May 6, 2016, by CSPAN2
>> looking at issues we had with industrial control systems, stuxnet, et cetera, how do we address those before they're happening with smart homes or can we or do we have to just wait and see? >> that's a good question. so some of the issues we've had with industrial control systems, i think it's kind of an open secret that they are widely considered highly vulnerable and highly exposed, and there's high consequences from their failure. we saw recently there was an iranian guy who is charged with hacking a dam. luckily apparently the gate was not operable remotely and there wasn't that much water behind the dam. i don't know that we'll be able to handle all of those disasters. i don't know what the impacts will be. i think some kind of a planned response is important because we will need some kind of response if and when that does happen. but doing all we can before that by having this design layer that takes security into account is going to be really important. >> being proactive certainly has the benefit that if we look at other historical legal contest that the context, in en
May 5, 2016, by CSPAN2
looking at issues we had with industrial control systems, stuxnet, et cetera, how do we address those before they happen with smart homes or can we or do we just have to wait and see? >> that's a good question. so some of the issues that we've had with industrial control systems, i think it is kind of an open secret that they're widely considered highly vulnerable and highly exposed and there is high consequences from their failure. we saw recently there is an iranian guy who was charged with hacking a dam. luckily apparently the sluice gate was, a, not operable remotely and, b, there wasn't that much water actually behind the dam. i don't know we'll head off all the disasters. i don't know what the impacts will be. having a plan to respond is important because we'll need some kind of response if and when that does happen. doing all we can before that, by having this design layer that takes security into account, is going to be really important. >> being proactive here certainly has a benefit. if we look at other historical legal contexts, for example, in environmental regulation, we needed t
May 9, 2016, by CSPAN2
news reports or, for example, that came out of the, that came out of the stuxnet activity. when the news reports said that planners involved in carrying out that attack identified as the holy grail, the individual engineer or other individual who may be working at that plant who was very careless with a thumb drive, and that is the, you know, that is the, that is the linchpin that enabled, potentially -- according to news reports, proper caveats -- that allowed that attack to go forward. so when you stand back from that and say, therefore, what does that say to the united states as far as the threat environment that we face, we do have this broad extrapolation of capability now among a variety of actors where there were a smaller number we might have dealt with in times past. but we also have a prioritization of our resources. and the prioritization of those resources needs to be based on, you know, what are the overall objectives of these entities with respect to harming the u.s. or our interests, friends and allies. so we have st
May 4, 2016, by CSPAN2
something like stuxnet the bridged the gap because a bunch of other factors but we are taking significantctive risks through our unnecessary elective attack surface. i saw you first, and then you. >> russell with stanford university's hoover institution. there's a lot of focus on talking about software assurance, but given the fact the iot is, the iot in the home has toasters, ovens, refrigerators, dryers and washers, we are not looking at a hardware assurance as well and the vulnerabilities that are embedded within hardware. and since the supply chain for a lot of these things is coming from overseas what are your thoughts on hardware safety? >> a lot of the work we do we talk about those differences, the third way, the fourth what is different in composition. what we need is a hardware or firmware software stack of widely different than you might see in an enterprise device. in some cases this common componentry, and others like you buy a pallet of some embedded chinese chips for the cheapest that day and may be different the next day. there's no insurance. are never as likely to be as