November 15, 2016

Where Bits & Bytes Meet Flesh & Blood:DevOps, Cybersecurity, and the IoT

Director | Cyber Statecraft Initiative

Joshua Corman@joshcorman

www.iamthecavalry.org @iamthecavalry

Safer | Sooner | Together @joshcorman

@IamTheCavalry

Triggers…

NationState

OrgCrime Current

DEFENSE

NationState

OrgCrime

Sub-Nationa

l

Hacktivist

Lone Wolf

CurrentDEFENSE

FutureDEFENSE

CC : From: http://www.flickr.com/photos/maiabee/2760312781/

Disclosures

The Before Times

Transition

(5 years +/-)

Better Times(2019 +/-)2014

Pre-Market

1.0

2015 Hospira

Precedent

2016 Post-

Market 1.0

Manufacturer

Disclosure

www.iamthecavalry.org @iamthecavalry

Vs

2) Third-Party Collaboration

CC : From: http://www.flickr.com/photos/maiabee/2760312781/

X Axis: Time (Days) following initial HeartBleed disclosure and patch availabilityY Axis: Number of products included in the vendor vulnerability disclosureZ Axis (circle size): Exposure as measured by the CVE CVSS score

COMMERCIAL RESPONSES TO OPENSSL

Who Wants a

Data Viz?

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41% 390 daysCVSS 10s 224 days

32

H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”• Elegant Procurement Trio1) Ingredients: • Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and

Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk:• …and cannot use known vulnerable components for which a less vulnerable

component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)

3) Remediation: • …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed

In 2013, 4,000organizations downloaded a version of Bouncy Castle

with a level 10 vulnerability

20,000 TIMES …Into XXX,XXX Applications…

SEVEN YEARSafter the vulnerability was fixed

NATIONAL CYBER AWARENESS SYSTEMOriginal Notification Date:

03/30/2009CVE-2007-6721Bouncy Castle Java Cryptography APICVSS v2 Base Score: 10.0 HIGHImpact Subscore: 10.0Exploitability Subscore: 10.0

PROCUREMENT TRIO + BOUNCY CASTLE

ACME

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

Enterprise

Bank

Retail

Manufacturing

BioPharma

Education

High Tech

$

$

$

$

$

$

$

$$$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

$

TRUE COSTS (& LEAST COST AVOIDERS)

AT WHICH POINT… SW LIABILITY?

HHS Task Force

FDA Guidance

DOJ Work Group

DOD Policy

EU Guidance

DOC/NTIA Guidance

Presidential

Commission Report

FTC Guideline

s

Congressional Letters

DOT Principles

NHTSA Guidance

DHS Guidance

Food and Drug Administration

Department of Homeland Security

Department of Transportation

Department of Commerce

Presidential Commission

Report

Presidential Commission

Report

Triggers…

Uncomfortable Truths Require Uncomfortable ResponseJoshua Corman@joshcorman Director | Cyber Statecraft Initiative