medical devices. In addition to that, this task force is now looking at how do you make healthcare delivery organizations that still use Windows XP and really old gear and don't have CISOs and are wide open and naked to the internet, and in many cases her work is very necessary but insufficient for this other stuff. So one of the policy advances I think we should be very pleased to see is (a) that they have a focus on cybersecurity, (b) it's an open process, and (c) that one of 20 voices is basically us. So if you weren't aware of that, please load me up; we're looking for people who have pen tested HDOs, who have clever or innovative ideas, we're looking for academics who can find more realistic ways to prevent attacks. And I think the real big wakeup call for them was the Hollywood Presbyterian hospital losing its ability to provide patient care, and the ransomware is just, it's like shooting fish in a barrel for the hospitals, they just are not in a good position at all. So if you missed this morning's stuff, we're going to dive into that a little bit more tomorrow.

And the second thing is a little less related, but it's another good sign. I guess just like in the private sector, sometimes a CISO reports to the CIO and there's a little bit of inherent conflict of interest. HHS, there was a bill introduced to basically give more power to the CISO by stripping it out from underneath the CIO. I don't think there was necessarily a structural problem, but they said, you know what, the operations and the cybersecurity of a government agency is important, so they invited me to be a, I guess, I did my first congressional testimony. I still didn't do as well as Jen did for her toys, but Jen avoided SAR Cong, yes. So it's an intimidating process and it's a lot of work, but here's the good news, bad news: this is going to happen more often. So now that we are starting to build trust relationships with some of these key congressional committees, they don't all get hearings, but several times, almost like once a month at least, there's an emergent topic where their members want to get smart on something, so I have to find, like, the world expert on crypto that can actually talk to a congressperson, like, now. So you might get a phone call from me or from Beau or something, where we're not necessarily looking for the best crypto person, we're looking for the best translator. And as they recognize how dependent they are in cyber, we're going to need to build those muscles, and we're not always going to do it right and we're not always going to use the right words that this community likes, but I think it's a good sign that we've had a few now, like Dave Kennedy, yourself, me, we're starting to establish ourselves, that whenever there's a cyber topic they at least might ask us our opinion. So we might not be on camera on C-SPAN, but we are at least being asked for information. I think that's also a very good sign. Is that what you wanted? [Applause]

Okay, so yeah, so there's lots happening in medical, and I think, sorry, I remember how microphones work at some point.

there's lots happening in medical and I think you know the key takeaway here is we are seeing progress which is kind of awesome um so on to transport um and self-driving cars um thanks I appreciate it uh so there's a lot going on in transport as well um and not just in terms of cars although cars obviously make a lot of headlines on a regular basis um and there are a lot of things happening there so um I'm going to talk about some car stuff and then Amanda's going to talk about some Aviation stuff um so there are a few things that have happened uh so one has anybody heard of the Michigan car [Music]

bill all right a few um so uh Michigan introduced a um a proposal for a state Bill uh and it would have made it um an fence to uh to access the the computer systems in a car without permission from the manufacturer which again kind of makes research pretty illegal um so this was introduced by the Senate majority in uh I'm going to try and get my timing right on this April um end of April and then like very very quickly the res there was a response from the community so a bunch of a coalition of um research Searchers and uh people from the security Community responded in private in a letter and said hey um super concerning

you're you're basically making research legal and kind of pointed to the fact that there have been some instances of published car research that's been very valuable and that you know we we're thinking about lives here and got a really great level of Engagement from um from the bill sponsors so they came back and they said okay this sounds serious we should consider consider it we should talk let's chat and there's been some back and forth and um the proposed changes that they're looking at making would make it that the car's owner can give ACC can give permission to somebody to access the systems um and they're defining owner to include um like a a a what's the right

word for this lesie is that the right word um yeah so so it's much broader now and it would mean that I can give access to you to do work on it as a researcher um they are uh reconvening I think tomorrow is when the the state legis legislature comes back and we don't know when the bill will be reintroduced um but we do expect that it will be introduced with updated language so again yay for researchers uh collaborating and kind of moving this forward um then there was a couple of things that happen on a federal level um and one of them was a and I can never remember the name of this I always refer

to it as the nitab bill which is not what it is um no the other one yeah the national highway whatever it was um so this was proposed uh beginning of the year um and again it had something in it that said it would be a federal uh offense to uh access the computer systems in the car without the permission of the manufacturer again there was a strong response from the community uh this actually did have a hearing and um and so there was uh the the Commerce Committee uh had a hearing and they they called in um niter and some other people uh various Auto Alliance type people and they kind of went through it and there was some

questions that were asked in the Committee hearing about researchers and what the impact would be and generally speaking like the feeling is the bill is not going to move and if it does move then the language around this particular piece will be changed and adapted um and so again it looks like we're making the right kind of progress because there is a high level of Engagement um so at the moment I mean like I think you guys are probably all aware that nothing much is likely to move in Congress this year um there's kind of some other stuff going on so nothing's moving anytime soon but the question is like when we're thinking about movement we're thinking about

what's going to happen next year what will be real introduced what might have legs and so the engagement that we're looking at driving is really about how do we improve things so that when they get picked up next year they'll be less damaging um and so it looks like we're going in the right direction with that stuff so then the third one is as Josh mentioned the Spy Car Act um this is Senator Maris bill it was uh not this year it was last year and I think it was in the early part of last year so this is old um and uh Spy Car stands for um security and privacy in your car or for

your car act and it is looking at sort of measures that Automotive manufacturers can introduce to um Advance Security or improve privacy um in in automobiles again super unlikely to move there are some good things in it and some questionable things and that is generally the case with legislation and legislative proposals so it's about engaging and educating um if you are interested in looking at this you should take a look and then reach out to um some Mar's office uh but they have been talking a lot to people in the community they've been talking to the automotive manufacturers um and as I said like some of the stuff that they're proposing is actually pretty cool and it would be

very interesting to see what happens with it um but then there's also things like there's a pen testing requirement that seems a little like it may not be very practical um they want to do uh the car the stickers that say how secure you are I don't know how that would work in practice but I kind of like the idea of it because then I think it gets consumers into a point of view of thinking about security and having an expectation of security information which we don't have today and anything that improves security awareness I am a fan of uh but it's really unlikely to move anytime soon so that's that's pretty much what's happening in

Carland um that's the main stuff and again like there are people in this room who have heavily participated in moving all three of those bills on in terms of the language if not like the bills actually moving um so again if you one of those people you should give yourself a big pat on the back uh because that's awesome work thank you I'll just highlight a couple of developments in the aviation industry the major development was this year very recent in the last few weeks actually but I'll start um in September 2014 which is when the Aviation information sharing and Analysis Center or ISAC was established it's just an indication that Aviation companies are aware of this issue are are recognizing

there's a need to share information and to get a better handle on the cybersecurity threat. And then in 2015, I'm sure as you're all aware, there were lots of things that happened to increase awareness of the threat of cybersecurity in the aviation space. So there was the instance of Chris and the United tweet, there was an instance of a Polish airliner being brought down, there was what happened in the Malaysia Airlines crash, and then there was also something called a Government Accountability Office report, a GAO report, which highlighted that the Federal Aviation Administration, or FAA, did not have sufficient security in place to protect airline

traffic control systems. So in the fall of 2015 there was a lot of interest among politicians in dealing with and addressing this issue, and then this past spring the Federal Aviation Administration, or FAA, reauthorization act was introduced in April. What the reauthorization act basically does is extend the mandate and the funding for the FAA. It was just finalized and signed in mid July, and it extends the mandate and the funding of the FAA for another 14 months; then we'll revisit all these issues. But the really important thing that happened was that part of the reauthorization bill required that the FAA take a look at reducing cyber

risks to civil aviation systems, and gave the FAA just 240 days to come back and report on a framework, policies, principles of how they were going to help reduce risk. A couple of the things that were specifically called out were thinking about reducing risks on in-flight entertainment systems and to the air traffic control systems. And then at the same time the FAA reauthorization bill was introduced in April of this year, there was a bill introduced, the Cyber AIR Act, by Ed Markey, a senator for Massachusetts, and it was purposefully timed at the same time as the FAA reauthorization act and contained some

of the same ideas: that there needs to be some sort of cybersecurity guidelines for aviation, that there should be mandatory reporting of certain kinds of incidents to the government, and that there needs to be serious thought for the infotainment systems, for how to secure those. So that bill has kind of been set aside. It's in committee, which means it's being considered; it could eventually make it to the floor, it could not, but that has been presented to help move the conversation forward. Thanks, ma'am. I actually think you're next. Yes? No? What? Yeah, so I'll do the Whitehouse-Graham bill. Okay, so

there's been a few things again in infrastructure. I'm sort of mindful of time. There is a bill that was introduced by Senators Graham and Whitehouse. It was originally called the International Cyber Crime Prevention Act and it was introduced last summer, and then it was abbreviated down and proposed as an amendment for CISA, which did not move ahead, and then it got reintroduced this year as the Botnet Prevention Act. They're still working on it; there's likely to be a new version next year. It basically does a bunch of different things around law enforcement authorities for computer crimes, and one of the things that it does is it

looks to update some of the existing laws, including increasing the penalties for computer crimes against critical infrastructure. That's pretty much what it does in relation to critical infrastructure. It's that, and it's not more complicated than that. You guys should check it out, but it's likely to be reintroduced next year in some other format. Again, it's called the Botnet Prevention Act; you want to check it out. Can I just talk about the NIST framework? Okay. Is everyone familiar with the NIST Cybersecurity Framework? [Laughter] Yes. Just a very quick update on that. As I'm sure you're all very aware, there have been numerous RFIs before the framework was finalized and since the

framework has been finalized, the most recent one in December of 2015, last year. And that RFI was basically asking again about how organizations are using the framework, but also, more forward thinking, you know, how should the framework be revised, should NIST continue to have the role that it's had, or should the framework move to another place. And so, as a result of that RFI response and a workshop that NIST hosted in April, they are updating the framework, and so they're working through the pieces, the feedback that they received, on things that need to be updated or added. Like there has been some

attention around cyber supply chain risk management being added, some updates or changes to the implementation tiers. Jen Ellis wrote that they needed to think about having vulnerability disclosure best practices, so yes. And so that's going to be happening through the fall, and the plan right now is that they'll release a draft update early next year for comment. All right, I think that the next one is Allan. He's going to talk a little bit about home stuff. Thank you. And I know we've sung a lot of praises about the Cavalry. I will just say that Washington, for better or worse, often depends on outside experts, special interests as

they're known, and often they get a bad rap, but really, you know, the expertise comes from people in industry, it comes from civil society, and Washington has dedicated people who care about privacy, who care about encryption. There are lots of civil society people who really help us understand the core values. There haven't been people who really say cyber safety is a social value that we all need to work for, and the Cavalry has been a really incredible resource for those of us in government who need the information in order to work and build programs. So I'm from the Department of Commerce. We like it when markets work,

when people get to buy and build and innovate, maybe in slightly different orders depending on your priority of where you are in the department. We're not a regulator, but we're interested in promoting better markets for security. So just today we announced a new initiative on IoT security, starting with the premise that it's very hard for consumers to know what to look for in security. You can't really go to a smart TV and say, gosh, did they use a BSIMM secure development lifecycle process when they built my smart TV? But there are some things we can start with. We can say, does this device support security upgradability? Can this device be patched?

The problem is there isn't really a universal definition of what it means to be patchable in smart devices. It's a multi-dimensional problem, and so we are launching a multi-stakeholder process to bring together security experts, device manufacturers, device integrators, those who are responsible for connectivity of devices, and saying, let's talk about the many dimensions that we care about for patchability, whether it's the user experience, or whether it's authentication of the devices, or whether it's how long this device is going to be patched, and let's build the taxonomy, and then from that develop a much smaller set of definitions that consumers can know about, to look at, to work with, to say Consumer Reports says I should look for

these words on the label, and that manufacturers now have some specific goals to work towards to actually demonstrate to their board or to their cost counters, oh, we can get a return on security investment by making these products better. This is voluntary. We're not saying everyone needs to have this, and by making it voluntary we believe that we can get active participation from industry, bring them to the table, for those who want to be active participants. Most people in industry really like security, at least on the security teams, right? They wouldn't be in security if they didn't care about it. So we're launching it now. If you're interested, please engage. There's a

blog post out, and the first meeting will be sometime this fall. The other thing I want to flag is by my colleagues at NIST: the National Cybersecurity Center of Excellence is engaged in a number of initiatives, basically helping organizations transition from a technical standard into implementation. Standards are fantastic, but often organizations don't know how to go from a highly technical standard to actually adopting it, and so NCCoE does things: they build reference implementations to say, okay, I need these different components, I need something that is this standard, something that is this standard, and here's how they fit together to actually be secure, as opposed to just one particular piece of

technology, which won't do the job. They have a particular initiative right now on the smart home, focusing on authentication and authorization: how do the different pieces of your connected home actually manage authentication and authorization? They call them non-personal entities. So, you know, you have different parts of your smart home; we need to have common standards for authentication and authorization to make sure you can actually have a secure home, so that different devices in your smart home can't attack other parts of your smart home. So if you're interested in that, I'm happy to connect you to the right people. But again, I just want to thank all of you and urge you to get engaged. This

is something where we really need as many people who are passionate about security to weigh in, because there are lots of voices in Washington for, you know, build more widgets, or my industry is more important than every other industry. We need more voices for security as something that really affects everyone. So thank you.

Thanks, Allan. And just to add to what Allan said very briefly: the last multi-stakeholder project that NTIA ran, which was on vulnerability disclosure and handling, one of the criticisms that came from the community is that there were not enough researchers participating. So I really hope that you guys will take the opportunity to participate, even if it's not in person at the meetings; get on the phone, listen in. Your voice can only be heard if you lend it. Okay, so we're going to... whoa, running out of battery. That's good, because we need to move through. Okay, so how do you get engaged? The big hint here is not like

this. Nobody likes a flaming torch, except the British when they're burning down the White House. So don't do that; that would be the first thing. The main thing is really to talk to people who are already involved in some way and find out how you can get involved through them. Most people will try and help you get started in a way that doesn't blow up. Look for common opportunities. There are opportunities through forums like the NTIA process, which are looking to have organizations and individuals participate in an open, voluntary process. There are also required comment opportunities. As part of the implementation of legislative law by an agency, that's

administrative law, so they are required to have open comment periods on their rulemaking, and so there's an opportunity to influence how an agency implements a statute. So for the next one, the bill that I referred to is the NSA bill, even though that's not what it's called at all, and I wish I could remember what it was called and stop mentioning NSA, because I feel bad now. That bill was a great example of people identifying, hey, this is going to be the Commerce Committee, so let's reach out to staffers who are on the Commerce Committee and tell them what we're worried about, and that led to questions. So if there's a hearing that gets

announced, you can look at the committee members and reach out to their offices, and you can basically send them suggestions, questions for hearings, and they'll go through them all. The key to this is they need them at least 48 hours before the hearing; that gives them a chance to go through, and then they have to submit the questions 24 hours

hearing. Like a democracy? You do, but I have some examples actually of when this has worked, and it requires coordination. It really does. You kind of have to have a quorum of people that are interested at the same time. But, you know, there's an example. I know some people who are really engaged in pushing the Electrify Africa Act that passed earlier this year, and they had made a concerted effort to write letters, to call their local representatives, and they got their local representatives to sign on to the bill. So it happens. You have to be coordinated, you have to actually do it. You might

get a form letter back, but I would say there are two keys to this. One is you either need to hit them on a topic they already care about in some way, so it needs to be your rep and a topic they're already interested in. So I'm in Massachusetts, so the fact that Markey is already looking at a lot of this stuff is helpful for me. The second option is you need to have other people who care about it too. A coalition letter will always have more impact, and a coalition of businesses based in the area will have even more impact. So that's basically the gist on how you approach that. And the last thing is

the EFF has a great action center. It's all described on their website; they give you ideas of how to get involved. You should check that out. We are racing against my battery right now. Okay, so in terms of communication and outreach, again, burning torches and pitchforks are not super helpful. The biggest thing for staffers is they want an ask; the first thing I'll say to you is, when you sit down with them, it's "what can we do for you?" And apparently when you say "blow up the CFAA" that's not a good answer. But do have a clear idea when you go in of what your goal is, and have a clear idea of

how you're going to speak to that, like what is the story you're going to tell that helps them understand it. The first time I went to DC, I went and I was like, it's terrible, security researchers are being oppressed, we must do something. And I realized that effectively the day I went was the day that healthcare.gov fell over and Obama went on TV and went, yeah, I didn't know it wasn't working. And so all of the Dems we met with were watching the news going, oh, and all of the Reps we met with were watching the TV rubbing their hands with glee and laughing maniacally. And it was a really great learning, because the key here is

they're super busy. By the way, the next time I went was the big immigration thing with the kids at the border, and then the next time was Ebola. So the big lesson for me here is these people are busy, they have a lot of stuff going on, and the first several times I went to talk I realized that what I was basically saying to them is, hey, we need to build a rocket ship and fly to the moon, and they were going, what's the moon? And so you need to make it really easy for them, and that is not being dismissive, right? They're experts in policy; they know what I will never

know. That is their job. It is not their job to be experts in security research; it is not their job to be experts in any of the stuff we deal with. That is our job, and so our job is to make it easy for them to understand, and if you can create that quid pro quo they will meet you halfway. So think about what your story is before you go in. Be really clear on how to make it simple for them; make it simple for yourself and for them. Part of building your story is doing your research, of course, and by that we mean, you know, talking to

others that are representing different pieces of the puzzle that you're trying to build and bring to them. So, you know, from my perspective that means I'll often go talk to the engineers; for yours it might mean that you need to sit down with someone who has done this policy stuff before and get a sense of how you would go about having an ask that's going to actually be relevant for the individual that you're sitting down and talking about it with. So the next one: this is not a call for you guys to be suck-ups or to be obsequious or to say anything that isn't true. Like, you shouldn't be

inauthentic or disingenuous. However, if you see people do something that is genuinely good, recognize it. If the FDA comes out with postmarket guidance, that's a really good thing; tell them that that is awesome. Be encouraging, because other people are much more likely to want to emulate it if they see it get a positive response. We're really good in this community at pointing out the things that are broken, and we're terrible at pointing out the things that are not, so that is a big one to do. Related to providing actionable feedback is, you know, acknowledging that even if you totally disagree with every single thing in a bill or something, try to recognize where it's

coming from and that it's trying to achieve something that, from the perspective of the person writing it, is a good thing, and then really figure out how to help that person understand, from your perspective, why that path is not the way to get to the end that is good, and then provide very actionable feedback for how. Just saying that's not good, that's not right, is not enough. You need to be constructive and show them how to get to where they're trying to go. And we are right at the hour, so rather than going through the following bullets, I think we covered avoiding jargon and the experts thing. The thing I will say is we

shouldn't need to... I told you we were in a race against my battery, and you missed the Archer slide, god damn it. So the thing I will tell you is we shouldn't need to tell you to be courteous and helpful; that should be a basic human thing, and frankly, if you don't know that, I can't help you. So good luck with it all. Do we have time just for 10 minutes of questions, or are we super at the hour? So