EP62 – WTM: Security Policy
Dr. Amit Elazari – Director, Global Cybersecurity Policy at Intel
Dr. Anahit Tarkhanyan – IOT Security Architect and Principal Engineer at Intel
Hi, and welcome to today’s episode of What That Means: Security Policy. We have two expert PhDs today to discuss security policy, and each of them is going to be coming at it from a slightly different angle. Dr. Anahit Tarkhanyan is a senior member of IEEE and is a Security Architect and Principal Engineer for the Internet of Things Group at Intel, and Dr. Amit Elazari directs Global Cybersecurity Policy at Intel. Welcome.
[00:00:00] Camille Morhardt: I have so many questions, and I feel like a real novice in this space. I’m hoping we can take just a couple of minutes and you guys can define what security policy is.
[00:00:21] Amit Elazari: Thank you so much. And it’s such a pleasure to be here with you. When you think about security policy and the concept of policy, generally it is the best [00:00:30] practices, the regulations, the legislation, the guidelines—our joint consensus and understanding of what the best practices are that shape this environment.
Policy is not just proposed legislation and laws. It can also be defined by social practices, industry practices, technical reports, standards, right? It’s a broad set of norms that are defining this landscape. It is with that kind of broad lens that we go into the [00:01:00] IOT security conversation when it comes to policy, because we are seeing those general forces, market demand, shaping the future of the requirements. So speaking really generally, I would say that is kind of a very overarching lens into what would define policy.
[00:01:18] Camille Morhardt: Thanks, Amit. And Anahit, I’ll just ask you to maybe add on to that a little bit and also help the listeners get used to the difference in your voices. But Anahit, could [00:01:30] you actually add on how this definition expands if you’re going to talk about security policies specifically for IOT?
[00:01:39] Anahit Tarkhanyan: It’s a very good question, right. And thanks for having me here as well. To build on what Amit said, all these policies, right? What do they mean at the end of the day for us on the technical side, who are responsible for putting together the final product?
Right. So we have [00:02:00] to comprehend all these regulatory requirements and bake them into the product, and be able to follow the recommendations from the industry in terms of the best practices coming from those community-developed practices. Regarding the IOT specifically, it is very interesting to see the momentum around the IOT device, because we believe we are at the cutting edge of the technology [00:02:30] innovation. And technology innovation is one of the motivations for the industry activities around the policy, right? So we are faced with the well-known dichotomy, the problem of innovation: it’s quite common that the business motivation of innovation prioritizes the cost, the time to market, over the security, right?
And that’s what triggers policy activities. And this is [00:03:00] very vivid in the IOT space–this space where there is a very high concentration of innovation. It’s the devices themselves, it’s the workload with AI/ML, with the connectivity, 5G for example. All this innovation basically coming together, and IOT basically acts as a canary in a coal mine, right? It’s a risk indicator for the rest of the computing infrastructure.
[00:03:28] Camille Morhardt: So you guys are basically [00:03:30] saying technology innovation comes first and then policy gets formulated around that in order to address some of the canary’s illnesses. Is that accurate?
[00:03:43] Anahit Tarkhanyan: Yes. So, yeah, we can take the example of IOT and see what happened in the IOT space, how it evolved, right, and what’s happening, what the challenges are. And then Amit can tell you more about how it is really reflected in [00:04:00] various policy activities around the world.
[00:04:25] Amit Elazari: I think generally speaking, when it comes to academically [00:04:30] looking at the tech law and policy landscape, we observe two common issues. First of all, technology is moving ahead very fast, and it’s great. It’s bringing great, much-needed solutions that advance social causes and enrich our society. But generally speaking, the law often trails behind technology. The law is [00:05:00] slower to be amended. Policies are sometimes slower to be constructed. So as a general matter, innovation and technology often kind of trail ahead, and the law is trying to keep pace. That is just the general phenomenon.
And specifically when it comes to security, I would say that, similar to privacy, yes, we do have some joint understanding–a mindshare, consensus. There are frameworks like risk-based approaches to policies, like design neutrality, [00:05:30] like the need to leverage harmonized international standards that are common. And we would often see them in security policy, including in the area of IOT.
There is also an understanding of security which is cultural, and yes, there are areas of policy like national security and other domains where we will see different approaches to security, and we will see differences in legislation. And that is one of the areas where we often talk about the importance of trying [00:06:00] to leverage public-private partnership and harmonized standards to avoid fragmentation.
[00:06:07] Camille Morhardt: I’m not familiar with security policy. I’m just wondering what sort of things are in definition at this point, what’s kind of at the cutting edge where it hasn’t been locked down yet and people are trying to figure out how to deal with it?
[00:06:23] Amit Elazari: Great question. Well, I would say IOT is certainly one of the most evolving areas when it comes to proposed [00:06:30] policies around the world, not just in the United States, and it’s gradually expanding to other areas of connected products. We have recently had the IOT Cybersecurity Improvement Act that passed in the United States. We now have federal IOT security legislation that is focusing on driving security for federal procurement of IOT devices. This legislation is leveraging the efforts by NIST around developing consensus IOT security baselines. And actually right now we have–just as we [00:07:00] speak, and our audience can go and look it up–we have out for draft NIST 8259B to D, a new set of documents specifically for federal agencies and IOT device requirements for that sector.
[00:07:13] Camille Morhardt: Pause for just a second. Can you define NIST for us? It’s the National Institute of Standards and Technology, I think. But what does it do? Who is it?
[00:07:22] Amit Elazari: They’re really the U.S. body, when it comes to the U.S. government, that is kind of focusing on driving [00:07:30] innovation and industrial competitiveness by looking at measurable projects, like measurable science, standards and technology. So most of the security work—if our audience is familiar, maybe, with the NIST Framework for Security, which is a very famous document.
A lot of the documents, the technical reports, consensus-driven efforts–whether it’s standards, reports, and also guidance for actual federal agencies under FISMA–NIST is driving these efforts. But also efforts around [00:08:00] certification, whether it’s relating to cryptography and other elements. NIST is also participating in the international standards-making efforts at JTC 1/SC 27. So they have a fairly broad expertise when it comes to security, and they are driving a lot of these efforts, often in collaboration with OMB or other agencies.
[00:08:22] Anahit Tarkhanyan: Yeah, maybe it’s important to highlight why NIST is important, right? Not only because it is basically producing the [00:08:30] federal guidelines for the U.S. jurisdiction, but NIST is an internationally recognized organization that has produced quite a lot of well-structured documents highlighted in the policy area, right? And this structured approach is very important, because it’s paving the road for the rest of the industry to take off, to translate to the standard. And that’s what Amit was talking about: the groundwork that was [00:09:00] done in IOT cybersecurity baseline definition under the umbrella of NIST took the next round in ISO/IEC standards. Now you can see why—
[00:09:11] Camille Morhardt: And that’s the international—ISO/IEC is the international standard.
[00:09:14] Anahit Tarkhanyan: Correct. And so we started with NIST and it evolved to basically international standard.
[00:09:21] Camille Morhardt: What actually was defined there in that baseline cybersecurity standard?
[00:09:29] Amit Elazari: [00:09:30] Yeah. So NIST 8259, the original document, is 8259, 8259A. They cover both technical IOT security baseline capabilities for all IOT devices—so this is horizontal across the market—and, based on that, they developed, among others, a federal profile: a profile that specifies the technical and non-technical security capabilities for IOT devices for federal agencies. And these are [00:10:00] capabilities like security updates, device authentication, and the like. So, I highly recommend that the IOT experts who are listening to us check that document out. In addition to that, they’ve developed a broader document, 8259–again, horizontal—that talks about related manufacturer activities that are supporting these capabilities but are beyond just the device. And these are issues like the risk assessments, considering the supply chain, and other considerations.
What’s important to recognize is that the [00:10:30] underlying trend we are seeing in security policy is a focus on measurability. Jurisdictions around the world are taking different approaches to that. We know that in the European arena there is a focus on potential certification. We know that the RED directive is going through revisions, and that would have a relationship to IOT. We have seen proposed regulation in the UK focusing on leveraging the technical standard in ETSI for measurability purposes. And now we have seen, of course, the U.S. [00:11:00] federal law. And this is just a snippet of what we have going on around the world.
I think one of the things to call out is that we often talk about the need to facilitate interoperability and leverage the standards. And that is, in fact, one of the elements that you really see coming through the legislation; the legislation calls out explicitly alignment with standards and alignment with industry best practices, both for IOT and for vulnerability disclosure. And I’m talking about the U.S. legislation.
[00:11:29] Camille Morhardt: Okay, [00:11:30] so standards around disclosing vulnerabilities that you may have discovered are something that comes into play as security policy? When you talk about measurability, how is that related to security? Measuring what?
[00:11:44] Anahit Tarkhanyan: So first you have to define what the subject is, right? What is it that you want to address? There’s quite a lot of work on defining what an IOT device is, right? Number one. Then you define what the important [00:12:00] components are, the important baseline requirements for that device. When you establish that structure, when you establish that baseline, here you go: you have a way to measure it. Now you can actually propose some measurable activities along each defined category.
So again, if I pick the example of NIST and look at what they work on, right? And by the way, the subject for NIST was the [00:12:30] relationship between the device manufacturer and the customers. So they are proposing the set of requirements that the device manufacturer has to adhere to. There are very specific six pillars identified by NIST that your IOT device has to support. Examples are device identification, configuration, data protection, logical access to interfaces, software updates. And the last [00:13:00] one is the cybersecurity state awareness.
So now you have the framework on how to measure. This is clearly paving the road towards measurable IOT security. And we already see many players in the ecosystem picking up and executing on the definition that NIST basically introduced.
[00:13:22] Camille Morhardt: So I guess really what you’re saying it’s doing is it’s telling companies not necessarily [00:13:30] how to achieve the result, but that they’ve got to have a way to update, for example; not exactly how you do that, but you must have a way to update. You must have a way to attest that the person that’s accessing a system is who they say they are, has a right to access. And then you turn it over to any company to figure out what the right way to achieve it is.
[00:13:53] Anahit Tarkhanyan: Right. So they’re very pragmatic in terms of how they recommend these activities, right? [00:14:00] One is the capabilities that the device is supposed to have, and then on top of it there are support functions, right. And that includes the SDL, vulnerability response, end-of-life and device retirement.
[00:14:18] Amit Elazari: You know, originally the NIST document was developed to make sure that we have it as a report, right? Not necessarily as a regulation, right? It is a report. It’s kind of a guidance. And it was very important to establish that understanding of [00:14:30] the consensus of what the security capabilities for IOT are. And already by establishing that broad consensus, leveraging all the expertise of industry—again, a broad effort of input from the CSDE, the Council to Secure the Digital Economy, with almost 20 trade associations participating—just to create that consensus, because the IOT security market is so diverse. We have everything in terms of different attack vectors, different use cases, right. We have the smart dog collar [00:15:00] on one side and then the sophisticated industrial machine on the other end.
Because of the vertical nature and the complexity and the evolving nature of the IOT security landscape, we have to establish that common understanding. And that really is the first goal achieved, I would say, both with NIST and with the other efforts around the world. Now that we have our shared understanding, we are seeing people around the world also developing more detailed standards. We are seeing more bodies like UL, like [00:15:30] CTA with their effort, 8228, coming in with the Attestation Framework.
And what you shared, Camille, is very important when it comes to policy. This is the idea that you can get to the result in many ways. So specifically when it comes to regulations, that’s where we see the leverage of the standards, where we can continue to define and amend the actual technical requirements; we want to maintain that design neutrality. That is the concept that we speak about in policy where the legislation–because it cannot evolve [00:16:00] as fast as technology, and we need to facilitate that interoperability–the legislation stays design neutral. The requirements, including the content, right, the substance and the way to attest, stay at the level of the standards body. And we are seeing efforts around the world coming together to not just add more detail to the baseline, but develop attestation frameworks to support manufacturers around the world.
[00:16:28] Camille Morhardt: There are lots of different [00:16:30] ways to frame or break down something like the Internet of Things. Like you say, the dog’s smart collar might have a different standard potentially for security than, say, an autonomous driving vehicle or something like that. When we talk about integration with safety, what those devices or machines are actually connected to might matter. If it’s only connected to the dog’s leash, then that possibly has the potential to do [00:17:00] less harm than if you’re talking about a traffic light, or a car that’s connecting to traffic lights throughout the city.
I guess one question is, if I’m a company and I’m designing a product, I imagine some companies are pretty clear on what standards they’re trying to adhere to. If you’re specifically a U.S. government supplier, you probably already know the standards that you need to adhere to. But if you’re just out there designing an [00:17:30] innovative product and it’s in the IOT space, how would I even know where to look to know what standard I should even be worrying about, or where to get guidance, or what’s a rule versus a recommendation?
[00:17:43] Amit Elazari: First of all, you should call your own lawyer. No, this is a joke. But seriously, there are elements to your question–some of them are compliance-focused, some of them are legislation coming from standards–and you need to be diligent in this domain and look at [00:18:00] those different landscapes.
Some of it depends on your vertical. You mentioned the difference between the dog collar and the industrial machine. One of the core elements we’re seeing in a lot of proposed policies, but also standards, is this idea of the risk assessment, and the risk assessment being central to which capabilities you are developing as part of your device, what you are implementing, and to what extent. And this is a common approach, by the way, to security policy; you see it in standards like 27002, which is one of the most prominent standards being adopted, [00:18:30] not in IOT, but in the general security control domain.
[00:18:34] Camille Morhardt: It’s really been very interesting for me to get both of your perspectives on policy and technology as it relates to security, with this emphasis on the Internet of Things, or IOT. It’s a whole world out there, isn’t it? It feels like the collaboration is global, and it’s across industry and government, and it spans everything from—we were giving, or trying to give, a [00:19:00] lighthearted example, but actually a dog collar involves an actual living being, so, you know, maybe it’s not even as lighthearted as they get, right—all the way over to human safety and engineering and critical infrastructure. So really good insight.