Information security and hacking experts, including the CEO of HackerOne, the founder of Bugcrowd, and the information security adviser from Fiat Chrysler, talk about cybersecurity threats. They appeared at an automotive cybersecurity conference.

Dan: This is really an exciting time for industry, the cybersecurity industry. Also, the auto industry. Bringing this together and having the inaugural summit is timely. The discussion is securing the car.
Some of you are probably thinking, what does that mean? That is what we are here to tell you about today. Crowdsourcing of security vulnerabilities. A number of other previous panels have discussed this. We are going to dive into some details. I would like to start off by giving each panelist two minutes for opening comments, talking about their role and what they are doing. Let's start over to my right. Casey Ellis.

Casey: It is a pleasure to be here. It is amazing to see such a turnout. We are seeing this conversation evolve at an incredible pace, so it is good to have you in the room. My background, I'm clearly not from America, I am Australian. I started Bugcrowd in 2012. It was a combination of two things. The realization that there is an incredible group of good guys, and girls, that think like bad guys, already wanting to help. What we are looking at is two groups of people who need to have a conversation but are historically terrible at getting along. There is a need to adjust that and improve that. The other side of it, I have been in the security industry for my entire career, looking at basically the deficit in how we are discovering vulnerabilities and creating feedback loops, to firstly remove the stuff already there, and then get better at avoiding it next time around. What we are doing, we have automation. We try to fill that gap. There are unfilled cybersecurity jobs. You have one person being asked to compete, to find a vulnerability first. When Bugcrowd started, it was feedback from a bunch of different organizations that I worked with that were more traditional, saying, this makes sense. This is a logical way to level the playing field. It is a pleasure to be here today.

Dan: He is the senior manager of security architecture.

Titus: I have the least interesting accent on the stage, I just learned. To tell you more about my role, I am in the IT organization.
What we are doing as far as the security program is, making sure we are cross-functional, multidisciplined. I have a team that is consulting, helping the vehicle side, understanding the threats we see on the IT side and how those can be applicable to the vehicle. One idea was the idea of the bug bounty. We see it on the technical side. We think it would be applicable for an automotive company. We are excited IT got to be part of that, that we have a seat at the table. Our input is valued.

Dan: To my right is Marten.

Marten: We are in this together. HackerOne is the number one platform for bug bounty programs and coordinated disclosure. There are over 500 companies. 60,000 hackers around the world ready to hack you for your benefit. When you know your vulnerability, you can fix it. As a result, the companies are the most secure in the industry. We are working with car mapping service companies. General Motors. Uber. We were handpicked to run the Hack the Pentagon program. The Secretary of Defense announced a program where hackers were invited to hack the Pentagon. In just a few weeks, we had 1400 hackers who discovered 138 severe vulnerabilities. They had paid previously 5 million over three years to find 10 vulnerabilities. They reached out, paid 150,000, and found 38. The first report came within 30 minutes of opening the program. That is how fast the 15-year-old kids hack. I have an accent, I am from Finland. I have been in California for the past 13 years, mostly in open source and infrastructure and now in security.

Dan: Can you describe for us, how does the bug bounty program work?

Marten: A bug bounty program is like a neighborhood watch. You are traveling and ask your neighbors to take a look at your house. No matter how well you build your house, no matter what alarms and locks, you can't protect against everything, so we ask the world around you to help you. The bug bounty program, coordinated disclosure, does exactly that.
You ask the world to look at your software system. You say, look and report, don't do harm. These people think bad but they act good. You invite them to come in. When they have reported something useful, you reward them for the results. That bounty can be as little as 100. We found a bug that was so severe, the company decided to pay so much back to the hacker. The result is the hacker is more committed and will look for more. You will get more and more vulnerabilities found. It is actually good for you. It is as good as going to the doctor and doing checkups you don't really like to do. Much better to know your weaknesses than not to know.

Titus: I would like to add and say, it is not always hackers. We are talking about vehicles. People have been tuning vehicles, trying to get as much performance as possible. When you made the vehicles connected, you wanted people to figure out, what can I do with the mobile app and website? They are finding, as they are trying to get additional functionality, they are finding vulnerabilities. I know some people had already been reaching out to us and saying, I saw something. After a few of those discussions, we said, we need to have a coordinated program to make sure we are communicating with them. If you are going to do research, this is how you do it safely. This is how we want to reward you for that research.

Dan: Why is Chrysler doing this now?

Titus: It is an evolution of the program. We have already been working with them. There are a lot of passionate people, people who like to hack, test and break things. Make sure those are considered in our designs.

Dan: There have been a couple of articles recently since the announcement. 1500 was the headline, may not be enough. Good and bad criticism, positive response. How would you respond if somebody said, 1500 will not be motivating enough?

Titus: I would say it is a motivator. I understand the comments and criticism.
We have to start somewhere and that is where we are working with our friends, giving us an idea of where we should start. We may evolve. We will revisit it.

Casey: The way these programs work, one of the mistakes that happened early on, they went out with a number that was interesting to the press more than a commitment we were willing to uphold to the community. What we have seen, we have been running, as was mentioned, programs for technology companies, a lot of organizations in more traditional verticals, including a number of automotive manufacturers. The idea is, start at a level that is sane. We are putting a lot of work into figuring out what this is. I think this industry is just getting started. We are at a point where we can start to collect data and say, what is a sane starting point? The number, I responded to some of those comments, is more about, it is not about putting out this flashy number that is never going to be upheld. It is about aligning expectations between the organizations starting this conversation and the people who are going to participate, doing it in a way that can be upheld. What we see with these programs is, you start at a particular point. You reach a stage where the velocity of submissions drops below a certain level. We generally go and say, congratulations. You have graduated from the level of security that you are going to get feedback on at this level. It is time to think about upping your game.

Dan: When you say there are other motivations besides money? A discussion we had last evening, for a young hacker in college, a computer science major, they can get that on their resume.

Casey: Definitely. The initial motivation, the preeminent one, hackers are going to hack. We have heard that before. These are people who are fascinated and compelled to understand the true nature of how things work.
Try to be able to manipulate them to do things maybe they should not or are not designed to do in the first place. There is that intellectual curiosity, the preeminent feature. Beyond that, we are seeing a lot of people get employed by the reputation they build in bug bounty programs. It is purely meritocratic. It is not, where did they go to school? This person hacked this company. That is proof they are skilled in the real world. Cash is king. As things normalize, that is going to be the steady and consistent motivation. The others still exist.

Titus: Think about auto security. There are names we know. This allows us to identify those people. Seeing the future, we do a closed bounty program. These are the researchers we want to work with because they have a history of finding things.

Dan: The benefits of coordinated disclosure programs are vast. We heard a couple of them this morning. Why are some companies or vendors still resisting? What are some reasons why companies are not adopting this?

Marten: They must not care about security. The fact is, I have tried to provoke you. It has been proven not just the best but the only way to detect vulnerabilities in live software. When human beings create problems, only human beings can find them, and not the same human beings. We have seen this effect in open source software. I remember, the database people said, I cannot use it, it is open and dangerous. Companies decided against it because they thought it was a cancer and a risk. Today, if you do not run open source software, you are doomed. There is a similar principle with software. The principles are taking over security. We will look back and say, how could we have had a time when we did not do this? It is a question of how fast minds will change. I see evidence of this changing much faster. Here we have the Secretary of Defense launching a bug bounty program for the Department of Defense.
They are working with nuclear weapons but they are using the help of 15-year-old kids. It is a shift. You must have the courage to face yourself and say, tell me about my vulnerabilities. In return, I will share my experience with all of you. That takes some confidence. Not every company has that.

Casey: If I can add to that. Completely agree. The two others I believe are in the mix, we talked about good guys that think like bad guys. Most people think the types of people that can do these types of things to a computer are bad guys. That is the perception. That is what we have to overcome. The reality is it is not true, but it is more interesting to talk about crime than good things. The other component is the operational overhead, dealing with the community trying to give you input. They are at the table, they are very effective. It has efficiency issues. A lot of the considerations people have before they launch these programs, sometimes that can be a blocker. That is a big part of what we have tried to make easy, particularly for traditional verticals.

Dan: We are getting great audience questions. I want to go over to Titus. What else is being done? What are automakers doing to change the way they manufacture vehicles? What else in addition to the bug bounty?

Titus: Considering security at the design phase, including all the other experts. Understanding these are a connected system. We segment as much as we can. We engineer as best we can. The threats are evolving. We have to make sure we can respond very quickly.

Dan: We are getting some great questions from the audience. I will jump to one of these really quick. Why are researchers offended by the word responsible versus coordinated? People may not understand the difference.

Casey: It is a term that gets a moral wording attached. That is the main reason. The term responsible has been abused. The reality is, the idea of this conversation has been happening for the last 15 years.
This is not a new thing that is happening. It is just picking up a lot of steam. That wasn't always the case. That has been basically thrown at the researcher community. Not all of them are justified. There are cases where there is the element of, you are getting someone calling you ugly. No, I don't like that, you're being irresponsible. That is part of the precedent. I like that term because the responsibility is not just on the hacker side. The thing that is becoming more of a feature, companies becoming proactive, that sense of their responsibility to hold up their end of the bargain. It is an age-old debate. Do we use this word, or coordinated disclosure, which is technically accurate, but do people understand what it means? There is a rich history.

Marten: I would go back to that question and put blame on those who have been in security for 15 years. You have created the world's most complicated terminology. We should come up with easier words and make this an everyday part of what everybody is doing. Just like, in my view, the automotive industry did with safety. They embedded it without making much noise about it. That is what we need to learn. It needs to start from the beginning of the lifecycle and we must give it simple, understandable names.

Casey: I'd like to apologize for the language.

Dan: We have five questions in the nature of white hat, black hat. A number of different renditions of this. Let's start with, how do you vet who you are talking to? How do you know it is a good guy and he is not going to somehow do evil?

Marten: If you are a bad guy, guy means man or woman, young or old, you are already hacking. You don't wait for any program to start. It is already happening. We are adding good guys to the mix. The second major thing, the programs we run reward you only for good results. A good deed every day and that is the only thing that gets rewarded. If you have a malicious inclination, why would you spend time?
You get no benefit. That is the basis of the environment. Knowing sociology, we know bad guys are maybe one in 10,000. There are bad actors but 1000 more good actors. 15-year-old kids in the Philippines, Morocco, Pakistan. Everywhere. They have good intents, they want to do good. They are a little too intelligent to fit into society. They are sitting at home and wondering what to do with their lives. When you give them real work to do, they will do wonderful things that are good. That is how you make sure the form is positive. In programs like Hack the Pentagon, we did vetting. I would throw it back to you and say, how do you know your employees are all good actors? You don't score them the way we do. We keep track of everything they do. We know more about our hackers than you know about your employees.

Titus: I couldn't agree more. They are earning a reputation. They are also given the parameters. They are going to see, these are the parameters. This is the only place we want you to look. Do not do denial of service. We do not want you to go to jail. They know, this is what will keep me out of trouble but allow me to experiment.

Dan: We have a number more in that area. I want to get a broader perspective. Bugcrowd issued its research on bug bounties. How does the auto industry adoption compare to other industries?

Casey: I think the people in this room have the maturity to get it. You can control your vulnerability if you know where it is. You can't control the behavior of an adversary. Is that the right question to be asking? You cannot control the behavior of someone who has the intent and skills to attack you. They are just going to do it. The task becomes, how resilient are you going to be when they come along? What we have seen is an incredible acceleration in adoption. You think of it as a spectrum. Facebook and Google. The crazy Bay Area tech companies. More aggressive when it comes to their adoption of technology risk.
At the other end, folks like the DoD. Western Union. A bunch of conservative companies in this mix. The consistent trend we have seen, it is moving a lot quicker than we thought it would. That is driven by the results. That is driven by the efficiency. The severe need to get better at this quickly, given how quickly consumer demands are accelerating. Having a way to have security be a part of that. It is driving demands. They are looking at the precedent being set by these tech companies and saying, that is kind of scary. It is going to make some of us uncomfortable. They are stepping in and starting to do it. The other thing is there are those that understand sometimes you have to wear a suit and tie to work. If you are running a private program or a program in which you are trying to give