
IATC - We the People: Providing for a 'common defence' with CVD - Cameron Dixon & Matthew Cornelius

BSides Las Vegas · 54:49 · 41 views · Published 2019-10
About this talk
IATC - We the People: Providing for a 'common defence' with CVD - Cameron Dixon & Matthew Cornelius I Am The Cavalry BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019
Transcript [en]

Hi, welcome to BSides. This is "We the People: Providing for a Common Defense with CVD" with Matthew Cornelius and Cameron Dixon. First, we'd like to thank our sponsors; without them this event would not be possible. Before we get started, please make sure your cell phones are off or silent, and toward the end we will be opening it up for questions if there is time. I'll be passing the mic as needed. Without further ado, our speakers.

Thank you, everyone. Thanks, and welcome. Hello, I'm Cameron; this is Matthew. Today we're going to talk about providing for a common defense with coordinated vulnerability disclosure. This is a quote from the preamble, but what we're

really going to talk about, after we take care of some feedback, is: let's make it easier for the public to tell the US government about security issues in our systems, and require agencies to do something about it. That's our aim here. It shouldn't be so hard, we think, and we can solve for this. So it's early in the talk, but it's audience participation time. Has anybody here, by show of hands, ever tried to report something to a government agency? Those who have hands up, good; characterize your experience with a thumbs up, thumbs down, or sideways. I see the guppies in the back with thumbs up, and everybody else saying, "I don't think this works very well." So at

this thing concealer this lights myself

Steady. Thanks, thanks for the help. So as a government official, I appreciate and find deep resonance in the experience of my fellow public servant. That's Wilkie Twycross of the Ministry of Magic; he was the Apparition instructor in 1997 with Harry Potter and his friends at the Hogwarts School of Witchcraft and Wizardry. See, Wilkie told the students that to perform an Apparition, which is where you transport from one place to another without traversing the distance between, you have to focus on the three Ds: that's destination, determination, and deliberation. And in fact, these are the three stages of vulnerability disclosure that you might experience as well. D1 is: where does this go?

D2 is: am I willing to go through the hassle of trying to find the right place to send this? D3 is actually on the recipient's side: do folks go, "Yeah, I'll deliberate about that, I'll think about resolving that"? So like splinching, which also in Harry Potter is a painful experience where upon Apparition you leave an eyebrow or some body part behind, this experience can be really painful. We think that there can be a better way, and we're interested in feedback and thoughts on what we have to share and whether it might work.

So a de facto way for many people to report a security vulnerability is, at the domain, the hostname where you

found something, to send a message to the security@ address. This is not a new concept; at least, you know, in May of 1997 this was in an RFC, standards track, and within the doc it enumerated a set of mailboxes that organizations could maintain and it named their purpose, here "security" for security bulletins and inquiries. You may not know this, but the US government actually publishes the full list of .gov domain names. This is something that is published and updated about once a month on average. So you can see here this list; it's also organized by domain type, so you can see the executive, legislative, and judicial branches. The one here on the screen

is the federal executive, so the federal agencies. There's a full list called "current full" with everything, which includes all state and local domains; if you search for gsa.gov you'll find the full list. So I had a thought about four weeks ago: what if I emailed all the security@s in the federal executive branch? What would happen? Would I get a response? Would I hit bouncebacks? Yeah, auto-replies. So I thought about this and thought that'd be a fun thing to do. So I attempted that. I emailed DOJ, I emailed the IRS, I emailed fruitsandveggiesmatter.gov, this thanks to our friends at the Department of Health and Human Services.

But you know what I saw in response wasn't actually super encouraging. So this is mildly redacted to protect the innocent. You may be aware that at the end of last year and the beginning of this year there was a lapse in appropriations for the federal government. I sent this message in July; I sent the message on July 8th, and I got an auto-reply that indicated that they were still on furlough. So, yeah, we're actually working now, and so there was an appropriation, but that was about a hundred and twelve days past the shutdown that this was still there. Now, to be fair, people are busy; there's no requirement for them to maintain this. But this isn't a great look. I think it

demonstrates an opportunity for us to improve. So I did some math, or at least Google did, and I have some metrics that say about one out of every 100 federal executive branch agencies maintain a security@. This was pretty disappointing; I didn't expect this to be very high, but this didn't help. So again, I'm kind of cheating here: there's no mandate, there's no requirement for people to maintain this, and within federal agencies, unless there's a requirement, people don't usually do it. They could also maintain a different address; they could have a web application for folks to report to. This was just kind of a test, but, yeah, again an opportunity for

us to improve. You talked a little bit about the cyber EO? Sure. So what Cameron has started to lay out for everyone seems like a very safe and interesting story, right? It's like, oh, that seems smart; why aren't people doing that? If they have security@ addresses, why are there not people responding to them? It seems smart that agencies would have a way for you all to communicate whatever you might want to communicate to the agency, and yet here everyone is, not talking about that. So that led Cameron and me down this path to where we are now. But taking a step back to the beginning of this administration, this executive order which came out in May, which we just

refer to as the cyber EO, EO 13800 in government speak, basically set a brand new strategy for how we want to manage risk and manage technology across the federal executive branch enterprise, with a very clear mandate that comes up front, which I don't think a lot of folks would say is inherent in the way this administration operates, which is: the executive branch operates information technology, including all the security, all the procurements, everything else that wraps around how the federal government does technology, on behalf of the American people. Right? We don't do it because agencies like to do it, or because they have appropriations that tell them to do it, or because they like the programs that they have, or because

of what their individual agency missions are; we do what we do to serve you all, the taxpayers, whether you're in information security or you're a doctor or you're an educator or whatever it may be. So if we are doing things that do not, one, provide you benefit and, two, allow you to opine and provide us information and communicate with us in a way that allows us to resolve problems we both agree are worth resolving, we're not doing it right. So it shouldn't have been necessary that there was an executive order that tells us how to do this, but that is the frame under which we're operating right now, which I think both Cam and I would agree, and I hope most of the

folks in the audience would agree, is a smart thing to do, a wise thing to do, and a responsible thing to do. So, show of hands, how many folks came to the DDS presentation at one o'clock with Harlan and everything else? Super cool, right? They gave a lot of great examples; they talked about all the superpowers they have; they talked about the really interesting stuff they're doing inside the Pentagon. Well, Cameron and I, after we just showed you that really nice story of telling you how we operate IT on behalf of the American people, we're now going to tell you how that doesn't happen anywhere outside of the Pentagon. So I know some folks brought

some beers in here, which I think is great, because you're going to need them to see how things are totally different in the space in which we operate. So we're going to paint that picture for you and then tell you what we're trying to do to fix some of those inherent problems and how the executive branch, sort of the non-defense branch of government, operates. Right, so these are the main players in everything. And as someone that works in the Executive Office of the President, and for the record, I don't think I was the email address that Harlan put up this afternoon, but if I am, I need to figure out how you got that presentation cleared. So I do appreciate

that Cameron made the Executive Office of the President the largest symbol over here. We are the most powerful; we do have the most authority on this. We're not saying we're always right about things, but we certainly think we are, and we have both the money and the power to help all these other agencies do stuff. So if you think about it, the EOP, we oversee the budget and the sort of management policy and everything else for all the executive branch agencies, all of whom you see represented in some cases down here. Well, there's three main partners in how we manage IT and information security across the government that also help us do cross-cutting initiatives:

so DHS, where Cameron sits, that focuses on federal cybersecurity; GSA, which is a big technology driver, procurement driver, and they run a lot of federal government-wide sort of technology programs that help us manage IT properly; and then NIST, who you all probably know, who set standards and help us at the EOP level promulgate those standards, sort of push them out through policy across the executive branch. If I can join in, one thing that's crucial to understand is that the individual agencies are the kings and queens of their own castle. So they manage their own infrastructure, they manage their systems; there's not one single Department of

Information Security or Information Systems, and that's a good thing. Each individual agency has their own mission: they protect the environment, they go to space, you know, they provide housing. Each of them maintains those systems, and how they deliver those services and how they secure those services are informed by that mission. And not only is this just how things work, but it's actually the law. So the Federal Information Security Management Act of 2002, or the Modernization Act of 2014, instructs that individual agencies own and manage these systems, and that the Office of Management and Budget performs oversight over federal agency information security practices. So OMB

can issue memoranda, they'll track performance metrics, they'll hold agency heads accountable for this. This is in statute; this is law. We've kind of talked about this as well, but FISMA also gives pretty clear instructions to CISA and to NIST. Where OMB is the oversight arm, we at CISA, the Cybersecurity and Infrastructure Security Agency, via DHS, the Department of Homeland Security, administer the implementation of information security policies. So that maybe sounds like bureaucratese, but we also, in statute, are required to provide technical assistance to agencies. So the statute requires that CISA makes sure that everything that we do is in line with NIST standards and the things that they promulgate, their best

practices as well. Within FISMA, this is an interesting thing: we are given the authority to issue binding operational directives, to basically tell sideways, sister, federal executive branch agencies to do a thing relevant to information security. To date we've issued eight or nine of these; you can go to DHS.gov and all of them are there. You can see what they are, the tasks that are given to agencies, you know, their requirements underneath these directives. So this is weird, because we again are not in a position of authority, you know, hierarchically, over these organizations; we are sister agencies, which is different. OMB, they have kind of a similar authority,

where they can do more things than just information security, but they can issue memoranda. So here's an example from 2015 that was issued that required secure connections, required the federal executive agencies to use HTTPS for all of their internet-facing infrastructure. This is a good thing. So we've built this story because there could be a federal mandate to do coordinated vulnerability disclosure to the federal government better, and that's what we'd like to talk a little bit about. So what might that look like? Well, there's some prior art here within the General Services Administration, which is the most excitingly named organization within the government. There is a sub-

organization called the Technology Transformation Services, and some folks may know 18F, which is top-notch folks who work there. They created the first civilian branch vulnerability disclosure policy; you can search for it, it's a great doc. The intent of a vulnerability disclosure policy is, one, to make it really clear where folks can deliver their findings, but also to grant clear authorization that you are able to take certain actions, and if you do those things in good faith and follow our policy we won't sue you. That protects you, and that provides an incentive for agencies to take action to remediate, to prioritize whatever you have reported versus the seventy other things that they also

have to do. Our friends at the DoD also have a vulnerability disclosure policy, and it's great, good stuff. So there's some pull and pressure there. What if CISA performed a similar role to what DoD does, for executive branch agencies? We want to replicate that success because they've done really great work, but it's important to acknowledge the different legal and organizational operating environments between DoD and CISA, as well as our individual agencies in relationship to the others. So despite the layers of hierarchy between them, ultimately the relationship between the DoD and the individual computers of the Armed Services is one of parent and child. The relationship between CISA and

the systems of my organization, and the systems of the civilian executive branch agencies, is a difference of kind and not degree. So here's my cute kids. CISA is not responsible for the operation and maintenance of individual agency systems; again, we administer the implementation of information security practices, but we don't run those systems, and our relationship is ultimately one of sibling to these agencies. So again, each agency has their own unique mission, and the maintenance of their systems is tied to the delivery of the services that they manage. Ultimately vulnerability remediation is not a different thing from the maintenance of your system, and, effectively as a third party, CISA is not in the best

position to evaluate the severity of a report in order to rank it against the range of priorities that the agency has. They are closest to the care and feeding of that system, and they are in a role where they can provide an immediate response, or much faster than we can, without playing a game of telephone: sending it to us, and us trying to triage it and navigate it. So there's a couple of approaches that could be taken. There are clear benefits of having things be centralized, or kind of the DoD model, where they are the front door, but there's also the standing, you know, way of doing things, and that is

the law, effectively: policy is promulgated centrally between our organizations, but operations occur distributed. So there's opportunity for us to think about how we can get the benefits of the centralized model underneath a mechanism where things are effectively distributed. I think there's a huge value in having, say, a single executive branch VDP, where, you know, anything you find in the federal government, there's one place, there's one policy. The trade-off there is that the distributed way would be that there is, you know, a policy saying that individual agencies must have a VDP. That aligns actually pretty well with what a standard VDP is: the organization who manages their systems promulgates a policy. It would be kind of weird for us

to promulgate a policy for individual agencies when we don't manage those systems. It would be difficult for us to have a defined scope. It'd also be pretty challenging, I think, to be able to say from the get-go, upon issuance of, you know, a directive or a policy, "OK, everything needs to be online." I think having a single, you know, federal VDP is a good goal, and I think that that's something that we can work towards; I think that it would be very difficult and painful immediately. So some of the benefits of that approach are that there's a single point of entry for everybody, for people who want to report vulnerabilities. There's also a

single point of management for DoD in this instance. It provides them a sense of visibility of what's coming in; it allows them to be able to check that the fix actually remediated the flaw that was found; and DoD is actually presently resourced in their environment to do this. The organization that was known as US-CERT, even though the domain still exists, doesn't actually exist anymore. Do they have a security@? No, I didn't get a response from that; got a 550 there. So I think that there is power in trying to figure out a way: how can we do something that gets us the benefits of a

centralized model but still operate in the way that things are going? I would love to be able to say, "Well, let's fix everything first, and then we can make this happen." There's something to be said for just kind of operating in the environment we have and getting little wins and working towards making something better, versus, you know, waiting months and years to try and figure out that great opportunity when we've fixed all the backlog in order to accomplish a goal. What do you have to say about that? Yeah, I think Cameron and I are trying to be realistic about what we're trying to achieve here, right? Like, there's

plenty of times that OMB puts out policy and says agencies shall do X, right? And that's the management side of OMB. So OMB has two big groups, just sort of briefly for folks that are not covering X: the management side, which oversees cross-cutting initiatives throughout the federal executive branch, whether it's technology, financial management, procurement, performance, all this sort of stuff; and then within OMB we're also siloed, because all the folks on the budget side have their own agencies or their own bureaus or everything else that they manage and they oversee the money for. They apportion those funds: Congress gives the executive branch the money, OMB then tells the agencies how

they're allowed to spend that money, and then opens or closes the spigot based on how they do it. So we can do big things, and sometimes OMB puts out large policy that says that all agencies thou shalt do X by Y date, right? And most of the time that happens because we on the management side have won a battle, a bureaucratic battle, inside the agency to do that. But that in no way means that the agency has resources available to actually do what we've told them to do, and then we spend months and years and budget cycles trying to say, "No, no, this is important, because M-16-17 or M-18-14 says that you should do this." But most of

the agencies do not have resources, or it's not really a priority for them. So the other way to go about doing this, which I think is where Cameron and I and our agencies are, which have a history, even though FISMA says OMB does X, DHS does X, we have a history of not working very well together, right? At the macro level, at the political level, OMB wants to do one thing, DHS often wants to do another thing, and it's a more combative relationship than a productive one. So what we are saying is, like, why don't we sort of roll this out through the normal processes and try to get agencies accustomed to all this, right? So

in our 2020 budget, I'm getting really bureaucratic and wonky here, in the 2020 budget we put language in there that basically said some agencies are already moving out on bug bounties, some have already seen successes in implementing their own vulnerability disclosure policies; this is something we should move towards. Then every spring OMB puts out budget guidance that says agencies shall do X with their budgets, and then there's a supplemental that goes along with that to say, as you are preparing your budgets, also put prioritization on these sort of key areas, and a lot of those things align to things like the President's Management Agenda, which you can find at performance.gov. Had to get

my plug in there since I'm here at BSides. But one of those things that we said, which was not attached to any memo or any policy or any budget or anything else we have out there, is agencies should be preparing to resource themselves so that they can run vulnerability disclosure programs and accept, collect, use, and triage and mitigate the reports that they find effectively within the scope of their own resources, their own risk tolerance, everything else. So rather than starting out with a blank sheet of paper that we put a great idea on and say, "Agencies, go do X," we've already started to get them primed for this. So no matter what path we take from a policy

standpoint, no matter what we do from a budget standpoint, agencies should be willing and ready and capable of doing this effectively, because the worst thing that can happen is if we tell agencies to do this, and we publicize it, and we get you all in the information security community super hyped up about it, and then they all just sit on their hands, or they all put up a webpage that gives you another email address that goes into an inbox to nowhere, right? Like, that is the way we shut down all of the goodwill we've tried to build with this community, whether it's the very specific stuff that the Defense Digital Service is doing, whether

it's the broader governmental efforts that we have when we go to RSA or we come here to BSides or Black Hat or DEF CON and try to open ourselves up to all the great work that you're doing. But we've made the choice already as a government that we don't want to spend a lot more money, although Congress has something else to say about that with the new caps deal. So how do we get better, smarter information at less cost, where we're not hiring more federal employees? We allow this community, who cares, who wants to report responsibly and wants to help us fix issues that can have deleterious impacts on the public or on government operations or anything else;

we can do that in an effective, thoughtful manner. Now, it may not be as much as what folks would want if you had total control, if you had that parent-child relationship, but this is still a pretty broad stretch within the constructs we operate in, within FISMA, to actually do this in a thoughtful, responsible way, where we force agencies to build that floor and then give them the ladders, whether it's resources or budgetary authority or our sort of focus on prioritization, to move further faster, and to get to where I think Cameron's going to tell folks we want to be, sort of, going forward. Part of the thing that I think is challenging is that complexity, I think, is the thing that makes security

really hard, besides, you know, people. CISA is presently not resourced and not in a position where we can be the central focal point, and it's not clear to me that a piece of legislation that says "notwithstanding any other provision of law," or even an appropriation of additional funds, addresses the core issue of the inherent complexity of the thing that we have that is FISMA. Is it perfect? Yeah, I don't think so. Could there be improvements there? Yeah, but it's standing law and I don't have any expectation that's going to change. So trying to operate and do good

things within the constructs that we have feels more practical to me than waiting till we fix some of these things. I think that it's possible for us to have our cake and eat it too, or at least to get to that point. So I think that we can achieve some of the benefits that come from a central approach but do so under the norms that the current law creates. Most of the reasons that I think that people want CISA to be a front door for the federal executive agencies, I think, can be addressed in a more meaningful way than CISA immediately being in the middle of the vulnerability reports. I think that there's value in minimizing the number

of layers between the initial reporter and the team that's actually performing remediation; I think that's most likely to result in something speedy and secure. So when people say, "Well, this is the thing that I think will come out of a central source, a central place that we report to": they want to be able to ensure that all agencies have the same vulnerability disclosure policy, particularly with respect to the threat of prosecution. I want that too. I think that what you're really saying there is that you want equivalent protection for researchers across the executive branch. That doesn't necessarily mean that all agencies have the same policy; it means that you can have, you

know, words or words, and we can accomplish the same goal in slightly different ways. You know, I hear some folks say, "Well, let's create a single point of intake, a form, for vulnerability reports." That's like having, you know, a single number like 911, and that's actually not how 911 works. There is one single number, but it works geographically: when you call 911 you don't call Washington, DC, and we don't route your phone call to your state, to your county, and to your city. But having kind of a virtual identifier of 911 is really powerful, and that can occur the same way through a security@, or providing a way for people to find out and discover what

you know: you can unify the mode of discovery even if you don't unify the reporting mechanism. So the other piece I hear people say is, "We want to ensure that all agencies' information systems are covered by the policies." I want that too, but I think that if we do that immediately it would be pretty painful. Let's walk before we force people to sprint. So the other piece that I really want is actually in line with the Vulnerabilities Equities Policy. I think there's a sense that when people are going to report a vulnerability and say, "Agency, I found something, this is a problem," that we then are going to take that thing that you've

reported for defensive purposes and go to an interagency council and say, "Oh, maybe we'll hang on to that and use it for offensive purposes." I think that we can get to a point, and I think it's in line again with what the VEP says, that we would make it very plain that that would not be a thing: that the things that are reported to us would be for remediation, as well as for things that come out of, you know, R&D in the research community. So what might the potential requirements of a potential directive or a memo or a mandate for federal agencies to do some of this better look like? We want to enable them to

be able to receive unsolicited reports. So we could do this a couple of ways. One that we may do is to say you need to set a security contact for each .gov domain. It's interesting: the whole world is running away from WHOIS, but in 2018 the .gov registry made it possible that all .gov domains, not just federal (in fact, 80% of the number of .gov domains are state and local, so they're non-federal), we made it possible so that the individuals can set a public security contact, and it'll show up in WHOIS. So this is pretty powerful. So if you find something on a .gov and there's a

security contact, you should consider reaching out there first. Check, check, check; port 4343; I don't actually know who the security contact is here, Susan. But going back to all my emails, I did kind of cheat again: I didn't check this; I really just wanted to email the security@s. I could have prioritized the addresses that were here, but again, this could be a mandatory thing. We could say you need to have a clearly identifiable security contact for your domain and it needs to be representative; you know, whatever that box hits, the folks who are there ought to be able to triage anything that's on that domain. One of my favorite papers in the last few years is

called "You've Got Vulnerability." So the team evaluated different methods of providing vulnerability notifications. They said, well, do we do it directly to the domain point of contact in WHOIS, do we send it to a national CERT, should we send a long message or a short message, do we send it in English or, based upon the content that's at the hostname, should we try and translate it? And then they compared that with the observed rates of patching after they provided only the notification. Great, great paper. This was my favorite section of the paper: basically it says that, you know, we sent a bunch of data to US-CERT and then we asked other CERTs; they had said

that they were going to send it, you know, but it passed the message... Effectively, sending vulnerability notifications to a central CERT was no better than the control group, and they said that they had better results sending it to the domain points of contact. This was pretty energizing to me and was part of the reason that I had tried to advocate to get .gov to stick domain points of contact back in WHOIS. Great paper. So more potential requirements that this could be: we would instruct agencies to develop and publish a vulnerability disclosure policy. No PDFs; it needs to be on a webpage, it needs to be in text or in HTML. We would instruct them what the policy would look like: we would

say you need to define, at least upon outset, the set of initial systems that are in scope; you would define the types of tests that would be authorized; you would say this is where we're going to receive vulnerability reports, that could be at your security contact, it could be at a platform that you have procured or that you might manage; you are going to commit to a remediation timeline, so, you know, "It is our goal to be able to remediate these in 90 days." Of course this doesn't require people to abide by that, but a pledge to adhere to that timeline, as well as clearly a commitment by the agency to, you know, a

promise not to sue if you abide, in good faith, by the policy that's been outlined. Let me come back real fast to security.txt. But the other thing that could be done is an instruction to tell agencies, "Hey, upon issuance you need to have one system, hostname, you know, an asset, within scope of your VDP," and it needs to increase with some periodicity, and then set a deadline and say within two years' time all of your internet-accessible systems need to be in scope. This is something that could be tracked; you then have a meaningful metric with which you could evaluate where things are being added to the scope. So a couple of interesting

things that could be done with a security.txt file. So here on the screen is Google's security.txt. There's a couple of fields there: let's say, here's our contact, and you can find where their vulnerability disclosure policy is. If we told agencies, instructed them, to put a security.txt in a well-known place, it just provides one more opportunity for folks to be able to find where in the world I send this thing, this problem I found. It also provides a mechanism where we could say, scan these out and be able to follow the vulnerability disclosure policy and check for the scope and do a diff based upon time. So, a quick

analogy: this is actually being done. code.gov, which is a program that the General Services Administration manages; they manage a program that was begun, or at least was pushed along, by the Federal Source Code Policy, which was another memo that came out of OMB. There was an instruction here, down at the bottom, to tell agencies you need to have a code.json, a code inventory that you will manage and maintain; it's gonna go on your agency website. The code.gov folks then scan that out. There's a defined schema that they instruct agencies to use to pull things in, and then it makes it so that people can be able to find code underneath a new top-level

agencies. So you can say, show me all the code that the Department of Homeland Security publishes. This is a project that our team works on to be able to scan out HTTPS within the federal government, and since it's a requirement, we were able to track that. Similarly, maybe there could be, kind of like code.gov, a vulnerability website to make it really easy: you can go to that one place to be able to see it. We'd scan out the, you know, the information and then represent it on a site where you could punch in a hostname and say, is this in scope, what's the point of contact that I

send this to? And that itself could either be the point of reporting or it could just, you know, point you to other places out of band from the site. The out-of-band mechanism may be more beneficial just because it's challenging to stand up a new system; particularly in this instance you'd have to manage the authentication piece. It's just hard to stand up new infrastructure in the US government. So, more potential requirements: none of this matters if the agency doesn't action the finding, so there would be a requirement for them to have handling procedures inside their organization. A lot of that is really influenced by the

norms and the tools available to the organization. This is less a technical problem than it is an organizational one, and I don't think that we can solve it with technology, but by defining these are the things that ought to be in your handling procedures and providing implementation guidance, I think that that's accomplishable. Reporting requirements: I think there's a natural tension. As an enterprise, again, my organization doesn't run or maintain these systems, to say, well, you know, cut us fully off, we don't need to be in the loop. So there could be a function where we would need to receive some kind of a push from agency information security teams to say, well, these are the number

of reports we've seen, these are the ones that are outstanding, you know, that they could try and characterize. In my mind this is the greatest value of having a platform, because then the metrics gathering just becomes a function of people using the system, and I think, again, that's a thing that we could get to. Other things: I do think this is similar to what the UK's NCSC, their National Cyber Security Centre, does. They point people, similar to say, if you find something on a gov.uk system, go find the system owner and tell them, but if they're not responsive or you don't hear back, tell us. I think that's a role that we

could play. You know, again, we can try and do a base level of evaluation and triaging and say, is this real? I think that's powerful, but there's also something to be said for allowing agencies to flex those muscles and be able to experience the process of, like, is this a real thing. Some of those base-level evaluations, like, is this a vulnerability, are things that I am loath to remove from agencies; we want them to have those skills, because it's just part and parcel of working in security. I mentioned, I think that in any kind of a direction we would try and be as clear as possible and offer them, there's, you know,

there's great prior art here. Not only are there great vulnerability disclosure policies within the government and external, but there are great guides talking about how to manage programs like this; there are ISO standards that exist that we could point agencies to as well in this guidance. I also think we would be really clear to disambiguate that, hey, a vulnerability disclosure policy is not a bug bounty. An individual agency could choose to incentivize on particular systems or on other sets of data; this, I think, would be something separate from that. I don't think it would prohibit it, but it wouldn't make it mandatory either. So, like learning to operate, I think there's a high likelihood that this is

going to be painful for agencies as they try and figure this out, and I think it's incumbent upon us to try and better defend the American people's information. My favorite thing to tell federal agency CIOs and CISOs: I don't care about your agency, I don't care about your security, I care about the citizens who are required to put things in your system. That is energizing to me and that's what motivates me. I think that there's something to be said for the US government trying to approach information security practitioners and trying to tell folks how to do their job when our house is clearly not in order, so we lack credibility in trying to direct or

instruct or say you should do it this way when there's a lot more that we can do on our side. And I think if we can demonstrate some heightened confidence, I think that then will be an invite to you, not just because we're the government but because there's some demonstrated confidence there. So the aim here is to try and improve things. I have a sense that we're pretty close on some of these things, and there will be opportunities to provide more formal comment and direction and feedback, but we're here and we're happy to take any questions, and we'd love to hear big feedback and concerns from you all. We're trying to act in good faith and

recognize the different incentives that individual agencies labor under while trying to push them along to do things that are, like, they're not necessarily complicated, but they are hard for these agencies. You know, that's all we have. Thanks for hearing us out. Our email addresses are on the screen; send us an email, we're happy to take comments and questions. Thanks. [Applause]

If anyone has questions... So, knowing and understanding that there's a couple of micro agencies out there that have very small shops, have you guys done any sort of research as to, like, starting up a vulnerability disclosure program, the kind of flow of input that's gonna be coming from the community,

because when you think about it, we've got the whole world, right? The whole world could be looking into your vulnerability disclosure program, could be submitting findings. So have you done any research to kind of look at whether it's gonna be a fire hose, even if it's just one system, like, on average, what that kind of looks like for a paper shop? Yeah, so we're very cognizant that the Marine Mammal Commission doesn't have the same kind of resources as the Pentagon. We always crack on the Marine Mammal Commission; if you're a government dork, you know, great people, great people, and we all care about the government. But no,

it's a real concern. And so part of what we've thought about and sort of socialized internally is, well, we can require all the CFO Act agencies, the 24 largest federal agencies, to do this, and then sort of work with, there is, like, a small agency CISO council, sort of an information security council that works across these issues and provides recommendations on how to address their particular issues. I can't imagine that we would force the smallest agencies, who have one person that is both their CIO, their CISO, their chief data officer, the other chiefs that either Congress or OMB has told them to make; they're basically just one person or only two people, right? So we can't do

that. But another thing that Cameron and I have discussed, and our agencies have discussed, is what if you make DHS, what if you make them the entity to receive that information on behalf of the smalls and try to work across them, right? There should be a similar way to report that, or the smalls can say, like, hey, yeah, here's our vulnerability disclosure policy, report it to these people, like, we are not gonna be able to deal with that based on our sort of budget and everything else, but we understand that this is important and we hear you. We just want to make sure that whatever agency is doing this, that they

provide a good sort of citizen experience to the community that's trying to report, right? That's one of the things that this administration cares an awful lot about; it goes back to EO 13800, right? We operate sort of information technology on behalf of the American people, right? So we want to make sure that no matter what experience you have, if you find information, if you want to report it to us, we accept it and we try to work with it, right, and put it in our workflow and make sure that we mitigate those issues or address any vulnerability, with respect to the tons of other things that agency sort of IT and

information security shops have to deal with. But it is one of the problems we have to solve for, whether we just sort of stay silent, whether we provide additional resources to those folks, whether we try to come up with some sort of hybrid approach. It's messy and it's hard, but they're a massive attack vector, right? They don't have as much time to put in that folks in much larger agencies with massive budgets are able to accomplish. I'll give comments: well, I think that there can be some targeting with any kind of a directive or a mandate. You know, I don't see any reason, you know, CISA's willing, for individual smaller

agencies to have their security contact be us. You know, that seems like something that could be negotiated and worked out, but I think, particularly for, like, the larger agencies, these are competencies that we want them to have and that they should be able to maintain and manage. All right. Yeah, thank you for giving this talk and pushing this forward. So one question I had is, what about the state and local governments? Because given, like, the distributed nature of that, we can't just go and push vulnerability disclosure onto all of them, but at the same time having each of them individually create a VDP might get really messy, especially for some of the, say, local governments that have less

resources and, given, like, all the attacks we're seeing targeting these smaller localities, what can we do to, say, provide resources or make it easier for them to work with this community to receive reports? So, in our brand of federalism, you know, they maintain sovereignty, so there wouldn't be a force here. I think that there can be opportunity for a federal site to provide additional services. So one idea, you know, it makes a lot of sense to me that the .gov registry is available to US-based government organizations; why not send these reports directly to .gov, and they could triage that, or they could triage it on their behalf, or they may not

triage, but they can ensure to pass them to the technical contacts at a state and local government. You know, that could be a thing that would be meaningful. But I think also, the more that we're able to demonstrate as a federal government, like, hey, these things are doable, we can accomplish these things, and show states and locals how to do it, give them good feedback, show them some of the lessons learned, give them, you know, what we did but present it on a smaller scale, I think that they'll be able to learn from that as well. Yeah, it's hard. Like, these policy authorities are just federal, like, federal executive branch, right? Like, there are things that we do

that have knock-on effects, whether intended or unintended, all the way down to state and locals, but there's no way we would force them to do that. But if they're competent, capable, and can use all the ISO standards and use the VDPs already published publicly, or other work that they see from the federal agencies, and do it in a way that makes sense for them, as an entity, you know, we would support that and provide guidance and support and be willing to listen and help them however we can. The other piece that I just recalled is that on the .gov registry site there are some domain security best practices, and it does include some resources about VDP in

there. So I think just by letting people know that this is a thing, it can be pretty powerful too. All right. I'm torn between showing severe gratitude and empathy and also playing a cynic, so, one question on the first. I mean, I love what I've heard; I want to listen to it again, watch the recording, see the slides, because you have taken some nuanced approaches to maybe take a bite of the elephant one bite at a time. The cynic in me says, I mean, some of us were involved in the NTIA multi-stakeholder process that wrote the template. I ran that, I wrote

the first draft template; we argued about it for a year. It was meant to be brain-dead simple, and the scope, the throttle, was really what's your initial scope. The first phrase was "initial scope," so it could just be your top-level domain. I mean, I got a lot of guff from the hacker community saying crawl's too slow, right? And if I want to put my cynical hat on, this is a crawl to a crawl to a crawl, and how could we go faster? So later in the presentation I felt less anxious about that, but there may be some things like, you know, the requirement could be something, for

example, I want to workshop it on the fly, but it could be something like every agency has to do a pilot using this template and report back your metrics, like, kind of like, I think you were almost going where my brain went, so maybe some hallway conversation. But a lot of folks do want to get to the more advanced cases, and it's not even a burden, and I almost wondered if we were implicitly assuming this is a burden. I instituted one of these in my private sector job. I just picked one product and I kept it real narrow. You could do a pilot for a short amount of time; I did it perpetual, but what it showed the

teams was, oh wait, we've got a flaw in our SDLC, can we improve that? What kind of moves can we make further left in the process so we don't have these expensive things? How much worse would this have been if it was an adversary that found this? So it stimulates a lot of positive feedback loops. It could also be pressure on your suppliers or your government contractors that weren't doing a good job. So it's not always a bad experience. The idea of a pilot is you start small, start early, and then iterate. And, you know, one of our mottos in the Cavalry track where you are is "safer sooner together"; part of that is the sooner. So I'm all for what

bold action can we take, even if it's tiny or time-bound or scoped narrowly, and that's where I want to press on this. I totally understand the constraints you typically have; we also want to get to the point where we're at least starting the journey so that we can accelerate the pace later. Yeah, a great question, and I totally agree. As someone that has been in the government for many years and is still not a cynic, it's easy to get cynical, but I try to be positive, at least in this respect. If you've ever seen me in a working environment, I would seem to be the most negative person, with all the four-letter words that are out there.

No, I totally agree, and it's because of the work. This just goes to show you how slow the sort of government operates, right? If anybody saw Alan Friedman's presentation yesterday... sorry, I forgot, multistakeholderism. Yeah, I forgot my gold jacket; it was perfect. Yeah, I didn't really go with the preppy outfit. The work that Alan talked about on the SBOM stuff, we're not gonna see any real output on that for a year, two years, three years, four years. That's just the way the system operates, and you can press in certain places, but for what Cameron and I want to see happen, like, we want... oh no, no, no, let him

go before you come back. Like, that's what it's about, right? In fact, I almost find it comical, and sort of weird in a way, that all that work that happened on the ISO standards and everything else four years ago, that it's not already federal policy, right? We should have done this two years, three years ago, right? An agency should already be sort of standing up and walking now, right? But when that happened you have a new election, a new administration, a new set of priorities, and a new concept on budget and agency responsibilities and everything else. So the things that seem, like, intrinsically easy and doable in the community when we're out here speaking with you,

once it gets put inside the grinder, not just inside my organ... sorry, my organization, or Cameron's, or the agencies out there, it's always a lot harder than folks imagined, which is why, like, we come to events like this and we do this work, recognizing that, yes, we know we're behind the ball; we want to start the ball rolling and then have you come help push as fast as you can, right? There's some stuff we can do inside, but it's only when you build up a lot of capacity or a lot of influence from the outside that this happens. And if we don't do it, and I know we've got some representatives from

the legislative branch in here, we're gonna get laws from Congress that tell us to do things in a very specific way, which may be totally orthogonal or antagonistic to what the community wants to see happen, and agencies will do it in a very ham-handed, backwards way. I mean, there was a bill passed at the end of the last Congress that has a particular agency who's forced to write a vulnerability disclosure policy and to run a bug bounty, and I'm not gonna name names; it's not Cameron's, but it's another one. But I still remember the first conversation we had with the office that was gonna be responsible for doing that,

and they're like, we don't want to do this, this is nonsense, we all know about that stuff, I've got pen tests that tell me everything I need, I've got more vulnerabilities than I've got money to deal with, right? So you can see the sort of institutional issues that we're dealing with. And, you know, in some cases I think it's a perfectly viable approach for OMB to come in and sort of say, this is now "you shall do." Like, after the OPM breach, the government sort of closed in, right? Decision-making got very close; like, everything was run out of the White House, everything was security first at all times, like, everything down, period, we're in control, agencies, you

don't make your own decisions. This administration, to its credit, I think has actually given a lot more trust back to agencies, right? It's more focused on sort of mission and service delivery and citizen services, but there's still these very important sort of baseline capabilities or baseline programs that still need to happen regardless, right? So Cameron and I are fighting this sort of fundamental tension in sort of where the government as an executive branch entity is operating now, and the other sort of external constraints, be it from industry, from the information security community, from Congress, everything else, are forcing us to make decisions. But it's... I know it's not satisfactory to answer in this way, Josh, but it's

because of all that work that was started two years ago, that community building, that we're getting to where we are now. And then if it gets in and it gets institutionalized and it works and it's better than the stuff we have, like, you know, the crazy amount of FISMA reporting we do every quarter and the yearly IG assessments that, as soon as they're issued to agencies, they start audits all over again so the CISO can't fix anything, then the IG says... if this works and we get better outcomes at lower cost, we can reduce a lot of the other stuff we're doing that's not nearly as important and is not driving real outcomes, right? So I wish it wasn't so

much a process, but, you know, I'm a bureaucrat by trade, in case anyone couldn't tell that. But, like, being inside and fighting those battles and trying to force them to do this, like, it's not sexy, it's not fun, it's not easy, but it's worthwhile, and it will never be enough for you all. But, like, the part is we have to keep coming out here, we have to keep learning more, we have to keep figuring out newer and creative ways to make that happen inside government, because it's the right thing to do, and it shouldn't be the fact that OMB or Cameron's CISA has to tell agencies to do it; they should be

picking it up themselves, but when they're not, we have to be the force that kind of helps push them in a better direction. Three quick thoughts. So, on home.dotgov.gov, that's a lot of dots, and gosh, I mean, if you go there and you go to the domain security best practices, the NTIA's work is cited there. It's great; people should read it and people should use that. We may point people in the direction of that template. Number two, the more that you all talk and blog and write and say, why isn't this problem solved, the more ammunition that we have at our agencies to be able to say, hey, look, it's not just us

inside. So, like, do more of that, please, and thank you for the work that you do. I threw up in the talk several, like, nominal timelines of, you know, 90 days and two years; those are all pretty hand-wavy at this point, so it's not fair to say those are the right timelines. I would love to move much faster and say, you know, you need to do this in a year. One of the directives that we issued in late 2017 required agencies to double down on the HTTPS mandate, because we could tell the agencies weren't doing it, but also instructed them, you need to authenticate your email, you need to get to a point where, at your

domain, at the top, at the second-level domain, you get to a DMARC policy of reject, and we gave them a year to do that. That was pretty painful for them, and lots of outsiders said you'll never get there, and we didn't get to a hundred percent, but we went from about two percent to about eighty-seven percent, and that's a huge win. And so, like, being aggressive and setting some timelines... a dear colleague of mine once said that bureaucracies, just like humans, need deadlines. So setting a line in the sand and saying this is what you need to get towards allows for some organizational inertia to move in the right direction. OK, I

think we ran out of time. Thank you to our speakers. Really good talk, thank you. [Applause]
