CSPAN Key Capitol Hill Hearings June 22, 2024

...is becoming ever more dependent on these things, but I cannot say a lot more. Though, what I am concerned about as a national security analyst, and what policymakers ought to be concerned about, very particularly, I am concerned about the destruction of social properties, things like the financial system, power companies, and the like, that provide a backbone for our capabilities, and I am concerned about how things may evolve for individuals apart from the state. My first reaction as the internet of things evolved ever further was that this presented a set of risks from a national security standpoint. My concern was, could someone hack my refrigerator or cause an individual automobile accident, but if I am a terrorist group like ISIS and I want to create havoc, lack of trust, indeterminacy, and other contexts in America, maybe if I can make people very unsure about the safety of their automobiles by periodically causing them to wreak havoc, I could achieve political ends in ways that I care about. There is a sense of the problem. At this point you may feel a little bit like this is just too much in some dimensions to come at from a policy standpoint, but clearly it needs to be thought about. Among the other parts of my background, I was at one point a Supreme Court clerk, working for a Supreme Court justice, and another Supreme Court justice, besides the one that I was working for, Justice Douglas, was well known as a misanthropic sort of guy. He kind of loved mankind in the abstract, but hated the rest of us. Telling a story about his father, which was quite illustrative, he said his father was a minister who wandered around the Pacific Northwest, and one day he mounted his pulpit, looked out at his audience, and found just one guy sitting out there, and he said to that guy, do you really want me to go ahead with this service?
The guy looked up at him, and Justice Douglas said the cowboy said, well, preacher, I am just a lonely cowhand, but if I went to the field to feed 40 horses and found just one, I would not let the horse go hungry. So he decided to give the whole service, sermon, prayers, hymns, walked to the back, shook hands with the congregation of one, and the cowboy shook hands with him. He proceeded to wander off, so his father could not stand it and yelled, how did you like that? And the cowboy said, well, preacher, I am just a lonely cowhand, but if I went out to feed a field of horses and found just one, I would not dump the whole load on him. [laughter] We need to get past wringing our hands and saying I have contributed some. I think we need to get at the causes, and I will give you a summary that represents an abstraction of the phenomenon of the odd complexity of these systems. The Microsoft operating system: they do not reveal the number of lines of code. Ballpark, 50 million lines of code. I asked that major corporate financial company person to estimate for me how many lines of code his company maintains and he is responsible for. Answer: one trillion. These systems are, as others have observed, the most complex kinds of systems we have invented, and that means we have extraordinary difficulty observing them, extraordinary difficulty enabling us to comprehend what is happening within them, and they have exceptional vulnerability. If you take the stark notion of one bug for every thousand lines of code, a bug does not equal a vulnerability, but it gives us some sense of what is involved when you try to write out 50 million lines of code. In fact, in conveying to policymakers this point, which is extremely important, I think, their first intuition is you guys created this problem. It is a technology problem. Fix it.
Either, if I am a right-wing politician, you are too much peace-loving hippies who did not care enough about security, or if I am a left-wing politician, you guys are capitalists who wanted to get the software out the door because that is what you got paid for and you did not care enough. I say to them, think about something in the world you know: the U.S. tax code. The U.S. tax code is 4 million words. Write me a tax code that does not have any loopholes. You might suggest they are writing tax codes with the intention of loopholes, but if you write a 4-million-word document and you give me an army of lawyers struggling to find vulnerabilities in the document, I will find them. Understand you cannot create something of that level of complexity without having these kinds of errors. Now give me 50 million lines of code, which are, of course, even less observable to the author. And, you understand, if you reflect on it, this is a mass production operation. It is not like some single person in Microsoft sits there with 50 million lines of code and comprehends it. Nobody comprehends it. It is put together as a variety of different things. Do not think there is a technical answer to this readily available at the scale and complexity that we need it. When you look beneath admiring the problem and start analyzing it, it is compounded by the phenomenon of extensibility. Adobe works with the system, etc., etc., and that interactive effect will create complexity beyond anything my own system did, even if I could somehow generate my own system. It is like the tax code has to work with a whole panoply of different business laws and state laws. Beyond that, I have a communications problem. The systems are designed to communicate. You understand that. You cannot begin to understand how novel that would have looked 40 or 50 years ago if you could go back.
In the late 1990s, the director of the CIA, George Tenet, said with shock in testimony in the Senate, the enemy is on our system, our networks are open, and of course that is the case because of the nature of our communication. The more you let people in, the more you connect functions up, the more you enhance the risks associated with these complex systems. You understand how fundamental it is that we create this communicative power. The system also transfers information; take, for example, Snowden. Historically, many people like Snowden come in and take documents, whatever their motives, and then hand them along. What is unique about Snowden is 1.7 million documents. We have never in the history of espionage had anybody take 1.7 million documents, but it is a consequence of the fact that in these very complex and communicative systems, we transfer information, which is inherent in the virtues of the system. I want to create a world in which an analyst can get at information across a number of different domains. I want to have that ability. If I am running a power system, for example, I want to see the whole set of transmission lines and the like. Or, if I am running a pipeline system, which valves are open and which valves are closed. I want, as it turns out, to collect information, and the Information Age enables me to do that. And the internet of things will expand my capability to do that. What we did was to collect some 29.9 million documents, including from me, that ran 100 pages, including favorites, foreign contacts, histories, embarrassing evidence, and the like, put it all in one place, and created it so that anyone who hacked into the system could conveniently have it all, whereas in a pre-cyber, pre-digital age, it was not that concentrated. It enhances that capability. A smart man at Microsoft invented the phrase disintermediation. One of the advantages of the digital world is we take human beings out of the loop.
It is terrifically advantageous. If I started with people who are intermediaries in making my dinner reservations, travel reservations, buying my tickets, I feel frustrated as compared with digital opportunities to do that myself. On a larger, national scale, it is usually valuable in government that I democratize information, or, when I was Secretary of the Navy, I introduced an internet system that had all kinds of technological advantages, saved all kinds of money. What I really valued was that I could empower somebody in the bureaucracy who needed a new aircraft part to simply see the inventory and order it up without going through the silo of the warehousing people, the logistics people, and the like, all of which held information as a source of power and created division within the organization. Removing those human beings is also beneficial, but it removes gatekeepers, guardians, people that might observe what is happening. Wait a minute, somebody is exfiltrating this financial [inaudible], or I got not just a request for a new password, but 50 new passwords, or all these changes that human beings might observe. Finally, these systems are amazingly flexible. We value the fact that our computers or laptops can do so many different kinds of things: word processing, communication, spreadsheets, etc. The basic point I want to offer comes back to the title of the paper. This is poisoned fruit. This is not a Luddite position I am taking. There is no way to turn the clock back. I do not want to turn it back. We need to recognize that inherent in each virtue that I have summarized along the side is the risk. That to the degree that I concentrate or communicate or take people out of the loop, etc., to the degree I buy the benefits of this technology, in each and every one of those steps I introduced, security consequences give rise to greater risk.
The virtue of the system is intertwined with its limitation, its liability, and its risk. That is fundamental. It is not just that the complexity of the system gives me these problems. The reason technology fixes do not just get me there is, every time I buy more security I tend to do so in ways that involve some sacrifice of virtues. I want to spend a minute, having talked about software, just to say a little bit about hardware. The hardware insecurities are quite real as well, and you are aware of that. An easy example I like to give is, people think about supply chain in all kinds of sophisticated ways: what is being made in China that goes into the F-35 or the latest fighter aircraft, etc. What I am struck by is, even if you preserve your whole system, if it turns on something you use to power it, an adapter made with a [inaudible] that is used for hacking your cell phone, that creates a fundamental problem. The range of issues is extraordinarily gray here. From an espionage standpoint, I just would point out to you, you are all familiar with the Stuxnet experience. They moved to a particular set of frequency converters and the like because they became convinced that some foreign power had hacked into what they were buying to install in their nuclear establishment from abroad, and they had to begin to produce their own stuff, which, then, of course, set them up for the vulnerabilities of some of their own stuff and introduced a variety of efficiencies. The global supply chain gives us a chance to get more vulnerability associated with the hardware world, and I want to show this sophisticated audience this point by just giving you a chance to reflect for a moment on a statistic you are probably not often exposed to, which is, I want to ask a simple question with respect to transistors.
There is a nice, little cartoon that says, this guy says it is time for us to spend more time with our children. He says to his wife, how many do we have? If you think about that as a problem, think about the transistor world and imagine the question, how many transistors are manufactured globally every second? I just want you to think about it, and I am not going to embarrass you by having you stand up or embarrass me by thinking I already know the answer. When I first started thinking about this, I did a back-of-the-envelope calculation, and the number was so unnerving for me that I managed to get some friends at Intel to get to work on it, and they commandeered the research department and came up with a number that was so disorienting that we had a final couple of hours of phone calls and agreed on a number. I want you to think of the question, how many transistors are manufactured worldwide per second? Just as a measure of how well you understand this, do you have your number in your head? Every second, 14 trillion transistors. The complexity of this system, the difficulty of policing it on the hardware side, needs to be appreciated. Then, of course, there is the human side. Here is a nice picture of Snowden. Before Snowden, we had Manning. The openness of the system to third parties is striking. One of the leading theories is the Iranians thought they had the system air-gapped. There was a distance between the centrifuge system and the software, a physical difference. Of course, all kinds of things happen: patches come down. The system needs to be updated. Contractors need to go in, and one of the theories is maybe some contractor got infected, brought in the virus, etc. If you are running a worldwide corporation, an aerospace corporation, for example, you have to integrate with all kinds of suppliers from all kinds of portions of the world, and that then causes you to share information.
Lots of people have access to the information, huge problems, and even if those people are not at that level, the ability to manipulate these people is pretty great. If people have not read the book, it is often possible to read that and realize that you, too, can be fooled with some clever social engineering. Every system, when you look at it, has management problems, configuration problems outside of the software and hardware. I have given you my password example already. So, you are familiar with many of the efforts to deal with this. The countermeasures have a long history. We know we tried barriers and training, but we had fundamental problems with these. They leak very badly. The screening and the antivirals: you are familiar with the set of issues, the dependency on existing signatures, the way the antivirals lag the attacks, the way many import vulnerabilities themselves and can be used as the basis for exploits. We have done a lot of hunting for vulnerabilities. It is nice to see the rise of that effort. I think it is going to produce some benefit, so is active defense. That monitoring of the situation and the like yields limited benefit. We can create enclaves and encrypt to greater degrees, a useful kind of thing, but again, the information needs to be shared, and when we get into the sharing, we get into all kinds of vulnerabilities described in the inherent software vulnerabilities that may exist. It is hard for me to believe, and when you talk to sophisticated inside operators, it is hard for them to believe, that they cannot get into almost everything if they really cared enough and had enough resources. I talked to someone who makes a career of it. He goes around dealing with complex industrial systems. I asked him how many times he is unable to penetrate his client. He says it might have happened once. It is so unusual.
The vice president for security at Google has said in a public context that when Google organizes red teams, they succeed in getting in 60 percent of the time. They are thwarted 40 percent of the time. Defending itself. I think we overstate the degree to which we can defend these systems, and what happens is corporations like to hire red teams that affirm the qualities of the people that hired them, so you do not wind up getting good penetration analysis, ultimately, about what serious attackers will do. I'll come back to the deterrence point. I want to note that what we are doing is raising the cost for attackers, not actually preventing them. One of the things I did was, with the vulnerability hunting and exploit people, ask them to go back to their records and show me a rough indicator. I do not want to make too much of this. It is just illustrative. What has happened over time in terms of their production function for vulnerability discovery? How many researchers of medium quality do they need to find vulnerabilities? Basically, this chart from 2006 to 2007 shows the production function, and that it has gotten harder to find vulnerabilities as we get fuzzing and all kinds of things that are out there, but if one producer could research and find two significant vulnerabilities in a year, and only finds a half, that is to say it takes him two years to find it on average, we have significantly raised the cost for attackers. It is now four times as difficult as it was before by this rough, illustrative measure, but it just means if you hired four times as many people, you can produce the same number of vulnerabilities. Here is the report. Every week we get a description of substantial vulnerabilities. Successes enjoyed even by [inaudible]-level people, or the people that are not at the very end of the distribution and win the top prizes. You understand all of this.
Hopefully this is a way of conveying the problem, and I want in my closing minutes to talk about my overview of how we can improve the situation given where we are. The fundamental proposition that emerges from this is presumed vulnerability. Presume digital vulnerability, and in critical systems treat this as though it is contested territory, a phrase I used in some congressional testimony. Create lean systems, that is, ones with fewer attack surfaces, and recognize that this is poisoned fruit: go on a diet. Ask yourself, do I really need this functionality, because it is introducing vulnerability, and that does not just mean enclaves and the like. The easiest example for me is a printer. Most people think they want a printer to print. It seems pretty evident. They do not think enough about what marrying the fax capability with printing capability does for the outside world. How about the fact that my printer has a Bluetooth capability that enhances its vulnerability? How do I feel about memory in my printer? People are buying memory in their printer that they do not want. I come back to the example of Snowden. He could steal 1.7 million documents. How come he could copy them? Why could he get access