
Excellent. All right, so my name is Allen Friedman. I'm from the government and I'm here trying to help, and hopefully today you will tell me how we can work better. So, just a very brief introduction: I've been a Fed for about four or five months. Originally I did computer science; I did computer security and crypto. I wasn't very good at it, and so I went to grad school in a field, public policy, which means I did a lot of economics, but not at a professional economist level, and I did political science and organizational behavior, but not in any way that I could make a career in it. And so when you're mediocre in that many fields you sort of end up in Washington, DC. So I bounced around various research organizations before joining the US Department of Commerce.

So the basic gist that I'm going to be pitching you today, and I think it's been teased a little bit by some wonderful people here today, is that we're going to be having an open and consensus-driven multi-stakeholder process, and we'd like your help. Hey, look, some bullets. What are we trying to do? We want to foster trust, reduce friction, increase predictability, diminish calls for regulation, keep the man off your back, and of course improve productivity.

So I work for the US Department of Commerce, or as we like to call ourselves, the good guys. Of course we all get along in the federal government. But I don't have a badge, I don't have a gun; they didn't give me any of the cool toys. And we're not a regulatory agency, with a few exceptions that we can raise a little bit later if you guys are curious. What we do have is a focus on trying to make things work, and in particular we're focused on the digital economy. We like the digital economy. It's a great buzzword, and more importantly we think that it is one of these things that's going to drive growth and innovation and jobs and all those wonderful happy things.

One of the other DC buzzwords we like to use is the ecosystem, but I actually really like this concept of an ecosystem, because if you go back to biology, what do you learn about an ecosystem? Well, you can zoom in or out a practically unlimited amount, and that's very useful: you can analyze at the micro view or the macro view. You have competitors, you have collaborators; sometimes you have different parts that do both at different levels, and often you have two things that appear unrelated until one of them gets way too big or goes away, and then you realize, oh, they're kind of interconnected. And that's part of what we're trying to do. So the ecosystem is a very powerful metaphor, but at the end of the day, Commerce, we like markets, and we're for them, and we try to help them, because unfortunately sometimes markets fail.

So in the security space there are lots of people who have been talking about market failures; in fact that's sort of my origin as an academic, to think about this. But we're going to talk about policy today. So what's the policy context for thinking about how to address market failures in security? Well, we have our friends in Congress, and they do mean well, and sometimes they can work, but it takes a really long time. Legislation, even in the best of days where you can get Congress to work well, takes a really long time to debate things; it takes a long time to get things done, and it's a very broad, crude instrument. It's very hard to write legislation that can actually grasp the nuances of very complex, subtle issues. So what do you do? Well, you have legislation and you also have our friend regulation, or as some people like to call it, job-killing regulation, one word. The challenge there is, even when you think regulation is a good idea and necessary, it still takes a long time, it's hard to get right, and often whoever just yells the loudest gets to sway the debate.

So what's left, if we can't have legislation and we don't want regulation because it takes too long and it's too clumsy a process? Well, you know, we've got talking. We've got basically trying to say, how do we get all these perspectives? So my boss, the Assistant Secretary, part of his agenda is something you guys might have heard of, which is managing the IANA transition and really fostering support for the multi-stakeholder model. What does multi-stakeholder mean? Well, basically it just means talking: making sure that we can hear different perspectives and finding ways to use conversation to end up in a productive environment where we can find common ground and move forward. He likes this idea so much that he said, listen, this should be used not just for international internet governance, but this can be something that we can actually use for domestic policy as well. We'll return to the idea of domestic policy later if you want.

So we've been doing this for a while, before I joined the Department of Commerce: identifying issues where bringing different people together, the stakeholders, and saying, hey, how can we address these issues and make things work better, could actually make a difference. One of the things we've been working on is DMCA takedown notices. My colleagues brought together online publishers, web publishers, and content owners, two groups that don't really like each other; in fact they don't get along at all, but they are both bound by law, a very popular law in this room called the DMCA. Now, they had never been in the same room before, and one of the things that we did is said, listen, we know you guys disagree about each other's business models, but the law forces you to work together, so let's find a way to at least standardize the interactions that you have underneath the DMCA law. How can we standardize and make more rigorous the takedown notice policy? And they did; they found a way of basically formalizing that, so at least behind the scenes they had a better way of responding to each other and not having everything be, you know, ad hoc, one-off. It was more efficient.

We have an ongoing process on facial recognition
technology, right: brand new technology, or evolving technology, going to have huge market potential but also very, very scary from a privacy perspective. Rather than waiting for things to just grow out of hand and possibly bring in regulation to shut the whole thing down, or having CEOs dragged before Congress to answer very embarrassing questions, we said, listen, let's get the vendors who are going to be using the technology and the privacy advocates who are very concerned about the technology, put them in a room and say, hey, what are the concerns? Can we adopt voluntary guidelines that the vendors can follow that make the privacy advocates happy, so we can grow the economy and still protect privacy to some extent? Yesterday we had our first meeting of this new process for UAS, or as the rest of the world calls them, drones. It's interesting, you know, "cyber" and "drones", the two terms, even though we've tried to keep more productive language otherwise. Similar question, though, for drones, which is a lot of people want to use this technology to make money, a lot of very valid concerns in the policy community; let's come together.

So what are our goals for the security side? Well, to start with, the high-level goal is the stability and growth of the ecosystem. How do we make the internet more secure, right? We've all had that. So I joined the Department and we had a request for comment saying, hey, what should we work on? We're not going to be looking at every issue, we're not going to be changing laws; what are key issues where, by bringing different parts of the ecosystem together, we can foster conversations that haven't happened yet? We got some very interesting ideas. We got some ideas that perhaps could have used a little bit more thought, but we got them from a very broad range of stakeholders. We heard from, you know, industry associations, we heard from individual companies, we heard from startups; a few hackers wrote in and said, hey, here's what we think you should do. And we looked through the comments, and the idea that seemed to make the most sense, that had a lot of popular support for it, was that old chestnut (and old chestnuts are the tastiest chestnuts) of vulnerability disclosure. Right, is there anyone in this room that has not participated in an online flame war about vulnerability disclosure? Okay, we got a few people. That's excellent, this is good. So there'll be a little bit that's new here, but by and large this is something that's been around for a while. And by the way, to clarify, we officially call it vulnerability research disclosure, to make it clear that this is about the private sector, not about the government aspects.

So let's talk about history. Right, not that kind of history, this kind of history. We heard this morning in the panel, so I'm not going to dive super in depth on it, but this is something that's been going on for a while. In my case, the first paper on the topic that I peer reviewed was in 2006; there had already been a debate going on in the academic world about this question, and if academics have been writing papers about it, that means the real world had been dealing with it for another ten years prior to that. So we know that it's messy, we know that there are no clear lines, and we also know that there are benefits of working together. Now that's all well and good in theory, but we have to move past the world of theory. So why are we addressing this now? Well, there are a range of ongoing efforts right now. There is some excellent work that's been done by Katie Moussouris, who I think many people in the room know, developing an ISO standard, putting her blood, sweat and tears into making something happen. At the moment, if you wanted to read that standard you'd have to shell out $5,000 or $10,000; hopefully that will change. So there's certainly some progress going along there.

There's also a lot more public attention around this particular issue. You know, I don't have to tell you all the fun news stories that you've heard about from the last few weeks, devoted to the events here in Las Vegas this week, to know that this was now something that went from being a niche issue that people in the security community argued about, and maybe some lawyers got involved with, to being something that is now dominating the headlines. And unfortunately, when you have this much public attention about something, you have that much, you know, conversion of policy people into it, you tend to get not ideal policy: so, the signing of the Patriot Act. We also have an evolving market for it. There are more and more bug bounty programs that are coming up; lots of companies are experimenting, dipping their toe in the water. Josh Corman in the Cavalry room mentioned, told the story, that in fact some companies dip their toe in the water only to be punished for it: United sort of tentatively took a first step and was excoriated for not going further, for not taking the giant plunge. So to help with that there are now an increasing number of middlemen coming out. You've got HackerOne, you've got Bugcrowd; people are saying, all right, we don't expect you to run this yourselves, we'll bring you the experience and keep those crazy people in the utility kilts from touching you, from you having to actually interact with them; we'll handle the interaction. All right, well, that sounds
easy. How do we think about vulnerability disclosure? Well, the first-order approximation is we have two sides, and I realize it's going to be a lot more complicated than that, but we can talk about: we have the blue team, the vendors; we have the red team, the researchers. What are their motives? What are their capacities? Well, let's start with the researcher side. So, any Hogwarts fans here? We can divide researchers into four different groups, and you'll forgive me this. So first we have the people that care about doing it because the internet needs to be safer; these are the heroes who are just doing it because it's what they believe. Then of course we have Ravenclaw; these are the academics, right? These are people who are doing it for the wisdom; they want to understand the systems, and if they find the vulnerabilities, well, they figure out what to do with them as they discover it. They care about the knowledge. Now, there's no shame in wanting, you know, a little bit of money; there's no shame in that. I think there's a little bit of that in all of us; Slytherin is certainly the most practical of the four houses. And no one wants to be [ __ ] Hufflepuff, so really there are only three houses. So okay, so that's the motives; they're very different, we acknowledge that. What about capacity? Well, as we remember from the movie The Incredibles, everyone is special, which means no one is, but of course we acknowledge that there are some people who are good at different things than others. So we have very different motives, we have very different capacities.

Now on the vendor side, what can we say about what the vendors want? Well, those greedy bastards just want money, right? Any vendors in the room? You're all greedy bastards. No, they want the same thing that all of us want: they want stock images of cyber security and they want good security. Well, to be more precise, vendors want security, but, to be more important, they want to satisfy their customers. Right, they are, you know, to be honest, running a for-profit business, but also we have to acknowledge that if we expect them to look after the security of their customers, security is one part of the overall well-being of their customers. They don't want to break their customers' systems and they don't want to remove the trust that the customers have given them. Vendors also have different types of capabilities, right? There are maturity models; different firms have different abilities. There are some companies that have been doing this for a while; there are some companies that are just too small, they don't have the security people to know what to do with this; there are some companies that say, listen, we will dedicate many man-hours to figuring out how we deal with vulnerabilities, but even that takes a while, we don't have that many people. So we have to acknowledge that different types of enterprises, different types of vendors, have very different capabilities as well. And of course context matters: a cloud is different from a car. We have different technology, but we also have very different markets, we have very different regulations, we have many different factors that are at play. So by and large, on both sides of our multicolored scrum we have great heterogeneity, great diversity. Now, diversity is great for finding different ideas; we're trying to find common ground, we need to work a little harder, but on the other hand we have a lot more ideas at play to find it.

So what are the outcomes that we are trying to build here at the Department of Commerce? Well, we are looking for the silver bullet. You've heard there's no silver bullet; of course there's no silver bullet, right? There is no one-size-fits-all model; everyone is going to be a little different. Moreover, we have no intention of forcing people to fit into something that's going to be a poor match. We understand that in the research community people are looking for different things; we understand that vendors have many different interests at play as well. What are we trying to build? Well, we're trying to build a set of principles. We're trying to find a way of saying, all right, at the very least, if we can't have best practices for everything, we can have some higher-level best practices. We can have the Magna Carta of vulnerability disclosure: a set of principles that we can appeal to, that both sides buy into, so as we begin to develop policies at the enterprise level, policies at the sector level, policies at the industry level, we can point to them and say, actually, we're trying to follow this goal, so maybe we can tweak what you're saying a little more to adhere to this goal. What is the holy writ from which we can develop the law?

How are we going to do that? Well, like I said, talking; that's the tool we have. It's completely voluntary; we're not going to drag anyone there. It's also open; we don't keep people out, anyone can come. Now, this is scary for a lot of people, especially people who are used to working either in, you know, tight-knit collectives or industry consortia where you know the people that are around you, you know that guy (and there are always guys in this situation) who are, like, in the room and they say, we're going to pound this out and then everyone will just listen to us. That's not how this works. There will be, shall we say, difficult people in the room. Now, the good news about that is, unlike a closed process, a regulatory process where the loudest person gets the most attention, if it's open we can say, that guy's an [ __ ], I don't like working with [ __ ]s, and there are two things that happen, right: people stop working with this individual, or people take him aside and say, listen, we're trying to get something done, how can we find ways of working together? Because it really is about finding common ground.

Now, how that happens comes from the community. I am not going to tell you, we are not going to tell you, this is the exact problem we are trying to solve. We all know that we need to do something in the space of vulnerability disclosure, but actually defining the problem has to come from the community. The community has to have ownership of it; they have to set the agenda; they have to advance it. The job we in Commerce are going to have is to make sure: okay, you guys said you were going to have this part done by this week; how are you doing? This is going to be a series of meetings. It will require work. Just as legislation requires lobbyists, we're going to require smart people (not the lobbyists, the smart people) to actually figure out how we can find common ground. That is going to be a little onerous. My background is as an engineer and an economist; talking shouldn't work, right? Kumbaya is not how we can think of getting things done. But this has to happen for a number of reasons. First, has anyone ever been in a long meeting, a couple-day meeting, trying to solve a problem, and on the third day you realize that on the first day what she said was bloody obvious and you end up following it anyway? That's just how groups happen. But we have to bring people together. The first goal is to build trust. Having people in a common room helps most people realize, oh, they're not just crazy people with weird hair; they actually mean it when they say they care about security; they're not just in it for the glory. Oh, I never thought about how long it would take to develop a patch; yeah, that kind of makes sense that they would have to actually figure out how it wouldn't break all their customers' systems. We all know this; it helps to be in the same room and acknowledge it. We need to build trust.

We want to build predictability. One of the main outcomes has to be that both on the vendor side and the researcher side they know what they're getting into, or at least they know what they think they're getting into. Again, this isn't going to solve everything; there are going to be plenty of people in the world on both sides who say, screw it, that's not the way I want to do it. But if we can make it so that most people, when they come together and say, I have found something in your system, you want to take a look at it, we can actually say, oh, this is what I could expect, and I can expect certain things from certain types of organizations, and an organization can communicate with me what I might expect, and I can communicate with the organization what they might expect, that's going to be a huge deal in making this work better. And perhaps the end goal is going to be in reducing friction. We want to make it so that this market works and this community works,
because we're not just trying to solve the market and we're not just trying to build the community; we're trying to solve both of these issues, or at least address both these issues, at the same time. But the more time we have to spend dealing with this [ __ ] and keep having the same debate, in the long run the less work we can actually do about securing products for customers, for consumers, for citizens around the globe.

So what's the big picture? Okay, so markets evolve; this is good. Sometimes markets evolve and it gets a little tricky. How can we smooth the way? We love it when markets work, but people sometimes need a little handholding as things evolve, as things change, as things mature. Certainly the security community has evolved and matured, and we know the vendor community is evolving and maturing as well, so we need to make sure that this happens in a fairly smooth way when I have predictability. We also want this to be something that we can export, right? How many countries do you guys know of around the world that are saying, oh my God, everything on the internet is broken, I know, we'll fix it with regulation? Or even worse: I can say that everything on the internet is broken and that gives me an excuse to regulate the internet for, you know, economic, political, etc. reasons. And of course there are some of the real concerns that we all face as part of our jobs, as part of our daily use, as our daily lives as researchers: you know, how do we try to find some way of making sure that this isn't something that gets pushed illegally? I don't think it's a real exaggeration to say that if things continue on the current path there could be some very real challenges. Congress doesn't handle nuance well, right? Try thinking about how to explain Rapid7 in a congressional hearing and why it should be legal at all. Well, that's fine, you know, Rob said this morning we're all just going to go offshore. Great, except one, that's just not good for anyone.

So how do we get the people who make the decisions about legal to think? Well, like I said, I don't have a gun, I don't have a badge. The US government is an incredibly large and complex organization. You guys have worked in large organizations; you know that different parts are trying to optimize different things. That's the way it's supposed to work. The Department of Justice is trying to protect us the best they can with the tools and the mental models that they have. So one of my goals is to give Congress, the Department of Justice (and I'm sorry, I don't have a picture of Loretta Lynch looking thoughtful, so we have our ex-attorney general up here) something to look at and say, oh, this works. We can actually come up with an example of the research community and the vendor community collaborating, cooperating; therefore we don't need to regulate, or even better, as we change laws we'll improve them. And those of you who heard Jen Ellis talk this morning, she talked a lot about the need to improve, her perspective on how to improve the DMCA and CFAA and the other laws. But it's not just law enforcement we need to worry about. There is a certain amount of pressure we're trying to involve: if more companies every day are starting to depend on the research community, they're going to look a little more askance when other companies in their space go running for their lawyers. We want to change norms here. This isn't something that changes easily; this isn't something we can say, if we all do this then X will happen with great certainty. But we can say that companies talk, that lawyers talk, and the more people that we have giving talks saying, hey, listen, rather than running for your lawyers (at these big Bar Association conferences in very attractive exotic locales), saying, listen, you don't have to run for your lawyers, here are examples of how this works, we want to bring them into the fold as well.

So, final bullets. I want to make sure there's plenty of time for questions and conversation. We are launching a multi-stakeholder process on vulnerability disclosure. It's going to be open; anyone can participate. It's going to be transparent; meetings will be webcast; there's nothing that's going to be hidden. And it's going to be based on consensus, not unanimity. We don't vote; consensus just means enough people in the room say, yeah, I think we've got it, we've got it from here. We're not trying to create a new government agency; we're not trying to create a new ongoing program. The goal is really to have the community come together and find what it needs, in whatever capacity we can do that. And if we can only take a small bite at first, we'll take a small bite and then we'll take a bigger bite. If we think that the best thing to do is to say, well, let's just look at web applications because those are easy, or consumer-facing websites, and then we'll get to the difficult stuff, that's fun too. So I don't think the first immediate point should be leaping straight into industrial control systems, right? You never want to start off something like this where one side can just say, people will die, right? Don't want that. And similarly there's also a lot of other regulation, so we're trying to find areas where, listen, this is unregulated, let's keep it unregulated. But we need your help. So how can you help? Talk to us. There's my email address, my Twitter handle. Please, if you have something to say, let's find some time to chat this week. I'm leaving Saturday morning because apparently I hate future Allen. Tell your friends. Join us for our first meeting in September. It's going to be in the Bay Area; it'll probably be the second week in September, maybe the third, but probably the second week in September, probably at Berkeley. We're still trying to find the exact location; I was trying to nail it down for this talk. We don't have the exact time. If you're interested, let me know; I'll make sure that you get notified when we have the meeting out. It's going to be webcast, and this isn't going to be a little passive webcast; we're actually trying to build this in such a way that people who are participating remotely can actively participate and engage and ask good questions. If you think this is weird, if you think it's hokey, tell me how we can make it better. So that's really what I have to say today. This is your government; we are trying to do our best, and if you have suggestions for how we can do it better, please let me know. And there's a mic here, or we can pass it.

So there is a group of people who are already working on the same problems, the same bullets that you have. Why are
you trying to duplicate the efforts uh which well so there are many groups of people are trying to work on this problem group of people are so I'm just going to angle this up a little bit there you go the group that's working on uh vulnerability disclosure and coordination is called vulnerability coordination special interest group it's uh formed under Forum of incident response and security teams but the group is for anybody who's interested in participating in vulnerable deoration and disclosure fantastic and sorry it's a special interest group it's it e sig uh it's a forum of incident response and security team Sig okay yeah first which the same people who brought you CVS and so fantastic uh the group started uh
kick started in uh in June so it's new okay we have only had few meeting so far uh all the goals that you listed are the same as the group that's fantastic I will endeavor to learn I've talked to at least half a dozen people who are members of first uh founding members and I will make sure that I can work with them closely thank you so would you like an easy question a hard question or an unsolicited testimonial uh let's go in reverse order never go wrong complimenting people first uh so I've known Allan for quite a few years in quite a few settings I'm really really excited won't leave me alone that he's in this role
and this opportunity is happening it may succeed greatly it may fail greatly but it's really important it's really valuable and he's a great person to be in this role all right now will you take your money okay now for the hard question um so in some of these past efforts I'll point to the cyber security framework as one example a high proportion of the participants uh their job title was was uh government relations coordinator liaison from big company XYZ and a lot of the contributions were in the direction of I'm here to push or nudge this effort this direction because it's in the interest of my sponsor and my personal opinion is that sort of effort that sort of talking is
not value added to getting things done so how do you imagine organizing or recruiting or uh facilitating so that there's more effort toward getting things done and less toward what I'd call lobbying sure I think there there are two responses to that one is uh it makes sense when there's more than one voice from an Enterprise or an organization coming because for several reasons one there are many organizations that legitimately have multiple voices right Microsoft Google they have many different separate stakes in this so it makes sense they don't participate as one body two uh often if I can get and and Josh Corman has talked about this as well if I can create a room in which the lobbyist is
in the same room as the deputy ceso that's fantastic right what are the chances that those guys have sat down and talked before uh in terms of the real question which is if someone's working in their self-interest is that somehow against the general public interest I think the goal behind the multi-stakeholder model is to say if they come in good faith then we don't want to work against a large groups of people's self-interest because that's not how you create voluntary progress so the goal is to have people come and say Yes common self-interest let's find how your self-interest overlaps with the self-interest of others if we have a space as I I don't believe that we can
look at the space and find uh in instance where there is simply no Common Ground uh there are enough people that want the same things the challenge is how we've been talking about it has been framed poorly so we need to talk about self-interests so that we can identify oh if you feel that way well maybe we can do this does that make you happy does that still satisfy your real goals because people will take particular positions that they think are in their self-interest but in fact the positions are only slightly tangential to their real interests there are going to be organizations that say you know what I've been told this you know this is
great we like what you're doing we're not going to change what we're doing we've thought about this a lot we're not going to do it and that's on all sides right so uh used Nick security conference said should we have a vulnerability disclosure policy these are really smart people who've been doing security research for decades and they said no we believe that if something is intellectually important enough to be accepted at yck then we're not interested in the broader social ramifications we're not going to have a declared policy we have to respect that that has to be built into our discussion you had an easy question how is your process similar or different to past multi-stakeholder processes
including cyber leap year uh cyber security frame work and the national trusted identity something right sure uh the first one I can punt on I don't know enough about cyber leap year uh the Cyber framework came directly from President Obama's executive order 13636 uh which said hey whoops my first plan of having regulation didn't work thanks Chamber of Commerce uh that policy was going to give all the power to DHS and they said all right well if we can't do anything by mandate we're going to get everyone a room to do it voluntarily what does that look like well the first order say let's just find out what all the existing tools that are available are and create a
framework for organizations to assess risk and figure out how to climb that risk chain, a maturity model. So I really like the notion of a maturity model as a tool. The goal of that was to build a very specific document; while it was led by the community, a lot of the drafting was done by NIST, and it really was hearing from many different people, as well as iterative. The goal here is really to focus on the iterative dynamic of conversation from a fixed community, rather than to make sure we hear from, you know, we want the participants there at the beginning. Another way of thinking about the differences is that the framework
looks at risk inside an organization; we are looking at the overall, my overall mission in the US government is to look at risks that span between different parts of the ecosystem, where no one actor is coming together. There are areas where people are already working great; we don't want to duplicate. NSTIC, the National Strategy for Trusted Identities in Cyberspace, also out of the US Department of Commerce, is focused on a very particular engineering task. They have a standing body, they have a steering group, they have internal governance, they have checks, they have a checkbook, they've been given grants, and they're really trying to solve a
very important problem, which is how do we create a whole new identity layer in the digital ecosystem, how do we foster it in such a way that still reflects the values of privacy and digital autonomy and things like that. And basically the way they've got companies to participate in that is: hey, guys, if we don't work together, in four years we're all going to be doing our online banking with the Facebook Connect API, so let's find a solution. No, let's see, digital identity is another talk. Unless somebody bumps me off, I'm going to keep asking questions. One question: are you including Mikey Dickerson and his group? I do not yet know Mikey Dickerson; tell me
about Mikey Dickerson. Mikey Dickerson is the head of the US Digital Service. Okay, sure. The people who came in and basically unfucked healthcare.gov and then were set up as basically an executive branch body to keep track of digital stuff, and so they're actively bringing in a lot of people from industry, and so they have a rotating body of people. You should make sure his organization is at least aware of this effort, because he'll want to send people to it. That's a great idea, and thank you, and certainly I personally know a lot of people at 18F, which is where, you know,
the Digital Services group is based. I will say that one of the reasons I have not done a lot of affirmative outreach on this particular issue is that our focus, and indeed our mandate, is not inwardly facing in government. Now, part of that sounds like a cop-out, you know, government heal thyself. The challenge is twofold: one, it's actually astoundingly hard for the government to heal itself; it's so much harder for the US government to make progress in IT projects than it is for any large organization. And two, there is a law called the Federal Advisory Committee Act, FACA, which legally prohibits me from asking for lots of people's
opinions without going through a formal, congressionally mandated process for internal government affairs. If you're advising government policy, you have to go through this process. This is why government is so awesome. And so, yes, I cannot devote this to, this cannot be about government policy, but certainly we'll reach out to them specifically. Broad ties to industry, great people who are responsible for operations and response. Thank you, no, that's great, and certainly a lot of people have said, listen, you're focusing a lot on the product people; focus on the operations people, and that's been very helpful. Anyone else other than Russ? All right. A provocative idea for you: maybe in addition to consensus you
might want to actually promote progress in divergent directions, and then maybe in addition to talking you might want to promote doing, as in pilot projects, tabletop projects, anything that gets something done to show how something might work, to inform people's opinions about what is or is not possible, or what the consequences might be, or how something might be done. What does a pilot project in this space look like? And if anyone has an idea of what that... I don't have a clear vision, so if someone can share that, please tell me. I don't know enough details about this specific case, and if I spouted something off the top of my head I'd just be stupid, but I think
there's a number of ways to mock up or simulate administrative or economic or even regulatory processes in ways that you can attempt to assess how well they're going to work functionally, how they would work institutionally, and you could, I think, get some useful work done promoting people to go off and do something for 90 days and come back and report on a result, in addition to talking about things and encouraging people to arrive at some consensus. That's a great idea. By the way, for those who don't know, Russ's dissertation is on computational models of organizational and technical systems, so there's a certain, where did he pull that idea from? And
certainly, you know, in terms of, one of the things, as I've been traveling this great land of ours, I've been talking to a lot of people about what the process would look like. Would there be working groups? Some people have said, actually, what we want you to do, Alan, is appoint chairs from the community that are trusted, because you as the US government can't tell people to shut the hell up; they don't know me well enough. But so we want you to appoint chairs, the way, you know, an IETF working group does, to manage the process, and you just stay behind the scenes and write the big old government checks. There
are lots of other options that we can explore when it comes to process. I like the idea of trying to have do-outs, and certainly one of the processes that's a natural fit is to at least go home and write something and then come back and let's kick it around. I'm done, thank you. I've got a question. Fantastic. I think all of us in the room know that security people could yell about a problem till they're blue in the face, and until the public knows that there's a problem, nothing gets done, because public pressure moves companies; that's how it works. So how do we get the public to listen to what the heck is being said
on both sides of this table? Where do we pull the public into this conversation? That is an excellent question. I don't have a clear answer to that. You know, my approach has always been, or at least not always been, has certainly been to say that high-profile incidents tend to inspire reactions that may not be thought through as well as they could be. The natural pathway from strong public concern to policy has been through congressional hearings, or initiatives like the Department of Commerce trying to hire a failed academic. So, you know, we're going to say the latter is a decent step forward; the former, again, is quite tricky. If you have an example of where
strong public concern has led to a strong, nuanced response, I think that's great, and I would love to chat with you more on that, but certainly that's something that I would like to think about a lot more. You know, it's almost like section seven in the paper, instead of, you know, oh, we're going to have logging and auditing, right, which you have in every system and you never care about. Similarly, in a lot of security talks it's, oh, well, we need the public and consumers to drive things. I don't think we can sit around and just wait for that. No, yeah, but we need to get them on board so that everybody's moving in the same
direction together, as opposed to the oh my God, somebody drove a car off the side of the road, right, fix it. And sure, and I think one, you know, just off the top of my head, one thing that we can imagine is, you know, a discussion, or at least some market research from the vendors, from different sites, from different types, saying: how much inconvenience are you willing to put up with while we try to secure your products for you? Can we have a website that's down for a little bit while we upgrade it? Most marketing people say absolutely not, you can't do it; everything has to be done hot-swap.
Can we find some way to engage the public, or at least build some patience for it, so that we can sort of ramp up the cycle that takes, and, you know, have the timeline question be resolved a little more satisfactorily? That could be something that, you know, the vendors can focus on. You could imagine, certainly, having the security research community consider public uptake of patches as another approach, right? Okay, that should be part of my internal calculus about how I'm going to engage with this vendor: how is that vendor, how are that vendor's customers going to respond, and how can we as a security community increase that public
awareness as well? So certainly, you know, talk to everyone you know and make sure their shit's up to date. Anything else? That was brief in my remarks; I'm happy to go on for a long, long time. Yes, the danger with bringing in the public... I'm just going to hand this to you. Okay, thank you. The danger with bringing in the public is that anything that could influence their opinion is either something that they can monetize on, like some kind of software liability, if you buy an internet wireless router and a vulnerability is found you get 10% of the money back, or something like a Jeep driven into a ditch or whatever. That is dangerous and gets the
hype going, which would often cause a knee-jerk reaction from legislation, so that's also undesirable. I'm not sure you really want the public kind of pulling this. Or, I'm not saying they need to be pulling it; I said they need to be in the process, because if we don't keep them aware of what's happening when a solution is found or a consensus is reached, how do you then get the public into the game? How many people have cars whose airbags will explode on them, and they aren't bothering to get... But the large majority will never care about security; they only care about usability. It's our responsibility to make it secure by design. And I think one of
the tools we have at our disposal is that we have civil society to play the intermediary, and certainly I've talked with, you know, both consumer groups as well as civil society groups, saying, hey, what do you think about this? The EFF doesn't just care about hackers; they care about everyone on the internet. And I've talked with Kurt about this; he's skeptical but open to it. So I think, you know, that's one other area where we try to engage the public: through the proxies of civil society. Yes. I think also part of it is, as companies hopefully become more transparent, and it's becoming a new normal, hopefully, to disclose
vulnerabilities, it will, I think, over time become a measure of, and you know, you disclose a vulnerability and within X amount of days it's patched, because that is something you can measure from the outside. I think over time that might, you know, become kind of a track record for a company of how secure they are, or how they handle their security. So I'm not saying that this is something that the normal mainstream layman can look at and measure and kind of validate the company, but, you know, at least it's a step closer; it's something that other people or companies maybe can build on top of to make, you know, a smiley, whatever you want to put it on, like, of
the company's security awareness and security responsiveness. It's not something we're going to build today, because it's a very, very new thing for companies to disclose their vulnerabilities and how soon they patch them, but hopefully that is one of the things that can bring the public in. Thank you. Did you have a response? Quickly, I read an interesting blog recently from a German researcher; he's running a pretty big German research company, incidentally the same guy who's hosting the Troopers conference, and he has a large crew researching different devices: cars, medical devices and so on, hypervisors, and they find a lot of vulnerabilities. And he says in his experience over the last five years companies have actually
gotten worse in handling vulnerability disclosure, which is not a very reaffirming thing if he's right. Well, so, yeah, feel free to jump in on that, but I think, while you're saying that, I think there's a lot more complexity, and certainly as companies climb the maturity ladder you would expect a certain U-shaped curve as they go from not being aware at all to being, you know, saying, oh wow, we've got to bring in all these people to make sure that what we're doing is not making things worse. So I was chatting at dinner last night with a vendor who said, you know, listen, go back to, you know, the Heartbleed patches. So we had to release a patch, and then we had to release a patch for the patch; then six months later it happened again, that the first time we tried to fix something it didn't take, we had to update it. Now, if you're developing enterprise soft... if you're developing a cloud product, that's okay, right, you can do it on the fly. If you're developing very large, big-steel enterprise software, that gets a little trickier, and that gets to this notion that it's a very heterogeneous idea. The high-level principles have to find a way to reflect that while still pushing the goal that we have to protect people. So, talking about the principles, and back
to you: you mentioned the security community should be the one driving the change, and you also mentioned that five years from now disclosing vulnerabilities is getting worse and worse, and who is pushing the security community, and who discloses vulnerabilities, is the security community itself. So how would you interpret that, if we're going down and getting worse at disclosing vulnerabilities, we have more vulnerabilities to be disclosed? Transparency seems to be a problem. I actually said that this guy said that over the last five years we had gotten worse in his experience, so we had been getting worse for the last five years in this guy's experience, and I don't know if he's right; it was just an
interesting read. We are now degenerating into doing peer review of hearsay, which is always tricky. Anyway, we have another interesting example: the 0-day from last week, the dyld Mac OS X 0-day. There was, as far as I understand, no real way for that to be disclosed to Apple in a more responsible manner; they're not listening. That's why this conversation has to be with both groups; it can't just be us telling the vendors, get your ship together, because they're not going to do it. And because that's happened, we've had those groups, and similarly the vendors have sat around and said, you know, we need these guys to
get their act in order. It has to be both groups coming together and figuring out what we can do to work together, and that is the kumbaya moment, and it's easy to miss it, but I think that's the tool we have at the moment, and the risks of not doing something are pretty high. So if there's a better way forward, we're all ears. And I think you get the last comment before we wrap up here. I actually have some firsthand experience, because we're one of the companies that also host bug bounty programs, and I think on our platform we have about 10,000 vulnerability reports come in
over time from a couple hundred companies, and we just recently started actually disclosing vulnerabilities, and we're just shy of 50, I think, but a few months ago it was zero, so it's kind of saying, like, it's just getting started, but I think it's slowly getting there. But we also are just discovering more vulnerabilities, I think. And, you know, the final caveat is, of course, and I think Russell likes this as well, as with just about everything in security, data is going to make our lives much, much better, and I know that a number of the companies who are playing the role of middlemen have stepped in on that. There's a young grad
student at Penn State that's been doing some work with HackerOne; I know Berkeley has written a very interesting paper on it. So there's some data that's coming out, and certainly we're reading it viciously. If you have personal experiences, horror stories, words of caution, please get in touch, and we really are very interested in making sure that we can make this work. So thank you for your time. That was wonderful.