>>Good morning

>>Sound off John

>>uh I it it's great to see so many folks um uh great to see so many folks here uh uh standing room only in the back uh so uh we're here from the government and we're here to help [cheering] uh my name's uh Jonathan Mayer I'm chief technologist for the Federal Communications Commission's uh Enforcement Bureau uh I'm joined by wonderful colleagues throughout the federal government uh we have Lorrie Cranor who is chief technologist of the Federal Trade Commission, uh Eric Mill who's a senior engineer at 18F in the General Services Administration uh and Allan Friedman who's director of cyber security initiatives at the National Telecommunications and Information Administration [inaudible yelling from audience] alright let me try a little louder and with apologies to the folks who are near speakers uh uh and Allan Friedman down at the far end who is director of cyber security initiatives at NTIA uh within the Department of Commerce ah so it's a great cross section of different technology policy roles within the federal government um uh we have uh uh working on cyber security in the main component of the executive branch we have delivering services uh throughout the government uh we have uh independent agency working on security and privacy issues real thought leader within the government um and then we've got the FCC um [laughter] uh

>>yay

>>So I'm going to ask uh each of our participants to to say a few words uh about their agency and what the agency's been working
on in technology policy and the role in the agency uh and then for the most part this is going to be an extended Q and A session uh it's up to you to lead the conversation uh there are microphones to the left and the right of the room uh please line up uh and have your questions ready uh and uh my game plan is to just alternate um and and we'll do our best to answer okay so Lorrie could you start?

>>Hi good morning um so the the Federal Trade Commission uh focuses on consumer protection and in the security and privacy space we're very much interested in protecting consumers from having their private information breached and leaked um we're we're interested in protecting them from unfair and deceptive practices scams fraud also spam robocalls these are all things that we are very interested in um investigating and in finding ways to protect consumers we also do outreach to consumers about how they can protect themselves and avoid falling for some of these scams um we are very interested in talking to researchers and if you come to our session at one pm we will get into more detail about that but we we would like to work with the researcher and hacker community to identify uh vulnerabilities that we need to be aware of to identify tools that we can use that consumers can use um and so uh we encourage you to come talk to us we've also set up an email address research@ftc.gov uh where you can send us um the things that you've discovered that that you would like us to know about uh we also have a
number of events that are coming up this fall that uh we are um going to be interested in having researchers attend um they're going to be open to the public as well as webcast so we have a workshop coming up on drones we have one coming up on smart TVs uh we have one coming up on um disclosures uh so privacy notices are one form of disclosure but other kinds of disclosures as well uh a bunch of things and then in January we will have our PrivacyCon event you can read about all of these things at ftc.gov/tech thank you.

>>Sure so uh I'm I'm Eric Mill uh and I'm with a group relatively a new group in the federal government called 18F it's like one eight F and uh we're about two years old and we're housed in the most excitingly named agency in the federal government the General Services Administration and we uh so we're about a couple of hundred people mostly not in DC and we are trying to do technology right in the federal government so we actually have dozens of engineers product people UX people design folks security people and we are trying to make sure the government can do well for itself on technology and that uh that to make sure the government can do things the way that we all want to do things we can embrace the cloud use open source do agile development uh we can bake in privacy and security from the beginning of the of the development process so we we try to lead through uh implementation and delivery uh we do some some of the things that are maybe most relevant to this crowd
um so we're uh currently working on getting a bug bounty program started on our on a number of our public facing systems um shout out to DOD who just uh did the first government bug bounty program fairly recently uh Hack the Pentagon definitely learned a lot from them um we're also uh trying to hire and it's the government does in in fact employ information security professionals we're trying to do it a little bit differently and hire uh people that are senior technical implementers that don't require security clearance and put them at work on a variety of government wide systems uh that that make the country work better um and then in particular um part of my work there is focused a lot on on encryption and uh in particular 18F has been a really animating force on web encryption on HTTPS in particular um there actually is a federal policy mandate right now in the executive branch to move everything to HTTPS only with strict transport that's something that um our organization has animated and put a lot of energy into something I personally work my tail off on and uh that's uh gotten me the chance to meet a lot of a lot of the good folks here and uh hopefully we're trying to hopefully we're making the government a better place

>>I'm Allan Friedman I'm with the uh US Department of Commerce in the National Telecommunications and Information Administration uh we're part of the administration we are the president's advisor on telecom and internet policy uh you may have heard of uh my boss is Secretary
Larry Strickling who is trying to uh keep the internet free and open with the ICANN IANA transition uh and thank you uh and in fact that's uh a large part of what our organization does is represent the equities of a free and open internet uh both inside government discussions uh as we sort through policy uh as a giant complex government uh and also uh across the private sector um in fact we take this notion of multi stakeholder engagement quite seriously uh too often there are policy issues where if we wait around for legislation it's going to take too long and it may not be great because there's going to be lots of uh complexities and legislation a pretty big hammer regulation also takes a while and uh when Jonathan isn't writing it himself it's not always optimal uh so what's the tool we have left and our tool is we try to get the right people in the room and say guys let's solve this among ourselves with the right engineers in the room from all the different relevant stakeholders uh so that we can demonstrate that this is a solution that can be solved by coordination collaboration rather than waiting around uh for you know long uh drawn out legal processes or regulation uh we have two ongoing initiatives that might be of interest to uh you guys right now uh one is on everyone's favorite topic vulnerability disclosure uh we know that this is not a new issue but on the other hand uh the cliche that everything everyone is now a software vendor really is true and there are a lot of organizations
that have never had to work with researchers before so we're bringing together security researchers vendors uh middlemen everyone possible and saying hey how can we equip companies and organizations around the country and even around the world to know what to do when someone knocks on their door and says hey uh there's a big problem in your system and we can help you solve it how do we get people along that path the second initiative which we've just announced is around everyone's buzz word favorite uh IoT security uh it's sort of universally recognized that one everything is going to be connected sooner or later and two security is a giant flaw no one's really building it in right now how do we start that process how can the government promote a better marketplace for that.
So we're starting with a small bite and saying hey patching seems like an important issue but there isn't really a universal definition for what it means to be patchable so let's get tech engineers people who make products consumer representatives security researchers in a room and say what are the different dimensions of patchability here are all of the the technical details here's the user experience here's the connectivity issues let's build a taxonomy then try to collapse that down to a small set of definitions there is no one size fits all and from those definitions have a couple of words that we can tell consumers don't buy a smart widget without this on the box voluntarily this isn't the government saying don't do this this would be Consumer Reports or Mudge or someone else saying hey look for these words but these words are backed by a couple of paragraphs of technical specifications and by the way if you lie about what's in your box we have some colleagues in government who uh know how to take care of that so if you're interested in talking about IoT security or vulnerability disclosure we're very happy to have you engaged uh and we hope you do because when we meet it we say it's multi stakeholder whoever shows up gets a voice to weigh in and make sure that everyone else can hear what you have to say.
>>Thanks uh so let me touch on the FCC briefly and then uh again open it up for questions from the microphones uh so the FCC is the federal regulatory agency for communications infrastructure and services um and that includes communication security and privacy um so in in the US legal system um the FTC is sort of the closest we have to a catch all data regulator um uh but there's a lot of sector specific regulation so for instance our colleagues at the Department of Health and Human Services deal with medical security and privacy uh FCC does communication security and privacy um and it's an independent agency in two senses uh the first is we're not within one of the cabinet departments uh and the second is the commissioners are nominated by the president and confirmed by the senate um but they don't report to the president uh so if the president wants to provide input on an FCC proceeding he writes a comment uh to the agency uh just like any of you can uh so uh so the independence is very real um the FCC's core function is uh independently proposing enacting and enforcing rules so it's a little bit of a blend of the three branches of government um we say here's what we think the law should be on this issue and then put it out for comment and uh and and any of you can write in and say why we're right or wrong um then the FCC finalizes those rules and then ultimately it becomes a job for where I sit primarily the Enforcement Bureau to make sure those rules are followed um so the FCC's authority in
communications covers a range of technologies um radio and all sorts of RF emissions um uh uh television uh uh whether broadcast or cable or satellite or fibre or whatever's next um uh telephone of course and the agency's recent focus has been especially on uh broadband internet uh so you may have seen uh the term net neutrality somewhere or other I'm just gonna guess this crowd's heard that one before um so the FCC proposed uh strong rules to protect the uh the open internet um and just a month and a half ago the uh DC Circuit concluded that uh those rules were consistent with federal law and net neutrality is the law of the land um so uh much of the net neutrality proceeding focused on uh uh the kind of economics of innovation online um but at the time the commission said we know we're going to come back and look at security and privacy do more rules on security and privacy kind of left that open for another day and so uh earlier this year the commission proposed rules uh for ISP security and privacy uh saying ISPs should be transparent about their practices should have reasonable security protections in place for your data um and uh and that you should usually have choice and opt in choice if your ISP wants to repurpose your data for advertising or anything else um we've also been vigorously enforcing security and privacy protections that are already on the books so for instance earlier this year we settled with Verizon for tampering with their customers' internet traffic to insert unique
identifiers that made them trackable online uh there was a over a million dollar fine but more importantly Verizon agreed to make the process opt in uh for for any of these headers going out to to third party businesses uh we've also done data breach cases against AT&T and Cox uh and just earlier this week you may have seen we reached a settlement with TP-Link a router vendor um over uh selling some routers that could be modified to uh create radio interference but um an important part of that settlement was TP-Link committing to working with the open source community in chips it manufactures uh towards bringing Linux support custom firmware support under their routers uh so even when we're kind of operating in one of our kind of classic areas we're trying to make sure to promote innovation um and make sure that uh sort of the freedom to tinker is protected the freedom to lawfully tinker my boss likes to point out um let me close by touching on some of the uh exciting work in progress we have uh so just recently the commission set up um uh the sort of licensing infrastructure for uh upper microwave spectrum upper microwave spectrum I knew nothing about before uh coming to the agency um turns out the technology is now there to make this very useful spectrum and it's widely believed to be uh an important component of 5G wireless technologies and so the commission set out its security expectations for for uh for the spectrum and and and uh plans to address 5G more fully uh soon um those those expectations include
that there be uh a routing security and for voice and voice calls and uh text message uh community uh uh security from one communications device to another communications device um uh we think that's what we think that's what the use of the spectrum should look like and if you'd like to hear more about it uh one of my colleagues uh Admiral Simpson is going to be doing a uh presentation at the Internet of Things workshop here at DEF CON. Um we've also done quite a lot of work recently to address robocalls the chairman sent out letters to the major telecom firms um saying uh he expects immediate action AT&T is taking up the charge uh they're leading the new um multi industry working group uh to deliver actionable results including uh new deployments of call authentication standards new efforts to make sure phone numbers like the IRS main line can't be easily spoofed efforts to build uh compatibility interfaces so folks can bring uh filtering like spam button uh technology into the phone system um and then I mentioned earlier the agency's been working on security and privacy rules for ISPs uh we proposed those uh in March uh the comment period closed recently and so that that uh remains work in in progress. Um so that covers what I want to cover for the FCC and again this is this is your session and it's going to be mainly Q & A and so there's a microphone there and a microphone there uh and by all means line up and we'll take your questions thanks. [applause]
Ok start over here

>>Yes, I imagine this is for the FCC, I'm wondering what is your timeframe for the telecoms to harden their SS7 vulnerabilities [laughter]

>>Uh so uh we work closely with the telecoms to implement better protections uh across their networks including SS7 uh the commission hasn't put out a a a firm timeline uh on that particular issue but an important part of the 5G uh communications work that the commission's doing is saying here's the way we think the world has to look going forward um you know obviously we're not going to tell companies how to build their their networks um but we're going to set expectations and we're going to work with them to make sure they meet those expectations um and for now that's that's an ongoing conversation but the commission does have regulatory authority and can always be firmer if if that becomes necessary.

>>Uh over on the right.
>>Hi uh this question is for the FCC what are some bits of advice you can give to private citizens so that we can be impactful during the request for comments stage lately it's becoming an increasingly politicized event with large corporations lobbying excessively hard and we don't have the monetary resources to have our voices heard and we as technologists know that some of the things that they're doing have led to stagnation of broadband in rural areas, increasingly nasty uh behaviors, like with Cox trying to do the opt-in service for additional privacy and it's just it seems that it's getting worse in some ways, how can we have our voices heard? Thank you.

>>So let me start with the uh FCC component uh of this then I'm going to hand it off to Allan and then Eric to address getting your um voices heard in the processes they work on.
Uh so the F, FCC's usual process for for doing a rule making is we issue something called an NPRM a notice of proposed rulemaking um where we say here's what we think the laws should be on this area, uh in this area uh and then there is a usually about a thirty, forty five day, um uh comment period then another equally long reply comment period um then uh there's some period of internal decision making uh stakeholders can continue to come in and meet with the commission, continue to write letters to the commission uh and then ultimately uh the commission proposes final rules then usually someone sues um and uh uh and then finally after judicial review um the the matter is settled uh so that's uh that's the process uh as for making sure your voices are heard um uh well I have to be careful not to comment on of any uh uh ongoing proceeding uh I think it's fair to say that um I've been really heartened to see how the process works um uh being in the agency um smart comments get noticed and if you come to the conversation with something new to say and especially if you have some real data to bring to bear um it gets noticed uh and so uh uh sort of the the the the best advice I can give on how how to uh kind of contribute to the debate is make sure that um uh uh what you write is you know not duplicative uh uh you know ideally doesn't use curse words at us or something [laughter] um uh and and gives us some real really constructive advice uh uh they get sent those comments get singled out um let me also add
just as a purely procedural matter make sure you're commenting on the right proceeding uh every so often folks will file comments in the wrong place um and I and uh the system at FCC has recently gotten a lot better for filing comments we have a whole new online comment filing system um uh but make sure you file in in in the right right docket um and make sure that the issue you're writing in about is is appropriate for that docket so sometimes folks will have really smart things to say and really great data but it's just not germane to the specific issue in front of the agency um by all means call that to our attention feel free to uh um uh kind of reach out to who who you think is the appropriate contact at the agency um but uh it's easy for it to get buried in a docket if it's not germane because someone will review the comment and say it just doesn't bear on this particular proceeding so that's a kind of a procedural note. Okay so now over to Allan and then Eric.

>>So

>>So as an example of a comment process that uh impressed me how effective it was, uh a few months after I joined the Department of Commerce last year, I get a call from one of my colleagues uh in a different part of Commerce called the Bureau of Industry and Security. He says hey we're about to release a proposed rule based on this arms control agreement known as Wassenaar.
So we had some discussions and we helped prepare them for the fact that they were going to get some strong responses and we did get a lot of responses and many of those were really helpful um this was a case where industry and the security industry were on the same side uh but they brought two very different perspectives that was very helpful um it's challenging because often people were commenting based on news stories that were based on other news stories and so by the time they filed their comments it wasn't something that was directly related to the regulation because a lot of the stuff is quite technical so as Jonathan said you know make sure have as much preparation as you can. Uh but this is an area where we got the comments and uh they were overwhelmingly negative uh I think there was one comment in favor uh out of over two hundred and so the US Department of Commerce worked with our government colleagues and has gone back uh to Wassenaar to try to renegotiate and so that I think is an example of feedback from the security community driving policy in the direction that it should um and so as you are preparing to engage uh it helps to talk to other people uh if you have colleagues or friends who are engaged in the policy network uh they'll be able to give you a little bit of background.
If you're curious at least in our case I don't know if the FCC can do it but in Commerce we'll talk to you about what we're looking for so that you can tailor your feedback uh to to give us the insight that we need to make good decisions. Uh there are lots of organizations out there that are engaged in a lot of these issues whether it's EFF or I Am the Cavalry uh we need more advocates for security uh as as a unique value so please try to engage and learn as much as you can and then give us as many feedba- as much feedback as possible.

>>So uh I'll just briefly add on it's actually a bit of an outside perspective so I'm not in a regulatory agency now at GSA um before this I was at an NGO a non nonprofit called the Sunlight Foundation that did open govern- does open government and transparency work for about five years and I worked a lot on uh trying to make the regulatory process more accessible to people because I watched many different times uh people leave the opportunity on the table to come and comment on a regulation and I'll tell you that like the people who will always comment on a regulation that affects them are like affected business or the private sector not very often comparably do you get like real public constructive input on things and it's it's not always well known that like and this is distinguishing from a lot of other countries in the world that in the US executive agencies that are that are issuing regulations must respond to every unique comment they get.
They have to at least acknowledge it in some way and I've read many final regulations that address, that went down and addressed all the different groups and notable comments that they got and you know changed their minds on small and large things as they went. You don't always get your way but when you participate you showing up really does matter and that was my personal ex- experience as an advocate and like open government um lobbyist sometimes uh working on these issues that showing up is is everything so I really do encourage you to you don't literally I mean the Federal Register if you go to federalregister.gov they've actually added in the last few years uh a number of really great alerting and feeds systems for you to follow things more easily. It's actually a really great team that uh built federalregister.gov uh they were invited by OFR to do it after they did an app contest uh as an outside group of developers trying to reimagine what federal regulation and commenting should look like and that is uh so I and there are other services that will help you do that and I just strongly encourage you to take that seriously.
>>I I'll just add that at the FTC um we we often are looking for public input uh usually when we announce that we're having a workshop there are opportunities to comment both before and potentially get on the agenda as well as after the workshop and we are very much interested in people who bring us data um you know we we want data we want we want empirical results and not not just um you know the the opinions which which are nice too but but if you are a researcher who can bring us data that's something that we are going to be very interested in seeing.

>>Let me amplify that point before moving on to the next question um we hear a lot from lawyers in the government we don't hear so much from technical experts um and so uh those that sort of input is incredibly valuable and it gets noticed.

>>Hi, so you mentioned that the DOD now has a bug bounty but for sort of an opposite perspective uh one of the things that I do is run Censys.io and other scanning for security things and five years ago when we started the DOD sent us a very strongly worded email saying you'd better stop scanning us so that means we can't participate them with them we can't tell them about vulnerable TLS implementations so how do you engage with the DOD beyond just submitting to their bug bounty?
>>That's a difficult question given that none of us are from the DOD uh 00:27:11.396-->00:27:16.201 so we're probably not going to be able to give you the answer that you're looking for um but 00:27:16.201-->00:27:22.074 you know in general uh the closer you get to communicating with subject matter experts uh 00:27:22.074-->00:27:28.146 inside different agencies uh the more you get answers that make sense and uh and creative 00:27:28.146-->00:27:34.620 solutions to different problems um the the defense the DOD hack the pentagon program was started 00:27:34.620-->00:27:39.057 by the Department of Defense digital service which is a relatively new team inside DOD 00:27:39.057-->00:27:43.395 it's part of the US Digital Service uh which is a white house initiative um that is 00:27:43.395-->00:27:49.301 creating digital service teams in a few different agencies and uh but that's about the best I'm 00:27:49.301-->00:27:53.805 going to I or maybe anybody here is going to be able to give an answer to that. 
>>I think just 00:27:53.805-->00:27:58.810 uh large organizations are not monolithic uh and so the as as as we said you know the closer 00:28:03.649-->00:28:06.151 you can get to the people who engage the better uh in the private sector uh you know they 00:28:06.151-->00:28:08.153 we work with large companies inside our process on vulnerability disclosure who are 00:28:08.153-->00:28:10.155 trying to figure out how can we work with researchers even as you know their general counsel's 00:28:10.155-->00:28:12.157 office is writing comments about how we need to bring back uh DMCA controls on on their 00:28:12.157-->00:28:17.162 products so uh the trick is to find the allies in any organization that you can um I 00:28:32.644-->00:28:39.551 think this panel probably is a great way to start to find the right people uh and um so good 00:28:39.551-->00:28:43.188 luck and thank you for reaching out >>Thank you >>And thank you also for running Census dot 00:28:43.188-->00:28:48.193 IO so I I GSA 18F uses that data in in our work all the time um I I you know I personally use it 00:28:50.629-->00:28:55.701 in my work to understand the government surface area and to report things to other agencies 00:28:55.701-->00:28:59.338 as necessary and to tell people when they're falling down on something and then to work with 00:28:59.338-->00:29:04.276 them to fix it so really like big thank you big thank you to you for that [applause] >>Uh so 00:29:09.781-->00:29:14.219 I'm a student who is going into my uh senior year at high school and I was just wondering how did 00:29:14.219-->00:29:18.390 you guys get into the federal government and how could a prospective student also get in? 00:29:18.390-->00:29:23.395 Thank you. >>Go down the line? 
>>Uh that's so one I I I think there I'm going to speak for 00:29:28.400-->00:29:34.039 everyone and say we desperately need smart, passionate, technically aware people in 00:29:34.039-->00:29:39.044 government uh desperately and you know the advice I would give is if it's fairly easy right now 00:29:43.181-->00:29:48.754 to go from the technical world into a policy track uh my background is in computer 00:29:48.754-->00:29:54.626 science, wasn't very good at it so I have my PhD in policy uh and when you're me- uh so pol 00:29:54.626-->00:29:59.097 that means I'm a mediocre economist and a mediocre coder and when you're mediocre at that 00:29:59.097-->00:30:04.102 many things you end up in Washington [laughter] uh and and uh you know you know I was an 00:30:06.571-->00:30:11.810 academic and then someone talked me in but I think the advice I would give is stay on the 00:30:11.810-->00:30:16.982 technical side as much as possible but engage in policy in your spare time and eventually 00:30:16.982-->00:30:21.453 you'll find an issue where you can find the right person and weigh in and they'll say we need 00:30:21.453-->00:30:27.826 you on our team. 
>>Yeah I I mean so as somebody who went um primarily my background is in 00:30:27.826-->00:30:32.864 software engineering uh I have a CS degree but I work a ton on policy day to day now and uh 00:30:32.864-->00:30:37.836 it's really as simple as becoming an expert in something and being willing to talk about 00:30:37.836-->00:30:43.041 it publicly, privately, leadership without fear and have confidence in what you say and 00:30:43.041-->00:30:49.481 really develop your skills as a communicator, right, so like being a good writer is just a 00:30:49.481-->00:30:54.319 universal skill that will make you more effective at bringing people uh into your way of 00:30:54.319-->00:30:59.291 thinking um co- uh projecting that you know what you're talking about and that's 00:30:59.291-->00:31:04.930 something that you know even, even if it's not going to be for for you know even if you don't 00:31:04.930-->00:31:08.767 end up working on policy for some amount of years take take the time to keep exercising 00:31:08.767-->00:31:12.971 those muscles, to to keep writing and to keep getting feedback on that and to keep 00:31:12.971-->00:31:17.976 becoming a good communicator. 
>>Yeah so um I started my career uh working in AT&T and um was 00:31:21.313-->00:31:26.318 doing research on uh privacy mostly and I actually um presented research to the FTC 00:31:29.421-->00:31:34.426 twenty years ago I went to their workshops and when um FTC staff said can can someone explain 00:31:36.895-->00:31:43.335 again how third party cookies work I would you know take time from my day to call them back 00:31:43.335-->00:31:48.573 and to explain it yet again right and and basically became known to them as someone who was 00:31:48.573-->00:31:54.179 willing to explain these technical concepts in in plain language uh I then became a 00:31:54.179-->00:31:59.184 professor at Carnegie Mellon and have um uh steered my students in their research to trying to 00:32:01.520-->00:32:06.525 make our research relevant to some of the policy needs um and submitting um our our results to 00:32:08.627-->00:32:14.399 government agencies and so right now I'm actually on leave from Carnegie Mellon and uh the chief 00:32:14.399-->00:32:21.006 technologist position at the FTC tends to be an academic who comes in for for a year or two 00:32:21.006-->00:32:26.411 um the other point I want to make uh for our our high school student friend is that um if if 00:32:26.411-->00:32:31.416 you know that you're interested in government service there are scholarship opportunities for 00:32:31.416-->00:32:37.989 you um so scholarship for service if you basically if you are a US citizen and um and have 00:32:37.989-->00:32:43.862 technical interest uh you can get the government to basically pay your tuition um in exchange 00:32:43.862-->00:32:48.667 for you then committing to do some work for the government and so it's a great opportunity. 
00:32:48.667-->00:32:54.873 >>Uh to amplify something Lorrie said um it's about explaining things to other people I mean 00:32:54.873-->00:32:59.511 the the community that we're all apart of here that you know this conference is tremendously huge 00:32:59.511-->00:33:03.849 even just this room is is filled with people this is a large amazing community and you could 00:33:03.849-->00:33:09.187 spend years your you could spend your entire career committing to and within this community and go 00:33:09.187-->00:33:14.025 very far but there are certain kinds of of things and certain kinds of impacts that require 00:33:14.025-->00:33:19.898 you to speak outside this community and to ma- make your work accessible and approachable 00:33:19.898-->00:33:24.769 to a larger set of people because even a lot of people who aren't professional information 00:33:24.769-->00:33:29.908 security folks, professional privacy folks have an interest in that, aren't dumb, like can 00:33:29.908-->00:33:34.212 can, like and are intellectually curious and are willing to apply and integrate that stuff into 00:33:34.212-->00:33:39.351 their work so it's so something to remember too that even though uh it you know you may not ever 00:33:39.351-->00:33:42.821 have to you may never be confronted in in your life with a time when you have to 00:33:42.821-->00:33:47.893 communicate to the broader uh community like it's the there are certain kinds of work where 00:33:47.893-->00:33:53.632 you really should do that. >>So um I'm also uh a loaner from academia uh I'm on loan to the 00:33:53.632-->00:33:58.637 FCC from Stanford um >>Go bears! [laughter] >>that was inevitable [laughter] you know we we can't 00:34:03.008-->00:34:08.013 all go to school at a country club. 
So uh so uh I uh I'm I'm in a different stage in my 00:34:12.317-->00:34:17.355 career from Lorrie of course um I hope to be faculty in the not too distant future but I'm I'm 00:34:17.355-->00:34:23.695 uh I'm just rotating out from grad school and so I want to note there are opportunities 00:34:23.695-->00:34:27.832 absolutely at that stage of your your career coming out of academia if you don't know what 00:34:27.832-->00:34:32.771 you want to do next you want to take a little gap between from between what you're doing uh in 00:34:32.771-->00:34:37.075 academia and whatever comes next um the government has great roles there um there are a bunch 00:34:37.075-->00:34:41.680 of great opportunities straight of college, straight out of grad school um uh there there are 00:34:41.680-->00:34:47.252 programs to support that um uh more programs are coming online all the time uh there are also 00:34:47.252-->00:34:52.457 wonderful internship and fellowship opportunities to explore um even even with uh you 00:34:52.457-->00:34:57.395 know six month or one year stint in government you you can have a tremendous amount of impact um 00:34:57.395-->00:35:02.934 so >>Or a summer internship which we we actually have uh three summer interns at the FTC 00:35:02.934-->00:35:09.307 in technology roles this summer >>Um and I I really want to em- emphasize Eric's point about 00:35:09.307-->00:35:15.313 communicating with folks in government uh I think uh kind of having worked on both sides and 00:35:15.313-->00:35:22.020 I guess I should come clean, I'm also a lawyer um the the way in which folks communicate in the 00:35:22.020-->00:35:28.693 hacker community is very different from the way folks communicate in government um and 00:35:28.693-->00:35:33.898 uh I don't for better or for worse but uh learning how to sort of speak 'Washingtonese' is 00:35:33.898-->00:35:37.802 really really important um that's something you can learn in advance of coming to the 00:35:37.802-->00:35:40.872 
government and it's a great skill set you can pick up if you spend some time inside the 00:35:40.872-->00:35:46.011 government. Yeah, over on the left >>Great thanks, uh Dan Tinen for the Guardian uh I have 00:35:46.011-->00:35:50.548 a question for all the panel members uh and it's kind of a general one. There's been a lot 00:35:50.548-->00:35:55.220 of speculation lately given the hacks for the DNC and Hillary Clinton's campaign that the 00:35:55.220-->00:35:59.724 actual election could be hacked in particular by a certain nation state whose name begins 00:35:59.724-->00:36:06.097 with R so I'm going to ask you to rate on a scale of one to ten, one being not a big deal, 00:36:06.097-->00:36:11.102 ten being holy shit, how worried you are about this happening and if so what worries you most? 00:36:19.277-->00:36:24.983 [laughter] >>So remember when I was talking about uh learning how to speak Washingtonese just 00:36:24.983-->00:36:29.988 before? Yeah um no comment? [laughter] >>Yeah it's yeah it's I mean I don't think it's not 00:36:35.660-->00:36:41.199 really any of our my certainly not my area of expertise here >>So I'm going to I'm going to 00:36:41.199-->00:36:46.871 use this as a pivot which is the other aspect of engagement policy is to know when to say 00:36:46.871-->00:36:51.876 that's a great question but I don't know let's bring in actual experts uh and fortunately uh 00:36:56.214-->00:37:02.854 since 2000 uh there's been a lot of great research on security of electronic voting machines, uh 00:37:02.854-->00:37:08.960 and I don't know where some of obvious people here uh right there couple of great professors 00:37:08.960-->00:37:13.364 out there uh the other lesson I would take away that's highly policy relevant is if you really 00:37:13.364-->00:37:18.369 are interested in this um go and volunteer for your local elections board uh you will be 00:37:21.106-->00:37:26.111 the only person there under seventy uh the seventy year olds are wonderful uh and 
it is a 00:37:29.347-->00:37:34.352 great way to learn how complex the technology and the bureaucracy and the ideal high 00:37:36.387-->00:37:42.060 level goals of democracy all work together. So if you are interested in understanding the 00:37:42.060-->00:37:46.798 security of the election system get some on the ground experience while you're hacking 00:37:46.798-->00:37:52.337 your election uh device as well. >>Yeah I I I have been an election judge in Pittsburgh for 00:37:52.337-->00:37:57.075 the past ten years and it it's a really interesting and eye opening experience I I 00:37:57.075-->00:38:03.715 definitely recommend that >>First off thank y'all for coming here today um I can't 00:38:03.715-->00:38:07.785 imagine it's exciting to be told you're going to be at Defcon as representing the feds but thank 00:38:07.785-->00:38:13.258 you for coming, appreciate that. And um that being said I had two questions mainly for the FTC 00:38:13.258-->00:38:17.262 where do you see the breach indus- breach insurance industry going and do you see that's 00:38:17.262-->00:38:22.033 going to drive private sector upping their cyber security game because we know legislation 00:38:22.033-->00:38:26.504 ain't gonna do it and is that a growing stagnating industry? So that was my first question, 00:38:26.504-->00:38:31.075 second question is, you said a minute ago uh you want smart and passionate people but the 00:38:31.075-->00:38:37.515 government culture tends to bring out a least performance necessary attitude. Is there 00:38:37.515-->00:38:42.987 anything being done at the executive level to change that kind of culture? 
>>Um yeah so on 00:38:42.987-->00:38:47.992 breach insurance um yeah I I once again I'm going to say that I'm not an expert in breach 00:38:50.028-->00:38:55.033 insurance and I'm I'm not really sure um on on the issue of of getting uh smart people to want 00:38:57.168-->00:39:03.107 to come to government um I I think that uh that the administration has made a number 00:39:03.107-->00:39:07.245 of pronouncements about wanting to do this saying that like you can wear t-shirts and jeans to 00:39:07.245-->00:39:12.016 work um you know it's a good start but that's not enough for you know just just along the 00:39:12.016-->00:39:18.923 lines um uh I I think that you know within our agency uh we're an agency that's mostly 00:39:18.923-->00:39:25.029 attorneys and um it's set up for to work the way attorneys work and as we're hiring more 00:39:25.029-->00:39:30.568 technical people we're saying wait we may need to do things a little bit differently for our 00:39:30.568-->00:39:34.439 technical folks so that this becomes the kind of place that they want to work and where they 00:39:34.439-->00:39:39.577 can thrive and I think the leadership is very much open to that. 
>>I want to add something 00:39:39.577-->00:39:45.583 on the culture change so 18F is a new office we're about two years old in the GSA and one of 00:39:45.583-->00:39:49.921 our missions there and in the rest of the government is to work on that cultural problem to 00:39:49.921-->00:39:55.760 attract people to government and also to make it a great place to work uh for people I'm actually 00:39:55.760-->00:40:01.332 I really enjoy my job at GSA it's actually the nicest most humane place I've ever worked uh 00:40:01.332-->00:40:06.404 in terms of remote work in terms of you know having uh being in the cloud for email on docs and 00:40:06.404-->00:40:11.509 calendar for having really nice people to work around me to have computers to deploy things to 00:40:11.509-->00:40:15.747 etcetera and that is that's a that's a really valuable thing there's something that's really 00:40:15.747-->00:40:20.485 dangerous though that I know we have encountered and I have encountered is that it's very 00:40:20.485-->00:40:26.724 tempting to talk about um culture change as people change and to talk about problems that 00:40:26.724-->00:40:31.362 you perceive in the government as problems with the people but that's it's really not the case 00:40:31.362-->00:40:35.733 and the government turns out to be filled with a lot of really smart well meaning people in 00:40:35.733-->00:40:41.339 some really terrible incentive structures with a lot of fear uh that drives executive level 00:40:41.339-->00:40:45.276 decisions like fear of being criticized fear of being punished fear of being hauled in 00:40:45.276-->00:40:51.115 front of whoever and uh that is it's it's that thing that you have to attack through 00:40:51.115-->00:40:55.386 transparency through a little bit of courage through changing incentive structures as 00:40:55.386-->00:40:59.857 necessary to re to reinterpreting or rewiring rules around hiring all those 00:40:59.857-->00:41:03.695 things and and yes those things are all 
being worked on at the executive level and at the 00:41:03.695-->00:41:08.800 ranking file level in different ways it is just a big problem the US government is the largest 00:41:08.800-->00:41:13.738 organization in the history of mankind um and it's very decentralized but it is being 00:41:13.738-->00:41:18.676 worked on all over. >>The only thing I would add to this as someone who is quite new to 00:41:18.676-->00:41:23.681 government is some advice that was given to me uh when I was first approached uh is your 00:41:26.484-->00:41:32.991 first boss is really helpful and I'm lucky and I think many of us are lucky to have fantastic 00:41:32.991-->00:41:39.697 supervisors who recognize that doing meet the feds and stuff like that is really important to 00:41:39.697-->00:41:45.136 the missions of the policy that we're trying to change and so if you're contemplating joining 00:41:45.136-->00:41:51.009 government uh think a lot about uh your supervisor and and what that relationship is going to 00:41:51.009-->00:41:56.013 look like because a great supervisor just makes your job a lot more fun. >>Hey um my 00:41:59.450-->00:42:04.155 question is a what kind of metrics or data points do you guys capture to make sure that 00:42:04.155-->00:42:10.361 your organization is safe or secure or on the right track? >>Sorry uh can you repeat the 00:42:10.361-->00:42:15.299 question, or Jonathan maybe? >>Yeah so what kind of metrics or data points do you guys 00:42:15.299-->00:42:20.304 capture to make sure that your organization is safe or that you guys are on the right track? 
00:42:27.612-->00:42:33.451 >>Yeah sure so I mean it sort of varies alright so um in terms of monitoring your own systems uh 00:42:33.451-->00:42:36.220 people use all sorts of different scanning tools, uh people use all sorts of 00:42:36.220-->00:42:42.060 different metrics about uh the kind of costs that are incurred on those systems uh I know that 00:42:42.060-->00:42:47.265 so one of the things I work on is measuring encryption presence and quality uh around the 00:42:47.265-->00:42:52.470 government and around 18F's and GSA's systems especially um and you know using all of the same 00:42:52.470-->00:42:56.140 tools that you all probably use things through Pasted Lip Curl things that are based in in 00:42:56.140-->00:43:01.078 SSLI's uh we use data from IPV from ZMap scans of the internet um you know we're we're running 00:43:03.181-->00:43:08.186 in UNIX based environments and so you know we we use the same tools that you all do um and and 00:43:11.489-->00:43:17.462 uh use that to improve our work. >>So I believe we're getting the signal from the goons that it's 00:43:17.462-->00:43:23.134 time to wrap up uh so thank you all for your questions um we're going to stick around for a few 00:43:23.134-->00:43:28.239 minutes to uh allow additional questions outside if you're not inside >>Please go out that exit 00:43:28.239-->00:43:33.244 door on that side of the room >>Thanks again [applause]