
Public Policy of Things

BSides Las Vegas · 2017 · 56:34 · 19 views · Published 2017-08
Category: Policy
Style: Talk
About this talk
A congressional staffer from the House Committee on Energy and Commerce discusses the evolution of cybersecurity policy in Washington, focusing on the shift from breach-focused enforcement to proactive governance of connected devices and IoT. Explores how Congress coordinates with industry experts, federal agencies, and researchers to develop effective regulation that balances security innovation with industry flexibility.
Original YouTube description: IATC - Public Policy of Things - Jessica Wilkerson, I Am The Cavalry, BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript [en]

Let's let Jessica and Beau get started. Thank you very much, welcome back just after lunch. I see a lot of new faces in the room too, which is very good. We'll have some folks trickling in as the rest of the session continues. This is the Public Policy of Things. The idea is we wanted to come in and bring you a perspective from DC on some of the activities that have happened in Congress, so the congressional activities, some of the agency activities, executive branch, some of the things that have gone on in the last few years, to kind of set the stage for going forward over the next few years on how we can help build

better public policy in DC. We brought Jessica Wilkerson here. Jessica is a live, tame congressional staffer. She does not bite, usually, but she does help a bunch of us have our voices heard in the halls of Congress, and she's gonna fill us in. We had this on the agenda as just a one-to-many kind of talk, but we figured we would do more of a fireside chat style, so give Jessica some time to give some context and then go over the specifics in some more detail. So Jessica, why don't you tell us about your journey, kind of how you got here, and especially over the last four years or so since you've been in DC,

how things have changed, how you've seen things change, particularly with respect to the Internet of Things, as well as with respect to how security researchers and hackers have been seen in DC. Okay, I think I can manage that. So again, I'm Jessica Wilkerson. I work for the House Committee on Energy and Commerce, which is one of the biggest committees within the House of Representatives. We have jurisdiction over everything from healthcare to energy to telecommunications to cars. We pretty much run the gamut if it's not law enforcement, intelligence, there's one I'm forgetting, and that's right, national security, that's the other one we don't have. And so that gives me a very, very broad look at everything that's happening

within cybersecurity within the federal space, because our committee ends up touching on a lot of it. As I said, I started on the Hill four years ago straight out of college. I do have a computer science and mathematics background. It was sort of a long and winding journey to how I ended up with Congress. It worked out quite well, but I don't feel shame in admitting that it was a complete accident. But you know, I think it's been really interesting to me watching how Congress in particular has evolved over the last four years when looking at cybersecurity issues, because when I first got there, this is back in 2013, cybersecurity was solely a breach-focused, law enforcement or intelligence

community issue, and that was it. You weren't gonna talk about the vulnerability of medical devices. Like, maybe you touched on whether or not somebody could hack the grid, but nobody ever thought it was possible, and why would you waste time on it? Smart cars, smart devices, those things were starting to come up, but you know, nobody was really that concerned about it. I mean, I think this was back before really broad HTTP adoption, so we weren't quite there yet. And you could really see that with the way that Congress approached these kinds of cybersecurity issues: when you had hearings that were supposed to be on technical issues, it was always on, well, the X

company was breached, so obviously they failed somehow and we need to punish them, we need to ratchet up the requirements that they have to meet, so HIPAA or the PCI standards or anything like that, and if we do that, if we put more stringent standards in, we'll never have any more breaches ever. And obviously that's not true. So what I have found particularly interesting is that over these last four years it has switched from being a law enforcement and intelligence community issue to being an everybody issue. And the way that we've ended up explaining this to people is that there are a lot of companies who used to be

physical product companies: you made a car, you made a medical device, you made whatever, and you made a physical product, and in some cases maybe you put software in it. And you still have people who think about it in that kind of frame of mind a lot. But the way that we have started communicating to our companies, our constituencies, so the hospitals, energy companies, retailers, things like that, we've essentially started telling them: you are not physical product companies anymore who happen to have a software component. You are a software company who happens to put software in a car, or happens to put software in a medical device. So instead of looking at cybersecurity issues as a very small

component of what you're doing, it needs to be your primary consideration, because if you don't have security you can't have privacy, if you don't have security you can't be reliable. And these are all the kinds of buzzwords that get thrown around in DC. I mean, if you're talking about the grid, you're talking about the grid being reliable; if you're talking about financial issues, you're talking about the security and the privacy of financial information and personal information. So in trying to get people to switch to that paradigm, it's been a very, very long, winding road, but we're starting to get there. And a lot of that, I think, is due to the more welcoming interaction that a lot of congressional

committees and other parts of the federal government are having with the information security community. You know, I think just talking about a story from a couple years ago, which it seems like it should be so much longer, but this was when medical device vulnerability disclosures were really starting to become a little bit more routine. This was one of the first, and this one was pretty severe, and we had a meeting with the company who was affected just to find out more information about what was going on. And they were, you know, "oh, this security researcher is completely untrustworthy and he's making things up and he doesn't know what he's

talking about, and also this random thing on his website just shows that he has weird political views, and so we shouldn't listen to anything he says and neither should you." And it was a ridiculous argument to make at the time, it is still a ridiculous argument, but you know, you had people in Congress who were a little bit more receptive to that because your community was just so alien to Congress. And I mean, sometimes you can still hear this myth of the four-hundred-pound hacker in the basement, like those things still run around. But now you're starting to get a little bit more of a thing where, when we have issues like

Mirai, or when we have issues like medical device hacks, or what happened with Charlie Miller and Chris Valasek and the Jeep, we don't immediately panic and we don't immediately call the Department of Transportation. We do call the Department of Transportation, but then we'll reach out to Chris and Charlie directly, we'll reach out to the folks who are talking about their research, we'll reach out to them directly and actually hear from them: what happened, what do you recommend, all these other things. And it's much more of a collaborative process than this adversarial "well, you broke the law because obviously security research is bad" and all these other things. And I think that, in addition to this

idea of switching from a law enforcement and intelligence community focused way of looking at cybersecurity, has been very helpful. So that is probably what I would say is the big overview for me and for my committee when it comes to cybersecurity. I don't know if you wanted to dig into specific issues. Yeah, so that's Congress and that's your committee, and clearly things have changed over the last few years. A lot of the action that's gone on with respect to Internet of Things public policy has come from the executive branch, so I don't know if you want to, or can, give any insight into some of the different organizations and agencies that have oversight and how they have

oversight in those areas. Yeah, okay, can do. So one thing to understand about government, and about Congress in particular, is we're very territorial. Each part of the government has jurisdiction over certain pieces. In Congress it gets broken up by committee: Energy and Commerce has jurisdiction over HHS and the Department of Energy, and so anything that happens with those agencies we're technically supposed to handle, and the Committee on Homeland Security deals with the Department of Homeland Security, and so on and so forth. And this is the same for the different federal agencies, so Health and Human Services, Department of Energy, Department of Transportation, XYZ, things like that. So what's been really interesting for me is looking at an issue, for example, that I think is

relevant to you guys: coordinated vulnerability disclosure. There has been this groundswell of support from different federal agencies who, government not always being the best at coordinating within itself, have nonetheless all come out and said this is an expected behavior from these sectors. So FDA issued its postmarket guidance saying, medical device companies, we expect you to work with security researchers. NHTSA came out and said the same thing; that's who regulates automobiles. You have the ongoing NTIA process, I don't know if any of you actively participated in NTIA's process. And then even the Department of Homeland Security within their guidance has said, you know, coordinated disclosure is an expected part of a cybersecurity program. So you know, where sometimes the

government really struggles to coordinate and have a unified message, I think at least with an issue like coordinated vulnerability disclosure it's become such a common-sense thing for different parts of the federal government that instead of it now being a question of, you know, is coordinated disclosure good, is working with security researchers good, the answer is just a default yes, and now it's how do we finish getting there. So I think that has been a really impressive piece of the coordinated disclosure program. Yeah, and I'm gonna try and throw some slides up if it will work, I'm not sure if my laptop's configured right yet, but in the past 12 to 18 months there's been a

number of executive branch as well as congressional actions around the Internet of Things, and maybe I'll just go through a couple of these verbally if it's not going to show up on the screen. Things like the Presidential Commission report, which I know that you're familiar with. You mentioned the FDA guidance; there was also a Health and Human Services task force report that you can probably talk in some detail about. We're gonna have a conversation about that later on today as well when Josh is here, I think that's gonna be about six pm, I think, for half an hour. There's been a lot of work within the Department of Transportation and NHTSA, which I believe you mentioned.

Let's see if I can do this now without crashing. There we go. The Federal Trade Commission has come out and done some things around the Internet of Things. We have Allan Friedman speaking a little bit later on today here, Department of Commerce and NTIA, on the multi-stakeholder processes. I don't want to go too deep into any of those necessarily, but on the whole the point of this slide is that there's been a lot of action. Jessica mentioned coordinated disclosure, and this is, roughly speaking, some of the actions and activities that have gone on around coordinated disclosure in the conversations in the federal government over the last 12 to 18 months. And I think

the point that I'm taking away from looking back, now that I've got a chance to sit down and do a retrospective, is that there's a lot of things going on that are very, very Cavalry-shaped and Cavalry-focused. So if you look at, for instance, some of the Department of Transportation work: they put out in January 2016 a set of their priorities for the year, and one of the number one priorities that they had, for instance, was that they wanted to get more engaged and involved in the security researcher community and understand how it works, help build more ties and relationships. And they actually treated, or seemed to be treating,

security researchers as friends rather than potential adversaries. And this wasn't just an academic thing that a few people said; it was actually signed on to by I think 16 or 17 car brands that sell in the United States, including all the major ones that you know. And that was really, really impressive to me, that the federal government was leading on that in automotive. Of course we've got a great precursor to that, which was the FDA work that Suzanne Schwartz and her team did. Suzanne's in the room and we'll be hearing from her in a little bit as well, on building guidance to industry on premarket and postmarket, which is basically while you're going

through the clinical trials and approvals, and then after you get approval, looking at what's happened in the healthcare landscape to some of your devices, as well as many, many other things. I know that coordinated disclosure is one of the things at the top of your list, and you actually even have an acronym for it. I do, because it can't be a government thing without an acronym. So why don't you talk a little bit about some of the work, so the things that you've done particularly on coordinated disclosure, and then what you've seen through the rest of government on coordinated disclosure as well. Yes, so I call it CoDis, coordinated disclosure, primarily because I got tired of typing "coordinated disclosure" in emails

to people, and now it's just become the shorthand way for my committee to refer to it. So we'll see how that goes. But the way that we've approached coordinated disclosure, so the big secret of Congress, maybe it's not a secret, I guess the assumption is that when Congress wants to do something, somebody writes a bill, somebody writes a piece of legislation, and you go through this whole big process where you debate it, you try to get it passed into law, and so on and so forth. But the thing that is starting to become clear to Congress, and that I think my committee has accepted already, is that cybersecurity standards don't actually get you better

cybersecurity. In other words, compliance is not security. You can be compliant without being secure. And so we have tried to step away from legislation as a solution to cybersecurity issues, because it's just not agile enough. The technology changes far more quickly than Congress can pass laws, so we need a different way of effecting change. So we have started doing these roundtables, and we essentially gather a group of people together into a room who we think are relevant to a conversation, we shut them in for about two hours, and we say: here's a problem statement, here's what we think or would like to see, you've got two hours to essentially come up with what we should do next. And we've

actually had a tremendous amount of success with these roundtables, because it just allows people who might not have the same, or might not have a reason to be in a room together, to come together and try and collaborate on what a problem is. Congress has an immense ability to convene. You know, when Congress calls, people answer, because if you don't answer Congress, we have other ways of making you talk to us, and all of them are less pleasant. So you know, if I can, more so than other people, I can pick up the phone, call somebody and say, hey, we want you to be here at X time for Y reason, and while we may be able to

have a conversation about the details and the merits, chances are they're gonna be there. So for groups who are all involved in the same industry, or all of them in the same sector and facing the same problem, but might have different ideas about how to solve it, or different equities and things that they need to consider when doing it, you know, we can kind of be the people who say, we need you to be in the same room at the same time and we'll work it out. So we did that with coordinated disclosure. We started doing that, it's almost two years ago now, was the first roundtable that we had, and I

remember being very pleasantly surprised, because I expected that conversation to be a whole big, potentially acrimonious debate about is coordinated disclosure good or bad. And the surprising thing for me is we had 20 people in the room, maybe, and pretty much everybody came in and said, oh yeah, coordinated disclosure is a good thing, we're absolutely planning on doing it. Some people in the room had already done it and were working through their process. For everybody, it was more of a conversation about how do we do it, how do we get there. And so you know, I think the other thing that we found very valuable coming out of that roundtable is, instead

of Congress imposing a policy on all of these stakeholders, they essentially came back to us and said, now that we've had a chance to brainstorm with other people who are in the same boat and facing the same kind of issues that we are, this is what we think we should do. And we as Congress, instead of trying to be top-down, "we're gonna make you do something," essentially said, all right, that sounds great, we'll check in with you in two months. And that's the way that we've been handling it. And then, I mean, for example, you know, there was a big blowup in the coordinated disclosure world a couple

months after that first roundtable, with Muddy Waters and MedSec, when they did their pacemaker vulnerability drop, where they did it in the press. They didn't give the company any warning, it was just, you know, thrown out there. And we as the committee were not huge fans of that. For us there were really serious patient safety concerns with the way that disclosure happened. And so what we did is we essentially went back to the same group of people who we had convened originally, including members of the research community, I should've said that before, I think I can say this, Josh was there. We went back to the same group of people and

essentially said, we don't like what happened, we don't want this to cause a backslide in federal government and company acceptance of coordinated disclosure and their willingness to work with the research community, so what do we do? How do we address this in a constructive manner rather than everybody just slamming the door in researchers' faces and saying, well, one of you screwed up and did a really bad thing, so now we're not gonna work with any of you. And we had a really great conversation, and you know, after that we have some things that we're still working on internal to the committee that we're trying to do next steps on, on coordinated disclosure. But I think the big takeaway

for us is that there had already been such a groundswell of acceptance. The people at these companies, they'd seen the value; for some of them who had coordinated disclosure programs, they'd received really great disclosures that helped up their products, in a way that they didn't have to spend, you know, hundreds of thousands of dollars, they didn't have to go through a big regulatory action, they didn't have to have a big congressional investigation into a screw-up on their part. And so today, I mean, you know, the cost-benefit ratio of these kinds of programs, it was so good that it wasn't a concern anymore. So you know, I think

those kinds of less traditional congressional and federal government approaches, when it comes to cybersecurity issues, are very valuable. Yeah, and I think it's interesting too that the trust that you've built with the security research community over the past few years is shining through, and even people with high-powered lobbyists and other things can't convince you to stop working with security researchers, and that when you see that bad action you don't lump all security researchers in as the same type of person, you recognize that there are differences in motivation and actions and behaviors and other things. I think that's an underappreciated part of what certain people in government can and will do, given

the chance, is to build and maintain that trustful relationship. One of the things, when we started the Cavalry and we started saying, you know, maybe we need to talk to public policymakers a little bit more rather than avoid them, what we heard is, well, you'll never do that unless you have ten million dollars, we spend that every year on a lobbyist. And what we found is that actually that's not the case, that the government has people who are just as committed and passionate about human life and public safety issues as we are, the security research community, and that it doesn't take a megaphone or deep pockets to actually engage and have a substantive conversation, that there

are people who really want to listen. Especially today there are people who really, really want to be right and want to be smarter. And I wonder if you saw a change between pre-WannaCry, yeah, and post-WannaCry. You talked about the longer-scale change over years, but just within the last few months, what have you seen across government that has shifted because of those very, very high-profile, high-impact attacks? Yeah, so WannaCry was a huge deal for my committee, because we have jurisdiction over health care, which means that, theoretically speaking, we could have opened up an investigation into any company who was hit, or we could

have opened up an investigation into the Department of Health and Human Services, I guess, I don't really know. Well, you watched what happened in the UK, right? Well, thankfully we didn't have too much of an impact in the U.S. It was maybe a warning sign, and it's not just health care of course. No, actually, yeah, so easy, being, you know, Commerce and Energy, we have jurisdiction over a lot of what happens in the US economy, which is intimately tied to the Internet of Things; it's intimately tied to manufacturing, robots, to cars, to healthcare, to aviation, to other things. Yeah, I mean, I think one of the nice things about that paradigm shift I was saying, for the way

that Congress has been approaching issues, is that WannaCry could have very easily turned into just a mess where you could have had a bunch of committees opening up investigations into what happened, but they probably wouldn't have gone about it in a very intelligent way, and so you could have had these dueling congressional committees that didn't actually get you anywhere. At least for my committee, what I thought was really nice about the way that our members handled the issue is that we actually set up a call for them with a handful of experts on the issue to talk them through what had happened and why, and somebody on that call essentially

made this claim that the United States got really lucky. Because I think some of our members, when looking at that issue, when looking at what happened with the UK, they were like, oh well, the United States must just be really good and really well-prepared for these kinds of things because we didn't get hit at all. And in the back of my head I was like, oh god, that's not the case at all. And so we had somebody on the call, this expert on the call, essentially said, we just got lucky, like somebody just found a way to shut it off like 20 minutes, an hour before the United States

would have started getting systematically demolished by this incident. And I think because of some of the groundwork, and because of the really dedicated action that some of these experts have invested in our committee and our members over the years, our members got that. You know, we didn't have to have this big long fight with them about what being lucky in this context meant, and instead we got to move straight into, okay, well, if we got lucky then that means we're vulnerable, so if we're vulnerable, what do we do about it? And you had a couple folks who were like, okay, well, obviously we need to update HIPAA, because if we were all

vulnerable to WannaCry then HIPAA is outdated and we need to update HIPAA. And then you had a couple of other members who were like, that's probably not the right approach, so what do we do? And then, you know, luckily there were a couple of other things, context-wise, that were happening right when WannaCry happened. We knew, for example, the Health Care Industry Cybersecurity Task Force report was coming out, and so we kind of said, all right, not that everybody isn't still vulnerable, not that there isn't still a giant problem, but we know that this report is coming out, all right, and if we're gonna be honest it had leaked in the press right around the time this had

happened, and so we knew what the report was gonna say, even though we couldn't really admit that we knew what the report was gonna say. And you know, instead of saying let's update HIPAA and let's make another big compliance regime and let's start fining companies huge amounts of money every time that they make a mistake, we essentially said, okay, Congress essentially said, get a bunch of experts together into a room and ask them what they think should be done about health care, sorry, cybersecurity: one, ask them what's wrong with health care cybersecurity, and then tell us what they think should be done about it. As we said, we, in a moment of

really uncharacteristic foresight, asked them a year ago to do this, the report's ready, and they have a bunch of recommendations for us. So we took the report, we looked at what the report said, and that kind of became our road map. We essentially said, okay, they said that legacy devices are a big problem, they said that a lack of transparency into what software is included in a particular device is a big problem. So you had the hospitals who had devices that were vulnerable, but either they didn't know that those devices were running on their network, or they didn't know that SMB v1, the vulnerable protocol, was in those devices. All right, so the

software transparency bit is a huge problem, the legacy devices is a huge problem, we've got a workforce problem where you've got folks who are really smart in IT but not necessarily smart in health care, because the healthcare realities of IT make it a little bit more complicated. If you have a vulnerable product, just shut it off or just disconnect it from the internet; you can't always do that in healthcare. So that became the way that we sort of channeled all of our members' concerns about healthcare: we've already asked a bunch of smart people, let's do what they said, let's not try and reinvent that wheel, let's look at what they said and let's do what they

said. Yeah, and so that sounds like it was a powerful catalyzing moment where you actually had something ready to go. Like you said, a moment of foresight, you had thought about this a year ago, so you actually had the ability to go out and reach out to these experts who had been studying the issues. What issues do you see coming in the future that might be worth looking into or studying from a congressional standpoint? Or, you know, without predicting the future, what issues might be top of Congress's mind or the rest of the government's mind in the coming six to twelve months? So if I had to pick one, I would say IoT, Internet of Things.

I don't think I'm supposed to say Internet of Things actually anymore, I think my committee prefers I say connected devices, whatever. So when Mirai hit, everybody collectively lost their minds for about 48 hours, very slowly though, because some of us had very degraded internet access, so we were less able to yell at each other over, you know. But everybody was just like, oh my god, what do we do, the Internet is under attack. And well, one, the first instinctual thing that everybody said was, oh, we have to find the people responsible, we have to find the people responsible for Mirai and we have to arrest them. And I

remember me and some of the staff on my committee, we just kind of were like, no, like maybe, I guess if you can find them then that's great, but that's probably not the most beneficial use of everyone's time. Let's instead look at, you know, how did this happen, how could a bunch of cameras take down this much of the Internet, when, you know, that seems wrong, and if that's wrong, what do we do about it? And I think what we've seen is that not just Congress but other parts of the federal government have really started to focus on this. You know, there was an executive order that mentioned botnets, and there's these big, you know,

government initiatives on how we fight botnets. And so I think, from my own personal perspective, the focus on botnets is a little bit odd. I think it's important, but I don't think it's the primary issue. I think the issue is that we keep making really crappy devices and then being surprised when they get taken over and used for nefarious things. So if I had to pick out like one set of issues that I think is really going to be top of mind for government, it's this whole botnet IoT issue and how we handle that. Yeah, you mentioned that in the executive order they call for the Department of Commerce and others to study the issue,

and Allan Friedman is doing a lot on looking at botnets, the next panel, this is advertising, we're in the ad business now, full transparency. But as you said, it's not so much about that, that's what exists, it's the conditions that have led to botnets, and particularly in the Internet of Things, because we've had botnets for maybe a decade or so of hijacked browsers and things like that creating botnets, but in IoT and other things it's potentially a very different issue. And talking about some of the fundamentally indefensible practices that go into making these things, I don't know if you want to say much about some of the things that you might be

looking at or thinking about to shore up some of the security in those, or save that for later. No, I can talk about that. So we have a couple of things. One of them is, I'd mentioned the healthcare industry task force report before; one of the things that is coming out of that is this idea of a software bill of materials. And essentially what that is, if you have Daniel, Daniel does software bill of materials, so he's very excited about tomorrow morning, yeah, he's gonna do more advertising. But the general idea is, if you are giving somebody a product, a smart product, you are also giving them a list of what that smart

product contains. So I tend to think of it in medical devices, because frankly that's been most of my life lately, but you know, if it has embedded Windows XP then that's on a list, and if it uses OpenSSL then that's on a list, and what are the version numbers of all these things that it's containing. So if you have something like a WannaCry incident, you have a big database or spreadsheet or something that says, okay, I need to look for SMB v1, and according to my little cheat sheet of software bills of materials, here are the devices that are affected, and voila, I know what I need to protect. So for us that's a big one. One that we focus less

on but I know our friend Alan and interior focused on ins is patching and update ability so I think that is it that is a huge focus that I think needs more attention another big one might have just lost what oh I think this might be an oddly specific one but the common vulnerabilities and exposures program I don't know if any of you who have been dealing with CVE lately more dealing with CD we're at about 2015 when it was having some of its issues you know we are of the opinion that the CBE program is fundamental to Internet's our to Internet security today that it's the it's a common language that we all speak

when it comes to vulnerabilities, and so that program really needs to be made stronger and more effective. So we are looking into the CVE program and how we can do that. But essentially our bottom line is, let's not try to take a compliance-focused view of cybersecurity. Let's not impose more standards and regulations and guidelines and everything else, because from my perspective the proliferation of cybersecurity standards is becoming a cybersecurity threat in and of itself, because for a lot of people, smaller companies especially, who are just really starting to recognize what I was saying before, that they are software companies who might happen to put that software in physical products, you know, if you've got 15 cybersecurity standards

that you're somehow supposed to pick from in order to be secure, well, how are you supposed to do that? So we're trying to take the botnet issue and the medical device issue and WannaCry and all these other things, and instead of trying to force security retroactively onto these things, it's how do we create an environment that fosters better security from the beginning. So how do you have updatable products, how do you have software bills of materials so that you know what you're buying, maybe that influences your buying decisions; if somebody has a product with more updated libraries, maybe you choose that one, I don't know. But if you

have better security from the beginning, then that's great. I think we also need to recognize, and we have started to recognize, 100% security is a myth. You're never going to be 100% secure, so if that's the case then you need to be able to fix that when it comes up. The coordinated vulnerability disclosure piece is huge for us. You know, I think just overall, we need to be more agile, we need to be more accepting of cybersecurity issues. In the past, you know, we'd have a hearing or we'd have a big blowup every time a company experienced a breach. Target got hauled in for a hearing back in 2014, 2013, whenever that was, when they had their

breach, and so we try to stop doing that and generally just create a more fostering environment for security. Yeah, it sounds like, if I can extrapolate a little bit and abstract, for the last few years, or up until at least a couple of years ago, in Congress and other aspects of the government, it seems like the cybersecurity thing, this InfoSec thing, was just something that was a passing fad and it was gonna go away; we'll deal with it as it comes up, but by and large the private sector, they've got it, they know how to handle it, they're all over it. And now it sounds like Congress at least, and your committee at least, probably for some very good reasons, is

understanding that it's not going away, that it will be something that's increasing over time: as our dependence on connected technology grows faster than our ability to secure it, we will continue to have these issues, and so getting ahead of them is probably the thing that they need to do. Yeah. So given that, you know, if they are going in that direction, then how do you see the next few years shaping up? More of a long-term crystal ball, less of a short-term. So at least from my committee's perspective, and I would expect the more forward-leaning agencies like FDA, and in this case HHS, actually the Department of Health and Human Services has gotten really good at this as well, you

know, I think we're gonna continue trying to take this collaborative, very open process where instead of trying to impose policies on industry or on the security research community, we're instead going to solicit them and essentially say we are not gonna be the smartest people in the room on this topic. I have a computer science and mathematics background; I by no means consider myself to be a cybersecurity expert. So instead of saying, hey, I sat alone in my office for two hours and I thought about a problem and I think the answer is X, and then essentially writing a bill that says industry thou shalt do X because I thought it is a good idea, it's more likely that we'll

have these kinds of collaborative discussions with industry and with the research community and essentially say, here's the problem statement, you do this every day, you're far more immersed in this than we are, what do you think we should do? And then what I think is likely to happen, at least from my committee's perspective, is we'll take those suggestions, we'll roll them into the policy realities, because you can't ever get away from politics, and then, you know, we'll synthesize something between the tech expertise that we solicit and the policy expertise that we have and we'll come up with a working solution. So I think with things like the botnet issues and

the IoT issues, it's not gonna be us saying, well, smart device manufacturers, you just have to make your products less stupid. It's gonna be: you need to be updatable, you need to be transparent about what's included in your products, you need to be these other things, because that's what we've been told will get us there. For things like medical devices, you know, we need to put the tech people and the healthcare providers in a room together so that they can have a discussion about okay, we can't just unplug the pacemaker. I don't think you unplug pacemakers, but bear with me. We can't just unplug the pacemaker because that would kill somebody, but it

has a cybersecurity vulnerability, we need to do something, so tech person, hospital person, figure it out and then tell us and we'll help you do it. Maybe the best way to put this, instead of me continuing to ramble, is that we, my committee, Congress, I think we want to be the conveners. We want to be a welcoming enough face of government that people can come to us and tell us what they think their solutions should be, and then we can help implement them to the best of our abilities, because I think, again, I would just repeat, we don't believe that we're the experts, we don't believe we should be the experts,

we would prefer that we don't have to be the experts. Abstracting again from what you said, it sounds almost as if you're saying that regulation might not be the only power that government has, and that even within regulation there might be some ways to do it that aren't as heavy-handed as a lot of people in this community fear. Yeah, yeah. So actually one of the ways that I'll put this, I'll let you in on one of my secret powers of Congress: my ability to ask really stupid, clueless questions, or at least what people think are really stupid, clueless questions, gets me very far. If I'm sitting in a group, for example, with the coordinated

disclosure debate early on, when we were starting to discuss this with car manufacturers and medical device providers and energy grid operators, you know, if I just kind of sat there and looked a little clueless and was just like, well, you know, but what would happen if somebody came to you and said you had a vulnerability in your system, like what would you do with that? And then to just see them kind of be like, we don't know, and then realize that they have to give us a better answer than we don't know, or we'll find an answer for them and they're not gonna like it. So that ability to kind of insinuate that, either

figure this out yourself or we'll figure it out for you, and by the way you won't like what we say, is a very, very powerful driver, because, you know, two months later you can essentially ask a clueless question like, well, what would happen if, and then they'll be like no, no, don't do anything, just give us a little bit of time and we'll come back to you. Then two months later suddenly, you know, they're like here it is, we sat down and we figured out the answer is X. So I think that will be the larger trend of cybersecurity issues across government. Yeah, and then beyond just the power of convening in Congress, there's also

federal agencies. Looking around, I see several friendly faces, I don't want to call all of them out, but different parts of government have different types of authorities. Some can regulate, so they can impose things on industry. Some can mediate, so they can kind of get in the middle of certain conversations; if an organization is maybe not responding to researchers, someone like ICS-CERT can come in and help mediate that discussion. Some have convening power in a different way, a more public and open way, and Allan would love to talk about that, he might even have a couple of talks this week on it, but doing things like being able to bring industry together to come

up with a common way of doing things and to essentially define a standard, or something that can act more or less as a community- or industry-driven standard to be implemented. And so there are multiple ways that government can go about bringing together these conversations or having these conversations; that doesn't always mean, if government is involved, there must be regulation that comes out of it. But at some point those types of conversations will break down, and industry won't be leading, or they won't be leading in the right ways, and at that point there might be a threshold whereby regulation or legislation is required. And I know that the current administration is very regulation-light, they would like to see less regulation

going on, legislation that pulls away some of the heavy hand of government on industry, and I wonder if you could spend a couple of minutes talking about what some of those mechanisms can look like, once regulation, once legislation is required. What could go into place that would be less heavy-handed or be seen as less of an inhibitor on industry? So, full disclosure, in Congress you have two kinds of staffers. You have legislative staffers and you have oversight staffers. Legislative staffers work on legislation and oversight staffers oversee. I am an overseer: I do investigations, I don't necessarily do legislation, so we're getting slightly out of my wheelhouse. But, you know, I think some ways that regulation

gets approached when government doesn't want to be very prescriptive is we essentially say thou shalt adhere to an industry best practice guideline, and then it's sort of unnamed; it's not specified what each of those controls are. But I think, you know, this is the case with some things that are now referring to the NIST framework, for example, where people are saying, you know, we're not gonna say you must do X, Y, Z, but we are going to point you towards the NIST framework and then you can fill in the blanks yourself. I think that is pretty similar as well to what NHTSA did with their auto cybersecurity guidance, where it wasn't

necessarily hugely prescriptive but it had some basic standards of care, if you want to call it that, for what should be done. And I think that's generally the way that it's approached, where the government will essentially say, we expect you to meet a minimum standard but we aren't going to tell you what that minimum standard is; we expect you to get together as the industry in question and come up with something, and then you adhere to it. And that gives industry the ability to control their own destiny to a certain extent. It gives them a little bit more say in what they're gonna have to adhere to, and it also speeds up

the ability to update whatever it is if there's some huge shift in the technology, because the technology can change much more quickly. And we've got about seven minutes for questions if anybody wants to ask any questions about public policy in the Internet of Things. We've got one there. I mostly just had a question about the coordinated vulnerability disclosure, because this is the first time I'm hearing this and I'm kind of interested in it. When you talk about that, is it mostly how you coordinate with the different people that you have to disclose this vulnerability to, and then the public, or is it how you run through channels to

start disclosing this vulnerability and then start to protect it? Are you asking about the process and the concept of coordinated disclosure? Yes. Okay, well, there's some really good resources out there that you can look at to help go through it in a lot more detail, and you're actually sitting next to a very smart person who knows a thing or two. But the idea of coordinated vulnerability disclosure is, when a security researcher or anyone finds a potential security flaw in a product or a piece of software, they can do two things with it: they can either tell someone or tell no one. And if they tell someone, how do you then tell them? And there's many different

ways that you could go about doing that: privately disclosing to the first party who made it, or to a third party who didn't make it; you can publicly disclose, mailing lists or something like that; you can work in a more staged and coordinated fashion, for instance, and that's where the bulk of this conversation has been, in coordinated disclosure, where you're working to coordinate with the people who are responsible, accountable for the vulnerabilities within those systems, who wrote the software for it or are selling those systems, and that way there's a chance that the vulnerability gets fixed before someone else knows about it. And then what do the escalation pathways

look like if that conversation and coordination breaks down, and then engaging people like CERT/CC. Art Manion is sitting to your left; probably don't email him directly, but his group can help do some of the third-party coordination. ICS-CERT, I mentioned earlier, can also do some of the third-party coordination to help broker trust between researchers and software makers or device makers. And there's actually an ISO standard for how organizations, software makers, device makers, would handle disclosures. There's a couple of ISO standards, I might butcher the numbers, but I think it's 29147 and 30111. Art can correct. Yep, I get the thumbs up from Art. But there's also, because I've got

a slide on it, I'll pop that slide up: there's an NTIA document that was released in December of 2016, Vulnerability Disclosure Attitudes and Actions, the result of a multi-stakeholder process, and on December 15th they published an early stage coordinated vulnerability disclosure template, as well as several other documents around this, to help by and large industry and corporations figure out how to handle disclosures and what goes on both publicly for the policy side and then privately behind the scenes to handle them internally. Yeah, the next question over here. Nice to see you both. They can't see me, so that's a little joke. Regardless of who is in political power at a particular time, a common critique

of Congress is that they are beholden to special interests, and I was curious what mechanisms exist or what processes you use in order to minimize making decisions that are overtly biased, so to speak, from said special interests. So, easy questions. Obviously it has an easier answer than you'd figure, but I think it's because of the issue set that I cover. So in Congress usually staff cover a range of issues: you'll be the healthcare person and the energy person and the telecom person. For me, I am only the cybersecurity person, so I cover cybersecurity all day, every day, it's all I do. And so to answer your question about how I avoid making

biased decisions: I look at the technology. What can the technology support, what can't it support, what is the reality of the technology? This is a big one, actually, I probably should have mentioned this, because encryption I assume is a huge deal for everyone in this room. So Congress, as I'm sure many of you are aware, decided to jump into the encryption debate last year, and we did the encryption working group, and I staffed that, and we released our report in December 2016, essentially saying, you know, don't weaken encryption, it's a bad idea, don't do it. And you know, I guess you could argue in that case that there were special interests on both sides.

You had law enforcement and the intelligence community essentially saying we'll never be able to solve another crime again, and then on the alternative side you had companies who said, you know, we've got to protect dissidents, we've got to protect domestic violence victims, we've got to protect everybody, and we can't do that without encryption. And so the reason that we were able to arrive at the conclusion that we did, which was don't weaken encryption, is we looked at the technology, we talked to a bunch of encryption experts, for me frankly I looked at the math, and as such we said we cannot see a path forward where the technology will simultaneously

support being weakened and still be able to do the things that it needs to do. So at least when it comes to cybersecurity issues I get lucky: I look at what the technology will and won't allow, and that's my policy. I think we've got time for one more question before we go to the Feds and Hackers, Feds Heart Hackers panel at the top of the hour at 3:00 p.m. Good afternoon, appreciate your comments. I have a question: what are you thinking about in terms of policy as we look at Mirai and things like Mirai and botnets and all that sort of thing? How do people who operate really important things continue to do their

job in the face of non-intelligent devices that are being co-opted by adversaries to do things? Is there a thought in the policy space to provide for active defenses, I can't use that word, to allow maybe ISPs to stop unintelligent devices from just beating the heck out of poor victims? Yes, so I'm gonna try and answer quickly because I know we're running out of time. I would highly recommend, this was not planned that we keep advertising, but there are so many smart people doing panels, I would recommend that you go listen to them. I'm gonna call it hack back, or active defenses; I kind of loop

them together into one kind of category of issues. Jen Ellis and Leonard Bailey, Leonard Bailey is a DOJ attorney who's incredibly smart on these issues, he's giving a talk tomorrow morning, "Baby Got Hacked Back", is that what it's called? So I would highly recommend that if you're interested in this issue you go listen to them give their talk. I am highly skeptical of any active defenses or any hack back measures, because frankly, if we can't make secure systems to begin with, I don't think we have any business saying that we're gonna use our skills to go attack somebody else. Like, I would rather, let's just focus on making systems that cannot be affected through

Mirai-like action than try and take this offensive-focused approach. Like, in this case I do not think the best defense is a good offense, and so I would much rather focus on the defense part. I'm gonna try and find a slide really quickly. Is that the somebody-punching-somebody one? I like that one. So we may have some options there, we may have all bad options, so this isn't a complete set of options. We could take an attack-to-defend approach to botnets, but you could disconnect or filter out bad actors; that may lead to, especially in some other parts of the world, taking

more heavy-handed control over the Internet. You may also inadvertently turn off or block connected equipment like medical devices. You could try and take down the bad actors, just disconnect them and completely go after them, brick the devices; that may also lead to bad public safety outcomes. Or maybe the worst idea is you just let all of this stuff happen, which may be a terrible idea for any number of reasons. So I'm not sure we've got a bunch of great answers at a public policy level or at a technical level necessarily. So with that, our time is, well, expired, so thank you all and stick around for the next panel, Feds Heart Hackers. Thank you, Beau.

Jessica