
We can get started. Welcome to BSides Las Vegas, I Am The Cavalry track. This is Feds Heart Hackers with Alan Friedman, who said he was a failed academic who went into government, and then we have Suzanne Schwartz and Jessica Wilkerson still with us, and Beau Woods still with us. If you have a cell phone, please mute or turn off the cell phone so we don't annoy all the people around you. These talks are being recorded, so if you have a question please raise your hand and we'll bring the handheld mic over for you so that everybody on the whole internet gets to hear your wonderful thoughts. And of course we need to thank our sponsors, and our stellar sponsors: our bear spray pro tip, Tenable, Amazon and Source of Knowledge. And with that, welcome our speakers.

All right, welcome back. We've got a very good, very distinguished panel of folks here from the government. The title of this session is called Feds Heart Hackers, and I think in the last session we saw that at least one Fed hearts hackers. In this one we will see that many, many more Feds heart hackers, and they represent very diverse groups, very diverse perspectives and points of view, and yet all of them have been intimately involved, and there's several other people in the room who have been intimately involved, in hearting a hacker or hugging a hacker and getting more of the security research community ethos, ideas and people into some of the discussions that intimately affect national security and the US economy through cybersecurity. So I'll ask each of the panelists to very briefly introduce themselves for the new group and the new session, because they won't have heard your voices yet before, maybe. And maybe we'll start with Alan down on the end, standing in the back because we ran out of chairs for this thing, because he loved it so much. I think it's fantastic that we have so many people in the session that we stole chairs from the panel so that the audience can sit. I think that's the way it should be.

My name is Alan. I used to do crypto; I wasn't very good at it. I got a PhD in applied economics; I wasn't very good at that. I postdoc'd and thought about computational modeling; I wasn't very good at that. When you're mediocre at that many things you end up in Washington, DC, and so after spending time bouncing around think-tank land and universities I got suckered, I mean convinced, into joining government. So I work for NTIA, which is the National Telecommunications and Information Administration. We're part of the Department of Commerce. We are the president's advisor on Internet policy. If anyone has heard of ICANN, we were involved in stabilizing global Internet governance, but we also think a lot about basically creating a free, open and trustworthy Internet that is stable and sustainable moving forward, and so the work we do at NTIA is to promote an overall trusted digital ecosystem. Thank you.

And I am Suzanne Schwartz from the FDA. I first of all want to say that I have the great privilege of working with both folks on either side of me, as well as with I Am The Cavalry. I am a physician by training. I came to the FDA in 2010; it'll be seven years in October. And one might ask, what is a clinician doing in the area of medical device cybersecurity, or how did I get into that? First of all, I am the Associate Director for Science and Strategic Partnerships at the Center
for Devices and Radiological Health. For those of you who may not be familiar with FDA, FDA has multiple centers, and specifically multiple product centers. Of the different medical product centers, the Center for Devices is the center that is responsible for overseeing and regulating medical devices, and through a very interesting, somewhat circuitous way I became involved in medical device cybersecurity as part of my larger portfolio. It has been a very exciting, challenging journey, and one which I think Jessica, in her earlier remarks in the previous session, you really teed us up well, okay, for a lot of the work that we've been doing, which really speaks to these themes of really trying to promote collaboration, incentivize, and bring, thank you, and bring stakeholders to the table so that all the voices can be heard, in terms of really bringing expertise: technical expertise, subject-matter expertise, clinical expertise, security expertise, policy expertise, everything together as part of solving what is a collective, very, very challenging problem.

Yeah, so I think, like Alan and Suzanne said, I have the immense privilege of working with them recklessly on these issues. Part of it is because they both fall under my committee's jurisdiction, which is very fun, but part of it is just that, you know, they're amazing people doing amazing things, and I rely pretty heavily on the work that they're doing to be able to do mine. So my name is Jessica Wilkerson. For those of you who were not here for the previous panel, I work on the House Committee on Energy and Commerce covering our cybersecurity portfolio. So for those of you who don't know, House Energy and Commerce has one of the largest jurisdictions in the United States Congress. We oversee healthcare, energy, telecommunications, commercial issues; it's, I mean, almost anything you can think of, we probably have some hook into. It's fun, but it also means that every time there's a cybersecurity issue in just about anything, I get a panicked phone call or email. And so, you know, I think we've been talking about the collaboration between, you know, the research community and technical issues in industry and government, and I think one of the things that I would use to kick off the panel for me, you know, when I was saying that I get a panicked phone call or panicked email every time a big cybersecurity issue happens, my response is always two things: who's the government agency I need to call, and who's the security researcher expert who knows the most about this issue? They're my first two calls, and then I go out from there. So you know, that for me is one of the biggest components of why I'm here and talking about this topic.

All right, great, thank you. So I do have the privilege of having three awesome teammates here with me. Then, I think, Alan, we've known each other for many years, before I came to DC. Suzanne, you and I met at the Atlantic Council, at a Council event in 2015, I think; this was maybe even before lunch, yeah, yeah. And then Jessica and I met a couple of years ago. And throughout the last few years, certainly on the Cavalry journey but even preceding it, they've done tremendous work helping to bring security researchers into government and have their voices be heard in some of those discussions where traditionally we haven't had a place at the table. And under the principle of least governance is best governance, or the government that governs least governs best, I want these three to have an active discussion and talk about some of their journey, kind of finding out that security researchers were friends, not adversaries, to some of their work in government, and what the transition has been like over the past few years. So I don't know who wants to start first, but I'll just throw it over to the three of you.

So it has been a very interesting journey, and we've learned a lot at the FDA, and really, broadly speaking, within our entire healthcare community, because if you go back even to 2013, in that timeframe, the medical device industry and the healthcare delivery organizations as well really were just beginning to start to see a lot of the concerns
emerge around security of medical devices, and on many fronts this was really kind of a wake-up call, not just to the community, you know, to all of the users of devices, whether they're again within hospitals as well as the manufacturing side, but for the FDA also. Devices have been notoriously, as they're regulated, they're regulated for what's considered to be safety and effectiveness, and the very notion that one might be able to exploit a device and as a result of that cause some kind of potential consequence, whether it's a patient safety harm or otherwise, the very idea of wrapping one's head around that possibility was very, very, very difficult for, I think, folks who work within the healthcare sector to begin with, a sector that was very much driven by this idea of helping the public, benefiting the public; who would ever do such a thing? So yeah, to start with there was a need for a significant culture shift that would need to occur, and in order to get to that place you really had to start with creating a better and a very basic understanding, a foundational understanding, of what exists, first of all, you know, within the broader universe: what researchers have been able to identify, what's happening well outside of healthcare, how do we need to really understand or think about things differently. And this comes back down to not viewing each other as adversaries, and it's not just merely adversaries, I guess, you know, among researchers and manufacturers, but frankly speaking what we were seeing at the agency was a lot of tension between healthcare organizations and manufacturers as well. And so there's a lot of conflict and a lot of really needing to bring all of the stakeholders to the table to recognize, to discuss: what are the pain points, what are the challenges we're seeing, how can we as a community, that kind of collaborative collective, come together? But it is through being able to articulate what are the issues that one is seeing, and how are we going to get to a point of being able to kind of parse out, you know, and analyze these problem sets and get to a place that is going to be a much more satisfactory, a much more mature place. So, in a too-long-winded answer, but in this journey over the past few years a lot of what we've been doing is being able to draw in the community. It is that convening power. So as a regulatory agency, we don't only regulate; actually, most of what we end up doing that is probably powerful is in terms of really bringing people together and convening through public workshops, public meetings, other kinds of roundtable discussions, and summits as well, to get expertise, to get perspective, and I think that that's an important word to use here as well, to understand what is it like to be standing in the other stakeholder's shoes and have to deal with what it is that they're dealing with, and how do we learn together. So a lot of it has been a learning journey for all of us, to the extent that I think I said this perhaps even last year, although when I was here last year our postmarket guidance wasn't finalized; now it is. But I don't think our guidance would be as robust as it is had it not been for the fact that we really needed to, it was important for us to, bring together all the diverse members of the community, all the different stakeholders, in terms of informing what would be appropriate as approaches, what might not work, what is feasible, what's not feasible, what might be a better way to go. And it was through that collective, and being able to take into account a lot of that counsel, that I think we're in a better place than we were a year ago.

So Suzanne used the word stakeholder and a duck dropped out of the ceiling. So you talk about the role of convening, and of course Jessica talked a lot about that on the last panel, and that is in fact the primary tool that we have at NTIA. We are not a regulator. The Department of Commerce, uh,
joined the Department of Commerce and said proudly, we're not a regulator, and then Wassenaar happened. So let's leave export control aside, and also we regulate fish, but other than fish and dual-use technology we're not a regulator, and we like it when markets work, and a lot of our mission is to say, hey, when there are flaws in the market, what can we do to bring them on track? And may I talk for a moment about the work that you've done, just because I think it was very relevant to what Ali said this morning about economics and thinking about the overall system, which is what I love about the FDA as a regulator. We don't hate regulators, we just, uh, regulation, but we love our friendly regulators. And I think what the FDA did is they reframed the problem to make security the easy and positive direction from an incentives perspective, and I just love this approach. Rather than security being something that we impose, you must do this, you think about, you know, compliance, everyone loves compliance in this room, right? They basically said, listen, we're going to do two things. One, we're going to treat safety and security, we're gonna draw a distinction between them, and I'll let you talk more about that, but saying if there is a security flaw and you've already built an organization that can fix it, and then you fix it, it's not quite a get-out-of-jail-free card, but it's pretty close. From a lawyer's perspective, right, your risk officer will treat it as a get-out-of-jail-free card, and so it really aligns all the incentives: let me start thinking about security now, because if or when something happens, I know that it's going to go better. And it communicates at a very high level, and a lot of what we try to do at NTIA is to understand what that dynamic is. You can't impose security, right? The beatings will continue until the code quality improves is not something that really flows in a lot of directions, and even if we are going to use very strong incentives, positive or negative, a lot of what makes policy effective is to make the right thing to do the easiest thing to do, and it's to enable the people whose behavior we're trying to change to do the right thing. So we talked about convening. A couple of years ago when I joined government, one of the first issues I wanted to tackle was disclosure. This has been a fight that the security community has been having for 20 years. I think when I announced that the US government wanted to look at this I gave a couple of people in this room PTSD. Some of them were very, very patient, some of them not, but most of them were very, very patient and said, hey, it's very clear, here's what to avoid. I had to work very hard to convince my colleagues in government that we wanted to avoid the term best practices for this particular issue, but I think that's a responsible disclosure, we tried to, who knew that hackers believed in political correctness when it came to their words, right? We try to avoid responsible disclosure; now it's coordinated disclosure. We framed it around collaboration, but it was this convening that I think was really important, of bringing companies that had been fighting with hackers for a while into the same room as the hackers, and both of their initial response was to yell at me, which I think helped create, I think, the other thing: a common bond. Both of them hated me, and then they found other things that they had in common with, just, you know, we all do really want to end up in the same place of having better security. And once you can have everyone come to the table and admit that, or, you know what, they don't even have to admit it, you just have to get them to claim it, and then you assume that what they said in good faith they actually said in good faith, and so of course you want to do this, right? Well, we said that we have to, and so now you're all heading in the same direction, and from then it's hard work to find compromises. No one's going to get everything they want, and the trick is to help everyone understand that moving forward is better than not moving forward. And that's where it's really good for me to have regulators and have Congress, because I get to say, for this issue we're talking about, whether it's botnets or IoT security or vulnerability disclosure, come talk in this room and we'll find voluntary solutions that work for most of us, because if we don't, someone with a big stick is gonna come asking questions. And that means that I can say, listen, lobbyists, send me your engineer now, because otherwise you're going to have to explain to your vice president or your CEO why they're talking to Jessica's committee. So there is a lot of
really powerful use in collaboration.

So I'm gonna take a slightly different tack. These guys, I think, all of their points are incredibly well made. Like I think I said at the beginning of this, I rely pretty heavily on what each of them has done. When we started doing the committee's coordinated disclosure work, the first thing I did, or, right, maybe it was the fifth, it was me, at the top, was call Alan and say, hey Alan, I don't want to duplicate what you're doing, let's make sure we're working together on this. But I think the way that my relationship, and therefore my committee's relationship, with the research community has evolved was, I just got frustrated. You know, I came to Congress four years ago. I started out pretty much answering mail, answering phones, and then because I had a big tech background in computer science and mathematics I kind of worked my way up from there. But when I actually started to get into the meat of the policy issues, what I realized is that Congress's big power, when we come to start looking at different policy issues, is to call other people. We call other experts, we say, hey, we're relatively clueless on this, because nobody really expects Congress to be the expert, tell us what we should do. So we'd have an auto cybersecurity issue, and the advice that I would get from folks on my committee who'd been there for longer than I had was, okay, call this trade association and ask this trade association what you should do, or call this company and ask this company what you think you should do. And I started off, and I'd do that: I'd call the company, I'd call the trade association and say, hey, you know, we're looking at this issue, this is something that we see, what should we do about it? The difference, if I may sound a little bit arrogant for a minute, between me and your usual congressional staffer is that I have a technical background and most people on the Hill don't. So then when the trade association or the company would say, this is what we think you should do, I'd feel like that doesn't make any technical sense, and so I'd start asking, like, well, what about this, what about this, what about this? Because, you know, if you do this then the technology is gonna do X, and their policies just kind of stopped making sense. And so I'm gonna have to call him out because there's no way to avoid it: I got really lucky in 2015, and Josh Corman was introduced to me on an issue that really we shouldn't even have met about. There was no reason for him to be talking to my committee, but he did anyway, and then what ended up happening is I was like, wait a minute, this guy knows tech and he knows policy. And what ended up happening is that every time I had an issue, I'd say, hey, I need a car expert, all right, well here's five people; I need a medical device person, all right, well here's another phone number; I need somebody else. And so once I started talking to people who had their, you know, their guts in the actual technology, I started to get much better suggestions. They weren't necessarily politically savvy; I'd get some options of, hey, this is what we think the policy should be, like, okay, but I'm never gonna be able to do that. But what ended up becoming the way that me and the security research community have kind of evolved to work is: you tell me what you think the no-politics-involved solution to this problem should be, I will take my political knowledge, we will combine the two, and we will get to a policy that is technologically smart and politically feasible. And then that is the way that we move forward. So I mean that has kind of been my evolution of working with the research community, and it's been immensely valuable for me and my committee.

As
people who have gone through this journey of being not hearting hackers and then hearting hackers, you've had to, through that process, have some moment of enlightenment where you're like, oh, I know what I should do, I should talk to those guys and ladies. I wonder if you, and you've also seen that happen to a number of people around you. Suzanne, I remember one particular instance where we were having a conversation with some of your folks, our folks, and we had to stop the conversation and say, wait a minute, do you guys even know what coordinated vulnerability disclosure is before we go into this next hurdle? Like, do you have the primitives, do you know why researchers research? So I wonder if you could each individually talk about what some of those triggers have been that you've seen around you, and what have been some of the biggest, maybe, indicators that someone is ready to flip from being a regular Fed to a Fed that hearts hackers.

I in some ways was quite lucky because I came from the research community, more the academic side. I had been going to USENIX, I had been going to Oakland, I'd been going to a lot of crypto conferences, and there wasn't just purely straight academics; there were a lot of people who just had been thinking about this and wore lots of black and had fun hair. We have, well, and so for me the actual hurdle was something close to what Jessica had to say, which is getting over the idea that we don't need the whole solution from people, right? I clearly had been looking for expertise from the lobbyists; they don't have the whole solution, but they're doing it, packaging what they have as, here's a clear solution. And one of the things that I think has been really helpful for me is to learn how to frame what I'm doing in a way that makes it clear what is the input we're looking for, whether it is, sometimes that's the weird thing about that, X is this dumb idea, the world is not going to look like what you'd like it to look like. It's a shame, but you know, you don't get a pony either, and we're going to, at least with what's in front of us, make marginal change, and communicating on that side. But there is something else that I do want to say, which is I have had the privilege of introducing some of my colleagues to the research community, and there's something that, they love you. You're exotic, you're different. The first time I got to introduce a political appointee, to schedule a meeting with someone in a Utilikilt, she talked about it for weeks. So don't be afraid of that. The challenge we're going to have is understanding what they're looking for, and that's part of what we have to learn as people who are trying to build that bridge on both sides. And I think that's what's so incredible about the Cavalry community, is they're helpful. It's, all right, we all know that we should be going here, but that involves taking a road that is best understood by going a couple of mileposts that the folks in Washington are familiar with, and so mutual reframing is going to be very, very helpful, and policy is a game that everyone can play, but you actually have to know a little bit about the rules before you can jump straight in. And so on one hand I want to say yes, get engaged, don't be shy, and I'm sure we will all talk towards the end of the panel about how to get engaged, but it also is really important to talk to some folks who have been thinking about this issue for a while, or at least a little bit, so that you're empowered with how to make your message come through.

I want to jump in right there because I just had a visual image when you were talking, and it was, wasn't me in that Utilikilt, was it? It cannot be; unimaginable. A fair bit in other countries, I see a lot of people who speak different languages. If you ever go in
and watch two kids who speak totally different languages trying to figure out how to play with each other, they manage to figure it out, and it may take some effort, but they both know they want to play, they know that, you know, they need to play with each other, and so they figure out some common language to frame and build rules of a game. And it seems like there's some of that that goes on when security researchers and hackers meet Feds: they speak different languages, maybe they look a little bit funny to each other, they have different cultures and backgrounds and ways of going about things, but they still find a way to engage in a common activity together. So that was a pretty cool image that popped into my head and I wanted to leave everyone else with it.

Sure, so speaking of language, I'm being coached from the side here. We ran into, when we first started talking to government people, Josh and myself, we would talk about CVEs and known CVEs, meaning the Common Vulnerabilities and Exposures, and that's fairly table stakes for anyone probably in this room; a lot of the technical people just know what that is. That's a fundamental part of what it is to talk about security vulnerabilities, and so we were saying this in policy circles for a long, long time, many months, and talking about things like Junaid Hussain, who radicalized, went to Syria and we killed him in a drone strike, and that he could use a known CVE to take down a hospital. Well, one of the things we didn't realize is that that's a word that means something different to other people. So in policy space and in international relations, CVE means countering violent extremism. So when you talk about CVE, something that's fundamentally part of our lexicon, to them it clashes with something that's fundamentally part of the international relations lexicon. So we talked about known CVEs taking down a hospital; there is an overlap there, and so it kind of makes sense, but in a way that makes us seem dumb. But once we broke through that we realized that we were speaking this different language, so we had to change the way we spoke in order to accommodate some of the different taxonomies that were used in different parts of government, international relations, conversations with our peers abroad. So that was a realization we had. Throwing the question back to the panel: what are some of the things that look like precursors to enlightenment, or some of the things that would trigger a moment in someone in government to turn them into a Fed who hearts hackers?

So for me, I don't think that I can recall a specific, or a single specific, like, aha moment, because I think that this has been incremental over time, and it comes back to really having the opportunity to meet individual researchers, to have that kind of really, you know, almost like a heart-to-heart communication, a dialogue, understanding the motivations that different individuals are bringing to the work that they do, and why it's so, to this researcher, this person, to do what they're doing. It's just getting to that really kind of common understanding of why you do what you do, and what your, you know, aspiration is, what your desired outcome is, becomes so important for, you know, for me and for my team in order to be able to build that kind of bridge, and to also not only build the bridge between, you know, us at the FDA and the researchers, but to broaden that out and to really act as ambassadors, if you will, towards the other, you know, other parts of the community, whether it's medical device manufacturers that are involved, individual manufacturers or trade organizations, as well as the healthcare organizations. And let me bring another group into the fold here which we've been doing a lot more work with now as well, which is the clinicians themselves and healthcare practitioners, and understanding for that particular group, individuals like myself who may not have that same level of understanding or awareness as to some of the challenges and the concerns around security of devices or security within the healthcare system, because of how their education and their training has been framed in the past. So being able to speak this common language, so much of this just comes down to communicating, but for me a lot of it comes back to not being the one talking but rather being the one listening, and really eliciting exactly what it is that is getting to the researcher, where they are so very, very passionate about what it is that they're doing. I've learned a lot from each and every encounter that I've had with different individuals, and I think it just enriches our ability to do the work that we're doing, knowing the, you know, the unique elements that different researchers are bringing
with them to the work that they're doing.

Yeah, so it sounds like for you one of the things that leads to the enlightenment is seeing that security researchers are super excited about doing this. It's not that they're out for necessarily one motivation or another, but they all bring a passion to it and a drive to get to an end goal that might be the same as your end goal.

And yes, and by extension what that does is, when we understand that, that allows us to be in some regard the translators, if you will, when we talk to manufacturers who might be impacted, who, you know, might see a researcher purely as that adversary, and, you know, will vilify or demonize a researcher, and that allows us the opportunity to really reframe that conversation.

Yeah, so actually you just reminded me of a really special part of Congress, for example, um, because, you know, we've run into a couple of issues with researchers and with manufacturers where the researcher has made some kind of claim and the manufacturer's counterclaimed, and it becomes a spec battle. And I would use the terminology shield: we do sometimes become the translator between those two things, but we have also served, my committee has served, as the shield between the two parties, essentially saying, you know, we're not gonna let the manufacturer go after the researcher, and we need to make sure that the researcher understands the constraints the manufacturer is operating under, and protecting them both from the situation and maybe some of their worst instincts. There's that. And, you know, I think the other thing for us, and I actually do want to mention this because it's important and it happens to come up in our work, you know, when people think of Congress I think a lot of the times they don't think of it as a positive connotation, but, you know, we've had a couple of incidents recently where we've had folks who want to tell us things. They want to say, you know, we're aware of a vulnerability, we're aware of some kind of situation that's happening. And this is my offer to you in this room, because I think it is important to mention: there's something called speech or debate in Congress, which is that if you tell us something, nobody, I mean, you have told us, there's no way that somebody can force us to tell what that is. So there is a really important, I think, legal protection that we as Congress can offer in situations like this, where we can be, as contrary as it sounds, we can be a very good ally if folks are concerned about those kinds of things. And that gives us a really good ability to, what I think of as, partner in these kinds of situations, because for us the goal is to get to the best outcome as quickly as possible, and sometimes that means, you know, being the person who sits in the middle and helps the situation evolve as quickly as possible.

Please plug some of the work you're doing at NTIA.

I thought you'd never ask. So, now what can we do? There's a lot of stuff going on, and Suzanne and Jessica will talk a lot about much bigger, higher-stakes things that they're doing, but at NTIA we have a couple of things where we could still use a lot of help.
We have ongoing initiatives on IoT and another one on botnets. So IoT is probably the worst bucket to describe a mess of technology and policy issues since we got saddled with the term cybersecurity, right? They're both horrible buckets, but we're stuck with them, so we can rage against them or we can just get used to it. And the challenge when people talk about IoT security is it often is, you know, the problem is these things are built without security, so the solution is to build them securely, secure by design. Well gosh, why didn't anyone think of that? We've been doing it wrong. It's a little like saying, you know, excuse me, do
you know where I am? Well yes, you're lost. It's not wrong, it's just not actionable; it can't help us move forward. And so what we wanted to do was find a way to make some progress in the IoT security discussion, and we said, well, let's talk about a particular aspect of security that's important given that everything is going to have some flaws: let's talk about updatability, let's talk about patching. And the Cavalry has been very active in this discussion. We've been doing this for about seven, eight months now, different work streams focusing on both the technology side and the policy side, saying, you know, because we think about markets, they have two sides, supply
and demand. So let's figure out how we can empower consumers to know what to look for. There's a working group that is saying, hey, what is, again, voluntary guidance that we think we can have manufacturers say: when you're buying something, what should you look for, what should they say about patching? Patching, for those of you who know about firmware over-the-air and things like that, is a very big, messy issue, so this group is trying to distill it down to a small number of things that consumers can look for. And Beau in particular was incredibly useful in not just helping address that issue but being the thumb on the scale of security, because there are a lot of
lawyers in Washington that wanted to sort of water it down, and having the security community actually advocate for security has been very, very important. At the same time we're also, on the flip side, thinking about, okay, well, when we actually talk about an update, what can we say about the features of an update so that we're not introducing new vulnerabilities, things like that. So if you are interested in IoT updatability, please let me know, reach out, and we're going to be continuing thinking about carving up this issue using this voluntary tool. And just a quick note on the voluntary tool and working with stakeholders: the trick is to understand the leverage and what
people's incentives are, because as much as we hate the super cheap stuff that comes over by the container load from these fly-by-night operations, built without any security in mind, because they're terrible for security, you know who really hates super cheap electronics? People selling expensive electronics. And so while they may not be really excited about broader security standards, we've been able to make a lot of progress just by saying, hey, listen, it's in your interest to raise the overall expectation of security because it's going to help your market. So that's the kind of thinking that we need in this approach. And the final plug I'll make is there's an executive order that came out that's thinking about botnets. Think
of this as the administration's response to Mirai, about six months too late. It's a new administration, so it's not their fault; they weren't in charge at the time. We are quite lucky we were given a whole year to think about this, because unlike the other aspects of this executive order, which focused on government finding the solution, we are charged by the White House to identify and promote stakeholder action. So we need your help thinking about botnets from an ecosystem perspective: thinking about it at the endpoints, the IoT space, thinking about the networks, thinking about users, thinking about infrastructure. There are many pieces; we all need to think about how to work together. So, a few thoughts
on that front about how we can address distributed automated attacks and take it back down to the background level of risk that it was circa 2015. We're not trying to eliminate everything; we're just trying to make it the casual part of the internet ecosystem. So those are my two plugs. One thing to kind of add on to that is, in talking with some people around ECE about the botnet issue, one of the things they said they had heard, before they talked to security researchers, is that, well, the solution to botnets should just be to use the network and forget about the endpoint; you can never secure the endpoint, so just use the network. And
that worked for the people making cheap devices, because they didn't want that. That worked for some of the ISPs, because they wanted to have a legitimate excuse to break net neutrality. That worked for a lot of people, and it worked for security vendors, because then they could sell stuff to go on the network. And oppressive regimes. Yeah, it was great for repressive regimes, that one. But then after talking to security researchers and hackers and some of the people in this room, what they quickly realized is that it wasn't just, should we put something on the network, use the network; it was, how do we reform the ecosystem so that it's better and more resilient against this type of thing, not
just in the short term, what can we do tomorrow, but also in the longer term, how do we build the incentives to rely on things. And Alan, you set me up perfectly for my next question, which was going to be: assuming that folks here in the room and on video are bought into the idea that they want to also be one of the hackers that you heart, how would they best go about doing that? What can they do to make themselves more accessible and available, to have the right posture, and to help equip you to go and address some of the things where you are aligned with them in the right direction? And we'll start with either Jessica or Suzanne,
since you already put in your pitch. So certainly from FDA's perspective, a few points. Number one, we always welcome, we always have an open door policy with regard to security researchers reaching out to us, reaching out to our team, with respect to vulnerabilities or research that they're doing, whether or not one is having a good response in terms of interactions with a manufacturer or with any other organization. That's something that people should feel entirely comfortable with. Ideally it's great if the identifiers of vulnerabilities, the security researchers, are able to go directly to the manufacturer of the medical device and to have that dialogue, that identification of what their research has discovered, with the manufacturer. That does bring us back to
the importance of coordinated disclosure and having a disclosure policy, and that's why that becomes so fundamental to the guidance that we issued back last December, right. And I want to also come in and put in a plug here for Alan's amazing work at NTIA on the coordinated disclosure front, because I think that it exemplifies really the ability for industry, whether one is at the very immature level or whether one's more sophisticated, to find that space in terms of where one is at in that kind of model of maturation, to develop a kind of template and disclosure policy that's going to work for that organization, that can allow that organization to grow as well as it
becomes more and more sophisticated with respect to, and more comfortable with, dealing with researchers coming forward with information, and having a disclosure policy in place and a process by which the vulnerability information can be taken in and can be appropriately handled. So going back to your question, yeah, I think that the manufacturer absolutely is the best place to start. Sometimes if a manufacturer, if that's not working for whatever reason, one can always come to the FDA; one doesn't have to wait, you know, for that matter, to come to the FDA. And the other organization that we work with, that we coordinate very closely with, is ICS-CERT. ICS-CERT's involvement in the medical device space
has been just kind of expanding more and more with respect to their comfort level as well, and so we have a good rapport, a good working relationship, with ICS-CERT and with manufacturers and the researchers that enables us to have a good dialogue back and forth and enables manufacturers to be more expedient in dealing with the vulnerabilities that have been identified, doing the appropriate assessment of the impact, and taking the necessary steps in order to address the vulnerability. Great. Well, I think I would have sort of several categories. The first one, for how to influence government in a technology-smart way, is join government. So I mean, it sounds trite, but it's
really the best thing that you can do. If you want to really influence the way that decisions are being made, or what those decisions are, the best thing that you can do is just get directly involved. I would love to have additional tech-smart backup in Congress. There's one other person within the House of Representatives staff who I think of who has a computer science background; he and I are constantly talking about the fact that there's only two of us. You know, working with Alan, or going to work for Suzanne, or going to work for any of these agencies, I mean, the
government is in such desperate need of tech-smart people that, you know, please come. I mean, I'll be fully honest, you're not going to make nearly as much money as you could other places, but I think that the value you could have and the influence that you can have is really hard to overstate. I mean, to be frank about it, I'm 26 and I get to influence cybersecurity policy for one of the most powerful committees in the United States government. So, you know, that's one way of looking at it. The other way that I would look at it is sort of what I was hitting on before with bringing up the
congressional protections that one is afforded when somebody talks to us. My email inbox, my phone, my door are open. If you have an issue that you think is problematic and that you think needs addressing, talk to us, talk to somebody in government, and tell us that you think it's an issue. You know, we need to be aware, and we're not always going to be aware; we don't see the same things that you do, we don't understand them in the same way that you do, and so we sometimes need that additional help of, hey, this is the problem, this is what I think you should do about it, and this
is how that is. It's very difficult to overstate the value of that for us. And I think, you know, now we kind of look at coordinated disclosure, or maybe I'll just say from my perspective, coordinated disclosure is a done deal. I mean, it's just such an expectation now that if you don't have it, that's something that regulators and investigators get very curious about these days. But there was a time, and it was only two or three years ago, where that was not at all the case, and so we needed security researchers making a huge fuss about, we found a vulnerability in a pacemaker,
we found a vulnerability in a car, we found a vulnerability in X, Y, Z, because we wouldn't know otherwise. And that's still true today, maybe not as true as it was in past years, and maybe it's not as true in issues with coordinated disclosure, but in other areas we still need to know. So, you know, contact us directly and let us know these things, because they're so important. And I think I know what you're about to say, which is, as Jessica said, if you want to really influence change, go into government. And I think both Suzanne and Alan would love to have you, assuming there's nothing, can hire smart people. There's also things like, and I don't
know if Travis is here, but TechCongress.io is a way that smart tech people can do a fellowship and a rotation in a congressional office, which is a pretty cool thing. You go in for a year and you're able to help shape and advise policy. And there's also many other ways to engage and get involved, such as joining a think tank as Josh and I did. None of these things will have the same, there'll be different trade-offs with the private sector; you won't get as big a paycheck, but you'll be able to make the world a better place in a way that affects millions and millions of people, and potentially billions of people around the world. So I
want to underscore something that Jessica said, which is fantastic, which is: we won, right? Two years, even less than two years ago, this was an issue that was weird in Washington. It was incredibly specialized, most people had not heard of it, and now it's boring, and the ultimate goal for everything we do is that. The other thing I'm going to do is, since we are in the Cavalry track, I want to underscore how important the Cavalry is for me. Washington has special interests, and I don't mean "damn those special interests," I mean it's really useful. What I need to know is, what does the communications industry say, what's the difference between how the cable industry thinks
about this versus the telecoms, right? It's useful for me to know that, and there are trade groups for that. Privacy has a great constituency in Washington; I can talk to many different flavors of privacy advocates. There had never been an advocacy for security, the notion that the stuff we use, we should be able to trust, and that is an incredibly important voice that needs to be at the table, because all the other voices are already at the table. And you know, I think it's been a learning process for the Cavalry to figure out how to approach these discussions in a way that's productive. It's been a learning process for me joining government, right? Nothing comes naturally; this
is going to be a little slow. You know, I'll give you a hint: The Register probably isn't the best source of news for what's going on in Washington. You need to actually understand what's going on. [Laughter] Right, the perspectives you get from certain advocacy groups may not help you understand the full perspective, but having that voice has been really useful and I think it's made a real difference. So for those of you who have been a part of this, thank you. And I think there is still so much work to do in Washington and around the world. This is something that is not an American issue, despite what certain parts of the US
government think sometimes, and we need to make progress on that globally. So first I want to echo all those wonderful remarks that you made. The relationship that we enjoy with I Am The Cavalry has been, it's so beyond words in terms of my being able to tell you both, and everyone else who's been involved, how important it has been in terms of where we've been able to get to and where we expect to be going. But I do just want to also do a little bit of a reality check with respect to coordinated disclosure, okay? We believe that it is critical, that it is really important, in the medical device space. It's slow going in terms of adoption
with medical device manufacturers, and so some of what we need to be thinking about over the next 12 months is, what are those impediments, and how do we get to a greater adoption? There are manufacturers who are champions of coordinated disclosure in the room with us right now, but we're preaching to the choir, and we need to be, by next year, in a much better place, where it's not the minority of manufacturers who are involved in coordinated disclosure but many, many more. And we are out of time. We don't have time for questions, but a lot of us will be here all week. But one thing I do want to ask is, if you are
a Fed or associated with a government, whether it's the US government or another government, and you want to engage more with the hacker community, maybe just raise your hand so the others can see you, and so folks can come up to you and talk to you later. There's more than that in the room, I assure you; they're just not always outing themselves. But all right, with that, thank you very much for attending. I think we've got a break up next, and we'll see you back here for our healthcare discussion at 5:00. Thank you. [Applause]