Written By:Jon White
July 27, 2017
The Federal Government is trying to get with the Cyber times. I listened in on a panel held July 28th @Defcon. The panel was called Meet the Feds. The FTC, Terrell McSweeny, FDA – Suzanne Schwartz, DOJ – Leonard Bailey and former DoD/DDS – Lisa Weswell were the representatives that comprised the panel.
They discussed how the government is starting to change its course of strategy in an attempt to keep pace with the changing landscape of Cyber security. Ms. Schwartz talked about how the FDA is putting focus on medical device manufacturers working with the individuals that ID device vulnerabilities. The manufacturers are trying to become more proactive in finding flaws and addressing these issues sooner. Regulations have slowed this process, but they are attempting to have them rolled back. In the IOC village (Defcon has a number of specialty Tech “villages”) they were holding a Medical device Hack-a-thon to promote the new strategy. The FDA is attempting to build bridges between the medical device makers and “security researchers”. The Concept of collaboration is being embraced…now that’s a thought.
Leonard Bailey spoke on the cultural divide between lawyers and coders. What acts are legal to perform? There often exists a grey zone, where there is no black or white when it comes to law. There is no binary until facts are pinned down. As products are tested/probed, engagement language needs to be explicitly spelled out. What is allowed and what is not?
The FTC is also getting in the game a bit, by trying to enforce more consumer protections. Over 60 Data Security cases have been opened recently. They continue to go after Robo callers and are being more aggressive asking for help from the Cyber community. A 25k award was set aside to solicit help.This would help to provide more secure devices going into homes. They are supportive of the FDA and ideas like the Medical device Hack-a-thon mentioned earlier,
My favorite panelist, by far was Lisa Weswell. She provided the most meat of the panel. She used to work for the Defense Digital Service, the DOD arm of the White House Digital Service. The DDS attempted to change Government culture in an effort to interact better with hackers and the security community. They convinced the DoD to open its first ever Hack the Pentagon pilot. There was a bounty paid for legitimate discoveries. Some got as much as $15,000. The hackers were able to register/and operate without fear of prosecution for their actions.
She said one of the biggest obstacles to the movement was getting the parties involved to reach a certain level of trust. The government had to extend an olive branch and agree not to keep a list of hacker names that participated. Controls were put in place to limit liability. This included outsourcing everything to contractors, so they could handle this process for them. The contractors hosted the events and responsibility was pushed down to them. Explicit guidelines were spelled out as to what was permitted. The hackers did what they were supposed to do. They uncovered many vulnerabilities to the sites and as a result coding got stronger. Many holes were closed through this effort. The program was very successful and there was no need to get the DOJ involved. One point she hammered… “Bad guys are already in your network, so let’s stop pretending. Let’s level the playing field to let some good guys in.”
The subject of developing new code was also discussed. She believes it is Irresponsible for government to continue to develop code with folks that are not coders by trade. It should be developed by actual software engineers. Also, don’t re-invent the wheel by having folks develop code for something that already exists. It is a waste of tax payer dollars. She believes the Government should be even more open to open source and contribute more to the software community as well.
A big point of interest for me was when she discussed changing the mindset from Compliance based to Security and Risk based methodology. This is something that she has been pushing. She mentioned, it has been a slow process to change this culture. One of the biggest obstacles is training. Admins have been coaxed to focus on singular things from a compliance check list. This usually results in a technician not agile enough to look for things that are actual security issues. She did indicate that she was seeing big shifts in the thought process of organizations responsible for network security. The challenge is real… Stay Tuned…