About a year and a half ago, Josh Corman and I began having a discussion about the rapid adoption of technology that has the ability to impact human life and public safety. We came to the conclusion that technology is advancing faster than our ability to secure it. When we say "our", this is all of us. It is the software developers who write the code that drives the hardware we are using. It is the consumers who need to securely maintain this technology. It is the businesses who go to market with the products that we buy.
These early discussions became a security conference talk at BSidesLV and DEF CON in 2013. Rather than presenting to these communities on what we need to do to solve these problems, we wanted to start a conversation. Most of our community members had been focused on finding the latest zero day in consumer and business software powering traditional internet access technologies and information systems, while only a handful had focused on technology that would truly touch or impact human lives. We saw this as a problem and wanted to work to motivate people to spend more time "researching what matters" but in a way that would drive positive change.
The presentations started a number of conversations both online and offline. Today, the online conversations are taking place on Twitter and a Google Group mailing list. The offline conversations are happening at non-infosec industry events, with media, at private manufacturers' events, and even on Capitol Hill.
This activity, which has become known as "I am The Cavalry" (or IATC, or even just the "Cavalry Movement"), is making strides to become a 501(c)(3) educational foundation focused on providing opportunities to build public awareness and hold open collaboration sessions between security researchers and industry representatives on developing new ways to tackle the security problems we'll face in the future.
At DEF CON 22, Josh and I gave a presentation on what the Cavalry has been up to over the previous year, but also announced the results of a major initiative.
We spent about 9 months collaborating with security researchers, automotive engineers, policy makers, insurance agents, accident investigators, and standards organizations to develop a "Five Star Automotive Cyber Safety Program" through an Open Letter to the Automotive Industry.
"This letter urges carmakers to:
- Acknowledge that vehicle safety issues can be caused by cybersecurity issues;
- Embrace security researchers as willing allies to preserve safety and trust;
- Attest to these five foundational capabilities to improve visibility of their Cyber Safety programs;
- Initiate collaboration now to avert negative consequences in the future."
If you are interested in the future of our automotive safety (and who isn't?), please sign the Change.org petition and join the several hundred other people from around the world who are in support of this important cause.
This is just the start of things to come. I hope you will join us!
Nicholas J. Percoco (@c7five)
Vice President, Strategic Services