LAS VEGAS – Ashkan Soltani and Terrell McSweeny have big jobs: Protecting the nation’s consumers from deceptive or unfair business practices. And they want help from hackers.
The Federal Trade Commission’s chief technologist and commissioner told the Black Hat and DEF CON conventions in Las Vegas that hackers’ research to uncover security flaws and privacy offenses could play a big role in the government’s investigations and technology policy. “The security researcher community shares a lot of our concern about protecting consumers’ data security and privacy,” Ms. McSweeny told Passcode. “Our missions are sort of aligned.”
On the sidelines of the hacker confab, the pair spoke with Passcode about bridging the divide between hackers and the government. Edited excerpts follow.
Passcode: In your Vegas talk, you refer to a ‘flip phone caucus’ in Washington. What’s that?
Soltani: So many people brag that they don’t have any technical expertise – but they’re still making policy. So many people have been like, “I’m not a technologist, but...” or “I have no idea how this stuff works, but we should have this thing – something that’s technically not feasible.”
Passcode: Will members of Congress get more tech savvy?
Soltani: A few of the committees have good advisers that are technical. Some of the congressmen in the recent encryption debates bragged that they had computer science backgrounds. The question is: How do we raise the status quo for everyone? Because they’re all chiming in on these technology policy issues.
McSweeny: You can use a flip phone – as long as you take the time to talk to the technologists and understand the technology. Plenty of congressmen who are on the flip phone caucus are taking that time. The point we want to make is: It doesn’t matter if you’re a user of that technology, it matters that you talk to people with the technical expertise.
Passcode: So how can the security community help the FTC in its investigations?
Soltani: We are monitoring academic conferences, security conferences, press. We get complaints from consumers. But if you write an article about a really egregious practice that we decide to take action on, I can’t call you and say, “Hey, did they do X or Y?” or “How could I replicate that?”
Some researchers are like, “Hey, I found this thing [such as a vulnerability] and I’ll do a blog post about it.” No follow up. No details.
I could spend a month trying to replicate their findings, but I can’t do much with that. Another researcher will say: “In scenario A, with these facts and that software, here’s this bug, here’s a screenshot, and here’s a script to run it.” I can spend 20 minutes to replicate it and pass it on to the attorneys and say, “Hey, are we interested in this? I verified the findings. What’s the law? What’s the analysis we want to do?”
If you want your work or publication to be more valuable, here are some details you might want to include: How do [you] produce it; how you came to that conclusion; what were the caveats or the qualifications for inclusion.
Passcode: Ashkan, before this job, you contributed to The Washington Post’s Pulitzer Prize-winning reporting on the Edward Snowden surveillance revelations. Has this government job been a big adjustment?
Soltani: The work I’ve been doing for the past 10 or so years has always been the same: To clarify how things work and where are the policy issues – whether it’s for reporting or the FTC.
My past tendency – and I think a lot of [the security] community is like this – is to think all the details matter. That you have to know how the entire thing works to have any insight into it.
As a reporter, you know there are things that resonate with your viewers, or policymakers – then you can hook them and bring them into the rest of the story. But how you structure the lead and the headline, that’s also how someone who’s really busy and has a different frame and maybe doesn’t understand this issue, [gets] engaged.
Passcode: What advice would you give security pros who want to talk to policymakers or start a career as a technologist in government?
Soltani: You need to understand the frame they’re operating in. Before I talk to someone about [the Computer Fraud and Abuse Act] or about FTC law or anything, I’ll first listen to the policy arguments, Capitol Hill briefings and debates, and hear what are the things that they’re debating. I’ll find the technical fact that’s going to inform what they are arguing about. Without that, I’m just going to give them a bunch of facts that aren’t relevant to them, and we won’t have a dialogue.
McSweeny: When you’re speaking to someone like me who doesn’t know how to code, there’s an entire jargon and lexicon that I don’t understand. So you have to also be able to literally translate the acronyms and some of the technical talk.
Passcode: At these hacker conferences, you have some examples of stunt hacks – such as when two researchers took over a Jeep Cherokee. If everyone’s talking about a video, does the alarm go off at the FTC?
Soltani: What the researchers and media are getting better at is making the issues salient. If I told you, “I can tunnel to an [electronic control unit] and change the settings to let me access the gas and pedal,” you’d be like, “That’s interesting – what does it mean?” But if you see someone shut off a car, it would resonate with you.
McSweeny: Obviously, we look at the paper and read media reports and look at all kinds of things trying to understand what’s happening to consumers. But we don’t go on buzz.
Passcode: This could have real-world implications for people’s physical security. Does that factor in?
McSweeny: As policymakers and enforcers, we need to put things in perspective. I don’t know how hard it is to do big stunt hacking of vehicles. But I suspect it’s quite difficult.
That doesn’t mean we shouldn’t take it seriously. But a lot of what we look at in the [Internet of Things] space are security practices that aren’t reasonable at all – that make things very vulnerable in a very easy way for people who might want to exploit them. And those are the kinds of things that deeply concern me.
Passcode: Are you going to look into the Jeep issue specifically?
Soltani: We’ve said we’re going to look into connected cars. And we have been prior to that stunt hacking. The topic is interesting – so are drones, so are cameras. There [was] a talk about rifles, the algorithm you use to do sighting. If you can affect that and use that to shoot five feet to the left, those are interesting things.
Passcode: So, Terrell, to your point, does the probability that someone will be able to replicate the hack affect whether the FTC looks into it?
McSweeny: It’s not a factor, so to speak, for us. The legal test is reasonable security. We’re not talking about perfect security. We’re talking about engaging in best practice – having processes and procedures in place. We understand there are people who have [best practices] in place and get hacked anyway.
Passcode: What’s the top emerging issue you believe is going to be a big issue for the FTC now?
McSweeny: I see a wide range of terrific innovation, a wide range of consumer-facing products – and also a wide range of security practices. I worry about the implications of that. I’m talking here about the Internet of Things – specifically, about IoT-connected consumer devices: Things we’re putting on our homes, wearing on our bodies, driving.
We could be introducing vulnerabilities into our home networks and that could be very problematic for people. A lot of the adoption, the success of this technology is going to hinge on consumer trust, and key pieces of consumer trust are going to be people feeling like this stuff is secure, or can be secured.
Passcode: The prospect of hacking a toaster makes for a sexy headline. But if you tell somebody that their toaster may be compromised, will people care enough to say goodbye to their toaster?
McSweeny: I would put that slightly differently: The future consumer needs to think about whether they want their toaster to be connected at all.
Because if it is … you may only get a few years out of it, depending on how long the tech is supported. Whereas your old-school electronic one might last for 20 years. We’re going to need to make sure consumers have that kind of information [for the] choices they’re making.
Soltani: For a $50 toaster you keep around for 10 years – the question is, will you receive patches, and updates, and security support, for that toaster?
People might say, “So what? If they hack my toaster, I might not be able to make toast.” Well, actually, it’s a computer. You can launch a denial of service attack. You can hack into a network. If it has multiple antennas, you can bridge from the outside into an internal network. You can use it to surveil people on their home network, and collect information they use in their home.
So, it may be a toaster you can keep around for 10 years – but the computer part of it may not receive support and it could leave you vulnerable.