<i>prerol music</i>

Herald: Our next speaker, he's a professor
of security engineering at Cambridge

University. He is the author of the book
Security Engineering. He has done a lot of

things already. He has been inventing semi
invasive attacks based on inducing photo

currence. He has done API attacks. He
has done a lot of stuff. If you read his

bio is it feels like he's involved in
almost everything we like related to

security. So please give a huge round and
a warm welcome to Ross Anderson and his

talk, The Sustainability of safety,
security and privacy.

<i>applause</i>

Ross Anderson: Thanks. Right. It's great
to be here, and I'm going to tell a story

that starts a few years ago and it's about
the regulation of safety. Just to set the

scene, you may recall that in February
this year there was this watch Enox's

Safe-Kid One suddenly got recalled. And
why? Well, it's unlikely that unencrypted

communications with the backhand server
allowing an authenticated access and

translated into layman language that meant
that hackers could track and call your

kids, changed the device ID and do
arbitrary bad things. So this was

immediately recalled by the European Union
using powers that it had under the Radio

Equipment Directive. And this was a bit of
a wake up call for industry, because up

until then, people active in the so-called
Internet of Things didn't have any idea

that, you know, if they produced an unsafe
device, then they could suddenly be

ordered to take it off the market. Anyway,
back in 2015, the European Union's

research department asked Eireann Leverett,
Richard Clayton and me to examine what I

would see implied from the regulation of
safety, because the European institutions

regulate all sorts of things, from toys to
railway signals and from cars through

drugs to aircraft. And if you start having
software and everything, does this mean

that all these dozens of agencies suddenly
start to have software safety experts and

software security experts? So what does
this mean in institutional terms? We

produced a report for them in 2016, which
the commission sat on for a year. A

version of the report came out in 2017 and
later that year the full report. And the

gist of our report was once you get
software everywhere, safety and security

become entangled. And in fact, when you
think about it, the two are the same in

pretty well all the languages spoken by EU
citizens. <i>speaks other languages</i>.

It's only English that distinguishes
between the two. And with

Britain leaving the EU, of course you will
have languages in which safety and

security become the same. Throughout
Brussels and throughout the continent. But

anyway, how are we going to update safety
regulation in order to cope? This was the

problem that Brussels was trying to get
its head around. So one of the things that

we had been looking at over the past 15,
20 years is the economics of information

security, because often a big complex
systems fail because the incentives are

wrong. If Alice guards the system and Bob
pairs the cost of failure, you can expect

trouble. And many of these ideas go across
the safety as well. Now, it's already well

known that markets do safety in some
industries, such as aviation, way better

than others, such as medicine. And cars
were dreadful for many years for the first

80 years of the car industry. People
didn't bother with things like seatbelts,

and it was only until Ralph Nader's book,
Unsafe at Any Speed, led the Americans to

set up the National Highways,
Transportation and Safety Administration

and various court cases brought this
forcefully to public attention that car

safety started to become a thing. Now in
the EU, we've got a whole series of broad

frameworks and specific directives and
detail rules and thus overall 20 EU

agencies plus the UNECE in play here. So
how can we navigate this? Well, what we

were asked to do was to look at three
specific verticals and study them in some

detail so that the lessons from them could
be then taken to the other verticals in

which the EU operates. And, cars were one
of those. And some of you may remember the

carshark pepper in 2011. Four guys from
San Diego and the University of Washington

figured out how to hack a vehicle and
control it remotely. And I used to have a

lovely little video of this that the
researchers gave me. But my Mac got

upgraded to Catalina last week and it
doesn't play anymore. So, verschlimmbessern?

Man sagt auf Deutsch? Oder?
Yeah.

<i>applause</i>

Okay. We'll get it going sooner or later.
Anyway, this was largely ignored because

one little video didn't make the biscuit.
But in 2015, there suddenly came to the

attention of the industry because Charlie
Miller and Chris Valasek, two guys who had

been in the NSA is hacking team hacks a
cheap Cherokee using Chryslers Uconnect.

And this meant that they could go down
through all the Chrysler vehicles in

America and look at them one by one and
ask, where are you? And then when they

found the vehicle that was somewhere
interesting, they could go in and do

things to it. And what they found was that
to hack a vehicle, suddenly you just

needed the vehicle's IP address. And so
they got a journalist into a vehicle and

they got into slow down and had trucks
behind them hooting away, and eventually

they ran the vehicle off the road. And
when the TV footage of this got out,

suddenly, people cared. It made the front
pages of the press in the USA, and

Chrysler had to recall 1.4 million
vehicles for a software fix, which meant

actually reflashing the firmware of the
devices. And it cost them billions and

billions of dollars. So all of a sudden,
this is something to which people paid

attention. Some of you may know this chap
here, at least by sight. This is Martin

Winterkorn, who used to run Volkswagen.
And when it turned out that he had hacked

millions and millions of Volkswagen
vehicles by putting in evil software that

defeated emissions controls. That's what
happened to Volkswagen stock price. Oh,

and he lost his job and got prosecuted. So
this is an important point about vehicles

and in fact, about many things in the
Internet of things for Internet of

targets, whatever you want to call it. The
thread model isn't just external, it is

internal as well. There are bad people all
the way up and down the supply chain. Even

at the OEM. So that's the state of play in
cars. And we investigated that and wrote a

bit about it. Now, here's medicine. This
was the second thing that we looked at.

These are some pictures of the scene in
the intensive care unit in Swansea

Hospital. So after your car gets hacked
and you go off the road, this is where you

end up. And just as a car has got about 50
computers in it, you're now going to see

that there's quite a few computers at your
bedside. How many CPUs can you see? You

see, there's quite a few, about a
comparable number to the number of CPUs in

your car. Only here the systems
integration is done by the nurse, not by

the engineers at Volkswagen or Mercedes.
And does this cause safety problems? Oh,

sure. Here are pictures of the user
interface of infusion pumps taken from

Swansea's intensive care unit. And as you
can see, they're all different. This is a

little bit like if you suddenly had to
drive a car from the 1930s an old

Lanchester, for example, and then you find
that the accelerator is between the brake

and the clutch, right? Honestly, there
used to be such cars. You can still find

them in antique car fairs or a Model T
Ford, for example, for the accelerator is

actually a lever on the dashboard and one
of the pedals is as a gear change. And yet

you're asking nurses to operate a variety
of different pieces of equipment and look,

for example, at the Bodyguard 545. The one
on the top to increase the doors. Right,

this is the morphine that is being dripped
into your vein once you've had your car

crash, to increase the dose you have to
press 2 and to decrease that, you have to

press 0. Under the Bodyguard 545 at the
bottom right, to increase the dose you

press 5 and to decrease it, you press 0.
And this leads to accidents, to fatal

accidents, a significant number of them.
Okay. So you might say, well, why not have

standards? Well, we have standards. We've
got standards which say that liter should

always be a capital L, so it is not
confused with a one. And then you see that

and the Bodyguard on the bottom right.
MILLILITERS is a capital L in green. Okay.

Well done, Mr. Bodyguard. The problem is,
if you look up two lines, you see 500

milliliters is in small letters. So
there's a standard problem. There's an

enforcement problem and there's extra
inanities because each of these vendors

will say, well, everybody else should
standardize on my kit. And there are also

various other market failures. So the
expert who's been investigating this is my

friend Harold Thimbleby, who's a professor
of computer science at Swansea. And his

research shows that hospitals safety,
usability failures kill about 2000 people

every year in the UK, which is about the
same as road accidents. And safety

usability, in other words, gets ignored
because the incentives are wrong. In

Britain and indeed in the European
institutions, people tend to follow the

FDA in America and that is captured by the
large medical device makers over there.

They only have two engineers. They're not
allowed to play with pumps, etc, etc, etc.

The curious thing here is that safety and
security come together. The safety of

medical devices may improve because as
soon as it becomes possible to hack a

medical device, then people suddenly take
care. So the first of this was when Kevin

Fu and researchers at the University of
Michigan showed that they could hack the

hospital, a symbolic infusion pump over
Wi-Fi. And this led the FDA to immediately

panic and blacklist the pump, recalling it
from service. But then said, Kevin, what

about the 200 other infusion pumps that
are unsafe because of the things on the

previous slide? Also, the FDA, we couldn't
possibly recall all those. Then two years

ago, there's an even bigger recall. It
turned out that 450 000 pacemakers made by

St. Jude could similarly be hacked over
Wi-Fi. And so the recall was ordered. And

this is quite serious, because if you've
got a heart pacemaker, right, it's

implanted surgically in the muscle next to
your shoulder blade. And to remove that

and replace it with a new one, which they
do every 10 years to change the battery,

you know, is a day care surgery procedure.
You have to go in there, get an

anesthetic. They have to have a
cardiologist ready in case you have a

heart attack. It's a big deal, right? It
costs maybe 3000 pounds in the UK. And so

3000 pounds times 450 000 pacemakers.
Multiply it by two for American health

care costs and you're talking real money.
So what should Europe do about this? Well,

thankfully, the European institutions have
been getting off their butts on this and

the medical device directors have been
revised. And from next year, medical

devices will have post-market
surveillance, risk management plan,

ergonomic design. And here's perhaps the
driver for software engineering for

devices that incorporate software. The
software shall be developed in accordance

with the state of the art, taking into
account the principles of development,

life cycle risk management, including
information, security, verification and

validation. So there at least we have a
foothold and it continues. Devices shall

be designed and manufactured in such a way
as to protect as far as possible against

unauthorized access that could hamper the
device from functioning as intended. Now

it's still not perfect. There's various
things that the manufacturers can do to

wriggle. But it's still a huge
improvement. The third thing that we

looked at was energy, electricity
substations and electro technical

equipments in general, there have been one
or two talks at this conference on that.

Basically, the problem is that you've got
a 40 year life cycle for these devices.

Protocols such as Smart Bus and DNP3 don't
support authentication. And the fact that

everything has gone to IP networks means
that as with the Chrysler Jeeps. Anybody

who knows your IP address can read from
and with an actuator's IP address, you can

activate it. So the only practical fix
there is to re-perimeterise and the

entrepreneurs who noticed this 10 to 15
years ago and set up companies like Beldon

have now made lots and lots of money.
Companies like BP now have thousands of

such firewalls which isolate their
chemical and other plants from the

internet. So one way in which you can deal
with this is having one component that

connects you to the network, you replace
it every five years. That's one way of

doing, if you'd like sustainable security
for your oil refinery. But this is a lot

harder for cars, which have got multiple
RF interfaces. A modern car has maybe 10

interfaces in all those there is the
internal phone. There's the short range radio

link for remote key entry. Those things.
There are links to the devices that

monitor your tire pressure. There's all
sorts of other things and every single one

of these has been exploited at least once.
And there are particular difficulties in

the auto industry because of the
fragmented responsibility in the supply

chain between the OEM, the tier ones and
the specialists who produce all the

various bits and pieces that get glued
together. Anyway, so the broad questions

that arise from this include who will
investigate incidents and to whom will

they be reported? Right? How do we embed
responsible disclosure? How do we bring

safety engineers and security engineers
together? This is an enormous project

because security engineers and safety
engineers use different languages. We have

different university degree programs. We
go to different conferences. And the world

of safety is similarly fragmented between
the power people, the car people, the

naval people, the signal people and so on
and so forth. Some companies are beginning

to get this together. The first is Bosch,
which put together their safety,

engineering and security engineering
professions. But even once you have done

that in organizational terms, how do you
teach a security engineer to think safety

and vice versa? Then the problem that
bothered the European Union, are the

regulators all going to need security
engineers? Right. I mean, many of these

organizations in Brussels don't even have
an engineer on staff, right? They are

mostly full of lawyers and policy people.
And then, of course, for this audience,

how do you prevent abuse of lock-in, you
know, in America if you've got a chapter

from John Deere? And then if you don't
take it to a John Deere dealer every six

months or so, it stops working. Right. And
if you try and hack it so you can fix it

yourself, then John Deere will try to get
you prosecuted. We just don't want that

kind of stuff coming over the Atlantic
into Europe. So we ended up with a number

of recommendations. We thought that we
would get vendors to self-certify for the

CE mark that products could be patched if
need be. That turned out to be not viable.

We then came up with another idea that
things should be secure by default for the

update to the Ready Equipment Directive.
And that didn't get through the European

Parliament either. In fact, it was Mozilla
that lobbied against it. Eventually we got

something through which I'll discuss in a
minute. We talked about requiring a secure

development lifecycle with vulnerability
management because we've already got

standards for that. We talked about
creating an European security engineering

agency. So that would be people in
Brussels to support policymakers and the

reaction to that. A year and a half ago
was to arrange for ENISA to be allowed to

open an office in Brussels so that they
can hopefully build a capability. There

with some technical people who can support
policymakers. We recommended extending the

product liability directive to services.
There is enormous pushback on that.

Companies like Google and Facebook and so
on don't like the idea that they should be

as liable for mistakes made by Google
Maps, as for example, Garmin is liable for

mistakes made by the navigators. And then
there's the whole business of how do you

take the information that European
institutions already have on breaches and

vulnerabilities and report this not just
to ENISA, but the safety regulators and

users, because somehow you've got to
create a learning system. And this is

perhaps one of the big pieces of work to
be done. How do you take, I mean, once all

cars are sort of semi intelligent, once
everybody's got telemetry and once that

are, you know, gigabytes of data
everywhere, then whenever there's a car

crash, the data have to go to all sorts of
places, to the police, to the insurers, to

courts, and then, of course, up to the car
makers and regulators and component

suppliers and so on. How do you design the
system that will cause the right data to

get to the right place, which will still
respect people's privacy rights and all

the various other legal obligations? This
is a huge project and nobody has really

started to think yet about how it's going
to be done, right. At present, if you've

got a crash in a car like a Tesla, which
has got very good telemetry, you basically

have to take Tesla to court to get the
data because otherwise they won't hand it

over. Right. We need a better regime for
this. And that at present is a blank

slate. It's up to us, I suppose, to figure
out how such a system should be designed

and built, and it will take many years to
do it, right. If you want a safe system, a

system that learns this is what is going
to involve. But there's one thing that

struck us after we'd done this work, after
we delivered this to the European

Commission, that I'd gone to Brussels and
given a thought to dozens and dozens of

security guys. Richard Clayton and I went
to Schloss Dagstuhl for a weeklong seminar

on some other security topic. And we were
just chatting one evening and we said,

well, you know, what did we actually learn
from this whole exercise on

standardization and certification? Well,
it's basically this. That there's two

types of secure things that we currently
know how to make. The first is stuff like

your phone or your laptop, which is secure
because you patch it every month. Right.

But then you have to throw it away after
three years because Larry and Sergei don't

have enough money to maintain three
versions of Android. And then we've got

things like cars and medical devices where
we test them to death before release and

we don't connect them to the Internet, and
we almost never patch them unless Charlie

Miller and Chris Fellowship get to go at
your car that is. So what's gonna happen

to support costs? Now that we're starting
to patch cars and you have to patch cars

because they're online, I want some things
online, right? Anybody in the world can

attack us. If a vulnerability is
discovered, it can be scaled and something

that you can previously ignore suddenly
becomes something that you have to fix.

And if you, you have to pull all your cars
into a garage to patch them, that costs

real money. So you need to be able to
patch them over the air. So all of a

sudden cars become like computers or
phones. So what is this going to mean? So

this is the trilemma. If you've got a
standard safety life cycle, there's no

patching. You get safety and
sustainability, but you can't go online

because you'll get hacked. And if you get
the standard security lifecycle you're

patching, but that breaks the safety
certification, so that's a problem. And if

you get patching plus redoing safety
certification with current methods, then

the cost of maintaining your safety rating
can be sky high. So here's the big

problem. How do you get safety, security
and sustainability at the same time? Now

this brings us to another thing that a
number of people at this congress are

interested in: the right to repair. This
is the Centennial Light, right? It's been

running since 1901. Right. It's in
Livermore in California. It's kind of dim,

but you can go there and you can see it.
Still there. In 1924, the three firms have

dominated the light business. GE, Osram
and Philips agreed to reduce average bulb

lifetime some 2500 hours to 1000
hours. Why? In order to sell more of

them. And one of the things that's come
along with CPUs and communications and so

on with smart stuff to use, that horrible
word, is that firms are now using online

mechanisms, software and cryptographic
mechanisms in order to make it hard or

even illegal to fix products. And I
believe that there's a case against Apple

going on in France about this. Now, you
might not think it's something that

politicians will get upset about, that you
have to throw away your phone after three

years instead of after five years. But
here's something you really should worry

about. Vehicle life cycle economics,
because the lifetimes of cars in Europe

have about doubled in the last 40 years.
And the average age of a car in Britain,

which is scrapped, is now almost 15 years.
So what's going to happen once you've got,

you know, wonderful self-driving software
in all the cars. Well, a number of big car

companies, including in this country, were
taking the view two years ago that they

wanted people to scrap their cars after
six years and buy a new one. Hey, makes

business sense, doesn't it? If you're Mr.
Mercedes, your business model is if the

customer is rich, you sell him a three
year lease on a new car. And if the

customer is not quite so rich, you sell
him a three year lease on a Mercedes

approved used car. And if somebody drives a
seven year old Mercedes, that's thought

crime. You know, they should emigrate to
Africa or something. So this was the view

of the vehicle makers. But here's the rub.
The embedded CO2 costs of a car often

exceeds its lifetime fuel burn. My best
estimate for the embedded CO2 costs of an

E-class American is 35 tons. So go and
work out, you know, how many liters per

100 kilometers and how many kilometers
it's gonna run in 15 years. And you come

to the conclusion that if you get a six
year lifetime, then maybe you are

decreasing the range of the car from 300
000 kilometers to 100 000 kilometers. And

so you're approximately doubling the
overall CO2 emissions. Taking the whole

life cycle, not just the scope one, but
the scope two, and the scope three, the

embedded stuff as well. And then there are
other consequences. What about Africa,

where most vehicles are imported second
hand? If you go to Nairobi, all the cars

are between 10 and 20 years old, right?
They arrive in the docks in Mombasa when

they're already 10 years old and people
drive them for 10 years and then they end

up in Uganda or Chad or somewhere like
that. And they're repaired for as long as

they're repairable. What's going to happen
to road transport in Africa if all of a

sudden there's a software time bomb that
causes cars to self-destruct? Ten years

after we leave the showroom. And if there
isn't, what about safety? I don't know

what the rules are here, but in Britain I
have to get my car through a safety

examination every year, once it's more
than three years old. And it's entirely

foreseeable that within two or three years
the mechanic will want to check that the

software is up to date. So once the
software update is no longer available,

that's basically saying this car must now
be exported or scrapped. I couldn't resist

the temptation to put in a cartoon:
"My engine's making a weird noise."

"Can you take a look?"
"Sure. Just pop the hood. Oh, the hood

latch is also broken. Okay, just pull up
to that big pit and push the car in. We'll

go get a new one."
Right? This is if we start treating cars

the way we treat consumer electronics. So
what's a reasonable design lifetime? Well,

with cars, the way it is going is maybe 18
years, say 10 years from the sale of the

last products in a model range, domestic
appliances, 10 years because of spares

obligation plus store life, say 15.
Medical devices: If a pacemaker lives for

10 years, then maybe you need 20 years. Of
electricity substations, even more. So

from the point of view of engineers, the
question is, how can you see to it that

your software will be patchable for 20
years? So as we put it in the abstract, if

you are writing software now for a car
that will go on sale in 2023, what sort of

languages, what sort of tool change should
you use? What sort of crypto should you

use so that you're sure you'll still be
able to patch that software in 2043? And

that isn't just about the languages and
compilers and linkers and so on. That's

about the whole ecosystem. So what did the
EU do? Well, I'm pleased to say that at

the third attempt, the EU managed to get
some law through on this. Their active 771

this year on smart goods says that buyers
of goods with digital elements are

entitled to necessary updates for two
years or for a longer period of time if

this is a reasonable expectation of the
customer. This is what they managed to get

through the parliament. And what we would
expect is that this will mean at least 10

years for cars, ovens, fridges, air
conditioning and so on because of existing

provisions about physical spares. And
what's more, the trader has got the burden

of proof in the first couple of years if
there's disputes. So there is now the

legal framework there to create the demand
for long term patching of software. And

now it's kind of up to us. If the durable
goods were deciding today are still

working in 2039, then a whole bunch of
things are gonna have to change. Computer

science has always been about managing
complexity ever since the very first high

level languages and the history goes on
from there through types and objects and

tools like git and Jenkins and Coverity.
So here's a question for the computer

scientists here. What else is going to be
needed for sustainable computing? Once we

have software in just about everything. So
research topics to support 20 year

patching include a more stable and
powerful toolchain. We know how complex

this can be from crypto with looking at
history of the last 20 years of TLS. Cars

teach that it's difficult and expensive to
sustain all the different test

environments. You have a different models
of cars. Control systems teach for that

you can make small changes to the
architecture, which will then limit what

you have to patch. Android teaches how do
you go about motivating OEMs to patch

products that they no longer sell. In this
case, it's European law, but there's maybe

other things you can do too. What does it
mean for those of us who teach and

research in universities? Well, since
2016, I've been teaching safety and

security together in the same course the
first year undergraduates, because

presenting these ideas together in
lockstep will help people to think in more

unified terms about how it all holds
together. In research terms we've have

been starting to look at what we can do to
make the tool chain more sustainable. For

example, one of the problems that you have
if you maintain crypto software is that

every so often the compiler writes, okay,
so a little bit smarter and the compiler

figures out that these extra padding
instructions that you put in to make the

the loops of your crypto routines run in
constant time and to scrub the contents of

round keys once you are no longer in use,
are not doing any real work, and it

removes them. And all of a sudden from one
day to the next, you find that your crypto

has sprung a huge big timing leak and then
you have to rush to get somebody out of

bed to fix the tool chain. So one of the
things that we thought was that better

ways for programmers to communicate intent
might help. And so there's a paper by

Laurent Simon and David Chisnall and I
where we looked about zeroising sensitive

variables and doing constant time loops
with a plug in and VM. And that led to a

EuroS&amp;P paper a year and a half ago: "What
you get is what you C", and there's a plug

in that you can download them and play
with. Macro scale sustainable security is

going to require a lot more. Despite the
problems in the area industry with the

737Max, the aerospace industry still has
got a better feedback loop of learning

from incidents and accidents. And we don't
have that yet in any of the fields like

cars and so on. It's going to be needed.
What can we use as a guide? Security

economics is one set of intellectual tools
that can be applied. We've known for

almost 20 years now that complex socio-
technical systems often fail because of

poor incentives. If Alice guards a system
and Bob pays the cost of failure, you can

expect trouble. And so security economics
researchers can explain platform security

problems, patching cycle liability games
and so on. And the same principles apply

to safety and will become even more
important as safety and security become

entangled. Also, we'll get even more data
and we'll be able to do more research and

get more insights from the data. So where
does this lead? Well, our papers Making

security sustainable, and the thing that
we did for the EU standardization and

certification of the Internet of Things
are on my web page together with other

relevant papers on topics around
sustainability from, you know, smart

metering to pushing back on wildlife
crime. And that's the first place to go if

you're interested in this stuff. And
there's also our blog. And if you're

interested in these kinds of issues at the
interface between technology and policy of

how incentives work and how they very
often fail when it comes to complex socio-

technical systems, then does the workshop
on the Economics of Information Security

in Brussels next June is the place where
academics interested in these topics tend

to meet up. So perhaps we'll see a few of
you there in June. And with that, there's

a book on security engineering which goes
over some of these things and there's a

third edition in the pipeline.

H: Thank you very much,
Ross Anderson, for the talk.

<i>applause</i>

We will start the Q&amp;A session a little bit
differently than you used to, Ross has a

question to you. So he told me there will
be a third edition of his book and he is

not yet sure about the cover he wants to
have. So you are going to choose. And so

that the people on the stream also can
hear your choice, I would like you to make

a humming noise for the cover which you
like more. You will first see Bill's covers.

R: Cover 1, and cover 2.
H: So, who of you would like to prefer the

first cover?
<i>applause</i> Come on.

And the second choice. <i>louder applause</i>
OK. I think we have a clear favorite here

from the audience, so it would
be the second cover.

R: Thanks.
H: And we will look forward to see this

cover next year then. So if you now have
questions yourself, you can line up in

front of the microphones. You will find
eight distributed in the hall, three in

the middle, two on the sides. Signal Angel
has the first question from the Internet.

Person1: The first question is, is there a
reason why you didn't include aviation

into your research?
R: We were asked to choose three fields,

and the three fields I chose were the ones
in which we's worked more, most recently.

I did some work in avionics for that was
40 years ago, so I'm no longer current.

H: Alright, a question from microphone
number two, please.

Person2: Hi. Thanks for your talk. What
I'm wondering most about is where do you

believe the balance will fall in the fight
between privacy, the want of the

manufacturer to prove that it wasn't their
fault and the right to repair?

R: Well, this is an immensely complex
question and it's one that we'll be

fighting about for the next 20 years. But
all I can suggest is that we study the

problems in detail, that we collect the
data that we need to say coherent things

to policymakers and that we use the
intellectual tools that we have, such as

the economics of security in order to
inform these arguments. That's the best

way that we can fight these fights, you
know, by being clearheaded and by being

informed.
H: Thank you. A question from microphone

number four, please. Can you switch on the
microphone number four.

Person3: Oh, sorry. Hello. Thank you for
the talk. As a software engineer, arguably

I can cause much more damage than a single
medical professional simply because of the

multiplication of my work. Why is it that
there is still no conversation about

software engineers caring liability
insurance and being collaborative for the

work they do?
R: Well, that again is a complex question.

And there are some countries like Canada
where being a professional engineer gives

you a particular status. I think it's
cultural as much as anything else, because

our trade has always been freewheeling,
it's always been growing very quickly. And

throughout my lifetime it's been sucking
up a fair proportion of science graduates.

If you were to restrict software
engineering to people with degrees in

computer science, then we would have an
awful lot fewer people. I wouldn't be

here, for example, because my first
degree was in pure math.

H: All right, the question from microphone
number one, please.

Person4: Hi. Thank you for the talk. My
question is also about aviation, because

as I understand that a lot of the, all
retired aircraft and other equipment is

dumped into the so-called developing
countries. And with the modern technology

and the modern aircraft where the issue of
maintain or software or betting would

still be in question. But how do we see
that rolling out also for the so-called

third world countries? Because I am a
Pakistani journalist, but this worries me

a lot because we get so many devices
dumped into Pakistan after they're retired

and people just use them. I mean, it's a
country that can not even afford a license,

to operating system. So maybe you could
shed a light on that. Thank you.

R: Well, there are some positive things
that can be done. Development IT is

something in which we are engaged. You can
find the details of my Web site, but good

things don't necessarily have to involve
IT. One of my school friends became an

anesthetist and after he retired, he
devoted his energies to developing an

infusion pump for use in less developed
countries, which was very much cheaper

than the ones that we saw on the screen
there. And it's also safe, rugged,

reliable and designed for for use in
places like Pakistan and Africa and South

America. So the appropriate technology
doesn't always have to be the wiziest?,

right. And if you've got very bad roads,
as in India, in Africa, and relatively

cheap labor, then perhaps autonomous
cars should not be a priority.

Person4: Thank you.
H: All right. We have another question

from the Internet, the Signal Angel, please?
Person5: Why force updates by law?

Wouldn't it be better to prohibit the
important things from accessing the

Internet by law?
R: Well, politics is the art of the

possible. And you can only realistically
talk about a certain number of things at

any one time in any political culture or
the so-called Overton Window. Now, if

you talked about banning technology,
banning cars that are connected to the

Internet as a minister, you will be
immediately shouted out of office as being

a Luddite, right. So it's just not
possible to go down that path. What is

possible is to go down the path of saying,
look, if you've got a company that imports

lots of dangerous toys that harm kids or
dangerous CCTV cameras are recruited into

a botnet, and if you don't meet European
regulations, we'll put the containers on

the boat back to China. That's just
something that can be solved politically.

And given the weakness of the car industry
after the emission standard scandal, it

was possible for Brussels to push through
something that the car industry really

didn't like. So, again, and even then that
was the third attempt to do something

about it. So, again, it's what you can
practically achieve in real world politics

H: All right. We have more questions.
Microphone number four, please.

Person6: Hi, I'm automotive cyber security
analyst and embedded software engineer.

Most the part of the ISO 21434 Automotive
Cyber Security Standard, are you aware of

the standard that's coming
out next year? Hopefully.

R: I've not done any significant work with
it. Friends in the motor industry have

talked about it, but it's not something
we've engaged with in a detail.

Person6: So I guess my point is not so
much a question, but a little bit of a

pushback but a lot of the things you
talked about are being worked on and are

being considered over the years updating
is going to be mandated. Just 30, a 30, 40

year lifecycle of the vehicle is being
considered by engineers. Why not? Nobody I

know talks about a six year lifecycle that
you know, that that's back in the 80s,

maybe when we talked about planned
obsolescence. But that's just not a thing.

So I'm not really sure where that language
is coming from, to be honest with you.

R: Well, I've been to close motor industry
conferences where senior executives have

been talking about just that in terms of
autonomous vehicles. So, yeah, it's

something that we've disabused them of.
H: All right. So time is unfortunately up,

but I think Ross will be available after
to talk as well for questions so you can

meet him here on the side. Please give a
huge round of applause for Ross Anderson.

<i>applause</i>

R: Thanks. And thank you
for choosing the cover.

<i>36c3 postrol music</i>

Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!