I think people will still trickle in, but let's go ahead and start, because it's Friday afternoon and perhaps the sooner we complete, the sooner people get to escape, except for those poor souls who are going to go back to work, wherever that may be. I've got to go to the airport, so I'd rather go back to work.

My name is George Perkovich. I'm a vice president for studies here at Carnegie. Thank you all for coming. The purpose of our gathering is both to release Eli Levite's new paper on ICT supply chain integrity, which is the product of several years of work, very intensive engagement both with relevant officials and former officials in many governments as well as in the private sector, in the tech sector. So I think it's a formidable piece of work, and so we're happy to be releasing it. Eli will give a kind of a short précis of the report, and then we're thrilled to have two of the most brilliant people I know. Actually, it's three with Eli. So I'm not going to talk long, because I don't want to deprive you guys of the opportunity to hear from Eli, Mark and Bobbie.

Mark Chandler is the executive vice president and chief legal officer and chief compliance officer of Cisco. He covers a whole gamut of the issues that are germane both to this topic and broader issues of ethics and governance. He has been general counsel since 2001 and has provided insights that we've always found useful, not only on this topic but on any of the topics that we work on in our technology program. And then Bobbie Stempfley is now at Carnegie Mellon, where she's been since 2017, the director of their computer emergency response team. Before that, and where we met her, she was director of cyber strategy implementation at the MITRE Corporation. Before that she was acting assistant secretary and DAS at the Department of Homeland Security. So she's really informed and knowledgeable and brilliant about kind of the real-world dimensions of some of the risks that
we're talking about here. And so we're really glad to have Bobbie with us as well. With that, let me get out of the way. Like I said, Eli is going to do a brief presentation. Then I was going to kind of ask Mark and Bobbie a couple of leading questions, and then we'll just turn it open to all of you and have a discussion.

Thank you, George, and thank you all for being with us, and particularly this distinguished panel that I'm on. So the origins of this research go back a couple of years, before this current phase of the US-China duel over trade in general and the integrity of components became kind of a mainstream issue, and certainly before 5G became kind of a household name. What motivated the analysis, the research and ultimately, obviously, the publication was the sense that our dependence on these products and services, as governments and societies, as corporations and individuals, was skyrocketing, and with this dependence was also the growth of the vulnerability to their use, misuse and abuse for purposes that range from warfare and covert operations and law enforcement all the way to crime and vandalism. And while some people may look at those and say, you know, warfare is fine and espionage is fine, covert operations are fine, law enforcement is fine.
Obviously people differ in their perspective of whether those are legitimate uses, misuses and abuses of those capabilities. So it was clear to us from the outset, and in the dialogue that we've had with people both in governments and out of governments, in corporations and so on, in the academic world, that there was a monumental challenge in front of us to try and reconcile the requirements between legitimate leveraging of those weaknesses and vulnerabilities, let alone the creation of new ones, with the risk inherent in doing so and opening the floodgates for the misuse and abuse. So how does one balance between those? And as we dug deeper into the issues, two additional realities became clear. First, that the admirable work done by others, prominent among them NIST and BSA, which is represented here by Tommy Ross, and so on, but also others, in establishing criteria for supply chain integrity of both firmware and software, was truly invaluable. But they didn't cover all the considerations and all the scenarios of concern, and so there was some room there to identify what would be clearer policies that one should try and encourage, to try and bridge the gap from what is technically possible to what is actually necessary to build trust, to rebuild trust and maintain integrity of those products. And the second reality was that it couldn't be accomplished by technical solutions alone, notwithstanding the importance of technical solutions or even procedures and so on. And clearly, since we have launched the effort to try and study those issues, the politicization and actualization of the discussion of supply chain integrity, which has now become almost inseparable from the broader discussions over trade and competitiveness and qualitative edge and industrial infrastructure and so on, greatly exacerbates the anxieties about the integrity of ICT products and so on, making the production of an informed policy, of a responsible policy, on a national basis, let alone on an
international basis, so much harder to come by. So all of this actually was suggesting that the task we took upon ourselves was going to be quite formidable. But nevertheless, we were also looking at the risks of what would happen if one didn't try and come seriously at some policy recommendations, notwithstanding the difficulty involved, both for the United States as well as for others, and the risks inherent for innovation, prosperity, employment, welfare and so on if there weren't to be those policies that would be identified, adapted and ultimately harmonized internationally. So the effort that this paper tries to share with you is the development of a holistic concept of ICT supply chain integrity that has technical components, but alongside the technical components also has operational, organizational and policy attributes, one that weaves together both corporate and governmental obligations, one that is generic. It doesn't speak about the United States as distinguished from China or others and so on, but it feels that those ought to be kind of global requirements, standards, expectations and so on. And it tries to balance the risk between airtight integrity and one that does allow for governments to meet their legitimate requirements for information.

So ultimately what the report suggests is four attributes of integrity. One, which we call trust, is to codify the responsible behavior of governments and corporations, what they ought to commit to do and what they ought to commit to refrain from; a concept of accountability for their actions; the concept of transparency of their policies, the processes and the products; and finally, receptivity to requirements of governments and customers alike. So then, after identifying those four clusters of attributes, both for corporations and governments, and the expectations of them in rebuilding trust, the report goes on to explore the modalities to anchor these rules of the game, discuss some incentives that may be employed to encourage
adherence to them, and, not least important, to explore verification mechanisms to enhance the confidence that those who subscribe to these norms will actually apply them, or, if you wish, framed differently, to discourage those who actually just wish to subscribe to them only in order to abuse them, to get the semblance of compliance but not live up to those expectations. So the verification aspects as well are an important part of this study. What is possible? What is not possible to achieve in enhancing one's confidence in the compliance to these obligations?

I wish to conclude this introduction by saying the following: that the overall tone of the report is rather somber, because these are quite formidable expectations, and those would not be easy to get governments to sign on to, corporations to sign on to, let alone harmonize those internationally. Nevertheless, I do derive some optimism from three basic developments. The first is, I think there is a growing awareness of what are the risks and costs associated with a fractured supply chain, with disrupting supply chains that have evolved over the years and introducing to them very arbitrary, very non-realistic, very parochial considerations, and doing so in ways that are not even consistent between governments, nor consistent over time.
So I think this rising awareness is one source of optimism. The second thing, which was, to me as someone who didn't grow up in the supply chain domain, the biggest revelation, was that the cybersecurity requirements that we put so much emphasis on are actually highly synergistic with the requirements for quality assurance, for safety, for export control compliance, for licensing and for marketing in terms of getting customers buying. And so if corporations and governments look at those as things that go hand in hand, both the management bandwidth and their willingness to sink resources into them, but also the benefits that would accrue from taking this integrated approach, would be huge. And therefore there is some room for optimism that we would get things done that may not be done if it was cybersecurity alone that was driving the process. And the third, modest source of optimism, but nevertheless an important one, is that there are some new technological developments that make some aspects of what we're talking about here more possible, particularly when we talk about distributed ledger technology, blockchain and the like, which makes traceability a lot easier, and sharing that traceability concept all the way through the supply chain and the use throughout the life cycle and so on. So the combination of those three developments, the awareness, the synergy between cybersecurity requirements and the others, and some technological developments, do create some room for optimism. And I would conclude by saying this is not just a dream. Many of those things are already making their way into the behavior of some of the most sophisticated players, particularly on the corporate side, proving that this is not just desirable but to some extent at least possible already. And that's where I basically conclude, so let me conclude my introduction here.

Thanks, Eli. I want to come back to you at some point, if others don't raise them, with a couple
of thoughts to draw you out further, Eli. But what I thought I would do to kind of get us started is ask Mark and then Bobbie a question. But as I do that, feel free to comment on anything Eli said kind of in his introduction as well. The question I would first direct at Mark is, in a sense, if one of the premises here is building trust in ICT supply chain integrity, I mean, how does distrust now manifest itself, how big a problem is this, and how would you describe the ways in which it's expressed?

Thanks, George, and just first off, thanks to both of you for pulling together such a remarkable piece of work to highlight the opportunities and the challenges in addressing the issue. I liked your optimism, Eli, in the introduction. There are elements there that will help solve the problems, but there are also problems that are very, very hard there. And I think the only way we start working on them is by having them out there, where there's the ability to have a discussion and some transparency around what the gaps are in our ability to deal with these issues.
I had a little lesson in what this is ultimately all about on my way over here. I was at a meeting at the Four Seasons and happened to have lunch with someone that Bobbie used to work with at Homeland Security, Ivan Fong, who was the general counsel in the first Obama administration. And I got into an Uber to come over here, and I was pleased that when I was entering in the app, I just started typing C-A-R-N and up came Carnegie Endowment, and I was done, didn't even need to find the address. And I got in, and my driver, Jamaica, the first thing she said to me was, so do you think the world will ever be at peace? And I thought, well, that's kind of interesting. And so we talked about fewer people really being killed by violence in the last few years than at many times in past centuries, and where the world might go with that. And she shared some thoughts with me, and I wasn't quite sure why we were having that conversation. And we kept going, and we were kind of quiet for a while, and then she said to me, so do you work on peace things with your career? Is that what you do? And I said, why do you ask that? She said, well, on the app
it said you're going to some peace place. So I thought, you know, we've got to step back from this a little bit and realize that, as we become more and more... and the genie is not going back in the bottle, and this goes to your question about how distrust manifests itself. The genie is not going back in the bottle. Our economic systems, and particularly their defense systems, are going to become ever more dependent on network technologies to be effective. And because the stake in that is so high from a national security and economic security standpoint, the use of tools to undermine that security will be ever more seen as acts of war, and threats to that infrastructure may lead to physical war of a more traditional sort, to defend those systems and to retaliate. So the stakes couldn't be larger, and I was very grateful to Jamaica for getting me focused on that and seeing that I was coming to the Carnegie Endowment.

I think that the distrust isn't manifesting itself... it doesn't manifest itself in an unwillingness to use technology, and I don't think that that is what's at stake here. And I am less worried about the implications of balkanization, which was pointed out in the report as one of the areas where there could be disruption. You know, the concept that underlies the way we do security in our own organizations these days is now called zero trust.
I mean, it's a concept that goes back almost a decade, but the starting point is you don't trust anybody. There are insider threats as well as outside threats, and a castle-and-moat approach to security isn't going to get you there anymore. You have to start by always identifying who's doing what and how they're doing it and when they're doing it. So I think if you start with the idea that zero trust really is the world we're in, then it's not going to go down from there in terms of level of trust, because you're starting with zero trust. But what you do want is for the benefits of the deployment of technology to be more fully realized, and that depends on people having confidence that they'll be able to address the threats that are out there in a sensible way, and that we avoid undermining security in ways that will be counterproductive for everybody. And I say that about everybody because the reason people will do that is if they think they can gain a competitive advantage in one sphere or another by undermining trust. And the two that I would focus on, that were highlighted in the report, are first the fact that governmental efforts to undermine trust in a systemic fashion will certainly encourage other actors to engage in similar activities in a relatively uncontrolled way, and second, an escalating competition between those who are most expert in it to keep coming up with new ways as people try to defend against it. It's really very analogous to some of the great work that you've done, George, for so long in the nuclear proliferation area, so I think we can take some of those concepts and see how to apply them.

So the starting point for me in looking at this is the corporate obligations that you put out. I thought they were all very reasonable and things that we are implementing at Cisco, in terms of transparency of vulnerability reporting and speed of fixing vulnerabilities, in terms of using not just the published
standards but also other internal mechanisms to have a secure development lifecycle, just as two critical examples for making our products as secure as we possibly can. So I look at that and I say we can do those things. For governments, I think we are much more going to be dependent on social sanctions and real-world avoidance of products that come from systems where there's a corruption of the security and that is caught out. I think in a world of agile development, pre-review of code is never going to find what we need to find, but as we find intentional disruption, we need to have mechanisms that will effectively punish those who have violated the norms. So that's how I see that playing out. I don't see the reduction in trust reducing use of technology.

Yeah, I'll follow on that a little bit, and again, not to preempt anything that you want to put out as a general comment on the paper and what we've heard so far. The question I was going to ask... and then Mark just said something that made a variation for me. The question I was going to ask was, kind of from where you sit, in your experience, which is a bigger concern: state efforts to manipulate the supply chain for whatever purposes they do, or, say, criminal actors manipulating, or just shoddiness and sloppiness, in other words, poor development, premature release in the market, that creates vulnerabilities? Because that picks up on something Mark said at the very end about pre-reviewing code won't work, and if you see intentional kind of manipulations, then the response to it is ostracism or whatever the right word would be. But the key word there was intentionality, as opposed to what could be just shoddiness, which still leaves that much more vulnerability for other actors to join in. So how do you weigh those?
So this is where I think I get to be a little bit of a heretic, because I actually think that's an irrelevant question. And so one of the wonderful things about what we do at Carnegie Mellon and the team that I run is we're an applied research organization. So we actually aren't a response team. We started the idea of what a response team was 30-plus years ago; such a thing didn't exist when the Morris worm happened. We didn't have this idea of what response was, and my team said, oh, we're going to need to do something. We were asked, when the Morris worm happened, to do, and we created this concept of response. We've evolved beyond that; now that's done by other individuals. We spend a lot of energy, and my experience is we've spent a lot of energy, trying to figure out which is the bigger problem. Is the bigger problem that we need to increase quality, we need to increase process in that area, or is the bigger problem that we have a dedicated adversary trying to take action against things? And that energy is not as usefully spent in that way as is: let's solve the problem, right? And there are a different range of tools that we can use. We have to acknowledge that both exist, either from human error, from good intention but not an ability to see how a product is going to be used far in the future, or from the fact that an adversary might be taking action, internal or external. Things are going to happen, and so we need to make sure we're ready to be responsive. In that, there is an entire community of individuals who need to know why in any particular event, because that allows you to bring interventions to bear. There are different interventions that might be used, but scoping the two, in my experience, has not really changed the things that organizations, whether they be product manufacturers or service providers, have to do in order to be ready to respond in that activity. Now that might be, again, there might be use cases where that... And so one of the, I think, wonderful interventions or
inventions, innovations, in the paper is that separation of what corporations need to do and what governments need to do, because it was a Gordian knot, and being able to distinguish the two and recognize the appropriate interventions available to each party, I think, is really a powerful way to approach it. It also, and I think, Eli, your comments about optimism are always welcome in that space, but it also lets you look at supply chain issues across the life cycle and really enable those interventions to happen at the relationship level, right? There's a relationship between supplier, between members in the supply chain. There's a set of normative interventions that are possible at the relationship level, all the way through the engineering, if there's shared engineering, to how do you handle operations, the product and operations (we think about vulnerability management in that space too), and through any potential integration that might occur in manufacturing of the supply chain itself. And that's at least how we frame the thinking. It aligns well with what exists here, and I think for me it means that we are able to launch from today's problem to the problems that we foresee, which are ones of everything is being programmed. So how are we ready for an everything-is-being-programmed world? How we manufacture things is radically changed and radically changing, and so how are we ready for that in a world where, you know, you're printing more things than you're producing sometimes? But now we've got a more durable framework to apply to these next generations.

Would you, and Mark, you guys should jump in on any of these, but when you think about the problem the way that you just did, and you think about then the things that government needs to do, or kind of agree not to do, to contribute to a better outcome there, as distinct from what companies need to do.
How do you see it? Because the report, as you talk about, has these kind of things you recommend the governments do, and the private sector. And as I recall, and Eli should correct this, I mean, some of that happened when you started talking with governments about government restraint, and it was they who said, okay, fine, but if you're going to restrain us, then there needs to be action on the other end too. So how do you guys think about that division of labor?

I would say on the corporate obligation side, I agree very much with what Bobbie just said about the quality issues. That's incumbent on us in a competitive environment to do anyway. I look at the corporate obligations here, and there's nothing on there that I don't want to get up and be able to say to my customers, I'm doing. So it's sort of core and fundamental. One of the questions that arises in that respect is how do we make sure that companies that do things that go beyond the baseline of what customers expect will get rewarded for that? We looked at a situation a few years ago involving our sale of video surveillance management software in geographies that were singled out for human rights issues, and we made a determination that we wouldn't sell video surveillance management software to broad public policing efforts in those geographies. We would still sell to point solutions like a stadium or a railroad station or a theme park or something like that, but not for general policing. And the way this has played out, in at least some places, is first off, none of our US competitors followed suit. So we could sit there and watch competitors win market share while we could feel we were doing the right thing, but not getting any reward for it beyond the important, but not necessarily relevant to our shareholders, aspect of feeling better when I look in the mirror in the morning. Second, over time we found that in some repressive regimes, they didn't
want to buy equipment from us anyway. So my competitors, American competitors, ended up losing market share, and I could still claim bragging rights for that, but it was sleeves off the vest anyway, because there was no business there anyway, although there was at the outset. So I think we need to find a way for companies to be rewarded, and I didn't see that highlighted in the report, because these are table stakes. These are things we need to be doing anyway. Our customers come to us and say, how are you avoiding the potential for supply chain interruption in a period of global trade disruption? How are you managing the chain of custody of components so that you're sure that they aren't being interrupted? Where are you building your intelligent components? Those are questions that we have to answer anyway from our biggest customers, but we don't get a lot of direct feedback and reward for that. And we could go beyond that to some other elements that we would look for companies to do in working with governments, where there could be a certification and seal of approval on that side for corporate efforts to go beyond the baseline requirements here. And on the government side, I look to you to add on that.

One of the things that I think the report does a good job of, and if you think about the sort of life cycle framing I talked about, is being able to apply to government the interventions that are available to government, which I think is an important thing to sort of recognize. And so when you think about incentives for behaviors, whatever those might be, that's an intervention available to the government. There are incentives available to government that aren't available corporately, so that's an interesting... Oh, tax policy, as an example, liability waivers, other examples that are available there.
I haven't thought about your comment, though, about how to apply those interventions along a social policy construct. So that's an interesting idea that I think is worth an exploration.

I think some of the things we're talking about here have very direct social policy implications, as we look at the way products are deployed and the way misuse of them and the way supply chain interventions and systemic undermining of security can have very huge social implications. It's that connection of that to the supply chain; there's a lot to explore there.

Yeah, it's something we're thinking about every day. The implications post-Snowden for us were quite interesting, in that there was a very interesting picture that appeared in the book that was published that went along with the Snowden revelations. It was from an NSA newsletter, and it was talking about the fact that signals intelligence doesn't rely necessarily on assets being far away, and it said, here's a picture of specially trained personnel at a secure location installing a beacon in a product en route to a specific customer so that communications could be monitored. Now, you know, I was relieved as a citizen that this was specially trained personnel at a special location. It wasn't some guy they found sleeping on a bench in McPherson Square just doing it on the sidewalk there. The picture that accompanied this was a picture of someone standing at a desk, and there was a box on the desk, and the box said Cisco on it. It could have said anybody, because, you know, we didn't give them the box. It was en route to a specific customer and taken out of the supply chain, and we know that the government, through the export control and pre-shipment inspection regimes, intercepts products, which we can't control whatsoever because they've left our custody. So it's kind of random, but it is a vivid
picture, and it led to a lot of questions about what we do. Now, in the report it was highlighted that that's the type of intervention that probably you want governments to be able to do: very... Stuxnet was another example, very targeted, very limited scope, for a particular intelligence or national security purpose, and that will always go on. The question for us, then, is the allegation that came out of that, fed by international competitors, which was, well, Cisco seems to be cooperating and installing, you know, monitoring devices on its products, which was false. So we had to deal with the fallout from that, and the fallout was very, very real. So the transparency regimes that talk about what governments will do, how they will do it, and keeping that separate from what the companies are doing, are really critical. And for that reason I will say, and this goes to your comment, that I found not very comforting some of the suggestions for how corporate-government cooperation could help, and you rightly pointed out that public companies at least aren't going to want to be associated with efforts like that. And we just can't be, because once you start saying that you will do anything that will undermine the ability of your customers to trust your products, every customer will start to think that way: I wonder who you are doing that to? So I don't see how we can engage in those targeted efforts, even as we understand governments.
Well, we just need to draw the line and create incentives for what governments will do, and how to get them not to do more than that.

Yeah, so I want to take these points that Mark and Bobbie have made and try to take the discussion a bit further in several respects. First is, I think that what we try to do is to put down baseline requirements, mostly formulated as criteria, and their operationalization should change over time, hopefully in a more expansionist version, to include more and more of the CSR or ESG requirements, as we believe that those are the attributes of responsible behavior. So just as we've seen this occurring on climate and child labor and things of that nature and in other environmental aspects, I think that the idea here is to look at those criteria and say, okay, this is absolutely necessary now, but looking ahead, particularly in the direction Bobbie was talking about, we need to do even better than that. And clearly that gets us to the second point, of rewarding those that actually go beyond those requirements, which is why I'm not mentioning
this as minimalist requirements. Those are not minimalist requirements, but those are, as we see them, baseline requirements. And so the procedural aspect, as we see it, is to create... not just to anchor those obligations by both the corporations and the governments in some formal documents, be those of the OECD or the GGE or the G20 or whatever it is, and so on, but to create around them corporate social responsibility processes, as well as other government and corporate type processes that involve multi-stakeholder initiatives, as the nature of gear here has been involved in the soul. But I think that the issue that Mark is talking about in terms of the incentive structure is the one where we need to be the most creative. And you will excuse me: both of you have referred earlier to my optimism, so let me bring in my pessimism, only in order to say where I think we need to offset for this. So my pessimism is that governments cannot get their act together on this area, and I think that the one hugely acute problem that we are encountering is that the governments are deeply torn between: do they want the products more secure or less secure? Do they want to intervene or not to intervene? And by the way, if you think that this is a problem with China, Australia is trying to have the laws require, you know, introduction of backdoors and so on. And the governments...
So the governments have a huge problem getting their act together and striking it right Because some of them are more concerned about human rights and the other one are more concerned about suppression or Introduction of fake news or whatever it is and so on or privacy a treat the privacy differently so my Being so skeptical about governments getting it right and intergovernmental processes getting it right I've been some hope on actually commercial incentives and Where we are trying to go as Carnegie and where which is in more general direction and Specifically applied to this but not confined to this activity is to say How can we reward better behavior by commercial players that? first Are credit rating companies insurance companies holding companies Sovereign wealth funds financiers we can go on and on with the list That those would say just as they say we won't invest in tobacco products Or we won't invest in those who are doing things in coal They would actually say we consider your behavior to be more admirable on all of those attributes or At least many of them and so on and the beauty behind them is there is a good business reason for them to do it And they also can harmonize their requirements Internationally in ways that government have a much harder difficulty a much greater difficulty to do today So my answer to to Mark's proposition is we are already trying to get the commercial players To internalize those requirements as requirements of their own The difficulty they have had was to quantify and operationalize those requirements in a way that they can anchor them Into their own Whatever it is policies that they require or guidelines and so on but we have seen them doing it with respect to other areas And that's what we would like to do So yes, we would like to see governments more receptive to people who go beyond them Not just stand by their obligations but go beyond them But we would like to see the commercial incentives kicking in and rewarding even 
more those that go beyond the baseline requirements Well, I think your your suggestion for a multi stakeholder group that would do reviews of complaints and make determinations Is a is a good and constructive one because right now it's a little bit of Wild West when issues come up things come up like the The Snowden issue that I described we're going to have people out there trying to Leverage and take advantage of that for commercial purposes even when it's unfair. I think that you know the current debate over 5G security and The aggressive steps the United States government has taken in in some areas Have one effect of at least drawing attention to this issue Forcing a response now what we have to watch for in each case both in This country and every other country is are other responses genuine or PR driven and how do you measure them? But I think this calling out process can be very useful, but The development of a mechanism like the one you propose would be a big step forward because it would take it out of the Media scrum and turn it into a somewhat more technically grounded evaluation I think the the important element within that is the measurement As you point out, right? How do we what are the observables that can that that? We can recognize that can support the transparency regime for this kind of a global conversation And that some of that I think is possible because of the instrumentation in the processes And some of that is something that we've got to figure out how we take one step away and can look at So that it's not in that media scrum If anybody would like to comment or ask a question to please I'll call on you and then just please Introduce yourself. I'll start with the lady here. 
Yeah, well I I would Reiterate I think what I said before that I don't think it's a regulatory regime from governments that will do this I think there's a huge marketplace incentive at this point for companies to adopt the type of Implement what we described in the report as obligations I view them as marketplace imperative if you look at the at the list and they're all Laid out in in table four on page 25 of the report. They're all Sensible and things that no company ought to be able to not do and be credible in the marketplace the challenge is then to come up with a way of measuring compliance with that so that There's a distinction between things that happen by accident things that happen intentionally One interesting way that we experience this is that we have a very proactive policy at Cisco of Patching vulnerabilities as quickly as we can we find them and then and then making that public including the patch so that people can Implement the fix and going to major customers have and get it implemented first We have we have competitors who whenever we do this put out a press release saying Cisco discovers another backdoor And in fact these aren't backdoors that were put in these are security vulnerabilities code is written by people It will have errors in it and some of the errors will create security vulnerabilities So we need a way to step back from not not have and you know We've never done that with competitors because we always think that if you start tearing You're gonna end up in a in a in a very bad downward cycle if you do that So I've been disappointed when I see competitors doing that and think they can leverage the normal code development process for some kind of commercial advantage But I think what we need to do is move to some sort of certification regime and Review process with the major vendors appointing representatives to sit on it and when an issue comes up to make a determination whether this is something intentional or not and be 
able to give a stamp of approval that Yes, you have violated These principles that you've set out now I think there are a variety of different processes like these where companies sign up for all kinds of certification systems sometimes they're technical certifications sometimes they're social policy certifications Getting companies to sign up for that isn't the hard part a lot of people will sign in Anything the hard part is then measuring in a way that's credible and then being able to call out in a way that Customers and others will be able to just say no, I don't want to work with that vendor anymore I think for the companies that's going to be a private process I don't think there's a way for governments to effectively do it partly because I think it will lead to more politicization and I don't expect governments to be calling out their own national vendors as problems and And we needed to wait to internationalize that and that means using a private body So I think that the obligations of the companies and the acceptance of the companies is the most effective scalable way of Driving this kind of change Across the across the global community, so I agree with you Mark in in that regard the piece that I find More difficult Is is as you point out that sort of what is the transparency requirements and to whom are you transparent to and how is that consumed and used so that the reward structure that Exists can can grow and be evolved and so this idea of leveraging That sort of second level of regulators right the financial regulators and the risk regulators I think is an important sort of important part of of how we can adjust that and drive change I agree with everything that Mark and Bobby had said let me say that in thinking about this mechanism As we refer it which is described in the latter part of the report. 
I Think the ground of why it can't be a governmental one has already been made very clear I think Mark has put his finger on it the politicization being the number one issue, but not the only one and you do want Engagement of those corporations in this Grievance airing mechanism that some corporations may not be living up to that expectation So what you should understand at least as you actually visit this part of the report is What we try to do is to bridge two worlds in our recommendations One of them is the customs that have become The centerpiece in the more advanced and corporate social responsibility processes that we have been engaged as Carnegie But you know here we have only been engaged in one or two of those But there have been others who have accumulated a lot more experience and even there it became clear that what sets apart those corporate social responsibility processes that Are little more initially than than the public relations exercises and the more serious ones Is that there has to be built into them a grievance airing mechanism? 
And so we've tried to see what those grievance airing mechanisms need to look at and the purpose is both to Deter those who think they can get lightly away with not living up to those expectations as Well as to support to to give a this brand name to those who who actually live by those expectations That was one part of the input to the try and devise this process The other one is some of you know George and I have been heavily involved for years in arms control Processes and so on which has also been confronting this issue of verification as a centerpiece and so on and While not the perfect world again Clearly the issue of how does one build the processes that the balance between Protecting your IP protecting your privacy And so on and not becoming too onerous in terms of the frequency and the inspections and the cost of them and so on And at the same time giving leaving open the option to do so And creating a somewhat less but the politicized framework under which it's done So what we've tried to do was to marry those two There was part one to marry those two cultures in the recommendation of how we think about the the mechanisms But the second thing that I would mention is People here have talked about the measurements or quantification or whatever it is and so on clearly we measuring multiple attributes Some of the attributes pertain to quality assurance some of them pertain to cyber security Some of them pertain to privacy protection some of them pertain to environmental protection Some of them pertain to long-term availability Some of them pertain to whether the governments can coerce or not coerce the vendor to actually interrupt So they're the multiple attributes that we try to measure and Clearly this lends itself to an absurd of clearly subjective interpretations and so on The result has been that what we had felt is That we need to turn first and foremost to some of the leading corporations To to try and develop those criteria together of 
how you measure operationalize it and then try those on on the on the skeptics or on the Unpersuaded and the governments and so on to get them to actually Feel and so on but a lot of this ultimately embedded Not in government decision-making but embedded in pure market forces Precisely to avoid this issue of politicization. So we see this is merely at the beginning of a process That is trying to say okay here the attributes We all agree need to be the characteristics of a trustworthy product and a trustworthy vendor Here is the processes that would need to be in place to assess that trustworthiness Okay, now, let's agree as a next step by a quorum of some of the more reputable players but globally Of what that they actually agree that those that should be the process those should be the criteria and And provide some of their top technical people and we have benefited from the dialogue with some Leading players around the world in helping inform us as to what they think might be possible in this domain But there clearly is a lot where quite the distance to go beyond what is actually incorporated in the report itself Thanks, my name is Gare Smith I chair the corporate social responsibility practice at the law firm Foley Hoag I want to begin by thanking everybody up there. Congrats Ellie. 
This is a great piece And thanks to Carnegie for hosting this and Bobby and Mark your comments are very insightful and much appreciated I have two overlapping questions And they take off on two words that have been used a lot and one phrase that hasn't been used at all which I'm fine Curious one word is transparency, which we've used a lot and the other is is Multi-stakeholder initiatives MSIs and then the one that hasn't been referred to at all is the UNGPs The UN Guiding Principles on Business and Human Rights, which is the umbrella that a lot of this comes under So my first question is as an old guy who's been in CSR for a long time The ICT industry doesn't come to this new it comes to it late I mean we we look back on you know decades ago with Nike starting with this We look at Shell and Ogoniland in Nigeria and the lessons learned there I think one of the commonalities is if we learned anything is that Transparency is the modern-day Rosetta stone for credibility for external credibility and for that matter internal credibility within a company And I think my first question is looking back on these decades of experience in other industries Are there pieces that you could cross pollinate are there lessons learned for the ICT industry to draw upon and grow from So you don't have to reinvent the wheel a bit and the second overlapping question is I'd like to see where can we take an MSI Can use the UNGPs as an umbrella for this What we know what some of the drivers are to the table But can we get the platforms and the developers and the apps together in a way where? Everybody has a sense of responsibility and buy-in and seize the commercial benefit You know to getting this done right and I realize I've compressed a lot into that But I'm just trying to take a little bit of history because some of this isn't new at all And how do we you know really knock this forward out of the ballpark in a meaningful manner? 
Gare a great deal of what I know about corporate social responsibility and And Related issues comes from the interaction with you and some of your colleagues over the years and the admirable work you're doing So I think you know some of the answers. Let me let me try and address the two specific questions Nevertheless in a kind of a very partial way First I think cross pollination is definitely an important aspect We have tried to do it on a very modest scale if those of you who would actually look at the report There is an annex there that looks at the counterfeit drugs They have been confronting that issue for much much longer With some success but not complete success I think both the success of their efforts, but also some of the limitations of that effort are quite instructive And so I take that as one example of cross pollination of saying, you know, how does one? Inform what you're trying to do based on the experience of other industries and so on I thought that that having looked at several others Including some you haven't mentioned and so when we found that the counterfeit drugs and so the hundred thousand people are dying a year Just out of counterfeit medications to give you an example. I mean staggering figures Not to mention the financial losses companies Experience as a result of this which is another motivation to deal with it So the motivation has been there some action has been taken and so on I take from that cross pollination with this other industry Several sobering lessons. I will mention just one We're engaging here in risk mitigation. We won't solve the problem completely We will try to make it more difficult. 
We will try to make it Less life-threatening or whatever and so on we won't solve the problem completely This and and secondly that this is a multi-stage process because every time you make a step you move a step ahead New vulnerabilities emerge or transpire and so on so this cannot be done Just once and for all this is an online and ongoing struggle Particularly if we try to blend it with what Bobby has said that manufacturing processes are changing Software and hardware are becoming more and more difficult to distinguish And so on some things that are difficult to explain are making the way into the production and to the our products and so on so forth So we would have to be at this for a long long time And I think as Bobby has said we have a big catch-up to to to play in this domain and so on Multi-stakeholder initiative the only partial answer that I would give is that the last the fall of last year The OECD had gone out of its way to create a new type of forum Which does embody This multi-stakeholder aspect in the sense of bringing both governments and corporations into it with supply chain at the center of it It was an experiment. It's going to continue I think now the issue is driving it It has all the benefits and all the weaknesses are associated with a big and so on To me one of the encouraging aspects is that some of the companies on both Russia and China Were tiptoeing in that direction to explore? 
I wouldn't like to shut it out for them But I would like that I wouldn't like to compromise on the standards either And I think that if we have that that Imprint of the of OECD that could be helpful way of doing it But that's only one option that I would mention You know when I look at the list that you enumerated a few minutes ago of Elements that you thought were important for corporations quality assurance cyber security privacy impact environmental impact availability and Vulnerability to coercion by governments if I got that right It seems to me that a number of those Gare are built into the way Any responsible corporation behaves today and the starting point has to be the UN Guiding Principles It's I mean in our human rights report That's our starting point to say here the fundamental obligations that we have as an actor and that is a corporate actor in this society so I think quality assurance and Cyber security of our products and availability are things that our customers demand. That's a commercial matter Even though it may dovetail environmental impact and privacy impact are things that Some customers will demand others are less concerned about but where if we're following Basic principles of how our products will operate Those are taken into account and need to be then measured and called out where we fail I think where this gets really interesting in this whole discussion to me any way in terms of what the challenges is is the coercion of governments Ellie referred to the the Australian situation and Sitting to my left is Eric Wenger who leads our policy efforts in this regard and Eric Eric knows more about this. He forgets more about the Australian situation in a morning Than I'll ever know in my life because he testified at the Australian Parliament about this and What was what's interesting about the Australian intervention was that they want to have the ability to? 
Avoid encryption And I think relatively have not agnostic about whether they get access before information is encrypted or by some kind of forced decryption they Certainly not inconsistent with what Attorney General Barr Suggested to Facebook yesterday Ironic in that I you know the director of the FBI at the same time is telling everyone to use encryption to avoid theft of intellectual property I Don't think there's a what was particularly insidious about the Australian Proposal and still unclear how that's going to play out. It's been adopted, but untested Is a requirement that vendors not be transparent and not document features that will allow interception of information We've always felt that we needed to comply in any country where we operate with a lawful intercept Warrant for particular criminal matters There's a huge issue with turning over all information But when there's a legal regime that requires turning over Information for a particular investigation you comply with it the idea that we can't report and you know We look at USA Freedom Act which Specifically makes it easy for us to report how many requests we get how much you know How many people are affected by the requests we get to to provide information? Contrast that with the system where you're not even allowed to document that you have a feature that's capable of doing that It's an extremely bad idea. We're not doing it but But we need a mechanism to keep calling out the Australians for doing it and make it very hard for any other Government to do it including the United States And that can only come I think by punishing in the commercial world Products that seem to comply with those kinds of regimes. 
It's a it's a non-technical Aspect of security if you will in that it's not it's not something that you it's broken and you fix it It's something that's done intentionally for a policy reason And that's where the I think the heart of this is is To create You know, this is something that's not covered directly in the Guiding Principles I mean you can infer it from some of the privacy and autonomy principles But the way that will work is by having conversations like this and having Organizations like Carnegie establish a baseline of expectations and having companies and governments Where we can start to do that. I mean look at what happened post-Snowden here with with for instance PPD PPD-28 and the the minimization requirements Those were critical and say it didn't go far enough and with the Vulnerabilities Equities Process, which I felt was very inadequate under the In the Obama administration, I think that actually the Trump administration has Come up with more precision in that process that's been it's been a positive in terms of making that a more robust and Transparent process, but I think as we take reports like this We encourage others to do similar work you build up a set of expectations and your work points in that direction as well Where it becomes unavoidable to do those things. I Think you know answer to the previous question just to allude back to that it would be Easy easier to think that a government could just set a rule and you have to do this I don't expect governments to do that. I think this is going to be something that comes from civil society Setting expectations for the way governments will behave the way companies will behave and then having a sanction in the form of commercial punishment for companies that are Subject to governmental rules that don't allow them to meet that I'm the lady next to Tommy My name is Melissa Hirsch. 
It's okay Hirsch I'm a risk consultant and actually my background is in Long long time ago in biological warfare controls as well as being a supply chain consultant in the private sector also past life So what I was interested in actually Mark one of the last things that you just said sort of took some of the words that I was going to use which is you were looking for ways for greater market differentiation and market penetration by Demonstrating compliance or beyond compliance towards Best practice standards in the industry the problem becomes when you have a Group whether it's your multi stakeholder group or a private sector entity you can talk about having Incentives for being part of this and there's third-party risk, you know compliance driven efforts already being put in place but The bigger issue is Corporations can't sanction and you said the word sanction. How do you is there an opportunity for corporate sanctions? Governments can sanction other people So there's an incentive But there's also the role of disincentives and I wanted to push you a little bit on what you thought that might be Because and just to expound on that a little bit more. It's not just third-party risk issues and internal manufacturing Risk vulnerabilities, but it's also about the investor profile and who's financing the investment So it's a mix of if you want to bring the governments in it's investor screening plus third-party risk and Who gets to punish because that was what you just said corporations have to be able to punish somebody Who gets to do that and how do people comply and why would they comply with the corporation saying you ought to be You ought to be punished. You're my competitor Okay, three three comments on that Is you've presented the question in a very pointed way, but I didn't fully recognize what I said in the way It was played back and that's fair. 
I mean, you know, there's no written transcript at this point that I'm aware of So the First I Don't see this as a as a mechanism for differentiation in a greater market penetration by my products necessarily that might be a a Short-run effect, but the long-term equilibrium space should be that it's it's table stakes for participation in the market and so that so that the The the only products that survive in the marketplace are those that people believe are not going to be systemically Systemically vulnerable So I mean there may be differentiation about speed of fixing vulnerabilities and that kind of thing But I'm much less likely to call out anybody else for that recognizing that stuff can happen to anybody It's relatively random So I don't see it as it is a differentiating mechanism, but as setting of a baseline number two the The point that there needs to be a sanction and I'm not sure I used the word punish, but but if I did I'll own it Doesn't necessarily mean that a government needs to do the punishment or the sanction the sanction can come from a shunning effect by those who just view The activities of an entity or an individual in some cases as untenable We're just not going to work with you and that can be Civil society calling people out it can be Customers calling people out it can be the media calling people out and in the case of what I think was a very constructive suggestion here the creation of a multi-stakeholder organization led by representatives from various vendors that provides a You know, I always hesitate to use the word objective because that raises all kinds of epistemological questions but a More neutral way of evaluating against a set of baselines what types of systemic insecurity Mechanisms may be in place and if there's enough credibility behind that body it matters, you know, you think in the You know of organizations like TÜV in Germany they do a very good job of providing product Certifications in some area widely respected in 
that TÜV seal matters I think a vehicle like that for Certification that had multi-vendor support as well as involvement of government certification organizations such as Anisa in France or or comparable organizations in other countries Would be a way to do that. So I don't see this necessarily a governmental job to punish and sanction I think that punishment and sanction can come through a variety of organic or planned mechanisms that aren't governmental A governmental job either to stand up the multi-stakeholder body Right, there's been it particularly in this country a number of examples where Corporations have gotten together to do something and government has come to the table. Oh, I actually agree with you I mean, I actually think it should be industry but but my question I guess was more along the lines of You know, there are certainly going to be countries and other companies that are going to adopt the more vulnerable Software firm or hardware, whatever it's going to be So I understand the shunning effect They may not get the big contracts and the juicy contracts that they really want to get because they don't have those baseline mitigation solutions in place But that doesn't stop the other issue of other people using Those products and processes and that actually then becomes an even wider industry-based foreign policy question You of how much is industry going to be trying to then I dare I say it lobby government to then make wider statements against Those vulnerable solutions, so I'm just trying to understand a little bit more. I do think it should be industry-led I Want to complement what Mark said and explain perhaps a bit further That the shunning effect or alternative formulation is the rewarding for those who go beyond the baseline a Incorporate all of those There are different ways of thinking about them. I clearly think that liability is one of them, right? 
I mean so so I Sort of I'd rather use it selectively But I do think that you know sort of so that the liability has proven to be a restraining mechanism to some practices and Particularly one of the things that now the way of the beginning to understand So some of the financial consequences and others, but let's focus for a second on financial consequences of subpar equipment in terms of engineering that is like that susceptible to business interruptions as well as other types of Consequences and so on is something that is Increasingly in the interest of the commercial other commercial players to try and figure out because ultimately we're talking here about Staggering figures of the consequences that follow if you become dependent on this if the electricity supply Doesn't operate or the or the communications or the water or whatever and so on and given that we're now dealing with Increasingly digitized environment and so on so I think that there is this Acute need to try and and understand this and reward those who are willing to put in place those risk mitigation measures Not just in the development or research and development, but also in the in the life cycle management of those products So I think that that's something that is with us That's where the commercial players are vastly interested and so on both to avoid the Reputational aspects of having supported this and so on as well as to avoid some consequences to them as part of whatever their investments or or or their Business dependence and things of that nature So I do see that there is a considerable potential there and I do see quite a few precedents of how this was done Historically, right? 
I mean you can't get the insurance companies were the driving force behind smoke detectors They were behind behind Lighthouses to avoid shipwrecks behind private security companies behind sort of deployed on ships to a deal with piracy off the Somali coast And so on but at the same time they said and here is our expectations of the role of engagement on those issues We need to be able to in to endow them With criteria that on the one hand represents not the lowest common denominator But a significant one of some things that are they shouldn't expect things that are impossible Mark has already made the point That there are security weaknesses that are discovered as part of a of a of an ongoing development and marketing of products Naturally, right? You shouldn't be punished for those but if that becomes an endemic problem with some vendor We clearly want to sort of to flag that and say that so and is that Vendor actually responding to criticism that suggests that their development processes were not up to par or they they weren't Quick enough to fix those things that were discovered and so on so we look at this as a dynamic process And that's where I think we need to go additional comment there, I think we focused very heavily on the corporate side here and Maybe I brought that on myself, but I'll tell you a story that I lived a year and a half ago that Illustrates the governmental side of this and why I think this report is so important in May of 2018 Talos, which is an internet research organization that belongs to Cisco discovered a Malware propagating that had the name VPNFilter and we discovered this in a large number of devices in Ukraine and we had a Internal Best guess that this was being done to either intercept in interfere with an upcoming election or with a Large athletic event that was scheduled in order to interfere with the utility grid And we had to make a decision what to do about it. 
You'll find our decision documented in a public blog that we posted If you just look at Talos T-A-L-O-S VPNFilter it will come right up for you in May of 2018 We had to make a determination at that time whether to notify authorities in the Ukraine that we saw this coming or simply to put it out there with some Suggestions as to possible attribution And It was a very difficult decision because the more customary approach would be to Notify authorities, but we weren't confident in that case that that wouldn't actually Lead to the triggering of an attack since there'd be no public awareness or ability to patch and what we elected to do is you'll see is to Publish a posting Describing exactly what was going on suggesting where we thought it might be coming from With the thought process that when it was out there The perpetrator would not be willing to then Institute the attack because it would be visible Simultaneously in the moment where it came from and that the acceptability of undertaking that would not Be something that the unacceptability would not be something the perpetrator was willing to bear and I think and I think that Doesn't necessarily work with a hidden private actor, but when you can attribute it and you're dealing with the government You have a much better chance and in fact that that bet it was a very hard decision to make how to do that Really wrestled with it The effect was that we saw no attack and people were able to patch and and nothing was launched But to me it showed the value of exactly what we're talking about here If you build robust vehicles to do that beyond the kind of threat research that my company is very good at doing That then you can build a world where those things are found identified and the Acceptability of doing them is so low that Governments won't even try and that's what you want. 
What we want to do is harden this system, again through mechanisms such as that, so that people, and when I say people I mean governments, won't even try, because the sanction, if you will, using that word again but not meaning that some government has a law, because the sanction is great. So how do you take an example like that and then institutionalize it, so that we find them systematically enough and well enough, and the information is out there in a way that people don't even try? Because that's what we're aiming at here, so that people don't try. Now, is that fair? I didn't mean to go on so long. I know you had a question.

There is one thing that I think your patching example does raise, Mark, which is the following. I mean, I think that your experience, or at least what came up in the research we have done in this report, was that whereas some of the best corporations are committed to patching critical vulnerabilities and doing so expeditiously and so on, the level of adoption of the patches is quite appalling, even among the critical ones. So we are facing in many of those cases situations where the operators are really falling behind in applying those patches for extended periods of time when the vulnerability is known, widely recognized, and so on, which makes it even more dangerous, and yet the patching... So maybe Bobby would want to comment. I'm mentioning this because I think we have focused on the responsibility of the vendors; we haven't focused on the responsibility of the operators.
I think when we talk about this supply chain integrity and the lifecycle approach, a hugely important issue is that the operators should be equally committed to take it to the next level, and so if informed of a critical vulnerability, rather than sit on their hands, they have to act quickly and patch it, and so on.

Yeah, so I think that comment is incredibly true. We find today that the uptake of patching is not what we want it to be. And the interesting thing is, there aren't bright lines between when uptake is great and when it isn't, whether it be criticality of vulnerability or size of organization. So we've really tried to figure out what the root-cause elements are, so that we can try to affect them. The one thing that we've found is systemic, that makes a systemic difference, is whether or not a technological environment has an auto-update-like feature and whether or not that is turned on by default. Right, and so I mean, those sound obvious, but it actually turns out those two things are really complicated to get into place. But those two things make the most difference in terms of patch uptake. So there's a really complicated set of reasons here why patching isn't adopted, and I'm not sure that the reasons are going to get simpler, but we're really focusing on trying to find the solutions in the space. The other thing I think is important to recognize is that this is not just an issue associated with security patching, right; this actually is a functionality and update mechanism writ large. And so we were trying to decompose this and determine, if security is the justification, are people doing functionality patching more easily?
Are they just ignoring some set of things? And it proves out to be a sort of universal mechanism, which is, I think, unfortunate.

Tommy.

The flip side of that too is that auto-update mechanisms are great for making sure the patches get disseminated, and if they get corrupted, it's an ideal mechanism.

Yeah, I know, exactly. It's one of those cases where there's a flip side to everything, which keeps people from moving forward on what might be a good idea.

Thank you. Tommy Ross of BSA. So, it's been a great discussion; I've really enjoyed it. And I think the paper does a really great job of laying out potential incentives and ways of thinking about a couple of the stakeholders, corporations and governments, in the software arena. There are other stakeholders, but one group is really important that I think is hard to impact with some of these incentives, which is the group of people that develop open-source components. And as you know, modern enterprise software in particular, or big pieces of big software products and services, integrate dozens or hundreds of open-source components, and they usually reside in these big repositories by language and whatever, and they're maintained by, you know, individuals or non-profit organizations that don't apply a lot of governance around those repositories. And as a result, there are huge volumes of open-source components in those repositories that have known vulnerabilities, that are no longer maintained, etc.
And it's very hard, in some cases, for developers to get information about, you know, how those components were developed, whether they're maintained, etc. So I'm just curious, as y'all think about this, if you have any ideas about how to apply incentives to sort of raise the tide of good practice, quality control, security in those environments where traditional commercial incentives might not necessarily work in the same way.

So I think some of the incentives are similar, and we've talked a lot about transparency and the ability to present more than just the code itself as the transparency of that component, right? We sort of had this philosophy that the code is in fact as transparent as possible, but people don't actually necessarily have the time to look at it before they consume it, and so we've got to find ways to produce metadata about it sufficient that folks understand the risk of the use of it as it goes forward. And so thinking about that model I think leads into the ethos of the open-source community, and I'm in no way a detractor of open source; it is an important part of the ecosystem that's there. And so how we think about that, I think, becomes a part of it. And then the consuming of it: at some point this becomes consumed by someone else and becomes a part of the supply chain of some other entity, and they've got to understand what it means to them in order to consume it. And so that metadata about it, either produced by the original developer or produced by someone who's now consuming it and incorporating it into their product line, becomes the important element of how we go forward. A lot of the more modern software development practices are producing data about the software as it's being produced, so how we expose that, the right kind of analytics on top of it, is an area fertile for work.

You know, to me,
I think that some of the work that you've been doing at BSA, particularly with Steve Lipner and so on, is quite inspiring on the traceability aspects and so on, that we need to make part of this norm that pertains to all of those sources, and so on, to make this part of the expectations of what you partly include. So how do we develop the culture, I think, is the challenge, but I think the technical mechanism for doing so is, as you have highlighted, what it ought to look like in terms of the development of large bodies of software now.

Thank all of you for coming out on a Friday afternoon. I want to thank Mark and Bobby and Ellie for a very illuminating and decisive discussion, and I hope people will find the time to read or at least skim the paper, and if you find it useful, to pass it along and forward it to others. It's available online, of course. But again, thanks all for coming.