Professor of Security Engineering at Cambridge University. He is the author of the book, Security Engineering. He has done a lot of things already. He has been inventing semi-invasive attacks on, based on inducing photo currents. He has done API attacks. He has entered a lot of stuff. If you read his bio, it feels like he's involved in almost everything related to security. So please give a huge round and a warm welcome to Ross Anderson and his talk, the sustainer of this book. Welcome, and thank you for listening to the French translation of this presentation, directed by the 36th Chaos Communication Congress in Leipzig, in Germany. Hello, I'm happy to be here today. I'm going to tell you a story that started a few years ago, and it's about the regulation of safety. It's the night of the regulation of security. In February of this year, there was this show of children who had been reminded, why? Because they thought it was a communication that the back-end servers weren't sure. And the hackers could follow the children, so this was immediately identified by the device and called on the children. And this was a bit of a way to talk about the so-called internet of things that didn't have any eyes of the non-safe device that they could suddenly be ordered to take it off the market. And of course, they didn't know that if their material wasn't sure, they could be removed from the market. In 2015, the research department of the European Union asked for regulation of safety because the European is sure to be able to identify security for the internet of objects. And from cars through drugs to aircraft. And if you start having software and everything, there's going to be a lot of data. And suddenly start to have software. And the agency that takes care of security, such as the implementation or the automobiles, must start to be interested in the safety of the software. A report was made in 2016. And it was released in an entire version of Report Vice in 2017.
And this report said that if you have software everywhere, the security becomes the only problem. And by the way, in most European languages, it's the same word. For example, in French, security in the Spanish language, security. So how are we going to update the regulation on security? So the problem that the European Union has to deal with in the European Union is the economics of information security because we see that the complexity is that most of the time, the systems fail because many of these ideas go across and the principles of security are false. Now, it's already well known that in some industries, such as aviation, that the industry for security is better in its sector than in others, like the one in the pharmacy. When we think about the car, at the beginning, the security was abominable. People weren't interested, for example, in security security. And it's just that the United States, for example, set up a committee on the subject, which brought the issue of autonomous security on the front of the stage. In the European Union, we have a series of regulations and regulations with more than 20 agencies, plus the UNECE, who take care of these issues. So how do we understand this whole ecosystem? We chose to study all these vehicles according to three different paradigms to see what we could learn from them. One of them was cars. Some of them were called CarShark in 2011 to the University of San Diego and Washington where some agreed to learn how to control the distance of a car. So... for Schlimmessel and Manusakta in Germany? Yeah, okay. We'll get it going sooner or later. Anyway, this was largely ignored because in 2015, but in 2016, the industry started to be interested because two people who had been in the NSC were the NSA's hacker team. The NSA were able to use the Chrysler's Uconnect to control a Jeep Cherokee. They were able to control a vehicle according to the location of the place where the vehicle was.
They simply needed their IP address. They managed to publish papers on the subject. They even managed to release a vehicle on the road. And then it made the news, in particular in the U.S., and Chrysler had to remember in this factory 1.4 million vehicles to work on the software. Some of you may know Pierre Martin Winscon, who was driving the Volkswagen, and he found that he had a large number of vehicles by inserting a mechanical software. And he was put in process for that. It's an important model concerning vehicles and a lot of things in the IoT. And what's important is that the MENA model is not only external, it's also internal. And you also have to keep in mind the OEMs. Now, medicine. So we can see of the scene in the intensive care units in Swansea hospitals. And just as a car has got about 50 computers in it, so in the same way that a car has more than a dozen of computer equipment inside, we can see that a little bit everywhere, as you can see on the MENA. It's a comparable number to the one of the processors in a car. And only here, surveillance and the management of all this is done by nurses and not by engineers. Here we have images of pumps, of infusion pumps that can be found in intensive care units. As you can see, they are all different. So it's a bit like driving a car in the 1930s, where you start to drive and then you realize that the acceleration pedal is not in the place where you expected it. So I thought the acceleration would change speed.
So, for example, up here, to increase the morphine dose you have to press 2, to decrease it you have to press 0. On the Bodyguard 545, to increase the dose we press 5, to decrease it we press 0. This leads to accidents, and a lot of accidents. So you could say, well, we have standards, but we have standards, for example, for the litre symbol: you have to use a L so it's not confused with a 1. Bodyguard, and if you look up to lines you see 500 ml is in small letters, but you can see that if you look at a different line, the yellow line up, and the litre is written in minuscule. And we have different examples of these failures on the market. So the research shows that failures in usability kill several thousands of people in the UK each year, like the road accidents. So in Great Britain and in Europe regulations, but since the safety and safety are lost, it tends to improve the medical field. So we can focus on Kevin Fu and his research in the University of Michigan, which led to the panic of the FDA. So the same ones on the previous slide, also the FDA, we couldn't possibly recall all those, but the FDA, it turned out that 450,000 pacemakers made by St. Jude in 2017, we realized that around 450,000 pacemakers made by St.
Jude could be hacked, and to remove that and replace it with a new one, to replace these models for patients who had such pacemakers, but it's a big deal since it's a surgical operation and a cardiologist has to be ready in case of cardiac attack, and it also has financial implications. So what should we do? Well, the European institutions are interested in the problem and to review the regulations on the medical equipment. From next year it will have to be more economic, it will have to be market studies, and there are obligations imposed to those who are preparing the software and to be interested in the life cycle of the machine. So there at least we have a foothold, and I think it's possible to be designed and manufactured in such a way as possible against unauthorized access that could have functioning as an intent. So it will be perfect for the manufacturing. But the third thing that we looked at was energy, and in general there have been one or two talks of this conference, and basically the problem of your life cycle devices is that the problem is the life cycle of these products that can last for a long time. As with the Chrysler Jeeps, anybody who knows your IP address can read from it, and with an actuator's IP address. There are companies that make a lot of money using software to protect themselves, for example, from fires. So one way in which you can deal with this is having one component that connects you to the network. Are you replacing it?
That's one way to have a renewable security for your oil refineries: the equipment that connects you to the internet can be replaced every five years. That's harder than before when you put it on a car, where there are at least 10 different interfaces that are connected to the internet in certain cases, for example the temperature, the pressure of the tires. It's particularly difficult for the automotive industry because of the fragmentation of the responsibility in the manufacturing chain, of all the actors that come to the manufacturing of the different parts of the car. The main questions that emerge from this background is who is responsible for the investigation of the incidents and to whom they should report, the engineers and security, and how to effectively report the incidents that are coming. How do we communicate the engineers in security and those in security, in particular when we know how the world of security can be fragmented between different specialties? Some companies are beginning to get this together, when we think for example of the company Bosch, who managed to gather these jobs, but even those who did that from an organizational point of view, how did they get to communicate the skills? It's not obvious. And in the European Union, are the regulators in any case becoming engineers in security? Most of these institutions don't even have one engineer among their staff; it's mostly people who work in politics or lawyers. And of course, at the congress here, I have to ask how do we prevent the case of monopoly or abusive lock-in. We don't see the kind of thing we saw in the US. So we ended up with a number of recommendations. In the beginning we would get vendors to self-certify for the CEO products could be patched, and then turned out to be more. We then come up with another idea, self-certification, auto-certification, but it's not really possible. In fact it was Mozilla that lobbied against it, and so we got something through which I'll discuss in a
minute. In the European Parliament there was a lot of lobbying against what happened. We wanted to create a European agency to manage security, and the reaction to that a year and a half ago was to the creation of the ENISA office in Brussels with technical people, the people who prepare the political side. We will also expand the directive on the responsibility in terms of production, to make sure that the people who are responsible of the mistakes made by a software, for example Google Maps, are not necessarily the people who use the software directly. And finally we will have to update the ENISA directive N-I-S, in particular to see how we can implement the security and safety. For example, once all cars are connected, there are gigabytes of data that are transmitted when there is a car accident. Where will the data go? To the police, up to the car makers, to the regulatory, to the one who built the car? How will we design a system that will bring the right data to the right place while respecting the privacy of the individuals and other legal obligations? It's a big project and we don't know exactly how it will be done. But at the moment, if you have an accident with a Tesla, we are forced to pursue a Tesla in justice. We need a better legal regime for that. It's up to us to find a way to create a more efficient system from this point of view, but it will take a lot of time. If you want a secure system, it will take a long time. But there's one thing that struck us after we've done this work, there's something that struck us after we've discussed this with dozens of people involved in the security. We were just chatting with these people, and we were wondering what we really learned from all this exercise about certification and decentralization. So, in particular this: there are two types of things that we know how to secure, the phones like
the phones and the portable computers that are secured because we correct the security problems, but they become obsolete pretty quickly. And then we've got the things like cars and the medical devices that we test extensively before they are made available publicly, but we don't connect them to the internet and they are patched. So what will happen in terms of cost for maintenance now that we're going to start patching the cars? And we're going to have to do that, and since we're starting to connect the cars to the internet, and it's something we've ignored before, but it's something we're going to have to correct. So if we have to start to send the cars to the garage to patch them up, it's going to cost a lot of money. So what's this going to mean? So this is the trilemma. So this is the safety life cycle standard, life cycle for safety: without patching we get the safety and the durability, but on a safety life cycle standard we have patching, but it breaks the certification in terms of safety. If we have patching and re-certification in terms of safety with current methods, we get costs in terms of maintaining safety. So how do we get safety, security and durability? This brings us to something else that a lot of people here are interested in. So here the image is the centennial light, the light without light; it's been lighted since 1901. So in 1924 the three major companies, General Electric, Osram and Philips, agreed to reduce the battery life in order to sell more. So this is something that tends to happen with connected objects, and we meet today where companies try to make it difficult to see, to correct and to fix products. Now you might not think it's something that politicians will get upset about, you might think that it's something that politicians will not be interested in, but something that you should really be interested in is the life cycle of the products. The average age of a car in
Britain, which is considered useless in the United Kingdom, is 14.8 years old. So now we have all these great software that allows the car to drive alone, taking the view two years ago that they wanted people to scrap their cars after six years and buy a new one. So if you're a Mr. Mercedes, you're a business model, and if your lease on a new car, and if the customer is not quite so rich. So this is the view of the vehicle makers, so this is the way to think of car manufacturers. Often exceeds its lifetime fuel burn, but now we have to consider that the cost in terms of CO2 of a car exceeds the quantity of the amount of fuel used on its lifetime fuel burn. That leads us to the conclusion that if we have a life cycle of 6 years, then we drastically reduce the final km of the vehicle. There are also other consequences, in the case of Africa for example, where most of the vehicles are on occasion. So for example, if we consider Nairobi, the cars arrive, they are already 10 years old, they are used for 10 years, and then they are sent to other countries until the point where they are no longer usable. Yes, there is more about safety. I don't know what the rules are here, but in Britain I have to get the safety questions. I don't know if they are the rules in Germany, but in the United Kingdom I have to bring my car to check in terms of safety after a certain age, almost every year. And once the software update is available, will we be able to export this car to Africa? I couldn't resist the temptation to put a little drawing: my engine makes a weird noise, can you look?
Yes, just open the trunk. I can't open the trunk anymore. Just put the car in the big wheel and we will look for a new one. That's what would happen if we treated the cars as we treat electronic products. What is reasonable to hope in terms of life-threatening car? For the car it's maybe 18 years, let's say 10 years after the sale of the last product in a product range; for the medical instruments we can say about 20 years; for domestic cars 10 years. Of engineers, from the engineer's point of view, the question is when can we make the software update for 20 years. If you are writing software now for a vehicle that will be sold in 20 years, what should you put in place as a security measure, and how are you sure that's what you will be able to do in 10 or 15 years? That's all the ecosystem that comes up with this question in reality. So what does the EU do? I'm happy to tell you that in the third alternative the EU has managed to pass a law on it. It's the directive on connected products. It says what kind of product we need for at least 2 years or more if it's in the reasonable of consumers. We hope that at least 10 years for everything for vehicles, and it's the sale that has the proof in the first two years. So we have a legal framework for that, and it creates a demand for the patches, and now the responsibility is on us. If the people who work today are still working in 2039, the objects will still be in 2039, so we will have to take into account the projects and tools like Git and Jenkins and Coverity. So here's a question for the computer science: what else is going to be here for a sustainable computer, once we have software in just one? So research topics to support 20-year patches include a more stable one, so it might not be for crypto, but for the history of the last two years, when we look at the example of the crypto, we see how complicated it can be. The cars show us that it's difficult to maintain this long life, the more you multiply the testing environments. The control systems also
tell us that sometimes you have to make small changes to limit what you have to have. And when we look at the Android case, we wonder how do we make the manufacturers continue to improve their products. For those of us who teach at the university or who do research at the university, so today I teach security and security in the same course at the university, we have to think about all of this in more unified terms. In terms of research, what can we do to make the manufacturing tools more durable? For example, if you add crypto tools, we will say that sometimes the compiler is improved and allows more intelligent work and to get rid of certain things that are more useful, all of a sudden from one year to the next your crypto in terms of security, if you try to make more changes. So one of the things we thought was that the programmers can no longer communicate on this subject. Then Simon, David, Shisplan, Norl and myself will work on this, and that's what we published in a research article at the university. At the macro level, what does it mean? We will have to do a lot more in terms of life. We will see for example that there are 1637 max for the Boeing, but in terms of the aeronautical industry we have a good long-term on the subject of other areas, especially when we think of the automobile. What can we use as a guide, what can we get as a guide for all of this, would be the economy of security. We've known for a long time, but as I told you, the technical problems are complex, they are often unresolved because there is not enough reason for the actors to try to solve them. Researchers can explain: if it's Alice who keeps a system, for example, that it's Bob who is paying the costs in case of failure, then you know you're going to have a problem. The same kind of problem applies to safety. The more safety and security are linked, the more these problems are going to be important, and so we need research and studies on this area. So our papers are sustainable, sustainable standardization
certifications in IoT, certification in IoT. So other papers are on my page, where the link is displayed, so that's the first place where you can go to learn more about the subject. There is also our blog, and we often fail. We also discuss all this, we will discuss all this during the workshop on the economy of information security in Brussels that will take place in June 2020, so perhaps we will see some of you there in June. So here are some books about the security engineering. Thank you very much, Ross Anderson, for this presentation. So we're going to start this question a little differently than usual. So Ross has a question for you, so you're going to decide about the next cover of Ross. You're going to see the first and the second. So who do you prefer, the first cover among you? And the second? OK, I think the public clearly prefers the second, and we're waiting with patience to see this second cover. Yes, so do not hesitate to ask questions. The first question comes from the internet: were there reasons for which you did not talk about the aeronautical industry in your research? Yes, we were asked to study three fields, and we worked on the three fields on which there were two. Hi, thanks for your talk. So where do you believe the balance will fall in the fight between privacy, between the manufacturer to prove that it wasn't their fault, and the right to repair? So the answer, it's a very complex question and we tried to answer, so, so, but we have to try to send the necessary data to the... I'm sorry, I did not understand. Microphone number 4, please. Thank you for this presentation. As an engineer in software, to do much more harm than a simple doctor in terms of use of software, so why is there no conversation around the responsibility of the insurance of the professionals? Again, a complex question. So it's true that in countries like Canada there is a particular status for doctors. It's a question I think quite cultural, and it's true that there are a lot of, if we had only people who only did software
engineering, we wouldn't be all there today. That's why it's good that there are several profiles. So my question also concerns aviation, because as I understand many old equipment are sent to developing countries, and how do we see, I'm a journalist of indigenous origin and this is interesting because a lot of equipment are sent to Pakistan after their first use, and so this question is interesting, what can you say? There are different things to say. Good things don't necessarily have to involve the technology of the information. For example, we could see the development of perfusion pumps for developing countries, so with a concept that will allow for use in countries like Pakistan or African countries. So countries that have access to technology don't need to necessarily be the richest countries, and we can have such equipment in countries where intelligent cars are not necessarily a priority. Another question from the internet: why force the update by law? Well, politics is the art of the possible, and realistically we can talk about a certain amount of things in a certain political culture in this moment, because we don't have the opportunity. So if we say simply that you have to stop connecting cars to the internet, that's not something that the industry is ready to hear. It's more reasonable to say that once a product reaches a certain degree of danger, then you have to put regulations to not bring this product, that people are more ready to hear. That's what we see, for example, with the case of carbon emissions for the most automotive in the European Union, in particular in the face of the automotive that came from China. Microphone number 4, please. Microphone 4, please. Hello, I'm an analyst in security in the automobile. I'm aware of the standard that's coming out next year. Do you know the standard that comes next year? The subject, it's not something I've been working on in detail. My point is not so much a question but a little bit of a pushback: a lot of the things you talked about are
being worked on. A life cycle of the vehicle is being considered by nobody I know, a life cycle that's not a future with a life cycle. Six years ago we could talk about a life cycle as well, it's not something we discuss. Senior executives have been talking about just that in terms of autonomous vehicles, so it's something related to different conferences about autonomous vehicles, and I can assure you that it's something that we heard about, it's all the time we had. Thank you for applauding, and thank you.