
IATC - Cybersec and AI Risk Management Challenges for the Next Generation of Public Safety Systems

BSides Las Vegas · 35:16 · Published 2024-09
About this talk
Cybersecurity and Artificial Intelligence Risk Management Challenges for the Next Generation of Public Safety Systems (full title included here since there's a 100 character title limit)

I Am The Cavalry, Tue, Aug 6, 13:00 - Tue, Aug 6, 13:45 CDT

Public safety agencies are adopting increasingly connected and intelligent systems. Next-generation 911 provides dispatchers with ever more information. Robots searching for lost people leverage AI features and novel forms of communication. An incident commander at a wildland fire can get up-to-the-second information from satellite, aircraft, robots, personnel, and sensors, while leveraging AI to predict the fire's evolution. But how much do they know about the novel risks of all this new technology? This talk serves as a rallying cry to the cybersecurity community to help public safety agencies to appropriately, responsibly, and ethically adopt these new advances in connectivity and AI. I will present an overview of how public safety approaches the topic of technology, where there are gaps in their understanding, and the impacts that they can have on their ability to keep us safe. I will then discuss how practitioners from across the cybersecurity community can help, ranging from developers, testers, and hackers, through to those in governance and management.

People: Raymond Sheh

Transcript [en]

Okay, good day everyone, and thank you very much for the kind introduction and for inviting me to give this presentation. So I'm talking about cybersecurity and AI risk management challenges for the next generation of public safety systems. In the introductory speech we talked about health care being a massive target. What was touched on there, and what I'll expand on a little bit in this talk, is that the folks who are keeping us safe are themselves very poorly resourced on cyber, but they're also being inundated with more and more people selling them things: selling them AI, selling them this, that and the other. And there is a massive, massive asymmetry in the amount of understanding between public safety folks who are keeping us safe and these people who are trying to push whatever they're trying to push, just in terms of information generally, not even in terms of risk management. How do we help with this? That's kind of what I'm going to talk about for the next half hour or so.

The usual disclaimer that we all have: these are my views. They're not representative of the views of NIST, Johns Hopkins, or any organization that I am or have been affiliated with, and certain commercial products may be identified in order to foster understanding; they don't imply recommendation or endorsement by myself or anyone else.

By the way, everyone can hear me when I'm doing this, right? Yeah, all good, perfect. Okay, so a very quick introduction: who am I? I am a doctor, not the health care kind of doctor. I do surgery on robots, not surgery with robots. My PhD is in AI robot behaviors, in that wonderful, wonderful period between the end of the last AI winter and the influx of deep learning, when mathematical rigor kind of mattered. I might be bitter. I got one chuckle from someone, okay, I might actually have a chance with this audience. By the way, first time at BSides, so thank you, and apologies if this talk is completely off from what you're used to at BSides, because I've got no idea what you're used to here at BSides. But I've had a long-term interest in cybersecurity, just from a fun perspective. Who here remembers the first edition of Hacking Exposed, the book? Okay, yeah, so that was kind of my entry into this, back in the days of messing with Windows NT and all that fun stuff. And apart from playing with robots, I did things like teaching cybercrime and secure programming and industrial automation and robotics and things like that.

Relevant to this discussion we're having here, though, and things moving slowly: last year was actually my first DEF CON. Prior to that I had a bit of a gap; my previous cybersecurity conference was SANS 2013, and it was interesting seeing all the things that in 2013 they said would be solved in 10 years. I came to DEF CON and they're not. We need to deal with this, because 2027 is not that far away, and where this is particularly problematic is with these things, right? We're having a hard enough time dealing with them from a network perspective, from a computer's perspective, from a cell phone's perspective. What do you do when it's a medical device, or when it's a robot? And as was mentioned, you cycle these things out in 15 years, right? What do you do with it when it's a car? This wasn't the point of this car, but anyway. So my background is very much on the measurement science and requirements side of the house; that's why we have a car full of QR codes, testing the ability of robots to actually see: is this the car I'm looking for? Is this the lost hiker? Is this the person who actually needs our attention when a robot goes in, when they're doing triage? Who is actually injured, and so on. How do we measure the vision? That's kind of where that's going from. Anyway, teaching all that stuff.

Moving on. Why am I doing this? I'm doing this because I see the big issue here is that people are shouting into the ether and the ether isn't listening. I really, really loved the way it was put earlier, that we need to speak to these people in their love language, and I hope to be able to talk to you a little bit about how to speak the love language of public safety, because these people are crying out for our expertise. They're crying out for something that's going to help them deal with this information asymmetry, where they're being sold all this stuff and they're being pressed on, saying "hey, this will help you with your outcomes," or, as some of them get told, "if you don't adopt this, people are going to die," and they don't know what the alternative is or what the downside is.

Anyway, as may have been alluded to, again I'm representing myself, but I did do a lot of work with NIST. I like definitions. This is the first pain point that you will find when you're talking to public safety, and actually this is probably not unfamiliar to most of you anyway: there are lots and lots of people who mess with the definitions to try and get people to buy their thing. And the problem that you run up against with public safety is they're used to having very good definitions for things; they're not used to people playing silly buggers with the definitions like this. So I'm going to propose a few things here for this discussion.

Cybersecurity: we all know what cybersecurity is, right? We're at a cybersecurity event. If you've gone and had a look at all of the various cybersecurity framework or guideline things and you compare all the definitions and see what is and isn't part of it... I like NIST SP53: prevention of damage to, protection of, and restoration of computers, blah blah blah blah, you know all that. Make sure that the people you're talking to know what is even within scope of what you're talking about. That one's easy.

This is the one that I love: what's artificial intelligence? As a devout Australian, I have a nice saying for this one: the definition of artificial intelligence is like the definition of football. We are not going to agree. I used to get very, very upset with people when they used the wrong definition of AI. Right now everyone thinks AI is like generative stuff, or deep neural networks or something. I remember a time when everyone was getting upset because everyone thought AI was machine learning. This is actually the first thing that public safety people, and actually people who have this asymmetry, get really, really wrong, and that is that AI is many, many things. Where this is important is that there are many ways of getting the result. There are many ways of doing license plate recognition; there are many ways of doing routing of your ambulance; there are many ways of figuring out where to put your next fire station to get the best response. It's not just deep learning. Helping to educate these people, saying there are alternatives that are not just throw deep learning at the problem, or the latest deep learning startup, and so on.

On the flip side of this, on the AI side, there are many dangers that are posed by AI that these people don't know about, and that we as practitioners of the computer sciences need to educate them about. For example, one discussion that I had, and we'll talk about this later, was with Next Generation 911. Who here knows about swatting? Who here knows about Next Generation 911? Okay, so the really quick version: it's 911, but it lets you also submit imagery and video, because rather than having some panicked caller calling 911 who can't talk coherently because they're in a panic (and the best of us get there; I've been there, and I thought I was pretty level-headed), you can just send a picture and they can know exactly what's going on. How much easier is it to swat someone when you have generative AI? Very. Now that's bad, but at least the 911 folks kind of know about this. They know enough about it to say, yes, this is a problem. They know little enough about it to say, but we'll just train another AI to detect it. Okay. There is a lot of education that we need to do out there just on these basic concepts around AI.

Public safety. This is a scope question. Public safety is not just your ambulance, fire, police, whoever. This country loves its privatization. Public safety also includes all of the companies that are providing contract services, who can be in the worst of both worlds, insofar as they have to be commercially competitive, they have to sell their service so they have to be buzzword compliant, and they may not be fully regulated the same way, and they may not have the resources or the impetus. And yet these people are also part of public safety, insofar as, as was mentioned before when talking about health care, your hospital can do everything right, but if the insurance processor gets popped, you're still screwed. Let's see, contract supplies, okay.

Risk management. We're talking about identifying and controlling risks, and a big chunk of risk management here that I think we all need to be very cognizant about if we're talking with these folks: well, there are a few things. The first one is that risk management is not risk minimization. It is not risk elimination. It is not risk avoidance. What do I mean by this? These are people who are authorized to drive 20-ton vehicles the wrong way down Main Street through red lights. That is not risk elimination or risk minimization from a driving perspective, but it is risk minimization from a society perspective, relative to the probability of something going really bad if they don't get to the burning building in time. But society participates in that risk management: when we hear the sirens and we see the lights, we know that we need to do our part and get out of the way, or be more attentive, or at least be aware that something strange is about to happen and be more attentive in our risk management. Okay, a very simple example of how this works.

And this is, I think it was mentioned earlier, these people don't have the resources to just apply a particular risk management thing to what they do. It's worse than that: their use case may not even allow it. For example, you have a large fire, you have multiple fire departments responding, they all have their device. Someone's going in, and for whatever reason their communication device is broken, offline. They come across someone from another squad that's down; their device is working. They need to be able to pick it up and use it. They don't know what the password is. They're not even necessarily on the same authentication system; their federated access control may not even be compatible. They have to get to yes on using that device. What happens if you just slap a corporate device management policy on it? Not going to work. Risk management is a really tricky sticking point for a lot of these organizations: where and how to adapt these things that we all know from corporate and normal risk management. How do we make it work for public safety, but also for water, for food supply, for all of this? There are nuances that organizations don't even have the resources to be aware of. We need to be aware of them, at least when we're writing things, to at least make these call-outs. I'm sure a lot of people here write policy and things. Be mindful: hey, there may be call-outs that at least flag, hey, this is a thing.

Next-generation systems. What is a next-generation system in this context? We're focusing on things that are moving fast enough that the risks are not obvious given what has come before. That's kind of a weird definition when we're talking about managing risk, especially for these organizations where the personnel are employed because they're great firefighters, right? They're employed because they will run into a burning building. Good heavens, I'm not going to run into a burning building. These people are good at that. They're not employed because they're good at technology; that's not their job. We need to help them get ahead of this, and part of that starts with being mindful of their pain points and challenges.

By the way, I'm going to blast through some of the rest of this just because I want to have lots and lots of discussion at the end. But anyway, some examples of public safety systems. We talked about Next Generation 911. Robots and drones: who here does sort of OT-type or IoT-type stuff? Okay, now imagine that your thing is now flying in the sky over there somewhere and you've got no idea if you're going to get it back. You have all kinds of fun there with your robots and your drones, and that's ignoring even all of the geopolitical overlay and the security overlay that's happening right now. You have increasingly connected systems: your dispatch system, that tells you which ambulance to send where, is connected to your 911 system, your 911 system is connected to your drone system, your drone system is connected to your geographical information system, and anyone can get in anywhere. Who here is familiar with what happened to Baltimore a few years ago, Baltimore 911? Okay, a few of you. For those of you who aren't, have a look; it's public knowledge now, there have been case studies and all that. Baltimore's 911 system got ransomware. It took down all of the computer systems that they used to filter and screen, to actually go through all of their 911 calls and send them out to dispatch. They kept going because all the people who would normally be in management were running pieces of paper from room to room. Guess what saved them and helped them get back? I'm sorry, by the way, guess what caused it to happen in the first place? A contractor dropped the firewall to make something work. Guess what got them back up? A fire department happened to have a backup server. That's the really, really short version; there's way more nuance to it than that, I'm oversimplifying. But these increasingly connected systems are running far, far ahead of their ability to deal with this.

Increasingly smart vehicles and routing. People don't generally think very much about the AI that's in their Google or Waze or whatever your routing system is. That can kind of be life or death if you're trying to route an ambulance. How is their data getting cleaned? What are the risks involved when they switch from one system to another?

So what is some low-hanging fruit? How do we figure out low-hanging fruit? What do we think about? Because one of the things we don't want to do is go into the local fire department and go, hey, you need to adopt, I don't know, pick your favorite framework. At best they're going to tell you to go away; at worst they're actually going to try and do it. I didn't get that backwards. Got to think about it, okay. A few things to think about. Overall technical impact: is this actually going to make a difference? And actually a lot of things, when you think about it, is this actually going to make a difference? You've got to think about it. How bad can it get? This seems to get the most attention, but that's also not the most important thing. What is the likelihood of negative impact? This is one that people generally really don't think about. What is the likelihood of acceptance and understanding? A fire department or an ambulance service or whatever, you're likely to get way more compliance if there's acceptance and understanding, if it's something they already know they need to be dealing with, and where the solution is of the type that they can actually incorporate into their operations. If you go to them and say, here is something that has great technical impact and is really likely, and they go, huh, you've got an uphill battle. I'm not saying those things aren't important, but being very aware of the likelihood of acceptance and understanding is critical. And let's see: actionability, likelihood of real-world reduction in risk.

Actually, I skimmed over my background, so where this has come from: in my previous life I was developing performance measurements for robots, the robots that go into the building that even the firefighters won't go into, and figure out if there's anyone there or figure out if the structure is safe enough for them to go into, or that fly over the next ridge after there's been an earthquake or whatever and see what's going on over there, and things like that. And a lot of the last two bullets are things that vendors don't seem to speak to when they're talking with these people: is this actually going to make my life better? Is this actually going to improve the outcomes?

Okay, so we really need to talk to these people. How do we talk to them? Again, if we just show up to the local firehouse, unless we already know them, they're probably going to go, who are you? What's our way in? We, the Cavalry: how do we do it such that they know that we are the Cavalry? Okay, so these people love their guidance and regulations. They have procedures, they have standards for everything. I mean, some of the earlier standards came out from issues where a whole bunch of fire departments showed up to the same disaster and they couldn't connect their fire hoses together, because none of the fire hoses would link up. These people like their standards. There are many things out there that these people look at and listen to. I'm familiar with the NIST Cybersecurity Framework and the AI Risk Management Framework. Who here knows about either of those two documents? Okay. These documents are put together with public comment. We need people to write into these when they put out RFIs, when they put out their drafts, and say, hey, sounds great, maybe there needs to be a call-out for the folks who have slightly different use cases. And by the way, everything I've talked about, I've talked about in the context of public safety; it's not just public safety, it's anyone who has a weird use case and a weird risk management profile. They need call-outs for this. How many people have seen a framework or a top 10 or something used for something that's completely inappropriate? We need to write commentary; we need to talk about how these things are applied inappropriately. Who here is actually involved in writing policy? Okay, so when you write policy, you also have guidance documents around them. Acknowledging the exceptions is a big chunk of this, because the problem is the person who is helping public safety do this guidance and regulation stuff is not necessarily familiar with this either. They need that prompt to tell them, hey, for my application I need to think about this.

Social media and podcasts. You know the joke: how do you get a message out? And this is old, but: telephone, telex, tell-a-firefighter. Okay, all the people who laugh, laugh quietly because they're showing they've been here for a bit too long. So these people talk to each other. There are plenty of social media, podcasts and things that these people listen to. They really want people like us to talk to them; they don't know who to reach out to. We need to be talking to these people. A lot of us like to talk, or at least pretend to like to talk. We need to reach out to these communities through these avenues, because here's the thing: here's who's also reaching out through these avenues. The vendors who are telling them half the truth.

Events. Similarly, trade shows, conferences, conventions. Again, they're always looking for people who don't just understand the cybersecurity side of the house but understand what I was talking about before about their nuance. They don't just want someone to stand up and say rotate your passwords, patch everything, put a firewall up, use a VPN. They want someone who can actually translate that into what is actually technically actionable in their application and is actually going to be usable for them. And they need people to talk to them about these things, because again, guess who's at these trade shows. And the thing is, by the way, I'm not casting shade on the vendors. Their job is to do a thing, but there is that information asymmetry that we need to help them with. Those of you who are sales representatives, okay, now I'm talking to the other side of that. Again, you have a job to do. The thing I often point out, though, and actually I did this a lot back when I was doing robot testing (I'll talk about robots for this): the worst robot in the world is indistinguishable from the best robot in the world used for the wrong purpose. If I'm a robot vendor, I do not want to sell my robot to someone who is going to use it for the wrong purpose and get a bad result, because remember what I said: telephone, telex, tell-a-firefighter. Everyone is going to be told that my product is terrible, when it's not terrible; it's just that it was sold for the wrong purpose. We have actually made inroads on that side of the house for sales folks who are using these standards to tell people, my product is not good for this, do not use it for this, I would rather you buy someone else's product. I'm a little bit out from how that works on the cybersecurity side of the house; I don't know how much of that is happening. From the other side, I know they're getting horribly confused. But that, I think, should be something that people think about and point out: hey, I've just realized you've got this thing, you need to think about this risk when you're talking about my product.

And of course trainers and industry organizations. Again, the industry organizations for public safety are crying out for the kind of expertise that is going to sit down with them, not to push a product, not to just parrot "have strong passwords, use a VPN," but who can actually do it. And I mean, from our perspective as practitioners, it's not actually that much additional thought, but it's thought that they need and they don't understand. Okay, so that's kind of, I guess, not even really their love language, as much as it is figuring out how we even get to the point where we're talking about their love language. I guess we talked a little bit about love language earlier on. But anyway, I have a 10-minute call, which is perfect, so let's have a little bit of discussion. How do we help those who keep us safe?

I guess the first question is, who here has... I guess we have a microphone to run around, or do we do this, or do I keep it? Okay. So actually, just a show of hands, by the way: who here has actually interacted with public safety the way I've defined it? Perfect. Okay, so I've come at this from a particular angle. Is there anything critical here that any of you folks who have dealt with public safety think that I've missed? Please, because of course I'm an academic; I spent 20 years in academia and government research.

So, I've been barely containing myself the whole time. Perfect. So I will say, I'm Sarah. I am those people that you keep referring to, these people. I started my career in 911 before we had fancy computers; we had a phone, it rang, that was what it did. So I've been in this industry a long time. Now I'm a researcher, a disaster researcher, professor, and I think one of the fundamental issues that we have is this: public safety practitioners at the field level, they don't care about these things. They put the wet stuff on the red stuff, they put the bad guys in jail. The emergency managers live in that space to try and coordinate, but the decision makers don't speak the language of tech at all, and that is a fundamental issue we have. They don't know where the... I can't even tell you how many people have come to me and said, what's the best software for this? I'm like, well, what do you need it to do? Things and stuff. They don't speak the language, to the point that they can't even scope a problem, because it's a fundamental lack in their background, their education, their training. Part of it is government: you have to really want to be a government tech person, because there's not a lot of money in it generally, especially at the local level. But this idea of, I don't even know what's capable, so I can't tell you what I want it to do, I just know I have a problem, that I think is the sweet spot in conversation: I can tell you what's wrong, but I don't even know the possibility of fixing it, so I can't go to a vendor and say I need this, because when you ask a vendor, every vendor has the best solution for your problem, because you don't know what your problem actually is. And one of the best cases I've seen of that, best, worst, however you want to look at it, is a police department I worked for many years ago that implemented a new fancy computer-aided dispatch and computer-aided reporting system, all this stuff. What they didn't do is spec their internal systems and realize that none of the cops knew how to type. So they went from recording all their reports and sending them to a transcriptionist to now they had to type, and people were getting written up because months down the road they're behind. They had to send a bunch of cops to typing school, because they didn't fully scope the project, because they didn't understand how. So I think that's the fundamental piece in here: they don't speak the language, and their education doesn't include any of the technology bits. It's not there.

Perfect, so that's a good one, and I think it's actually one that I've completely missed in this presentation, so thank you so much for pointing it out: they don't know what they don't know. They're not even here, because they're going, huh, for something that's actually really important. So, speed questions. Okay, I'm told to hurry it up. Yes?

Hi, I'm a CISO in light rail. One of the biggest challenges are the life cycles in which these systems exist, and we cannot make changes in a cheap way. We're now at seven- and eight-figure numbers for systems that are supposed to be in there for 15 years, and so I think the biggest challenge is, as cybersecurity continues to evolve in terms of threats and other things on the landscape, how do you put something in today that can protect something that didn't even think about RBAC, you know, 10, 15 years ago?

Yeah, exactly. That's... and part of the problem there is there may not be a solution at that level. Your risk management might well have to be: accept that there is a risk, and now you've got to put governance, policy, procedure around it somehow. At this point there may not be an easy answer, because there are no resources, and time is one of the resources that they may not have. Yes? How are we doing for time? A couple more questions, okay.

In the slide before, we just said about how people can help. Maybe not for fire departments, but police departments will typically do a two-year audit, so they may already have a list of things they need to improve upon, and so if people want to sort of knock on the door, that could be an avenue to say, hey, I'm here to help, and can I take something off your plate? Just as an idea for everybody in the room.

Yep. Yeah, so knowing their cycles. And there are tons of audits that I think public safety, and just if you're looking for grants, you have to do anyway, so there's probably a list of activities they know they need to improve upon. Yep, good one. Anyone else? No? Okay. Oh look, then, did you have a... okay. Well, thank you so very much. Please do stay in touch, especially if anyone has any comments. So I've been on the academia and government side; I'd love to know more, get more in depth on the vendor side and the private industry side of the house, so please do reach out to me. Email address; you can find me on LinkedIn and all that. But otherwise please enjoy the rest of the event, and thanks once again to the organizers for inviting me and for listening to me for the last 45 minutes.