
Bill hey Bill good okay folks we're going to get started for this afternoon I would like to introduce Elizabeth Wharton whose uh talk is FAA FTC FCC fired up how three effing agencies are shaping
infosec thanks okay getting used to the mic so I apologize if the volume sounds very loud or not just tell me if you can't hear but as the name and talk suggests we're going to spend the next 25 minutes looking at how the FAA FTC and the FCC three effing agencies are impacting information security and as Mo just said my name is Elizabeth Wharton I'm an attorney who works in transactions and public policy and so I always laugh I am an attorney I am not your attorney uh while again while I'm a lawyer I'm not going to help you solve the mystery of what grits are I'm not going to uh represent you I'm not going to
necessarily talk about youth instead I've been working for the past uh 12 years in both the public policy Arena start off in Washington DC as a legislative aide to a member of Congress from Georgia helping him on technology issues then went to law school and practiced in the information security technology startup space helping companies get off the ground as well as working with the Georgia Tech technology Association of Georgia and serving as a liaison on public policy issues I've also worked in-house with an information security startup that tended to have uh that liked to cause trouble shall we say and worked on getting them out but sorry as we start looking at the Federal
Aviation Administration the Federal Trade Commission and the Federal Communications Commission really why do we why do we care why have they suddenly picked up an interest in information security data privacy and really the best way to say it is they want to be Beltline ballers they want the money they want the fame they want the politics and the power so what exactly does that mean it means big budgets that suddenly information security data privacy are on the forefront of everyone's mind and you're going to see an emerging theme for this the between the agencies it's going to be the information collection the connection to the use and the expectation what is the expectation of privacy safety
security you see this through development disclosure and Direction how are these agencies suddenly coming into the space and impacting the development of both devices as well as software and systems and disclosure how are they changing what is how you disclose and what exactly you are disclosing they also are impacting the direction as where is the direction both information security is going as well as direction of what the agencies themselves are handling and again doing this through the money the fame the politics we're talking big budgets once the FCC announced their net neutrality rules fiscal year 2016 budgets came out after announcing that they were the FCC was going to enter into the uh regulating the broadband internet
service providers including the information security part of it they requested an additional apologies $73 million in their budget for fiscal year 2016 and part of this relates to opening some new offices they've got the uh they're going to have to add the construction costs but at the same time that's a 22% increase in their requested funding you look at the FTC Federal Trade Commission has been very active lately they've requested an additional $16 million for 2000 fiscal year 2016 so all right we see some of the dollars that they're talking about but what are they doing for the F the spotlight suddenly agencies that were overlooked not unless you were in that area that space you didn't pay attention
to them now they're on their front page now they're having hearings now the Commissioners uh for the FCC are Twitter rock stars so to speak they're out there they're promoting themselves whereas before they did not necessarily take quite the headline role then you start to talk about the politics once you get inside the belt line it's all dollars and politics and it's the political power so you have administrations where the Commissioners for example the FAA's uh administrative head he's a political appointee he's appointed for a 5-year term you look at the Federal Trade Commission Commissioners are White House appointees and they start serving uh five excuse me five-year terms with the ft see again all White House
appointees that serve seven-year terms so they're backing policies of the party perhaps that brought them to power well that's great except for the parties change and as they change the missions change and keeping up with that they're also targeting their base so once you start with that understanding that they're talking they're after the money they're after you know the budget battle they're fighting for the same piece of the pie and they're also targeting and going to the methods through which they were appointed you start to get some of the background and before we get too far into the talk wanted to go through and make sure we're all on the same page what we are and what we are not
necessarily going to talk about today so when we talk about uh infosec we're just talking about the data we're talking about uh the personal information but as well as just the information that's being transmitted back and forth it can be anything from we start talking about the FAA the aviation it's a flight data it's that information that's being collected and when we start getting into the FTC and the FCC again it's just that it's not necessarily we're not going to have I'm not going to delve into during this talk the Pol mentioned the political parties we're going to leave the politics aside other than just noting that's what's driving a lot of their actions we're not
necessarily going to get into a big ethical debate for example we start talking about disclosures they are what they are that's another talk another day that requires buy me round of drinks uh when we talk about the FAA keep in mind its core is Aviation we talk about the FTC again its core is trade we talk about and we'll reference and I'll reference it because I do get tripped up between all the effing agencies on which one I'm talking about at a different times so if I mentioned the Trade Commission obviously FTC Communications FCC and if you keep that straight three times in a row you're doing good so okay now that we have a little
bit of the groundwork what we are going to talk about what we're not you got you have to look at each agency from its core what is its Mission what is it out to do what has it been charged with and then how is it implementing that right now so we're going to break down each of the agencies go through those and then talk a little bit about where some of the Battlegrounds are emerging and then what's next and then hopefully if I don't talk too fast or too slow leave time if anyone has any questions we can go through uh for followup so looking at the FAA it's safety its mission is safety in the National airspace that's
it it's not information security safety it's not it is they have been focused up until recently on just the actual aircraft safety they've been looking at for example and tripping over themselves so to speak as they roll out how to implement drones the unmanned aerial systems into the airspace the drones with the little sensors they're collecting all this information all this data that's still in the works but as the GAO released a report back earlier this year you heard about well what about the safety what about all this what about the security of this information the security of the systems the the planes themselves and all of the data that is going back and forth and
again not getting into the ethics of the disclosure stuff but you have security researchers who pointing out that mid-flight I can access you know the systems I can take over this plane well what the FAA is not designed to do and what the GAO report pointed out the FAA is not designed to immediately respond to a security issue on the information security on the data on the system side the FAA knows what to do if there's an issue with the plane's structure uh but for example when Boeing was uh pointed out for the Boeing 787s there's an issue with if they're left running for 287 hours excuse me 287 days without a reboot there's a software
glitch that comes up well there's a reason you don't want to necessarily have to restart the plane systems it takes a long time to power it down to power it back up to go through that so it's reasonable to expect that for 287 days it may not get rebooted well there's a software glitch that can cause a problem with the plane so now the FAA knows about this but they're not equipped to handle it so that's one of the issues they're struggling with because again they're focused on safety not necessarily security and we know it's all ball bearings these days it's all security that every device is connected everything is working together and what's happening to this data so the
FAA's slow approach both with the drones and all that technology was also highlighted by when you have a researcher pointing out that here is a vulnerability here's where I can take over a system here whether legitimately or not the FAA is not prepared to handle malicious actor who's coming in they can handle someone breaking into a cockpit and dealing with it that way we all got search TSA when we came through FAA can you you can deal with that but they don't know what to do when someone calls says hey I have a vulnerability or this information is out there so they don't have this disclosure they don't have a response mechanism and once they've
approved a system once they've approved an airl you know an airplane that's it they've approved it they're not going to require the follow-ups yet so that's one of the issues to keep an eye on how do they work that in because right now you point out a vulnerability and they're just not equipped again handle it then again you also have to look at the data all this data that's being collected when for example the drones the sensors are going overhead who owns that is it FAA responsible for you know do they have oversight no they're not they're not ready to do that they're not prepared to but the problem then becomes how do you secure it because
you're having that information that's coming in so one of the issues with I keep going back to the J the UAS is testing if you're using an FAA approved test site they do have regulations requiring that the data be stored securely after 180 days it gets uh purged and you have to have a a policies mechanism in place so if you're researching and you're doing testing on a test site keep that in mind but similarly for federal agencies back in February the White House issued an executive order that requires for federal agencies using unmanned systems using the drones they have to follow those same rules Sim they have to develop policies for the data security
they have to purge the information after 180 days if it's not tied to an active investigation if you have it has to be data that is reasonably there has to be a reasonable connection and you'll see this theme come up with each of these agencies it's expectation it's the is there a connection what is being collected what is being stored in would you expect this agency to handle this but again when you don't have when you have issues with both the airspace that's one thing but when you start getting into the devices in the airspace we start to move to the Federal Trade Commission because the ftc's job is to protect consumers biology so protect preventing
fraud deception and unfair business practices in the marketplace so again generally speaking they're looking at and under the ftc's authorization act they're look their focus again they're regulating but only so far they're looking at unfair deceptive trade practices so you see what's missing from this security they're looking again at the competition they're not again focused on this so while they've tried and they've been working on it again it's a bit of a stretch no one's sure exactly how they're supposed to enact this and what they've been doing is they've been looking at uh for example they released in January their Internet of Things report looking at development and protection of devices as they're connecting so again
their focus has started shifting a little bit from the safety to the security and by that they're still constrained by the regulations under which the FTC the FTC act so they're having to maneuver within a space for example with their report they've started identifying issues where for example looking to vendors to maintain minimum standards and defense in depth strategy so that you have multi-layers of Defending and again these are just suggestions because how the F FTC excuse me enforce it find and a recall they'll send you a nasty gram letter they'll investigate they will send they may pull a product require you to pull a product off the market but really what are they going to
do they can't force to some extent what's going on so they've asked that uh manufacturers then look at the devices how if you can prevent access to them a process by which to patch through the life cycle of it they've announced a new office that will be looking at research and investigations looking at how technology advances are impacting consumers but one of the questions is do they still have jurisdiction because again they're operating under the guise of the FTC act well that's great except the FTC act expressly prohibits going into uh where the FCC has now come in with their net neutrality and what do I mean by that so what's happened is the common
carriers are expressly excluded from the FTC's jurisdiction well as anyone who may have been watching the news over the last couple months FCC the Communications Commission proposed and finally got through and as of June 12th have gone into effect their net neutrality rules and we'll get into in a second what exactly that means but again look at the FCC's mission because they can only impact what they're doing based on what their expanse of their Authority so with the FCC they're regulating the interstate International Communications via radio television wire satellite and cable again they focusing on the safety or and the ensuring the communications they're not really looking at the security but with the net neutrality
rules they're showing and they've announced couple of the Commissioners have pointed out that they're going to start focusing on security but again this was previously in the FTC's domain in the FTC they were looking at the uh Samsung televisions that were recording conversations that were going on unless you disabled the voice activated uh devices or systems on the televisions well the FTC came and said no there's no that data is being stored somewhere it's not being deleted and consumers don't expect their TV to constantly be recording what they're doing it's and the TVs were set to pick up every conversation that or every voice activated sound that was going on in the room well okay then now you got
the FCC coming in saying we're going to start looking at privacy and security so FTC instigated a $25 million fine against AT&T for call center data and with that they were looking at what again kind of well did you allow access to the systems did you a in that case personal information was allowed to the call center well okay that was transmitting personal information but that's great what about this whole net neutrality thing and it impacts Wireless and fixed broadband service providers what is an ISP pardon my graphic skills but AT&T Verizon Google Fiber Comcast Cox Time Warner if you're providing the services you're an internet service you're Broadband provider and you fall under net neutrality you're not an ISP
if you're Netflix if you're Facebook perhaps Google is a search engine YouTube the vo Services where gets interesting is Facebook announced in the last week that they have drones that are ready to deploy that will be able to provide internet services well by doing so that's going to start putting Facebook as an ISP provider under net neutrality with net neutrality you have to be upfront you have to say these are the pricing policies these are the data speeds this everything we have that you there's no throttling there's no slowing down giving priority but again it's just the internet service providers and it's not it doesn't get to that last little that last mile it also doesn't get to
the edge services so by Facebook operating the drones and then leasing them out does it somehow put them as an ISP provider under net neutrality if you're not an ISP provider you're not Broadband right now as a company you don't care as much about net because it doesn't apply to you as much from someone at home sure it's keep an eye watch your billing make sure that your speeds aren't getting slowed down but that's about all it does well okay but not really because you start getting into a little bit more and you deal with whether there are uh the call data information so what numbers you're calling when you're calling them the under the FCC's rules and under net
neutrality that information you can request that they not store it so every month when your phone bill comes in and it lists out what you were what numbers you called you can request some of that information to be deleted but whether how that impacts with the FTC and the FCC whole another story because again by net neutrality made internet service providers common carriers said we're bringing them back in by making them common carriers it took them out of the F the trade commission's jurisdiction trades commission act expressly says nope we're not uh we cannot we have no authorization over the over common carriers well great so now we know what happens to your call data at the beginning if it's FCC but
what about the data privacy what about the information that's being transmitted and if you're doing research how are you able to then go so really the FAA FTC and FCC essentially aren't equipped to handle what happens when malicious actors when you're doing research and you report something they don't have the response abilities to come in and in the case of the FTC one of the issues they had was they were investigating a privacy breach with uh LabMD LabMD's a vendor came said found 10,000 patient records on the internet they're investigating them they go great but information again came through a vendor through further investigation there's allegations and currently Department of Justice is looking into it the vendor was the one
who actually released the information so you've got that FTC investigation underway a vendor who had legitimate access to the information put the documents leak them online and FTC doesn't have a response mechanism to pull it back LabMD who through members of congressional testimony the investigation it's apparent they actually didn't do anything they were meeting their protocols they were doing what they were supposed to be doing but the problem is they're now out of business uh FTC investigation no way to pull it back no way to handle what happens when someone Lies when someone put that information out there so as a researcher you have to be aware of that and again they're trying to figure
out the plan they're looking into it the FCC FTC are both but the problem is who has jurisdiction what systems you're talking about and being able to adapt to take over and provide disclosure opportunities and fixes so I think we're just about out of time so if anyone has any questions happy to go through anything or highlight talk about it
afterwards yes so if drones are the thing providing service does that mean Facebook is now under FAA rules who knows and that's the problem they're not equipped because the FAA is looking and FAA doesn't have a mechanism to respond to and control the data all they can tell you is well the drone's up there it's in the airspace okay but I can take over I can take over that drone I can crash it don't exactly we'd ask that you not but I can get the data from that and the data I can tell it to pick up additional data please be kind to it and don't do that I mean that's they just don't have
it and they don't know what to do with it and so that it's kind of the Quagmire and why they're not permitting DRS or one of the issues they're dealing with the DRS yes
in order because it's all budgets and it's and that's the problem is everyone says well we're going to do this and the FTC uh I've had the privilege of being on a conference call where we have one of the FTC Commissioners up in arms over the FCC is coming into our data privacy we're going to do we're going to do something about it and that was the that was we're going to look into this we're going to have a study committee well okay um but again if I've done research and I I want to know what what can what can I do can I research this can I look into this and they don't know
it's it's the Gap that they have yet to close it's the mountain they haven't climbed yet is there any existing case law combining boundaries between different agencies when you talk about something like uh SEC is definitely focused on communication well there communication going on uh but I know the FAA also gets some control of communication in respect to airspace um and communication across the the uh for the air the air control set towers and the and systems of that of that nature that are communicating and and and and restricting certain bandwidths that are reserved to them that the FCC has been excluded from and cannot lease out to other places is there any Clarity in the
case law that that helps Define which which agencies should be handling which type of devices a little better and unfortunately with if we think government moves slow case law tend to move slower and so one of the most recent with the FAA or excuse me with the FCC and FCC's fight over common carriers um one of the recent AT&T fines dealt with uh and it was by it was pre-net neutrality so in net neutrality is still being fought out in the court I mean appeals were filed most recently last week this week um yeah and one of the issues was well if you're doing non-common carrier things then do you then fall under the FTC do we still
uphold the FCC's fine against uh and this was another AT&T because they were doing non-common carrier things well the clarification of well you're definitely a common carrier it's still going through the appeals process so right now the fine stands but that's part of the problem is that no one necessarily anticipate well what happens I mean what also happens with the FAA and FCC with the whole battle over uh the Spectrum and where the Spectrum intersects I mean the FCC can't figure out what to do with the Spectrum right now themselves good luck so the court cases again haven't caught up and are still dealing with it