tv Key Capitol Hill Hearings CSPAN May 4, 2016 10:00am-12:01pm EDT
10:00 am
>> voters in england will decide whether to remain part of the european union. david cameron is leading that campaign to remain in the eu and today he will go before the british liaison committee about the upcoming referendum. you will be able to watch that live starting at 11:30 a.m. eastern on our companion network c-span. here on c-span2, a conversation on privacy, security and government surveillance live
10:01 am
from the houston institute in washington starting at 12:15 p.m. eastern. >> recently our campaign 2016 bus made a visit to pennsylvania during the primary, stopping at grove city college, slippery rock university, washington and jefferson college where students, professors and local officials learned about our resources covering the campaign trail. visitors were able to share their thoughts about the upcoming election. our bus ended the week in warrington, pennsylvania where this it a middle school. a special thanks to our cable partners, comcast and armstrong cable for their help in coordinating the community visits. you can view that when he documentaries at cam.org. >> coming up next on c-span 2, a conversation on smart homes, homes that have lighting,
10:02 am
heating and appliances controlled remotely by phone or computer. we will hear about the benefits of smart homes and privacy and security risks from the atlantic council in washington. this is about 90 minutes. [inaudible conversations] >> good afternoon. welcome to the atlantic council. i am the director of the center here and vice president for the council. we are thrilled to welcome you to our event, smart designs for smart homes, for the launch of the new issue brief which we have out there, smart homes and the internet of things, and discussion also on the opportunity here that networked homes will offer to society as well as the risks that they pose to security and privacy, so interesting topic that will be
10:03 am
increasingly prevalent in our daily lives and also with broader implications. it is thursday, and this afternoon's conversation is part of our monthly series. i will go home tonight and figure that out, but, the series as many of you know if you come every month is designed to convene cyber experts from different sectors to examine topics at the core of the council's cyber mission. today is a special cyber risk thursday because it's my pleasure to announce that one of today's panelists, joshua corman, will start tomorrow april 1, as the director, new director of our cyber statecraft initiative and even though it's april 1, that is a true statement. josh is also the cofounder-- no one is happier than me about that. [applause]. >> josh is also the cofounder of i am the cavalry, a grassroots organization that encourages new secure you
10:04 am
purchase in cyberspace and beyond in response to the world's increasing dependence on infrastructure, so watch this and the program will be heading more in the direction of today's conversation, but even much further. josh has employed a very unique approach to security and policy by connecting human factors, adversary motivation, social impact to help position him as one of the most trusted names in this space. before joining the council, he served as chief technology officer for sonatype and adjunct faculty member at carnegie mellon heinz and we are thrilled to have him. before i let josh take the stage for his remarks, i would like to thank our media partner passcode from the christian science monitor for joining us and welcome those of you who are following the conversation online. i encourage all of you to join the conversation on twitter using #accyber as well as cm passcode and josh will give you
10:05 am
another account to tweet from. and now josh, over to you. thanks very much. >> all right. thank you for coming. my name is josh corman and for the next hour i will still be the chief technology officer at sonatype, but i am excited to start tomorrow. i think it's a key point in history. about three years ago we decided to do this, i am the cavalry thing and in some ways it's a terrible name and in other ways it's a wonderful name, but we found we are growing more concerned our dependence on connected technology was growing much much faster than our ability to secure it and while many of the best and brightest in the cyber security realm are trying to protect credit cards and highly replaceable assets, we saw this dependence was permeating our automobiles, homes, everything and we are putting software and
10:06 am
connectivity into every aspect of our life. what we know in cyber security is once you add software you make something hackable and once you connect it to something else it is exposed, so to me that internet is not that software is eating the world, but software is infecting the world and if we are going to place our dependence upon it we need to make sure it's dependable and worthy of trust, seven and came from the recognition the cavalry isn't coming and it was a call to action to the voice of reason and technical literacy in the research community to say stop waiting for someone to come solve this for you, look to your left, look to your right, if you're not sitting in your chair they're not coming. it is the personal adaptation that i am the cavalry and once we're outside our comfort zone and talk to public policymakers, general public where bits and bytes mean flesh and blood. we want to focus on the intersection of technology and human condition, but more specifically where the
10:07 am
consequences of failure included public safety and human life. without much of a plan other than boldly going in that direction, we started the chain of influence and meeting with people in washington and going to places we didn't normally go speaking with people we didn't normally speak with, but really with empathy and a score in the heart of an ambassador we have tried to bridge the divide between the technical community and policy community. in just the last three years of experience we've seen the fruits of that labor. in fact, on this stage last march i met suzanne schwartz from fda, which really catalyzed a high trust, high collaboration relationship and you saw the january's postmarket guidance for connected medical devices and a 180 in their attitude toward security research and now essentially almost requiring medical manufacturers have a positive relationship with the research community by
10:08 am
encouraging the adoption of coordinated disclosure programs research. we have seen the experiment work and what becomes clear in the meantime is if you look at the headlines, this has gone from a concern we are worried about on the horizon to one happening in real time. just the week before that security conference we saw the hack of a nissan. we saw the first self driving car have an accident going at 2 miles an hour, but google did hit a bus. more recently we saw ransomware so debilitating to a hospital in hollywood, 40, that they had to move patients, potentially critical care patients and now, we see yet another one, which is now actively probing other hospitals. whether they are targeted attacks or indiscriminate collateral damage, this dependence in areas affecting public safety and human life is coming to the forefront. i was just in munich for the security conference discussing
10:09 am
how maybe this is not about norms and treaties between nation states, but we should also be looking at cyber safety exposure to sub nationals, activists, people maybe with less resources and less hacking skills than the will and might of a nation state, but with more willpower to use it and as you have seen recently we saw the unsealed documents confirming iranian hackers manipulating controls in a water facility, so if not now, then when? i'm really excited about coming here and today's topic is someone has to fill this void and we have to act quickly to know what the right thoughtful and plentiful response will be to cyber safety and i'm honored to be picking up where jason healey left off with cyber statecraft initiative and bring a heavy focus into cyber safety because this is not only-- the impact will simply be measured in public safety and human lives, but confidence in key markets like automotive and medical and if we would like to
10:10 am
avail ourselves of the safety advances or if we would like to improve the state of patient care through use of modern technology, a critical element of that is public trust with these technologies and it's up to us in this room to drive that conversation and make sure we don't wait for a really serious failure that scares people away from trusting these technologies, but we preserve and deserve the trust we place upon them. in today's installment we would like to talk about a paper, originally a collaboration between the members of the cavalry and myself and the atlantic council and greg lindsay on smart homes and while there are several reasons to look at safety and privacy in the home with ever connected consumer electronics and home alarm systems and appliances etc. and while there are promises we want to make sure in our desire to adopt these new technologies we can maintain the trust and confidence in them, so we don't have a nightmare state scenario.
10:11 am
a report came out today and if you have not looked at it and if you read one and only one thing please look at the scenario from 2025, but we will get into that a bit on the panel, so without further ado i'm excited to have my first panel at the council in a different role. us about our panelist to the stage, please. we can clap for them. [applause]. >> all right and i will go down the line here. please wave your hand: greg lindsay, andrea matwyshyn and beau woods, deputy director for cyber statecraft initiative. would you like to introduce yourself? >> i'm greg lindsay. i am also a senior fellow at the new cities foundation, contributor at fast company and variety of other
10:12 am
sort of posts regarding city, technology. >> once we go down the line we will get opening remarks. andrea matwyshyn. >> i am a professor of law and computer science at northwestern university and also a visiting research collaborator at the center for information technology policy at princeton and affiliate scholar of the stanford law school center for internet and society. i also had the privilege of serving in 2014 as a federal trade commission senior policy advisor focusing on securing privacy and their academic residence. >> and beau woods. >> i have to follow that intro, unfortunately. i am beau woods, deputy director of the atlantic council cyber statecraft initiative with about 10 years on the technical side and now, for the past couple years working with the cavalry
10:13 am
coming more to the policy side. >> okay. we will start with greg and give us framing thoughts on the idea of smart homes, the promise, the peril, how do you see this issue? >> i have been covering really the notion of smart cities as my way into this issue and i covered when ibm and its big three during 2008, after that election of president obama and the financial crisis and there was a whole shift in how we approach what is now the discourse around the internet of things. when we look at smart homes it's always been extremely tech heavy market campaign. there's no organic reason to want a smart home. when you go back to the 1930s the first vision of smart home started appearing and that trickled into visions in the 1960s of the jetsons, walt disney and the notion of these pushbutton automated homes that would relieve us of
10:14 am
drudgery, but in the 80s it was tech companies like microsoft and others pushing this idea that the future of computing was the smart home, home of tomorrow and filled with these visions of how we would automate our homes. consumers never really wanted them. we saw this elaborate push to create elaborate interoperable homes and of course they were buggy and brittle and taking great analog systems and making them harder to use. the real problem with smart homes separate from hacking is the notion we all remember in the early '90s when we couldn't even make the computers work with our printers and the question is do you want your house to work that way. this led to consumers not embracing it and if you have seen the press release out there, polling 9000 people around the world asking about their appetite for smart homes and the americans in the study who live with the vision the longest, 45% could see no reason at all why they would want a smart home. by far the number one reason to
10:15 am
want it would be cost-saving, electricity and so even today this notion that we will live in these beautiful perfect seamless homes of glass where everything is a touch screen surface, people just want cheaper electricity bills. so we are still looking for the first really killer app. we have a whole nightmare scenario in there that josh mentioned about what it will be like living in one of these haunted houses, made haunted by hackers and worms and everything else but it boils down to the question of how will we realize the problems of the end realize this vision. will it be powerwall, electric cars that will free us from grid dependence of-- [inaudible] >> you are the co-author, so we will let you go next on framing remarks. >> so, one of the things in doing the research for this that became clear quickly is looking
10:16 am
at statistics, some of the statistics intel announced today, for instance, but also some of the other work done, it became clear that while consumers have an expectation that they will have to have these devices, they are terrified of them. something like 66% are afraid their smart devices will be hacked and the data in them will be extracted out of their homes for some kind of commercial value by an unwanted intruder. that's a pretty scary number for anyone who is trying to sell into that market. so, one of the biggest things as josh highlighted early on is we are already trusting these devices and smart homes, clearly consumers don't necessarily trust them. they may not want them, but they feel like they will have to buy them and in going around to some of the other places and other
10:17 am
industries like the automotive industry, like the medical device industry, every auto conference i go to now people say, i don't want one of these new cars, it's hackable. i will get an old car from the 70s or 80s and drive that around because that will be way safer. no, it won't. that's the opposite thing. in medical you see people like diabetes patients like jay radcliffe who have said i don't trust this device to work in a way that's automated that can affect my body chemistry. i'm going to go back to injecting myself 15 to 20 times a day with insulin. these are personal choices people make, but in aggregate those choices have a really significant potential impact on the market share organizations think they will get from some of these investments that they have made in internet of things and smart home devices. so, if you are a kickstarter-size project and you think you got a 10 million-dollar potential pipeline, but it in
10:18 am
the pulley being $1 million that you got a business. your business model won't sustain a 90% degradation of your market. same thing for larger players only with less severe consequences in their business model, but some of the internet connected things they are creating may go off-line. you may not have the products and services associated with the smart home that you thought you would when you bought it. because there will be financial impact if we don't recognize and realize the market potential that exists for these or projected market potential, so i think that is one of the hidden bad things that could come up in two or three years is we start to see significant investments that have been made by corporations and cities in connecting everything go away. they are not realized and that has a significant financial consequence to us as well as to global product makers and markets.
10:19 am
>> indeed. all right. what about you, andrea? >> following up on the excellent points i will highlight one competition concern and one consumer protection concern. on the competition side following the comments, there is currently a deficit of market information to allow consumers to make informed decisions across devices. for example, pricing structure disclosures with products don't usually disclose what the lifecycle is of a particular product. how many years will the product be patched? how many times have penetration tests been run? the quality of the security and code integrity in a particular device is not necessarily something that a reasonable consumer can take into account when trying to decide whether this product that costs $15 more is worth an extra $15 versus this other product when they are both apparently the same iot
10:20 am
device with respect to functionality. thinking about those hidden costs rather the park is rewarding iot companies that are investing in security and taking care of the consumers that are trusting those products with access to their homes and information. so, that's a competition point and on the consumer protection side, there is a bigger conversation plane up on some of the other comments about the question of what i call technology suitability or sometimes the fancier technology is not necessarily the better technology for getting a particular task accomplished. i say better with bacon because as some perhaps overzealous chefs think if they sprinkle bacon on everything that is suddenly that much better, but if your diner is a vegetarian you just destroyed the diner's meal. so, thinking through what task we are trying to accomplish when
10:21 am
bringing a device into our home or enterprise and how those connections facilitate or add risk to the bigger picture of our lives. so, let's quickly take an example, let's say i'm a state department employee and i live in dc and i'm out shopping and i see this really neat connected oven with an app and i can operate my oven from my phone. gee whiz, that's kind of cool. but, thinking through how the oven connects to my wi-fi network, what kinds of information i access from home with respect to my professional life, whether there's sensitive information that could potentially be compromised if the security on the internet connected oven is not necessarily up to par and
10:22 am
whether vulnerabilities are getting patched. we have already seen the first internet ovens exist and the first vulnerabilities on internet ovens, but wholly apart from the data control aspect, if you have a small child in the home, for example, and the child likes to play with your phone maybe an internet connected oven with an easily accessible app is not necessarily the best choice for your home at that point in time in your life, so thinking through the totality of circumstances and how the technology capabilities of particular devices, iot devices you bring in your home connect with those tasks and risks that are the reality of your existence is the consumer protection side of this puzzle, so with one hand we want to reward the companies in the marketplace that are doing a great job and thinking about security and consumers and on the other hand we want to train consumers to help themselves inform and make good purchasing decisions.
10:23 am
>> thank you. so, speaking of that, when we launched the cavalry initially we talked about four different projects with four different markets and regulators and market dynamics. one was automotive cyber safety, medical cyber safety, industrial control and public infrastructure, which is a large and difficult grab bag and the last was consumer iot and the home. we kind of put the iot and the home on the back burner because with a focus on public safety and human life we said we love our privacy and we would like to be alive to enjoy it and more of the life and limb kind of consequences were found in the others, but it was a very exciting opportunity to work with the atlantic council and greg on this because it forced us to stretch which models we have been using to solve the problems andrea outlined for cars and medical devices and many of you have seen these, but we had a five-star automotive connectivity for vehicles and
10:24 am
while it has fancy names the way i would describe it partially to my neighbors, all systems fail, please tell your customers how your blitz belliard, how you take help avoiding failure without suing the helper and how do you capture and study and learn from failure, how do you have a response to failure and how you contain and isolate failure. more recently this january, we published the hippocratic oath for medical devices which is similar. when we tried to apply it to smart homes and we will have the so, they question this morning, we found those controls are useful, but there were additional market enablers and information to customers that were required, so the teaser to the audience is think of what you would do to help the consuming public avoid products that may endanger their family's safety or privacy. we will pose the same question to our panelists, which i will join now.
10:25 am
so, first question, if we got smart homes right and this is for anyone, if we got it right and i know you have been skeptical that we can get a smart home right, what is the primary case you would want to see out of an intelligently connected home? anyone? >> i will go first. going through in looking at some of this i really like the convenience features of some of the smart home stuff. i don't have an amazon device to tell me when to reorder and automatically reorder, but it appeals to me because sometimes i forget to buy detergent, so if i could have a way to just like say into the air, alexa, buy laundry detergent and it will automatically refill it then that would be easy for me and that would mean i could show up to work with clean clothes, maybe one day when it wouldn't have happened otherwise. so, for me i think that convenience factor is really where the sweet spot is for
10:26 am
smart homes. not necessarily to automate my decision-making process, but to make it easier to act on those decisions and help inform the process. >> anyone else? >> i agree with beau in the sense that convenience is the reason it will happen. the fact that everyone anticipates a smart home will happen, but they are terrified of it and they don't know how i think is an extension that comes out of the framework that exists now by facebook, google and others which is we harvest your data and resell it to others. if the service is free the product is you, so the science fiction author has written about this where he looks at the internet enabled fridge, is like icon of failed dreams of the smart home and really the true internet of things is a fridge supplied by amazon for free or at least that cost in exchange
10:27 am
for them harvesting data and you won't need to tell alexa you ran out of detergent because amazon already has the patent on predictive ordering. so, i think one of the problems is convenience will create this data regime, data capitalist regime which is all about harvesting your personal information that will lead to the vulnerabilities we haven't some of the use cases about. i'm most excited about some of the stuff around home utilities and energy stuff. the most exciting consumer product is the tesla powerwall, which is interesting because they canceled the larger capacity version, but the notion of doing what's been talked about for literally 35 years by people to create more sustainable resilient micro-grids to really enable the shift of more renewable solar powered energy because you have home storage products that could feed into electric cars leads to an interesting shift in how we produce and consume energy that has implications for climate
10:28 am
change and other strategic issues for the u.s. i like to think it will be done. >> for me, i think the best case scenario is a home where the iot gadgets are totally personalizable, totally customizable because the assumptions that work for say the majority of people don't necessarily work for all people, for example i travel a lot and so if i had automatic ordering of certain things there would be a constant pile of rancid food and various products sitting outside my door blocking entry, fire hazard and probably my neighbors would hate me. there are individualized needs that consumers have whether it's to facilitate their engagement with a particular product or because their life is structured a way or because they have special limitation on their environment because of a particular other human in the home or their own physical
10:29 am
challenges that they have, there is a need for customization that sometimes is absent in some iot devices. so, i think my ideal iot home would be one where human override existed on all of the things and the devices would allow me to tell them what i want them to do, not assume that they know what i want them to do. >> interesting. yeah, i think i've always been interested in the power savings and the smart meters and the dynamically picking the cheapest price and that kind of idea. execution has been a little different. one i have struggled with is i thought there was promise in smarter use of networked sensors for home security. stunningly, i've been disappointed to find nearly every bluetooth door lock or automated high-tech home security system has been compromised by one of our friends.
10:30 am
i don't think that they'll get on any of that equipment they have tried, so it's ironic the devices we buy to keep bad guys out of our home may be the very thing that lets them into our homes, so we talked about nightmare scenarios and here in this future, but what do you think the most likely realistic first hack is? i know we have baby monitor screening, but what is likely to be compromised first in the over connected home? >> i will take that again. so, i have-- if you have read the news lately about hospitals and the ransomware compromising devices to be able to monetize that and one of the things i think started looking at thinking about early on is if you have a fridge that has a monitor on it, that might be hackable and if i had your
10:31 am
attention span for two seconds i'm going to serve you an ad, so whether the product maker intends that to be the outcome or whether someone hijacks that project to serve you ads when opening the fridge to get milk, maybe it serves for different the premise of the like that, but i would expect that type of driver to be the first catalyst for someone to want to hack a smart home device to advertise to you and if you do it the right way-- i don't want to give me ideas, but if you do it in the right way it will be undetectable from normal operation of the device. it will say this fridge must have updated the software and now they are selling ads. i don't like that. you will think it's a manufacturer that did it. again, there will be brand reputational impact. you can also see a similar thing accomplished not by actively reaching out to change something, but one of these smart homes go under or forget
10:32 am
to renew their website and someone just goes and buys the domain name. now they have complete control of infrastructure that your smart devices are connecting to and they could again change the firmware, whatever. if they just put a file out there, then you, your fridge goes and retrieves and pulls it, that might be totally legal. i don't know. it's conceivable. we have someone who knows or would be able to tell us, but it's conceivable that it's legal someone just forgot to renew the domain name and that would probably be my first expectation would be someone would hijack it to serve ads or other financial mechanisms. >> i think a lot of people look at the device themselves or how you can manipulate sensors, but most of the internet of things have some sort of back end harvesting or storage or configuration so that amount of information through any of these even if any retoucher device
10:33 am
could be interesting on the backend. anyone else? >> i don't know if it will be the first, but i think one of the most interesting ones that will happen is one that is not hacked at all, but simply extension of the logic of how this is developed. that's the notion tim o'reilly, publisher of the o'reilly books, that the business model of web 1.0 was advertising then web 2.0 and internet of things will be insurance. there's another saying, i forget who said it, in the future every piece of data is a piece of credit score data and there is a whole bunch of startups using that to figure out your financial viability. one of the things in the nightmare scenario, which is not even a nightmare, just an extension, but the notion something borrowed in which a protagonist can't open his door because he's behind on payments with the landlord so yes unscrew the door off the hinges and we start to imagine in the future we are like basically behind or
10:34 am
your credit score says you are unviable to run the smart home and you are essentially locked in your house until you pay your back bills. we imagine you turn your power up during the day and crawl out the one window that you have not turned into a smart window and this is the logic that comes out of uber drivers taking vehicles that are financed by uber and there are financed in their cars are switched off remotely and they are unable to drive. we have already seen these systems evolve, where there are punitive punishments. it's interesting. you think you own a smart home, but we know from things like the digital millennium copyright act that in the future your house will be a license from the software companies and if you fail to meet the terms of service you will suddenly be shut out of your house by not even hackers, but by the actual companies that supply this. >> i think we can also assume the techniques for marketing that we have seen used in the smart phone phase will extend
10:35 am
naturally to all of the iot devices, so for example there are currently some enforcement actions potentially in progress relating to apps that surreptitiously buried somewhere in the license agreement received consent to turn on the microphone on your phone in order to monitor your tv viewing habits in your living room. now, undoubtedly you have additional information also collected about the private conversations happening in the room and we had smart tvs behaving in similar ways through the remote control collecting information with the microphone. so, i think it's reasonable to extrapolate from marketing purposes that all of the devices will look for new streams to monetize the information that they have access to. short of voluntarily binding
10:36 am
themselves to never do this, in some sort of non-amendable way in the contracts, i think it's reasonable to expect that most of our iot devices are planning on a secondary stream of income and to the example of the locked up cars, we also had in a consumer scenario we had creditors who were cutting the engines on some cars while the debtors were driving and that caused safety issues. so, while a car is maybe not strictly part of iot home, it is in the garage and vaguely connected, it's all part of this bundle of iot devices that have that remote access capability, not only for the consumers, but for the authors of the code and that creates a wrinkle in some of the traditional relationships of control that
10:37 am
consumers have come to expect with respect to the product that they purchase. >> i will give an exotic one. as soon as i learned of the cost savings you could have with the intelligent thermostat like from nest, thank goodness we are good guys, but we had the idea of essentially small manipulation on a large population of nest devices to essentially pump and dump based on investments in energy sources in the region, so you could make a significant amount of money quickly by making small adjustments to many homes' consumption of electricity. that's the more exotic one. i think one of the more troubling ones is think how many devices right now are connected in your home to the wi-fi, just try to-- is it five, larger than last year and how many will be there in a couple of years? if you look just at the home router, the wi-fi routers, about half of the original infection that made many reset your
10:38 am
passwords or your social media accounts, about half of the original infection spread were compatible, so you had devices that were vulnerable to the attack, but could not be remediated at all. a lot of these devices exposed, you may not have known they were even running this or connecting, so i'm more worried about the zombie leper colony of these devices where any one of them that fails is now access to every part of my home network including more sensitive work material, cameras that monitor my children, front side camera my television without turning a light on. i'm actually looking for devices that are not smart. i want a market for traditional dumb devices in some cases. >> that goes to my competition point that as we march bravely forward into this world of iot, it's not only about consumer choice along iot devices, it's
10:39 am
about consumer choice with respect to how technologically connected these devices are. losing the bottom end of the not connected devices, a form of improv first consumer choice or marketplace becomes impoverished if we eliminate the ability to have a less vulnerable option when we need it. of course, the scenario of the home and having just one device be a point of compromise, not only is the information on your home network, but if you're the state department employee i referenced, that attacker who accesses your network through that one unpatched security camera can then potentially follow you onto your employer's network because if you are accessing that network from your home network they can piggyback on and suddenly they are not only obtaining your privileged information, but the privileged
10:40 am
information of your employer depending on who your employer is it to be a national security issue. we have seen exit no compromises happen by consumers who are simultaneously government employees, for example, when we look at the sony drm rootkit problem from 2005 where these cds had code on them that is intended to be digital management code, but in reality it was coded in a way that opened a security hole in every system that the cd was played in. dod employees played cds in their work machines and other government employees played those cds. the employees clearly never intended to cause you problems for their employer. they were just trying to listen to music the same way consumers will never intend for their comical cyber toaster that they just purchased on a whim to cause a security problem for their government employer with
10:41 am
sensitive information. >> i was at an event at the new york auto show last week and we were discussing security issues and one of the things was they had discovered a backdoor into one of the cars where gus, exploiting the cds where various character strings in the cd you can pop it in the cd and suddenly you can unlock access to the systems below. also, it's funny you bring up the notion of purchasing your cyber toaster on a whim because there has been this interesting proliferation of interesting sites like wish.com, and others that sell inexpensive chinese manufactured goods we don't know the total provenance and we can imagine also said interesting state actor level stuff where you can push a profusion of compromised devices that can then create trojan horses into the homes where you are now-- your phone, your emoji and suddenly it's based date-- hacked into your wireless network and a has been, but now,
10:42 am
we imagine this stuff in the house. >> i think also about a month ago and i forget who it was, but someone in the law-enforcement apparatus of the us government said we love this internet of things proliferation can't wait to use it to find the flaws and use them to track down, identify, surveil potential criminals. well, kind of extending that a few years ago dod forbid any use of these because they could become ways to transfer malware into sensitive networks. now, does that mean dod will issue a new memo saying you cannot have any smartphone devices? back to an earlier point, what will that do to some a smartphone devices for now maybe potentially dod or any state us employee might be forbidden from buying certain classes of device because they are so
10:43 am
poorly secured over the lifecycle. so, that's one of those things that could become a wicked problem in the future. what her that in a relations we can even think about or expect right now that will come about 10 years down the line based on choices, design choices of purchasing choices we make today >> i think there is an interesting issuing professionals in the military where leaving incredibly strict guidelines, physical security access, what technology can use, with systems can access the network and we are locked out of people bring their laptop home for their work home and wearing currently lacks their. i remember one christmas there was a story about the digital picture frames a best buy where certified preowned from china, but this is not a rare occurrence. especially on the lower end of the devices for the consumer.
10:44 am
i remember having to leave my electronic at a military base and could not bring anything in, but the general i was speaking with had a rotating set of pictures on his digital frame and i said so why is that allowed in here. this isn't simply about your home. it's about these consumer grade electronics. if i were a hacker trying to do competitive industrial espionage i would compromise microphone capabilities on all the smart tvs and in the boardrooms of my competitors. there are a number of cases and we are just not creative enough in our assessment of what people will do because our guard is down when we are at home. so-- >> my question is-- i'm used to moderating panel so i will ask questions, also. to me what's interesting is coming from a industry view, this is not something where consumer should be required to handle their own security. test b manufacturer level and to me it's interesting that right now the whole internet of things is basically a gigantic glacial
10:45 am
bottle of various standards. yet cisco pushing the internet of everything and ge pushing the industrial internet and there is people are fighting this a negotiating and boardrooms and security is a low-level discussion and to me, how do we bring that to the forefront with the manufactures and also is there a way to sort of create the sort of nested hierarchies of secure networks inside of homes so that whatever i bring home does not automatically have same level of access privileges? these are not new problems. it's been addressed in every government level, military and enterprise ideas. we have refused to deal with it. >> i would love to probe some of these. one framework we have been using for iot is a very obvious question is when we saw this in the enterprise, we have it, by the way, but the assumption is how is iot different and a really simple framework i use is very different adversaries have different motivations.
10:46 am
there are different consequences of failure. there are different operational context. you will be behind a physical security and perimeters and network layers. there are different compositions of the hardware, firmware and software used. there's different economics, which is one of the big problems and there's different timescales. some of these things, the time to live might be a year and semi 30 years. how often do you replace robin? so, those things take some of our best practices and shatter them. that is one thing, but within those there are a number of things preventing us from doing well. what do you think? >> if you look at corporate it security apparatus, there's about $80 billion a year spent globally increasing it and about 10% year-over-year on products and services. i think the total number is around $2,050,000,000,000 if you include it people and that's on top of the existing it
10:47 am
investments made. this is just add-on. if you buy a couple hundred dollars worth of smart home gear , will you also then buy a couple hundred dollars worth of security gear and managing to maintain it and give it out? i have done it stuff. denice-- it security stuff in my day job and when i go home i don't want to do that, so it's like the story of the cobbler kid has no shoes. i will be one of the worst people whom i stop will be woefully unprotected if you leave it to me to do it and i am capable of doing it. i do it professionally, but poor people like my mom and other consumers who are less well educated in cyber security, what is the hope they could possibly be able to secure their devices in that corporate it security space transplanted onto smartphones secure to? >> one of the other problems that exist is that we really have not created what i might
10:48 am
call digital infrastructure around security flaws generally, not just iot context, but more broadly and traditional context. we have certain ways of assessing vulnerabilities, numeric system for trying to identify them, but those systems are not scaling optimally, particularly in a world where there are billions of iot devices and if so these are bigger picture problems about infrastructure information, infrastructure or vulnerability information sharing that we need to bolster and scale and improve in order to be able to get the information in a sensible way, to allow comparison of the products based on security to help consumers make good security choices, these underlying steps are not yet fully developed. so, we like to talk about information sharing frequently and discussions of information security when talking about
10:49 am
legislative paradigms, but just sharing the existing information doesn't solve the underlying structural deficit that we still need to work through. iot is potentially crystallizing the inability of what we are currently using to scale in the best possible way to build our society out with this high degree of connectivity while maintaining the traditional balance of consumer protection and competition in the market place. >> i'm going to ask one more kind of rapid fire speed run of the panel and then i will encourage you to also ask questions. as far as what to do about it, i agree-- my neighbor will never be a security professional and they never want to have to be the it person for their own smart home across dozens of devices, so we outlined several recommendations of what either add transparency to consumers or basic spec to capabilities to
10:50 am
reduce possibly harm. what do you think would be free to use one or more, what would be good additions to that we recommend or elsewhere that could make it so we don't have secure these things and we're getting more inherently secure? >> i think one of the biggest things is some of the existing consumer practices in non- smart devices. one of the things i found fascinating and talking to people in the retail industry is of course, we go in to buy something and we bombard the people with questions unless we have done tons of research and we know it is and that's also one of the retail folks that concerns. so, if there is some way that a store employee or retail outlet can be able to have a quick answer of, yes, it's secure rather than well, here's what you do, put this in front of and do that and-- if they can have
10:51 am
those quick answers, that helps them sell more products, which goes back to the market competition drivers, so if someone comes into a store and says what is the most to secure x device in the retail employee can say is this when i can tell you why with three simple bullets, but also you can read for yourself. i think that is something that is powerful to go-- goes up to a retail channel. barring that, there is remediated action you can go through if for instance someone markets something with a secure web cam or secure baby monitor and you find out it's very much not a secure device. there are ways you can contact the ftc to report these things, so this may be a technical thing , but that is something my mom can do and she has done before, to call better business bureau or someone and take that step, which a lot of people don't talk about in our industry. i think we should talk about those more. >> okay. >> this might be the utopia, but
10:52 am
i was begin earlier the discussion about recording devices and smart televisions, if i recall correctly the samsung smart television where if you read the terms of service you that it was regarding accommodations and it actually said at the bottom do not have personal conversations in front of the television. that's at every thing because rather than have a television that did not record your conversations and rather than have the option to have it not record your conversations you simply assume the risk it will record anything you say and be used against you. to me the utopian broader political discussion we need to have is we need to end the current data collection regime, which is the fact that any hardware maker with their services will collect everything they can from you and they own it. we need to have some sort of scheme or alter the scheme to create that you own your data, something like world economic forum new deal data or some other approach i would create real protection around your data which would then force the manufacturers and providers to
10:53 am
then treat it with the appropriate seriousness rather than, you know, just don't have personal data in front of our devices at any time because they need a have to worry about it begins the one, which is the current regime. >> that's the price that it doesn't reflect, the data collection having which goes to the broader transparency point. i think one other thing i will contribute before we open up for questions is the hopeful? that this is a space where technology tools can help to translate concepts for consumers, policymakers and creators of these technologies. we have a robust community of experts who can act as third-party auditors, but sometimes that information doesn't translate well in filter into the public consciousness to inform the less technology sophisticated consumers with respect to the state-of-the-art of what we know to be true in
10:54 am
the security research community. building technology tools, being able to facilitate the translation effect both among consumers, but also to help small businesses, creators better embrace the importance of security by design from the ground up and to recognize that security isn't something you can slap on the end of the process. it's not a band-aid that can be layered on. data needs to be inherent in the broader structure of the device and architecture of the device or it's a lose lose both for the creator and for the consumer. >> well, a very large thrust of the five star for automobile crash test is that you don't have to know the differences between the three star, four star, or five star and it becomes an actionable device for less informed public to tell relative safety ratings of different vehicles and that's one of the reasons i five-star automotive cyber was not meant
10:55 am
to be a checklist of security things thou shalt do, but more the kind of things you had invested so when the public becomes more savvy or interested in this buyer criteria they can at a glance in a consistent way until the people are doing. in a several of those are outlined in here as well, but i think one that came to mind is there actually was a congressional action from a chairman of the house of foreign relations called the cyber supply chain management transparency act of 2014 essentially asking for food labels for software that if you sell to the government you should have building materials used and no security defects and they should be possible. you can imagine how much software industry hated this bill, but just yesterday we did a webinar with financial services industry where they said that's a great idea and they basically are now saying to the big software providers, we
10:56 am
want to see a food label of the software you are selling us in your commercial goods. that's where they stopped. what this allows you to do is make a more informed decision work with abby good for my mother lot? no, but could that allow organizations to tell who is better or worse hygiene and one thing i'm telling all my friends and family is if you buy an internet connected device it better be patchable and that's a simple thing to ask for because-- and the other thing i tell them to do is don't buy internet connected device if you don't really need it, but part of it is you must be this tall to ride the internet of things that if you connect it and expose it you must have the ability to fix it. with that, is anyone in the audience going to question? when a microphone. feel free to also say what you think we should do for the actionable decision making. go. >> so, one cannot-- i'm a security practitioner as well and one of the things i've
10:57 am
noticed is i'm looking at these devices and i stop for a moment and think if i wanted to see how secure this device is, what would i have to do and i think about it and i think about it and i think about it and compared to what i would have to do for a piece of software on my computer, it's unbelievable. i mean, and i do this, like i have the gear to do this. i don't want to have to buy two toasters and take one apart and start connecting to the pins employees in that kind of thing. so, i think the problem that calls for the star rating or whatnot, i think it extends farther in this world than it ever has before. it's kind of weird in that there is a level of transparency here that even though these devices are simpler, they are even more opaque and more-- than the more
10:58 am
complex ones we are used to in cyber. >> moreover, it may be illegal for you to do that analysis thanks to the computer fraud and copyright. thank you for the comment. let's take three of these and throw them into the melee. over here. you can speak loudly, for the video, please spirit there is a new security research exemption for research on including iot devices, security research that conforms to the limitations of the exemption, so basically everything is consumer product and loosely covered by this exception, which allows for the circumvention, not being a violation of the good faith testing and of the code in consumer products such as iot devices in order to analyze the time for the integrity of the code and whether they are flawed.
10:59 am
[inaudible] >> i'm in a different generation then you are and we used to play games with peoples minds, so if i had something in my house and i knew someone was monitoring it , which is played with information, but it seems to me the network's passing laws that makes it illegal. they are collecting information on me and it's illegal for me to play games with their minds and that's my real question, like they will turn it into a security thing and by the way you just can't-- scenic it's one of the reasons a-- the research community defended this act was to try to-- if you look at the hacker community for example as a untapped domestic resource that can find flaws and improve and get them takes more quickly than why would we activate that resource, so there were quite a
11:00 am
few prominent researchers to try to get exceptions for medical devices which kicks in in october. >> messing with smartphones, it just won't necessarily be by individuals and not example of today microsoft twitter guy run amok turns to the point of people messing with your house to turn into fastest-- fascist. ..
11:01 am
do we just have to wait and see? >> that's a good question. so some of the issues without with industrial control systems i think it's kind of an open secret that they are widely considered highly vulnerable and highly exposed and as high consequences from their failure. we saw recently there was an iranian guy who is charged with hacking a dam. luckily apparently the sluice gate was not operable remotely and there wasn't that much water behind the dam. so i don't know that we'll be able to head off all of those disasters. i don't know what their impact will be but i think to some kind of a planned response is important. we will need to some kind of response if and when that does happen. but doing all we can before
11:02 am
that by having this design layer that takes the security into account is going to be really important. >> being proactive certainly has a benefit to ever look at other historical legal context, for example, in environmental regulation, we need to wait for a river to be on fire. it was until the cuyahoga river was inflamed that we passed and got environmental laws in place there's one of the most aggressive regimes we have. rather than waiting for a river on fire event, it might be a more desirable and more logical strategy to be proactive and to think through the optimal pathway for crafting both responsibilities and structures of information transfer before we have a river on fire and information security context.
11:03 am
>> we may not get to it but one topic is the lack of in sort of software reliability as part of the issue. also it stymies the insurance world as well. but one thing we should not assume is just because you can connect it to the internet doesn't mean you are required to do so, especially in industrial control systems. if you've ever played with shodan, there are things i should not be connected to the internet that are and they have hardcoded default password you can even change if you wanted to. i used to say instead of worrying about sophisticated nation-state attacks, maybe first you should handle metasploit, free attack tool. below that i realize wait a second, we are not in patching known for love those. of verizon report about this unless you have this stunning
11:04 am
graphic that showed 97% of the successful attacks last year were due to just 10 known vulnerabilities and they had a patch available for more than a decade. wait, maybe the lower level, minimum hygiene is make sure your industrial control systems are not nakedly exposed to the internet. i think we have a lot of things we could and should be doing. the easiest way to secure that 30 year old industrial control system is to not have it exposed to the net. something like stuxnet the bridged the gap because a bunch of other factors but we are taking significant elective risks through our unnecessary elective attack surface. i saw you first, and then you. >> russell with stanford university's hoover institution. there's a lot of focus on talking about software assurance, but given the fact the iot is, the iot in the home has toasters, ovens, refrigerators, dryers and
11:05 am
washers, we are not looking at a hardware assurance as well and the vulnerabilities that are embedded within hardware. and since the supply chain for a lot of these things is coming from overseas what are your thoughts on hardware safety? >> a lot of the work we do we talk about those differences, the third way, the fourth what is different in composition. what we need is a hardware or firmware software stack of widely different than you might see in an enterprise device. in some cases this common componentry, and others like you buy a pallet of some embedded chinese chips for the cheapest that day and may be different the next day. there's no insurance. are never as likely to be assurance on some of these things. there is an experiment with underwriters laboratories to make a cyber seal. the initial round will be on
11:06 am
medical devices and industrial control devices. the likelihood when we talk about different economics with home and for consumer, this might be a kickstarter thing with two employees in the garage and it may be the next thing bought for 3.4 billion it doesn't usually get completely scrapped and rewritten. this is a particularly pernicious issue including the hardware you refer to. >> going back to your earlier point about fluctuation arbitrage, at the bottom end is oem chips you just bought off of random auctions listed at the high end it is when your nest is brought to you by enron. the entity supplying it is engaging in various practices that would become illegal and then we have the rest of that which is not even hacking. it's simple manipulation. >> but we will end up with is we will have some minimum standard of care. think about a commercial
11:07 am
restaurant. you can't just have a commercial restaurant. even though the hacker community hate any kind of regulation there are times when the government for public safety and the public good in the form of minimum kitchen sanitation code. there may end up being something like a gold star see where it's more of a carrot on a stick or a minimum standard but we'll have to come to put we device that can meet a certain threshold will allow discerning citizens to go by those and only those. it may not be as deterministic as an underwriters laboratories ya guaranteeing this will not catch on fire. in lego engineering is deterministic and cybersecurity is not. we have a whole lot more complexity. i think what we'll end up doing is having to import whole lot more segmentation and isolation in the way we set up our dependence. you don't have to put software on everything. you don't have to connect it to everything else but it's going to take a whole lot of stumbling and fumbling before we get there.
11:08 am
>> i will briefly comment -- complement one of your points. on the point of a minimum standard care for security, the federal trade commission has instituted a reasonableness standard for security, and all companies and dental products as a consumer protection measure. they are enforcement activity, over 50, with respect to security and reasonableness is the hallmark of activity. there's a report called the start with security report that provides a list of practices that have been considered in face enforcement actions and its intended partially as assisting document to start that are trying to struggle through these questions of hardware and software security in their new devices. >> there's a sister organization as well called build a secure
11:09 am
and their unique focus is on very small indigo go kick starts a project where there creating guidance and reference architecture that you're going to make a raspberry pi, here's how to do in a secure way. they're trying to take popular small electronic low-margin iot platforms and provide free guidance and reference architectures that there's a better chance of it being done less horribly, better chance of less horribly. >> earlier you had also asked about ideas for what we know to do to fix things. one of the things as i actually am starting a money going to be a cybersecurity analyst for the state department, and i don't have anything smart in my house. if i were going to something smart in my house i would have three dumb routers and i would completely put all the internet of targets behind one router on
11:10 am
one hand, have the internet come through the other and put anything that it wanted any level of security on on a completely different subnet and different branch probably why it. by the same token what i would like to know i don't like the opinion of you is considering some people don't want to use the internet of things, to have a mandatory rule of law that every device has a mechanical non-software controlled on-off switch so i can shut off the internet and not worry that it can be turned on through software and hacking. there's a click to turn off my tv's wi-fi, to turn off my refrigerator's wi-fi, the oven's wi-fi and so on. if it would be a good viable first step two of the people who don't have enough security sense. montgomery told there's a switch. it's right back here, click it
11:11 am
and you'll be fine. >> so switching to a dumb device, right? in fact, we were car shopping about three years ago and i try to find even though i knew hackers look at most of the cars i could in which car had the best security program. fast-forward three years later, i know on a first name basis some really intelligent support person at every single cargo to its readers leaders i still can't answer what the best programs are. we of little glimpses in peaceable one of the more stunning moments on a trip i said to my wife, this car has 4g lte wi-fi standard in all vehicles. she said, he said doesn't make you want to buy this car instead of the other? she said i don't think you know my husband. [laughter] then he had to say you can osha to doctor she said i'm not a ninja to but a preacher i can't shut it off. and that's what i call them no, you can't shut it off. some of the recommendations
11:12 am
suggest you should describe to your customers what happens, how much it would still function when it's not connected or how much, what are the failsafe modes if it were compromised. would be great to a safer connection. these are the discussions we want to stimulate. when you start making recommendations to consumer electronics companies we have released a list of options they can choose from. >> and to help consumers know to ask that question. because unless you're married to a security pro or study it, you might not even know to ask that question. of the car manufacturer and it's a multi-thousand the purchaser investing in. it's just something you care about but it didn't occur you to ask. to help consumers know which questions you ask into the pressure with their buying golf on companies to have good budget programs in place, to open the policies with security
11:13 am
researchers who find flaws, to have feedback loops, that information available about whether there's a kill switch or human override. it an autonomous car and some is going horribly wrong that was simply not anticipated by the coders rebuilding this device. code is written by humans. we can't anticipate everything your we are human and code is written by humans. so sometimes, you're going to mistakes and i'm a firm believer in the importance of maintaining human override in circumstances where unforeseeable event causes something. spent a lot of industrial control systems and medical clinical environments have a requirement for an analog override. we are losing that discipline and some of these other safety critical cases. will have to find a way to get back.
11:14 am
>> department of commerce. i want to say that parts of the government that are strongly encouraging cooperation between vendors and security researchers. but i wanted to talk about what we can do to leverage market forces independent of just combating control regulation. one example is collaboration between the national association of realtors and international consortium to have a checklist as you're selling your home. if you're buying any of you want to know what's in there and jordan know to get the first look at, hvac system of debt. there's a checklist is a at least what smart devices on home and when with a built? is not the best for security because it's not written about security but it's a good start. are there other economic forces that we can use to collaborate so it's not just consumer versus vendor but you can get some large powerful commercial forces on the side of the consumer? >> i like your example. one of the things we talked
11:15 am
about in the paper is the right to be forgotten for homes. when you sell your home you change the locks. when you resell your home do you delete all the data from the system, that is personal data about you that goes to the new owner? what does that look like? would have to just change the entire thermostat because it is tied to your account with your password? do just head over the past were too many people are moving? thinking about those things, the lifecycle of the advice -- device, a fridge for up and -- or oven, how do you as a consumer, that buyer of the new place or the seller of the old place do that? maybe your fridge just keeps buying meat and having it sent to your house and you're vegan so you move in and you just get all this meat shipped to your house. how do you stop it? you don't have the password to
11:16 am
stop sending it. what happens? so i like your specific example. >> building off that, i'm curious, what are the basic interoperability standards between competing manufacturers? one example we have in the 5 quasi-nightmare scenario is, imagine you have each announced as coming from a separate vendor because you've added to a piecemeal. what happens when amazon kitchen stops talking to your microsoft bathroom? what happens if they are all jostling to basically fulfill your competing demands? we have all these things where the snow didn't see the manufacturers will lose have guarantee some basic interoperability. i don't know how we legislate the equivalent for what the smart home is are some standard on that i don't think that's been looked into enough, or what happens when the manufacturers go
11:17 am
to war with each other or just glitches between the two where you have unreproducible glitches from various rooms because of the way the systems are configured? we are going to now build it home. >> i'd like to take a parallel from auto lemon laws. recent america wasn't the vision was to sell a vehicle knew more about its history than the buyer so it was a device put in place that did not add more information but maybe gave you an escape clause if you found something with the lemon law. you can argue those are not necessary more data with things like carfax where there's more transparency about the events in the maintenance that went into that particular vehicle. that's at least for our part, it is spending time with the research community, they are not big fans of legislation or power
11:18 am
structures. most seem to be okay with the idea of transparency to enable free market choice. that's one of the reasons which we have tried to talk about food labels or demonstrate if it is patchable. one of the things we're going to tell people why we don't have five star ratings is either for vendors who have disclosure programs. in your initiative, in lieu of information i might be able to glean about automobiles is a short list of car companies who have or are about to have inviting researchers reported in. someone with a front door welcome mat instead of an implicit beware of dog sign is more likely to with issues and fix those issues than an organization that doesn't. it's not causal but it's something i can act upon. i think one of the strongest issues will be free market forces and the best way to unlock those is to have more transparency to enable the free market choice.
11:19 am
>> in the commercial industry for smart buildings and smart kitchens and so forth, they talk about a 35% savings in operating costs. there's a couple of things i've been hurt in this discussion to one of them is ip version six is probably necessary. the other is there's a whole list of local and regional building code and building inspector issues that go on in terms of doing that bad retrofitting is almost impossible. design it initially becomes the answer. another word that probably hits the cards being is something called emp, either by terrorists
11:20 am
or by natural causes, like a solar flare to bring down the whole network. and then you might not even be able to crawl out of your window. so some of that hardening might be really interesting. >> so one of the interesting things that you mentioned that i will latch onto, maybe taking your point too far in a direction you didn't intend, but if you look at the fleet buyers of automobiles and have to do a software update today it requires physical access to do the update. they have to take the car out of service until they get the update done. if you go to any of the rental car agencies, they might have a fleet of 100 cars at that location. how many hours does it take per vehicle if they had to go out and do that? when they're taken out of service so they are no longer producing revenue? i can see a scenario in the
11:21 am
future if you go to a restaurant and they say i'm sorry, we can't serve any food that requires refrigeration because we were waiting for the person to come update the refrigerator. like in the commercial. [inaudible] >> on your cell phone via automatic updates. maybe there's something that you can do in the refrigeration but again, that means you must be connected to the internet. that's one of the things that opens up the greatest potential risk from adversaries. if it's isolated already then you have a better window i would say to be able to wait and maybe you don't have to shut down your fridge before you update. so the connection to the internet part is what makes you have to shut the fridge down before you can go and use it. >> let's take one more question and then we will do some closing remarks. >> i'm sort of with greg on the whole vision of the smart home with the jetsons.
11:22 am
i want to know where my flying car is? but seriously, if you look at cars in the highway safety institute and all the testing they do, until there is some entity that actually tests, not talking about standards, right, but, of course, voluntary, talking about people who crash things or do the equivalent of the iot, how, my supposition is that consumers will never really know what is safe and what isn't, right, until there's actual testing. and so in order to accelerate something like that, josh, you're talking about liability, if you look at places like the mayo clinic who have imposed
11:23 am
liability on their vendors, you know, if your software fails and there is a breach, you are liable. >> through contract, yes. >> through contract. unless there's a consumer movement, right, to demand liability on the manufacturer who's bringing something into my home that has this vulnerability known, then i don't, without those two things i'm not sure that just relying on the goodwill of manufacturers to do the right thing. because we know that's not going to happen. they will push product out the door with known vulnerabilities because they can't. >> this will get to interesting legal territory. when we're talking about
11:24 am
physical objects, a chair, a table, traditionally the refrigerator their adventure protections as a matter of law under the version of a thing called the universal commercial code that has been incorporated by state legislators into all contract law. that gives consumers sort right to record. you can reject product that arrives at your door that are not conforming with what they were supposed to be when you purchased it. we have these protections for physical objects, but then over here in code land, the software has generally been shared with these end-user license agreements that say you use it at your own risk, whatever happens is not our problem. when it was a chapter of your latest book that got lost when you got the blue screen of death on your laptop, you were annoyed but you kind of dealt with it. but the blue screen of death on a medical device that is iot is real death, right?
11:25 am
so here we have this physical space, norms about liability, a higher level of consumer protection because of information disparities. and over here we have this as-is, where-is norm for software. these are clashing in the iot context. that's what we need to resolve. courts are going to need to struggle with this and that's where the rubber is hitting the road in the iot car, i guess. sorry for that. >> a teaser for a future discussion, one of the ways i met andrea a couple years ago was posing the question of how is software liability the worst possible idea except for all others? especially when it comes in bits and bytes. the basic thesis is you want to place the top burden on the party in the best position to avoid the risk and then they can offset the residual risk with insurance levers elsewhere. so this will come to a head.
11:26 am
maybe it's the first kid who gets hit by a self-driving car but i think i don't is what will trigger the condition it is better to have a plan before that moment instead of a knee-jerk reaction afterwards. let's just do a 30-second closing remarks in any particular order and then let's have -- >> she said it took a river on fire to trigger protections like the. i think they can of the fire to great the national safety board. someone has written a lot about air travel. i agreed to i would love some of the national transportation safety board for the internet of things where i work flights. i sleep like a baby on the because i'm it's the safest thing i can possibly do given the oversight of the. a plane crash is zero tolerance and also as anti-fragile cold weather several culture to improve it and make sure it never happens again to patch of those older those. i don't know what it would take to create a cultural shift but that would be a great thing. a glitch, a nest that burst at
11:27 am
our neighborhoods across america, something like that. i don't think you get a cyberattack, i do know if we could even plan hackers by some horrific failed a glitch or death for property damage might be what it takes. >> so kind of drawing on your point a little bit, you said the manufacturers will not do this out of the goodness of their hearts. not only that, they can't. there is fiduciary responsibility of management to return investment to the shareholders. until security becomes a monumental or significant financial issue for organizations, maybe they can't. maybe that's one of the places we should start looking at more is how do we make cyber safety a financial issue for organizations with carrots and sticks, market demand, whatever it might take. that might shape and shift the landscape more than some of the
11:28 am
other things. >> my final thought is coordination opportunities. playing on that last point, while some entities will argue that fiduciary duties require they maximize profits and cut corners on security, different organizations will argue long-term maximization of corporate value instead requires investment in r&d in building the products that will engender loyalty from our customer base and keep them safe. so coordinating, rewarding those kinds of behaviors across all parts of our ecosystem. for example, the securities and exchange commission issued a guidance that strongly encourages/requires disclosures of material breaches of security by publicly traded companies. they made some comments that perhaps the disclosures in the 10-ks are not quite the level they were hoping for, but coordinating information in the marketplace that's coming from part i of the enterprise with double degenerate disclosures
11:29 am
that are coming from part b and looking for the big picture story about how ended because of security or doesn't care about security and what affirmative measures are they taking to be the best version of themselves in order to help consumers stay safe, to engender a sense of trust in the marketplace, and to nudge forward innovation in a way that bolsters our economy as a whole rather than compromises our information flow. >> i want to end on a kernel of hope tying a few things together that we heard. at our first constitution caucus, andrea, beau and others with her and andrea told the whole room it was going to take a death, it would take a river on fire before anyone would listen. our stubbornness said we are going to try, old relationships and trust and use empathy and we want to be safer, sooner,
11:30 am
together. and sitting right there right next to suzanne schwarz last year started a pretty intense exchange of education and awareness across between industries. and when we talk about you said it would take truth of harm of medical device to trigger a corrective action. similar to your point, dead body. the week before death can't that issued the first ever essentially recall the safety committee patient on a hot fire -- proof of our because through the dialogue they conclude an unmitigated pathway to harm was sufficient to trigger a corrective action. now in the guidance pics of the idea of saving lives and waiting for really bad things to happen, we are stubborn enough we're not going to wait for that and i think discussions like this and collaborations will allow us to be safer sooner together. let's take it to the next stage. thank you for your time, and thank the panelists. [applause]
11:31 am
[inaudible conversations] [inaudible conversations] >> coming up on c-span2, a conversation on privacy, security and government surveillance live from the hudson institute in washington at 12:15 p.m. eastern. later, president obama travels to flint, michigan, to meet with local officials and residents about the water contamination crisis. and the president speaks at flint northwestern high school. you can see that live on our companion network c-span at 3:55 p.m. eastern.
11:32 am
>> both iraq and afghanistan i helped those countries with their constitutions being sort of facilitator of agreement on key issues among iraqis or afghans. your influence is considerable, state or government very anxious to meet with you when you ask for a meeting. >> sunday night on q&a, former u.s. ambassador to afghanistan and iraq and the united nations zalmay khalilzad discusses his memoir "the envoy." >> and we saw the extremes such as zarqawi exploited, although we've been directed towards the end of the period that i was there by the surge, by reaching out to the cities, by building up iraqi forces, by establishing a unity government killing zarqawi at the end, to bring about security. violence was way down but,
11:33 am
unfortunately, when we left and the documents held by rival regional powers, pulling iraq apart, violence escalated every device has now. >> sunday night at eight eastern on c-span's q&a. >> earlier this week the new head of voice of america made her first public remarks since taking the job. she spoke about the future of voa and challenges in international broadcasting. she spoke after brief introduction and then took questions. >> welcome to newcomers and welcome also to those watching online and watching on c-span television. my name is adam powell. i am the president of the public diplomacy council, and i am the director of washington programs for the usc center on communication leadership and policy. there is a green light on.
11:34 am
more about our partners on -- [inaudible] communication leadership. they are hosted by the american foreign service association. our guest today is, the new director of the voice of america if she has a long and distinguished journalistic career, biography on the reverse of your programs. she's one to go surprises -- what she said when she was sworn in we do have to change. we must change. we need to change in a big way. so change is coming. change is here. amanda bennett. [applause] >> let's just test the technology before i start. is this now working?
11:35 am
is everybody dreaming of? that's terrific. thank you. and thank you very much, adam, and thank everyone for coming here. i look at in the audience and i see all kinds of friends and colleagues out here. i so appreciate your coming and i can't thank all of you for being here so i'm going to single out one person from the voice of america, alan, whose greatest the voice of america kept me from making an error in his speech on about today. so i need to thank them right now. and then second, i'd like to acknowledge my predecessor as director of voice of america david, who has been as helpful and warm to me as a human being can be in helping prepared for the speech other i like that one too please acknowledge david booth at the atlantic council. [applause]
11:36 am
>> so as adam says i will do no biography just flip the page over and read it yourself. but let's get a couple things you might not know because i am of an age that i was part of a movement that cheap airfares and curiosity about the world sent all of us out around the globe. and the migration of a don't think it ever happened penetrate before when it was associate with the war. so as a result of this when i was in high school i was an exchange student in the philippines. when i graduated from college i worked as an au pair in paris taking care of six children and two bulldogs. i spent the early years in my career in canada, and unless any of you have any misunderstandings, canada was then and is now way more of a foreign country than any of us acknowledge. later i was a second "wall
11:37 am
street journal" correspondent in china at a time when the newly opened country was most definitely a foreign country. since then i've worked at five different media organizations and i had a really, really good luck to be there when all of them were at their peak of their journalistic power and reach, and all of them known for their seriousness and integrity of principles. so for all this i am way, way more of a journalist than diplomat because the medm going to say i'm all journalist, no diplomat. many of you in this room who have followed the voice of america, led voice of america, worked for or with voice of america are way more expert than i am at the diplomatic purpose of voice of america. but i'm here to say to you that i think that we are very much more
11:38 am
alike than we are different. and the great journalism is, in fact, great public diplomacy. so let me remind you just briefly what happened we sleep and the changes that have already come to voice of america. under the leadership of new ceo john lansing who is the ceo of the broadcast board of governors of which voa is the largest part, we shifted to five strategic focuses. one is that we will target our resources towards five specific geographic areas, and issues that are vital to u.s. foreign policy. china, russia, iran, cuba and violent extremism wherever you find it in the globe. we will accelerate a dramatic shift to digital and social media, emphasize impact and hold ourselves accountable for that. and has strategic cooperation across the five independent networks that make up the
11:39 am
broadcast board, and acquire external content. so not only do i completely agree with these goals, i also believe that these issues reflect in large measure the challenges that are felt by news organizations all around the world and are also being felt inside voice of america. so curating and cooperation, these are hallmarks of the modern media scene. competition once ruled journalism as multiple media operations were competing for audience, fighting against each other to distinguish themselves. yet for more than a decade news organizations have all realized they must share resources in order to succeed. partnerships proliferate, nonprofit organizations partner with for profit organizations. radios partner with newspapers. all digital organizations
11:40 am
partner with print and tv. and even as we've seen with panama papers, the creation of a multi-organization, multiplatform, multi-country coalition that bound itself into a virtual investigation team. so would only make sense in this environment we do our best to bend over backwards to collaborate with our partner organizations, radio free europe, radio free asia, and the office of cuban broadcasting. and as for impact, what else hester elizabeth about in the last 40-50 years? ever since watergate all media organizations, all the journalists have striven covenant i. domestically to protect our children, to eliminate abuse, to expose corruption, expose inequities. internationally to work to explain and root out terrorism, genocide, human suffering
11:41 am
wherever you find it. so in the area of digital, just this morning i had the great pleasure to announce that we will have our first deputy director of voice of america in more than two decades. sandy will be joining, has just joined voice of america and she comes to us from a robust beauty and digital background. she was critical to the newsrooms move to a digital first position of the "washington post," reorganizing the entire news operation to support that goal. and i knew started based on social sharing she was the managing editor who learned how to use all different platforms to curate and combined content ever to reach different audiences. and her aim will be to accelerate our move to popular
11:42 am
and emerging technologies, to engage as many people around the world as possible, especially in places where there is no free press. we need to get our audiences where they are. now i saved the biggest issue for last, which is actually being the voice of america. most american news organizations are already covering america. telling america's story. they just don't realize that's what they are doing. we need to cover foreign policy, of course, but we also need to cover america. we need to cover america through the benefit of the people around the world we are trying to reach. and to do that we need to use the amazing resources. we have most of them inside the building right down the street,
11:43 am
to create unique, interesting use, and to speak to the vital interests of the people we are trying to serve. so what does that mean? it doesn't surprise me at all that one of the most popular features of our russian service is a video dictionary of american political terms. little videos explaining what's a soccer mom, what happens when you filibuster, but this canvassing mean, and how about the bible belt? one of the most popular stories come out of the russian service was a little feature on a 90 year old california woman who was delivering groceries to her neighbors, which within minutes of it being posted through -- tonight assures him, took the comments thing i wish we had that in our country. i love seeing the picture of a normal american society. how about other topics that are
11:44 am
of great interest to the audiences we are trying to target? well, i don't know if it will surprise you as it surprised me to discover that iran is crazy for -- we need to create a robust coverage of entrepreneurialism which is the hallmark of our society to cover silicon valley come to help connect the ideas that come out of silicon valley with a young entrepreneurs in iran a need to know and what to do so much about that. these will be stories that appeal to people who aspire to have the kind of starters and success that you find coming out of silicon valley, and to me others of them around the world. how about american business? i don't think it's any accident when you think about what china is like now to realize that iraq
11:45 am
-- a rockstar in china is one of the. we need to beef up our coverage of american business and its deadly of american philanthropy, which is probably the most robust of any in the world. and write about these topics can not just about the features but this is topics that are of interest to our audience around the world. we need to build exciting, unique content that speaks about the assets in the united states in ways that our audiences want to hear and can relate to. like education. from the wealthiest high officials child to the child of the poorest nigerian or rwandan or ugandan or tanzanian, every parent of those child realizes that education is the key to their better lives. we need to put our heads together inside voice of america to get ways to cover on american education in ways that will speak to these hopes and
11:46 am
desires. and there's medicine. people may apply to other countries to get their faces lifted, cheap treatments, medical tourism. but they come to us when they want to save the lives and the lives of their loved ones. our coverage of medical issues, like zika and ebola, literally does save lives. and expanding the coverage to coverage of medical advances on the cost and availability of drugs, and simply our knowledge of the best ways to keep our families healthy will help translate the things that are wonderful about this country to our audiences. in africa, in asia, in afghanistan there is a huge hunger for news and information about women, about their education, about their business success, about their striving
11:47 am
for independence, about the things that lead to their development and growth in the world economy, and the forces that are holding them back. we need to devote our resources and our thinking to helping to explain and encourage that movement and that information and that knowledge. so we need to cover everything about america. we need to cover the good and the bad, as william harlan hale said in february of 1942, just days after the beginning of our entry into world war ii. he said in the first voa broadcast, as you all know, the news may be good, the news may be bad. we will tell you the truth. we will cover the country honestly and fairly. its troubles and shortcomings, but it will not be a fair
11:48 am
picture unless we cover all the other things about america as well. its people, its energy for change as well as its force to resist change, its generosity as well as its greed, its hope equally with its despair. that striving for a just society as well as the failures to achieve it. there's an amazing amount of resources and passion and commitment inside the cohen building, and among our brave and dedicated responders around the world who face danger every day to bring us and the rest of the world news of their struggles. i believe we can show the world the amazing things we can do, and in doing that we can truly be the voice of america. thank you. [applause]
11:49 am
>> i will not subject myself to questions. [laughter] >> please wait for the microphone and identify yourself. >> thank you very much for an excellent presentation the my name is greta morris and i am a retired foreign service public diplomacy officer. and thank you especially for talking about the various issues and subjects that the voice of america is covering. i wonder if you could talk just a little bit about the media, because the media of voice of america has changed a lot since 1942, with voa television and also digital media. if you could just comment a bit about that and how you make the choices but which kind of media to use. thank you. >> i will be happy to add to that question. i first need to make an unpaid political announcement, which is adams keep persuasion brought me here at the end of my second
11:50 am
week in the office. [laughter] i don't want to say that i'm here, i'm happy but it's really not fair. but actually, actually, you know, coming into the voice of america made me realize how much the struggles inside the voice of america mirror the struggles of these organizations all around the world. there actually is very little that is unique about the process of moving from one technology to another because you have the exact same issues of trying to protect your legacy means of tradition at the same time moving as quickly as you can new technology. this is very difficult, very complicated and very expensive balancing act. you can't use it because all this group of people is moving to this kind of taking the news, that we will throw away this kind. this is a subject that all media has grappled with for the last two decades come at a don't
11:51 am
think it's going to get any easier because what we're finding is just as soon as we get up and we think we're at the cutting edge of technology, a week later technology has moved. what we need to do is try to figure out how best to reach our audiences with news and information where they want it, how they want it, and in the platform they want it into the best we can at doing that. and that means becoming much more nimble and much more attuned to the way our audiences consume media. >> i used to work at npr and still do occasionally as a commentator. >> welcome, colleague. >> thank you. my question, you talked a lot about information and mention nothing about culture or music or comedy or any of the other things which commercially sort
11:52 am
of are the voice of america worldwide and are very, very powerful. and also there's a lot of success in the record of voice of america into the music and other cultural expression. have you any plans for that, for not only cultural coverage but for transmitting cultural impressions? >> i completely acknowledge and know that part of history of voice of america is a history of the culture, and i think i have some ideas in the back of my head. as you think of some kind of interesting stuff going on out there that would be a very great use to the voice of america. i don't want to talk about these because a lot of these require negotiations with other parties but it involves bringing parts of american culture out to the rest of the world that have never seen them before. i have to say that yes, you are right. it's not my forte but i certainly recognize this is an extremely important part. >> this woman here was next, and then you, sir.
11:53 am
stick a mic night is back here though. [laughter] >> my apologies spent this woman comes next after you. we've got to get the microphone up front. >> paul delaney. i spent most of my career as an editor and reporter at the "new york times." on the way over i ran into 89, white men, african-americans its biggest i apologize. i'm having trouble hearing you. i don't think the microphone is on. i'm not getting what you are saying. >> on the way over -- can you hear it now? one, two, three. >> go ahead. i will try. >> i ran into a nonwhite non-african-americans citizen, and when i told him where i was coming, he asked what, i've heard of voice of america, what is it?
11:54 am
is there any way that you can explain to americans what voice of america is, what it does, introducing to the average american who has never heard of voice of america? >> and i'll answer that this way. those of you with a deep knowledge of the history of voice of america no part of the historical roots of voice of america coming right about the time of world war ii, there was a prohibition on voice of america broadcasting its content into detroit for obvious reasons. he didn't want to create a government competitor. i think given the fact the pervasiveness of social media people getting information on social media it's almost impossible and certainly irrelevant to block the content to the united states which is not competing with anybody. in today's media but i feel like
11:55 am
we have a great deal to offer citizens in the 20. so that's one way of answering it. the second way of answering is, i was considering this job from christmas time until i took the job two weeks ago. i was paying a great deal of attention to what was broadcast, what was written, what was on the website, what was on it at. i was listening to things as i went for walks. it wasn't until i got inside the building that i realized how much awesome stuff is being produced inside. it's for some reason not getting out in ways that we can easily consume and appreciate. so making people around the world more aware in different ways of what a terrific content is being produced i think is going to be one of our biggest challenges. because there's almost more stuff going out there that you can squeeze into a single app or a single newscast for a single
11:56 am
web app. so i think we need to figure out how to use our content over and over and over again. effect under no this has been done and i don't know whether he will actually ever get but do you know that video, that video presentation of the american political terms that was done for the russian service? i thought it would be really awesome to subtitle it in english and say here's what the russians have details about what our political system and. put it on youtube and see what happens. why not? why not try things in a bunch of different ways? why not take the content we producing and use it in as many different ways as we possibly can? i think there's a big job to be had there because seriously there is way more really interesting stuff going on voice of america that even i realized. now. >> thank you. i was struck and very much
11:57 am
appreciated the third point you made in your presentation about the mission of of america, which is to talk about america. to cover stories within the united states. all different kinds, but i was born in another country. i came here as an immigrant because i found it to be a fantastic place to live and raise a family. and so i'm glad to hear you wanting to cover those prospects of this great country, as well as the negative ones which are very easily covered by anyone who has a newspaper. bad news is always easy to find. do you expect to find any controversy within voice of america for those kinds of stories that show the whole picture? because the journalists, by
11:58 am
their nature, gravitate towards bad news and because you don't want to seem like a propagandist anyway. >> i would like to emphasize i'm talking about writing positive story to talk about writing interesting and important stories. the way i would say is if anyone were to objectivist i was there when i was in my late 20s i covered the american automobile industry. when their sales were going up we wrote about why. when the sales were going down, we wrote about why. it was a beat. we were covering a beat, writing stories about a beat. some of them wound up being good, some bad, some neither good nor bad they were simply stories about what was happening. why were managers being laid off, what was going on? i think thinking about the united states of america as the biggest, most interesting, most
11:59 am
vital be you could mostly think about the beat of our ask the look about this. i'm not saying going out and cover positive story to i'm single out and cover all stories. don't transcribe news you hear from events happening. go out and make news. make news by finding out the stuff we don't know about and tell us about it. that's the way i would explain it to know this gentleman. >> mike anderson, retired foreign service officer we all know the commercial american media have had to reduce their overseas presence. they have cut back their bureaus around the world almost consistently. has the same trend happened with voa i can you talk about we have correspondents and you have enough of them? just some thoughts on the need for americans to be overseas
12:00 pm
reporting directly from respective countries? >> if you don't mind, two weeks another probably get away from the issue of budget resources, what we need except to say if you ask the journalist do you need more resources, the answer is probably not going to be no. so that's the first thing. but yes, i see two things being a tremendous opportunity for us. one is the necessary reduction of overseas assets but america and to be pretty much all american and western european news operations all over the world. and also the pouring in of similar assets by those we might consider our target audiences. and so i think putting those two things together mean that if we use our resources wisely and well, which i believe that we are, can and should be doing i