
IATC - A Good Day to Die? IoT End of Life - Jessica Wilkerson, Allan Friedman, Karl Grindal, Karim

BSides Las Vegas, 55:04, published 2018-09
About this talk
A Good Day to Die? IoT End of Life - Jessica Wilkerson, Allan Friedman, Karl Grindal, Karim Farhat, Ishan Mehta I Am The Cavalry! BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018
Transcript [en]

So let's go ahead and get started in the I Am The Cavalry track: A Good Day to Die? IoT End of Life, with Jessica Wilkerson, Allan Friedman, Karl Grindal, Karim Farhat and Ishan Mehta. I'm gonna use this one because I don't feel like putting on the other mic. Hi everyone. As probably the only female on this panel, I think it's probably obvious that I am Jessica. I work for Congress. I am an oversight and investigations staffer with the Committee on Energy and Commerce, which essentially means that I don't legislate but I investigate things, and it's very fun. So I'm here specifically to talk about something that my committee recently did. We have been

focused a lot on healthcare cybersecurity, and so what we did a couple months ago, I think at the beginning of April, around then, we put out what we call a request for information, an RFI. We essentially said, hey everyone, we don't know how to solve the legacy technology problem in healthcare, but maybe you do, so write in and tell us how you think we should solve it. It was open to the public, anyone could respond, and, you know, we'll see what we can see, we'll see if there's anything coming out of that. And in this RFI, we got all the responses back, and there wasn't a whole lot of consensus. In fact, I don't think anybody

actually agreed with anybody on almost anything beyond the fact that coordinated disclosure is good. So congratulations everyone, and specifically congratulations to Josh Corman, Beau Woods, Katie Moussouris, a lot of the ambassadors over the years who've really pushed that policy; without them we would not be in the place for everyone to sort of agree that coordinated disclosure is good. Software bill of materials, which everyone should go follow Allan over to wherever BSides or Black Hat is being held and talk about his panel, yeah, the SBOM panel there, everyone sort of said software bill of materials is great and we should do that. But beyond those two things nobody could agree on anything. Nobody could agree on

what it means to be legacy, and nobody could agree on what you should do with it. Nobody could agree on whether or not things should be supported until they're completely out of existence. You know, if a really old piece of technology is still being used in the hospital, does that mean that the manufacturer has to support it? Or if it's 20, 30 years later and the manufacturer never meant for that thing to be in existence for that long, does that mean that they don't have to worry about it anymore? So one of the reasons why this is so critically important to us, to Congress, to my committee in particular: we have jurisdiction over healthcare. It is

one of our jobs to pass laws that deal with healthcare, that help make it better, that help protect patients, whatever the case may be. One of the biggest components of my committee is healthcare and healthcare law, and I think over the past couple of years it's become really clear the healthcare sector is not particularly prepared for cybersecurity incidents. You've got a lot of people in the healthcare sector who still don't understand fully what it means for their sector to be as connected as it is. You know, they know that their devices are... actually, in some cases I don't think they know that their medical devices are connected to the Internet, but even in the cases where

they do, they don't fully understand what that means. That's how we end up with WannaCry in a lot of cases, that's how we wound up with NotPetya, it's how we wound up in a lot of the situations that we've ended up in. And I think what we have started to see from a policy perspective is that this is no longer an IT problem, right? I mean, I think this is probably something that all of you have run into at one point or another, where cybersecurity is the IT director's issue: I'm gonna turn it off and back on again, let's call somebody, maybe they can fix the printer. All of it still gets kind of looped into

that bucket, and nobody really thinks of it at a grand strategic level. And so we have been trying to change that conversation to a certain extent, but it's been difficult, right, because again, what does it mean for something to be end-of-life, what does it mean for something to be legacy? And so in doing this RFI and trying to solicit comment and trying to figure out how we're approaching this, I think the only thing that we have determined is that there is still much to be determined. I know some of the folks on the panel here are going to talk about various issues, but all I can say from the congressional perspective, from my committee's perspective, is

we still don't know what to do. We don't know whether or not there should be guaranteed lifetimes for some of these devices. You know, Microsoft has their habit of: we'll support this OS for five years, and then you can even negotiate with us for longer support. We don't know if there should be a cut-off point of when you can no longer use technology in a given environment. We don't know any of it: registries, all of these things that a lot of these guys are going to talk about. I think so much of this is still so new and so unexplored that we want to be really careful about what Congress does, because Congress and my committee, we

have a lot of outsized influence. I think I told somebody recently that we're akin to an elephant in a china shop, not even a bull; I think we can actually say that we're an elephant. If we pass a law, if we do something and we don't fully understand the consequences of it, we can cause a lot of damage. And so I think what we are desperately trying to do is make sure that we fully understand the problem set before doing anything, because we don't want to break anything, we don't want to make your life harder. I assume many of you are information security professionals, some of you may even work in healthcare, and the last

thing I want to do is add something else to the HIPAA checklist, or add something else... yes, the HIPAA checklist is something that we talk about quite a bit in healthcare cyber, even though I really wish it wasn't. You know, my goal, my committee's goal, is don't make your life more difficult, and in fact, to the extent possible, it's have you tell me what I can do to make your life easier. And so I think that's one of the reasons why I'm really happy to be here. I have been over at the public ground room that they were mentioning over at the Platinum Hotel, trying to give people the opportunity to ask me questions and

figure out how to get involved with us. One of the reasons why I'm very interested to see what the other panelists have to say is because I think we understand that this is a serious problem, but we also understand that trying to do something before we understand what that might mean could have some serious consequences. And if I can just put in a plug at the end of this: the legacy technology one is one that we're gonna be struggling with for a long time, and I need your help. So if you have thoughts on how to fix that, please come help me help you, and help me figure out what to do about it without causing

any issues. So actually I think that's where I'll wrap it up and turn it over to

everybody. Is this working? All right, so we are a team from the Georgia Tech School of Public Policy. Karl and Karim are both PhD students there; I got my master's and got out, now I work in DC. And we've been working in this area for a bit, and we've been working on this project for a few months now. Just to outline our presentation today, we're going to be presenting two slightly related projects which we've been working on. First I'm gonna, you know, do an introduction of what the IoT security problem looks like, then Karl will describe the first project, which is, you know, a standards map; it's a continuation of the work that this

federal agency did, and he's gonna describe what the next steps on that look like. I'm gonna then come in and talk about the collective action problem; I'll explain what that means and why it's a problem for IoT. And Karim is gonna look at the possibility of a registry as one of the alternatives to solving this issue. So very quickly, IoT. I mean, a lot of you have already heard about this, but, you know, it's been bad. IoT, there's a sort of hullabaloo in the media about this: you know, they're stealing your credentials, vacuum cleaners are spying on you with your webcams, washing machines are stealing computer files and our fridges are killing people. So, but I think I

really like the subtext to this headline, which is that lack of clear and transparent policies about software updates makes these devices extremely dangerous, and, you know, regardless of the headline, that is exactly the point. But, you know, the issue with IoT is that it isn't one thing. And so the definition listed up here is what the IETF, which is, not to go into details, but it's a technical body that, you know, makes definitions and protocols about things, and they're like, you can't get broader: a constrained node in a possibly constrained network. And, you know, in these sort of very different domains, people club everything into IoT and come up with these astounding numbers, so

Ericsson has a figure out there that there are supposed to be 30 billion or 50 billion IoT devices in the next five years. The one I put in here is what I think really explains it to us, which is that there are now more IoT devices out in the wild than there are mobile phones. And, you know, imagine the conversations we have around security of mobile phones and compare that to what we have around IoT. And so why IoT security? Like I talked about, this is asymmetrical security between different devices, different domains: healthcare, construction, ICS machines, you know, just day-to-day home Roombas and whatnot. There are these other attack vectors because IoT is more cyber-physical than any other, you know,

traditional computing mechanism we have out there. And end of life is of course a big issue with IoT right now; you don't have all developers and deployers wanting to support devices after, you know, the initial software update. Karl's gonna take over and talk about standards. Yeah, so in trying to understand the landscape in this space, you can use sort of a sectoral model, you know, what are these sectors, but then you can also sort of look at the standards that are being formed. And I'm sort of using that term broadly, because the National Institute of Standards and Technology also uses it in a pretty broad way. So I sort of see there as being these two

subcategories of things that authorities are trying to use to grapple with the problem. You've got protocols on the one hand, a way to set certain rules for endpoints and telecommunication connections, and security controls on the other, security controls being, you know, those guidelines, requirements that you may or may not be required to implement within your company. And the reason I don't believe that those necessarily overlap is that good rules are often technology-neutral, so that you're not needing to update them as the technology changes. So there was a large project that many of you might be familiar with called the NIST Cybersecurity Framework, started in 2014, was just revised in 2018, and the goal of

this government agency was to bring together private sector groups and basically say, you know, you've got SANS 20 on the one hand, which is too short, and then NIST 800-53 with hundreds and hundreds of standards on the other hand, and then say, like, maybe if we picked something in the middle, you know, people would be able to wrap their minds around it. And so they came up with a list of recommendations, and an example here is, if you go to the appendix in this framework report, you get "recovery plans incorporate lessons learned after an incident". So that seems very sensible, you could do that, but then they also did something really

nice and useful, which is they mapped that recommendation to a bunch of other standards: COBIT, ISA, ISO. And so these are, you know, different organizations, either governmental or non-governmental, that produce these kinds of rules and regulations, and while rules and regulations are boring, if you want to change a whole sector, you know, compliance matters. So the NIST framework dealt with network security, but now we're in a world of IoT security, and the question is, you know, what's different? NIST started this second project focused on the status of international cybersecurity standardization for the Internet of Things, and I think they kind of equated two different forms of standards: they had protocols on the one hand, you know,

secure communications, and they had requirements and guidelines on the other. They pulled them all together and they basically just started listing standards, which I thought was really useful, because if they hadn't done it I would have wanted to. And so when I found this long NIST report, called NISTIR, for interagency report, 8200, it has a long appendix with, you know, a couple hundred standards that have been implemented in the IoT space. And so I think it helps to sort of wrap your mind around how this is a large space with lots of actors and there's really no, you know, one dominant player. So these are the standards that they listed, ranked by their frequency,

you know, the number of standards listed in the appendix. You've got some larger players: ISO is the international standards organization, IEEE you all should know, and the IETF, the Internet Engineering Task Force; you know, those are some larger international organizations. But then you've got a ton of commercial collaboration, you know, these non-commercial groups that are professional associations or business consortiums that are all releasing standards and, you know, fighting to get some type of adoption. And then they group these by core areas, and so you can see that there are a ton of standards in the cryptographic space, a lot in network security, and not as many were recorded in the security automation space, not as many were

released in the supply chain risk management space. But just counting standards isn't really a measure of quality, and so they added additional language, this maturity thing. So an approved specification was one; they would also list, you know, market adoption, or, you know, is the standard under revision, is the standard currently being drafted. And I thought that was useful, because if you sort of started assigning a value to those and coding for them, you can then get a sense for the maturity, the average maturity, of the standards in the different categories. And so network security is fairly mature: a lot of standards have been deployed and, at least according to this NIST government agency, they have conformity

testing, they have some type of assessment process that represents, you know, a pretty mature standard. But then there is less maturity in other sectors: cyber incident management for one, security automation for another. And so I modeled out this maturity score by drawing on their appendix and actually got different levels of maturity than they did in the report. And so, I don't know, there might just be a quantitative-qualitative difference here, but it's sort of an interesting question, is, you know, when I ran the math I got something different than their table, but their table didn't explain the methodology for measuring maturity, so who's to say. But there was a comment period, and had I submitted during the comment period,

maybe they would let me know. And so you see, you know, that you can participate in this process. When the government releases these large reports they ask for public comments. Very few people cared about this report, even though it's, you know, the best landscape document on IoT standards released thus far. It came out in February, the comment period ended in April, no one really did anything about it until the last two days, and then, you know, all of these are mostly, like, IoT companies, or, you know, yeah, so these are corporate actors, not technologists. And you or I would be welcome to, you know, read through these documents and provide our comments. I look forward to seeing the

formal version. So as you sort of are tracking the IoT landscape, things I'm excited to do at this next stage is to sort of pull apart this distinction between protocols and security controls, and equating them might be problematic for how we understand the maturity of the IoT landscape. But then also sort of looking at these comparative SDOs, you know, will national agencies like NIST guide this standards-based, you know, standards development, or will it be these non-commercial business consortiums and professional associations? I don't know. I dropped this tiny URL here; this has all my data, so if you want to check it out you can sort of look at that, and feel free to reach out to me, Karl Grindal,

if you have your own thoughts or interest in collaborating on mapping out this IoT landscape space. All right, thanks. All right, so I'm gonna do some econ 101 here, which I think is a change of pace for BSides, but let's go for it. The way, you know, economists like to think of, you know, goods out there, any material consumable by us out there, is that they're either rival or non-rival, excludable or non-excludable. And the Internet is sort of a public good. I say sort of because, for the most part, you don't deny access to the Internet to people; whoever can pay for it can log on, get a connection, and my usage of the Internet

doesn't bother your usage of the Internet, sort of, unless you're on the same BSides Wi-Fi network. But the reason social scientists like to classify these things is because now I can say that, you know, the problem you guys are worrying about, that the Internet has a security problem and nobody's acting on it, well, Aristotle was worried about that too, and people have been talking about this for centuries. So this idea of who governs the commons: how do you figure out, you know, the guy upstream is probably releasing pollutants into the river and you're fishing downstream and you have all this murky water, and somebody bought a router, never changed the default

password, and now it's being used in a DDoS against you. So to frame this: there's this action that is desperately required of somebody to take charge and say that, you know, this is how we fix it. But right now the way incentives are organized, at least in IoT, is that the mantra is cheap and fast, and it's not necessarily secure; like, that's not the advertisement when you see a home security camera or when you see, you know, one of the Roombas, that software updates or patchability, it's usually, you know, fast, easy, clean, that sort of stuff. And so Ostrom, who won a Nobel Prize thinking about collective action and

governing the commons, says that there's like these two things that need to happen before a community or a group of people will say, let's take action, let's govern these commons. And the first thing is that, you know, the new rules people come up with have to be better than the status quo, which I think is very 101: if you come up with a whole excellent system but it doesn't work as well as the prevailing system, nobody's gonna follow. And two is that if you want collective action, and you don't want, you know, top-down regulation, or you don't want siloed, fragmented spheres of IoT, it has to be collective, and for that you would need participatory

rulemaking systems. So me, or anybody on this panel, or anybody in this room, should be able to contribute and organize around that rulemaking system. And how do you do that for IoT? Karim is gonna talk about that. Thank you, Ishan. So following directly from Ishan's train of thought, if we consider security as a sort of a public good, it seems evident from what we're seeing out there that it's being under-provided in the market. But at the same time, the security solution is going to come from industry and market stakeholders. That doesn't mean that it doesn't come with a slew of problems on its own, or that, you know, the NTIA or NIST aren't doing excellent

work in that space already. So there are many proposals, or, like, public policy IoT security frameworks out there already. You know, some people pontificate about cyber hygiene, and we're certainly guilty of that, but there's always a risk there of over-emphasizing the compliance aspect of security instead of doing actual security. I don't know if you guys remember, some years ago there was a big issue with the PCI DSS standards; it was a case of perverse incentives, basically, where the qualified assessors were doing security certification but at the same time selling security consultancy to these people, so there was an obvious conflict of interest there. Senator Mark Warner from Virginia proposed this IoT bill; there was a lot of pushback

from industry, it died in its infancy. Also in 2014, 2014 I believe, there was a supply chain transparency act that suffered the same fate. And there are also a lot of certification schemes out there, but they also run the risk of over-emphasizing the compliance over the security aspect. So we don't want to end up with nothing here, but at the same time something's gotta give. So we were sort of thinking of potential IoT registries, and we're playing very fast and loose with the terminology here; I mean, we could debate what a registry should look like, but we were sort of thinking that it could be defined as any public or private naming system that securely identifies and stores

descriptive device information. And I don't know if anybody recognizes this, but this was a recent proposal by the IETF, which is called the Manufacturer Usage Description model. What I liked about it is that it uses the standardized YANG data modeling pattern here. So what we like to see is stuff like a namespace; this is a URN here, a uniform resource name, which is a persistent identifier, but this could also very well be an ARN, which is what AWS uses. We also like to see when the last update was sent, if the device is currently supported, and what the traffic from the gateway to the IoT device looks like. So

this is sort of a breakdown of the different trust systems that are out there. So in hierarchical governance models, such as DNS and the ICANN regime, you can sort of seed trust from a root authority, say the root zone file, and then you distribute that through RIRs, registrars, etc., ISPs, but there's a central point of failure. On the flip side of the spectrum, when you have, you know, blockchain and Bitcoin, there's no central point of failure. So I will sort of be considering here the pros and cons of different registries, and I was sort of hoping to get a mesh between governance structures of registries and their technological characteristics to see if it could be deployed for IoT effectively,

and if there's anybody that would like to talk to me about this afterwards I would truly appreciate it. So this is very briefly what MUD looks like. As I mentioned before, we really like that it's a lightweight model that standardizes useful device information. It was recently picked up by NIST, who are, I think, either forking it or trying to deploy it, and then an enterprise IoT framework, they're adding a threat signaling server to it. There are also no hardware modifications needed to IoT devices, but on the flip side, the drawback is it doesn't fingerprint legacy devices, and that is a big issue. Also the MUD file, which is a file that contains all the useful IoT device

information, has to be provided bona fide by the manufacturer, and, you know, unless you want to impose onerous regulations that stifle innovation, a lot of the smaller players are not really gonna provide it because they just don't care. So I just included this to give you an idea of what other sorts of registries are out there. Either these are, you know, the classic competition going on right now between AWS and Azure, depending on how I pronounce it, but these two platforms basically, you know, suffer from the same hierarchical trust mechanisms that the others do. So although they offer, you know, different functionalities, they rely on a lot of the same open source code

that a lot of the other platforms use, and they also have some of the same drawbacks. So blockchain, the big hype, right? So how can it solve IoT? So there was this very interesting new concept of a decentralized Internet, I don't know if any of you watch Silicon Valley, but what we really like about this is that they propose a solution to something called Zooko's triangle, named after the creator of Zcash. So naming systems usually have a hard time combining these three properties in a system: security and uniqueness, decentralized trust, and human-readable or memorizable identifiers. As you know, naming systems need to combine context and an object identifier to create an

actual ID for an object or digital asset. So to sum up here some of the challenges: there's not really a space to collaborate, so you might have academics that create, you know, proprietary databases for IoT, you might have private vendors that are just acting out of sheer rational self-interest because of, you know, collective action problems. So we really need to formulate a good public policy framework, but the question is how do we get there. There are a lot of challenges on the global front; there's a sort of, you know, you don't hear a lot about this in the news, but there's a sort of a worldwide division between BRIC countries and the ITU multilateral way

of seeing the world, and the IETF and Internet Society on the other hand. I'm just mentioning in passing that Bob Kahn's Digital Object Architecture, which is really under the ITU's purview right now, is picking up a lot of ground in Russia and China. So this is basically our call to action for the IoT community. Given that this is the I Am The Cavalry panel, this piece is about education and awareness; we really want to get the word out there, we don't want to be inviting onerous regulation, so we better come up with a multi-pronged solution. Thank you, and I'd like to go over our details over a question, but I didn't want to run over time since I see that

we're already 30 minutes in.

Thank you. Have you tried turning it off and on again? So we're gonna wrap up by talking about something that is actually currently underway, and this is not a new idea, but I'm gonna try to convince you of two things: one, that this is the time that we can actually make it work, and second, that this is something that is really helpful for trying to tackle some of the problems that Jessica laid out, of really understanding exactly where and how to prioritize our legacy concerns. So who's heard of software bill of materials? Who's heard of SBOM? Okay, so we'll do a very quick overview. This may come as a surprise to some of you,

but software is not hewn out of alabaster marble by Greek sculptors with little halos over their heads, right? It's assembled out of parts, and some of these are very carefully chosen after weighing options and going to conferences, and some of them are just ripped off whatever you could find on Stack Overflow. And the challenge is actually understanding how what we pick and put in our software affects the users of software. And there are many paths that, when we look forward to figuring out how do we make sure that the devices and the software on those devices is better, there are many paths we have looking forward, but at the very least, let's start with perhaps the lightest

touch possible: knowledge, transparency. How can you be against transparency? It's having a little more information. A software bill of materials is a radical notion that says, hey, when you give me something with software on it, it's helpful to know what are the third-party components that are the building blocks of that software. Are you giving me vulnerable library version old-old, or are you giving me shiny new version new-new? Now there are a bunch of benefits to this. Transparency has a delightful feature, which is often key in promoting better markets: you're someone who's buying software, there are two vendors out there, one of them is willing to show you what the components are, what's their list of

ingredients. The other person is selling you a bag of cookies and says, no no, we don't want to tell you what the ingredients are, but trust us, it's okay, they're all-natural, right? You're going to want to go with someone who has that confidence of transparency. In fact, I'll go you one further: if you have a good process for developing your software, for developing your product, pulling out this list of ingredients is pretty simple; it's actually something that works with a natural process. Heck, GitHub will do it for you automatically, so will Maven, there's an Eclipse plug-in. If you don't have a good process then it's a little harder. So going back to the economics 101, this is what we call an efficient

signal. It's something that, if you look for it in the marketplace, it can be an indicator of quality even if it doesn't mean quality itself. So that gets to the purchasing side, perhaps the area that we think about the most when we think about software bill of materials, or software component transparency; I can't use the term software bill of materials for a couple of reasons. When we think about the value, it's this notion that, hey, the things that used to be secure yesterday may not be secure today. So I go to the store and I don't pay attention to ingredients, I just throw things into my cart and I put them on the shelf, and then Jessica comes over to join my

family for dinner, and Jessica's definitely allergic to peanuts. Now I can do two things: I can call up Nabisco and say, hey, I've got a box of this thing, it was made at this date, are there peanuts in it? Or I could look at the goddamn list of ingredients, right? This is why we have lists of ingredients: it's so that we can decentralize the risk decision-making that comes with consuming delicious tasty treats. Surely we can ask for the same thing in the devices that make our lives richer, better, or in some cases safer and longer. But Allan, you haven't gotten to the legacy question, how do we think about end-of-life? This is perhaps one of the things that I

think is the most powerful, because when we think about how long a device is going to last, we're drifting away from the cameras and the smart doorbells and the thing that feeds my dog and lets me look at pictures of him when I'm traveling to Vegas, and we start drifting into the things that are keeping granny alive and the things that are keeping the lights on, right, the stuff that the Cavalry is here to really focus on. These are things with very long lifespans; they're technology hooked up to either really big pieces of steel or very well engineered pieces of steel. It's all steel. I think it's possible they make devices and cars out of other things

these days; I'm not a... I'm not a materials engineer, I'm on the software side. So underneath the hood we're dependent on all of these components. If you care about the resiliency of your organization, knowing those details is very helpful. Who's heard of left-pad? So left-pad, delightful example of software supply chain. It was one of the simplest functions that you could ever imagine, right: take an array, fill it with zeros that way, sorry, you're facing me, that way, so right-pad it, to the left. Now it turns out there are lots of lazy programmers out there who say, [expletive] it, why should I write code when it's there? That's how we write code, right? We reuse other people's

libraries, code reuse 101 for using software. So it was used in a whole bunch of great projects in the node ecosystem, until one day, and I won't get into this story, but essentially the guy who wrote it, who had a different software package, was offended, they made a decision he didn't like, he took his bat and balls and went home. So that meant every piece of software that used left-pad was calling a function that they couldn't dynamically link to, or rather was calling a function that linked to a function that linked to a function that linked to a function that they could no longer dynamically link to. Whoops, we broke node. So these are the things

that we're caring about what is the long-term stability make a real difference when the community that's maintaining a particular project says we're no longer gonna support single threading right all of the cool new GPUs that are driving our particular project are multi-threading it's a pain in my ass to support single threaded well that dam is hooked up to a couple of chips that I can't really take out right now and they don't support multi-threading so what do I do having that visibility into your system is the ingredients that allows us to start thinking more strategically about when we're going to have to make certain product replacement decisions these are not things that are cheap right the

difference between stuff and web is when you make a mistake in a web platform it's just hey let's commit a change when it's stuff it involves budget and politics and meetings with people like me and Jessica and no one wants that so how do we plan forward one of the keys is going to be having this level of transparency now just a very brief plug for the work we're doing at NTIA the cavalry is actively involved but we need support from you if you're interested there's a very particular discussion and this initiative it's open sorry it's our multi-stakeholder process right it is open it is transparent focused on saying what is a software build materials and how can we all do it

in a similar enough way so that there isn't unique solutions for healthcare and energy and auto and oh by the way the software industry let's try to find a shared way of doing it that meets all of our needs there is a particular group that is focused on the healthcare sector if you were interested in this it's time to get involved the auto sector has expressed some interest in doing this imagine you're a car manufacturer wouldn't it be really nice to know what's in some of the software that you're folding into the electronics that you're shipping in your cars because under American law you're liable for everything that's in your car so it'd be really nice to have

some assurance that it was you know new fresh software there are lots of hurdles here how do we use this information for the best advantage but we're going to tackle those as we understand what transparency looks like so that is my call to action which is hey get involved now I think we're going to have a broader discussion so this is your chance to dive in ask questions of Jessica who can tell you about life on the hill and how to get involved the Georgia Tech team which is doing some great research and may be able to share some insight into perhaps what the academic world is like if you're interested in engaging in that side in

IOT just remember share questions share your new ideas there are no dumb questions there a [ __ ] ton of bad ideas but that's okay we won't judge all right I'm gonna do we have a volunteer who can help with the roving mic hey there's a guy in an orange shirt

Thanks. It's a slight, it's a slight, looking at the challenge and the complexity of what you're trying to do, which is great and amazing: is there a challenge in trying to find the perfect solution, due to the complexity of the challenge, and actually how long will it take to find a perfect solution? Can we get close to a 90% solution or a 95% solution and then go for it, or do you think there is a 100% solution for this across the whole industry, across all the legislation, the whole lot? Can we get there, or are we going to have to go for something slightly shorter than that and do it quicker?

Are you asking this panel's opinion what is the challenge, all of IoT security?

Yeah, well, software bill of materials rolling out, the international impacts of that, the whole lot. It's a big challenge and a big problem space. Finding the perfect solution is going to be really, really difficult across all the different stakeholders. So will we get there, and if we're not going to get there, what does the 90% solution look like?

All right, tell me if this, oh, it is working? Okay, great. I'll take that first. I think, as trite and as clichéd as the saying can sometimes be, don't let the perfect be the enemy of the good, but I think that's gonna be the key here. In software bill of materials we started having this conversation over a year ago, when it was introduced in a big government healthcare report called the Healthcare Industry Task Force report, and one of the biggest roadblocks we initially ran into when we started having this conversation was folks saying, like, "Look, this is so complicated, it is gonna take us so long, we're never gonna be able to figure it out, nobody's ever gonna be able to agree on how we should do this, and so we should just forget about it." And I think our response on SBOM was, that's not acceptable. Being that defeatist about it isn't helpful; we can get there if we try. And so we sort of demanded that the healthcare sector figure it out. We used the power of the congressional letter to essentially tell the Department of Health and Human Services that they didn't have a choice about it anymore, that they were gonna be figuring out how to do software bill of materials, and we looked very much forward to figuring out how they were going to do it. So I think, at least from the congressional perspective, especially trying to be as non-regulatory and collaborative with the industries that we're trying to ultimately help as possible, I think our answer is: look, we from the Energy and Commerce side understand that this is complicated, understand that there's a lot that has to go into this, but the imperative for doing it, that I Am The Cavalry tagline that bits and bytes have met flesh and blood, this is so critically important that you guys are all gonna sit down, you're gonna figure it out, and, you know what, we'll see you when you do. So I don't know if Alan has any other better thoughts.

So who does operational security for an organization? Anyone? Anyone on the front line of their organization? All right, how many of you guys use advanced threat intelligence services, at least two or three different products, three different feeds? It's a pretty rich industry, and yet we still have companies that only use one source of threat intel. My god, don't they care about the children? We have to acknowledge that there is a maturity model, that we have to, you know, say, hey, there are gonna be some folks that are gonna be cutting edge that can use this data today. That's the leading edge. What we did at NTIA is we didn't frame it around "the government has to do it"; we framed this as a market issue. We have supply and demand, so we brought together vendors, software vendors, medical device vendors, you know, industrial control system vendors, and then we put their customers in the room too, the people who buy their products. We brought in banks, hospitals, energy companies, and all of a sudden it stopped being quite so impossible and it started being, well, what would this actually look like? We went from the why to the how. And I'll be honest, I am very skeptical that there are more than a dozen hospitals in America today that could actually use the bill of materials. I'm willing to be told that I'm wrong by the many experts in this room, but we've got that first dozen; they're raring to go. And one of our goals is to make it machine-readable so that we can fold this into products, and we've also worked very hard to make sure that the vulnerability management tool providers could be in the room, right? At the end of the day, the path towards maturity involves automating, folding it into existing products. So you start small, you start making it something that's nice, and then it starts being something that's commonly asked for, and then it becomes a default package, and then maybe, if those bastards up on the Hill want to regulate, we'll let them. Further thoughts?

So, Alan, you mentioned one industry where the end user for this information I think is very well defined, and that'd be more the industrial control system space, where the end users of the technology are large industrial concerns with usually technology teams who might understand software bill of materials. How do you model this in more like the automotive and medical space, where the end users are consumers at large, especially when you get into, say, personal medical devices or implantable medical devices and automobiles, where you have consumers that aren't necessarily technically inclined? What should they do with that information?

If it's a male counterpart, that is a fantastic question, and I think you're dead on. This is not consumer-grade information. I'm going to speak in my personal view now; this is not the view of the United States Department of Commerce or NTIA. I don't believe that the path towards better security relies on empowering consumers. We've been trying it in 20 years, that's not true, 17 years, that the field of usable security has existed as an academic and policy research priority. We have successfully taught the American consumer to do one thing, and who knows what have we taught consumers to learn? We've taught them to look for the little lock icon. We taught them, and they finally learned that lesson exactly as Let's Encrypt pushed to make sure that every single goddamn website, whether it was legitimate or not, whether it was malicious or not, had transport layer security. So now it's a meaningless signal, right? That is our one victory we have; it turns out not terribly useful. So we definitely want to push on the enterprise, where the folks who care about it are.

Let's go back to the broader IT. I don't want to focus this on bill of materials, because I think this is true. I want to also give a shout-out to another project that many in the room worked on through NTIA, which is patching, right? It is one thing to say, "Hey, you're buying a TV, you should make sure that it's patchable," and that patchability should, you know, include some understanding of how long software updates are gonna be available, and also the update process itself should be secure. After all, a patching mechanism is a remote code exploit that you really hope only one party can use, right? So, right, patching is an incredibly dangerous attack surface. Now, oh, I may not be able to do this, and I'm, you know, not the most active guy in the world, but, you know, I've been doing this for a while. Who stayed in a hotel room last night? Who is absolutely confident that the TV in the room was not turned on and listening to you? Today the hotels have a very strong interest in making sure that if there is a security flaw on the things that they have in 10,000 hotel rooms, they can fix it quickly. We need to empower them, because these aren't experts, right? Again, these are still people who buy TVs for a living, not security experts. We need to focus on how to empower those people to ask the right questions. So that was a long way of saying we're going to go with where the levers are. The auto industry is a great example where the end consumer may not be able to use the data today, but the auto manufacturers would love this data today, and so let's promote it and put it in their hands. What happens to it tomorrow, we'll figure out. That's between them and their regulator, right? Doug?

Anymore? Oh yeah, I was just gonna add that in the registry space you can think that there are naming conventions that are known by consumers. You know, IP addresses are kind of known, but a lot of them, if you asked the average person for their computer's MAC address, they would have no idea how to find it. You know, if you think about the IO G's in the IoT standard space, you know, certain ones like Bluetooth or Wi-Fi have been trademarked or branded in a way that consumers can wrap their minds around, but, you know, an IEEE or an IETF standard is not something that a consumer would understand. And so even if the, you know, consumers can still benefit from both standards and registry-based naming conventions that they might not have to interact with.

So I think we have time for one more question. Oh, sorry, can I get one right of reply from a gentleman of the auto sector, and then we'll get one more question?

Thank you. Okay, well, I was gonna ask a question. I was also gonna point out that some vehicles today are actually made without, with, I mean, not just steel. But if you look at the software that's in vehicles today, oftentimes that software was developed five, six, seven years ago. I mean, the car I drive today was built around Windows Vista time, and the software was probably developed at Windows 98 time. So who is, I, so, like, Microsoft is not expected to keep Windows 98 up to date now. How do we do that with IoT products that are going to be used by consumers for 15, 20, 25 years?

I mean, I think, from what I have seen about the legacy technology conversation around the RFI and the software bill of materials conversation that we are starting to have, it's not that we know the answer to that. I mean, that was something that came up in the RFI quite a bit. I think there was one group actually who came out and said that it was their opinion that if there's a medical device, for example, that's still in a hospital, then that manufacturer should have to support it; it doesn't matter how old it is. I think our point was that that's pretty infeasible and that's really gonna stifle a lot of innovation and technological growth. I don't have a good answer for you, unfortunately. I think one of the ways that we're hoping that software bill of materials really affects the ecosystem is that it eventually becomes too publicly embarrassing to put out old software, that people find ways to get at that, so as we continue to cycle legacy devices out, hopefully it becomes sort of too embarrassing to start putting old stuff into the system, into the ecosystem, on a newer basis, and so this problem almost becomes self-correcting as time goes on.

We've got to stop now. 30 seconds. I just wanted to go back to the SBOM train of thought here. So we don't really hear a lot, this is just for the sake of, you know, hearing both sides of the argument here, we didn't hear a lot from the manufacturers' perspective and their reluctance to really implement SBOM. What would you say, Alan, would be, like, the top three ways to address their concerns, and, like, how would they perceive this as a really onerous and, you know, stringent imposition on behalf of government?

So I'm getting penalty time, so first, just make it clear: we are not interested in regulation at the moment; there are others who want to. But the second is context: vulnerability may not mean exploitability, and so we need to find a way to communicate that. But I think we are now well past our time by at least a minute, thanks to the grimace of the gentleman in the shirt. So I want you to hopefully be protecting me, Jessica. [Applause]