Designing smart communities that are people-centric, transparent and resilient/transcript

From IGF-USA Wiki
Jump to: navigation, search

>> DAN CAPRIO: Good afternoon, everyone. I'm Dan Caprio with the Province Group. Thank you very much for joining our panel on Smart Communities. We have a very distinguished group of panelists, and I should say at the outset, Gail Slater from the White House is unfortunately unable to be with us. She sends her regrets, but with all of the news of the week, she's gotten pulled into some other things and so avoiding a trade war with Europe is a good use of her time. But she really did want to be here and sends her regrets.

So this is a really interesting panel because, you know, we've spent a lot of time over the years at IGF and IGFUSA thinking about the Internet of Things and some of it theoretical, some of it practical. We've had lots of discussions about privacy and security, lots of discussions about frameworks, and you know every year it kind of continues to evolve.

But this year, we thought that we would sort of take it kind of to the next level and really sort of dig in on smart communities, really as an example of things that, you know, real world examples, things that are happening in practice that relate to some of the difficult problems of interoperability that relate to how do you provide privacy, how do you provide security.

And so we've been able to assemble a very distinguished panel with lots of different backgrounds related to smart cities and smart communities, and so what we wanted is to be fairly informal and have, you know, have a conversation among us, a little about their expertise and what they're seeing, and then have a conversation among the panel, but then also open it up and have lots of time for Q&A.

So with that, I think what I'll do is just introduce all of the panelists at the beginning, and then we'll turn back to it.

So first, and this is really significant, so Eddan Katz is the Project Lead on Protocol Design Networks for the World Economic Forum and so he has a lot of background in the industrial Internet as to relates to smart communities, but has also participated in our work on the Internet of Things, the Dynamic Coalition at IGF itself, and so thank you for taking the time to come and join us and we really look forward to hearing from you

Next we have Sokwoo Rhee, Associate Director of cyberphysical systems at NIST and has a lot of examples with smart cities and the global challenge and so we look forward to hearing more about that.

And then Michelle Richardson who is the Deputy Director of the Center for Democracy and Technology and she also leads CDT's freedom, security, and technology project.

And then last but certainly not least, Jeff Brueggerman, Vice President of Global Public Policy with AT&T.

So what I've asked all of our panelists to do is spend a few minutes sort of talking about your work and sort of how it relates and then we'll come back and do a round of questions, so Eddan, the floor is yours.

>> EDDAN KATZ: Thank you. Thank you very much to the organizers and thank you to Dan and Shane and the IGFUSA

I'm Eddan Katz and work at the World Economic Forum we have offices that opened up last year for the fourth Industrial Revolution and in that we have different project, one on artificial intelligence and machine learning, on drones and I work on the protocol design networks, is norm setting agreements across the different projects, and what I'm talking about.

What I'd like to talk to you about today is about the industrial Internet of Things, the manufacturing sector and how it onboards IoT. The industrial Internet of Things safety, security, and protocol was published, it's online in April, but it is an ongoing process of trying to implement a means of updating and increasing the adoption of cybersecurity best practices within the IoT space. And that's what I'm going to share with you some of the observations about coming to some consensus and experience and norms and what we confronted there, and some of the framework and best practices that are outlined in the IoT Safety and Security Protocol.

So first of all, the target audiences for this, one major part to start off with in regards to the issue of the governance is that in issuing this, we included a broad set of stakeholders, including finance and insurance, and so skipping to the end, the inclusion of insurance providers throughout the process meant that the adoption of these cybersecurity practices would influence as it's being implemented, whether or not there would be eligibility for insurance or discount, and so this is targeted with that as a policy lever in this multistakeholder setting, but also manufacturers, anyone who is deploying the Internet of Things in their manufacturing, in which has now increased exponentially and is a major aspect of the new means of production.

But also, which everyone in these best practices are not intended only to be relevant to the industrial sector, but to IoT, generally.

Something with observations in regards to trying to deal with the insecurity, the vulnerabilities that are inherent in the IoT, especially as in regards to the manufacturing sector, one of the principles that really motivated the agreement that has come across multistakeholders of companies, governments, civil society, academia, was the nature the nature of the cyberphysical environment. One thing that's interesting about the IoT is connecting the data harms that can occur with vulnerabilities in cybersecurity with the physical harms. So in the industrial context, if something fails or malfunctions someone could actually get hurt on the manufacturing floor as a result of that.

So the fact that there is decentralized interconnectedness, the fact that there is an erosion of boundaries between the production and consumer space, means that this is a shared responsibility, and so what are the motivations and impetuses for the framing is that not one particular entity is governing, not one particular entity has control, but this is something that ought to be described as a shared responsibility.

In regards to the necessity and usefulness of it being focused in part on insurance, is that the distributed risk exposure, this is one of those examples where you don't immediately sense the harm of what might happen if there was a malfunction or attack on an IoT grid, but as we've seen in some examples around the world, in the Ukraine the electricity grid went down after a hack twice over the past few years. There could be significant over the last few years but it's remote in terms of trying to realize that and trying to tweak incentives

We are at a moment in time where there is uncertainty about where the liability lies and whether there is any intentionality to how it works.

So one of the ways of solving it, of solving the problem and trying to increase cybersecurity practices is the notion that a lot of us are familiar with, the by design, security by design, and so one of the ways in which we're trying to help identify this problem and how it can be solved, given the diffuseness of it, is from incident response to harm prevention, to do the work upfront, and so trying to come up with a methodology, which is what we did by policy principles that are embedded in the technological infrastructure and understanding that there are components of it that there are the information technology side but also the operational technology side. These are older machines that weren't intended to be interconnected, legacy device, and how do you deal with all of that.

The way in which we've gone about setting these norms is through the agile governances, the principles that we're working with and how we are not being a governmental body nor a standard setting organization. The world at norm convenes and sets standards and tries to find standing. This is one sense of cybersecurity in which there is lack of clarity in how to enable adoption because of the fact that there is such rapid change, this has to be agile in being able to be updated and implemented. So the World Economic Forum is trying to be a platform for this policy development, and in this context, the IoT ecosystem, the industrial IoT ecosystem includes a wide range of entities which is why it needs to be dealt with horizontally from hardware makers and device manufacturers to vendors and IP service vendors, and standards body, all of these are relevant.

Insurance is a great lever because of the history the impact of insurance as regulation, the modification of behavior that's enabled by shifting incentives and creating insurance either discounts or liability rules in regards to that.

The IoT protocol is sectioned into three different parts. There is the Device Safeguards which makes recommendations about encryption and segmentation and is patches and updating privacy interoperability and these are in the Device Safeguard section. So these are our particular recommendations on the technology side.

There is another whole cluster on the Internal Governance and Risk Management and this really utilizing responsibility matrixes, board oversight, deals with the fact that in order to really implement this within companies, there needs to be coordination between the business end, the IT end, and other parts of the company, and set some rules on to ongoing testing and assessment

And then finally, the last cluster of what the IoT protocol deals with is in regards to information sharing, performance indicators, recordkeeping, and our metrics, and one of the co chairs of the project was the United Nations counterterrorism executive director and there is a security resolution, a UN Security Resolution that mandates that national governments can survey their domestic industries to find out about vulnerabilities, and so this is falling under that and moves that forward.

So I just went quickly through that, and I'm hoping that this provides some insight into how to deal with regulating IoT, how request proposing a governance structure or coming up with these kinds of norm setting agreements, and I look forward to hearing from the other panelists and answering questions when they come.

>> DAN CAPRIO: Thank you. Thank you very much, very good presentation.

>> SOKWOO RHEE: All right. So I'm briefly going to tell you about what I do, and before that what NIST is, probably most of you have at least heard about what it is but you may not what I do. I'm going to give you a little bit brief of what happens as far as IoT in the last two decades and why we are here and why we are talking about cybersecurity and privacy issues as of today.

So, NIST is in National Bureau of U.S. Department of Commerce, we do a lot of standards, obviously, but we do a lot more than standards. We do measurement science and can cover a lot of different things. It could cover physical science, chemistry, cybersecurity, and all the way up to IT and emerging technology such as AI, artificial intelligence.

My job at NIST is a little unique in a sense that I work on more of the innovation side, and so my title is Associate Director of Innovation for Cyber Physical Systems and my job is Ecosystem Development, Community Engagement and Prototyping and pirate and collaboration with the industry and academia to create momentum in the market that will end up eventually with the safe standards and best practices.

Why doesn't NIST just go out and dictate standards? That's not how it works. We can write 300-page documents any time we want, but if industry does not take it and use it, it's just a piece of junk, right. So that's not how we want to do it. We want to create consensus in the industry and market, and the market has to drive the standard, and we want to help them accelerate the process, that's what we do and I do.

My portfolio includes Internet of Things and Smart Cities in general. Those two are not separate. Internet of Things really has three different category, one is consumer IoT, the other is more industry IoT, and the third one is the public sector application. And so if you apply IoT concept to Smart City and municipal environment, that becomes a Smart City.

So we started IoT is not new, by the way. It's been around for decades, multiple decades with different names. There was M2M, they called it like Machine to Machine and Device Network and all of that.

About 20 years, the term IoT was coined out of the center at MIT and then scientists basically came out with it.

Early 2000 was essentially with IoT, that's where all of this academic research that was going on with the sensor technologies and wireless connectivity started to come into industry. There was a bunch of new startups that came out of that. There was Dust Network, and Millennial Net and (?). And then there was a huge assignment of billions of dollars to invest into IoT, and then went into ice age, starting from about 2006.

The problem was, including myself, I was the founder of one of those companies at the beginning, and then the problem was we invested a lot of money into developing technologies, sensors, protocols, and call systems, and all of that, without clear understanding about what are you actually going to do with it. Oh, we just through in sensors, like they're out there and somebody is going to pay money for it. Well, we thought so. That wasn't exactly the case.

So back in around 2012, about 5 years ago, I was brought into the U.S. Government to work on IoT as a fellow, and then what we wanted to do was work with industry, specifically one of the examples of industry in the consortium run by AT&T, and GE, and Intel, and now is going into one of the largest ecosystem for industry Internet, about 250 members around the world.

And our job was to work with them and create the market momentum with a specific goal to create the real world applications that can create real value because from the experience of early 2000, we clearly understood technology for technology sake were not going to cut it.

So I worked on it, and then for about a year, and then IIC, the International Consortium took off and doing a great job still, but we started to look into the public sector, because at that time we started believing that cities, municipal government is what exists that is sort of lagging in terms of adopting all of these emerging technologies, and IoT, we believe that clearly could help. Water and agriculture in rural areas, there are so many different applications that we see that municipal government could adopt these emerging technologies and make a quantum leap in their service.

Now, so that's the background. So I've been running a program called the Global City Team's Challenge for the last four years now, and that is essentially a collaboration program with innovation and nurturing new technology and new products specifically focused on the measurable benefits that is what it called.

One of the problems that we saw and quickly saw in the municipal government, with IoT technology is so fragmented. It's not just municipal government. It's IoT problem in general. But the definition of fragmentation in municipal governments is a little different. It's a siloed process, meaning one city that invests millions of dollars to cover the traffic congestion city, and another city which is probably only 50 miles away, spends millions of dollars to do the same thing, and after three years of R&D they come to the same and by the way they sometimes use the same vendors, and so point is, here is the problem. If you want to see an emerging technologist to take the market share and you really need to create some kind of hockey stick, you really need to see that not just from a technology perspective, but from business perspective, you need to see exponential growth in the market and that cannot happen if you only keep developing, basically, investing the wheel over and over again. You have to develop new things on top of whatever exists today. That's the way to create this hockey stick.

IoT and Smart City, as of today, or even today, even after four years of work that we have been putting through, is still not satisfactory. But we are getting there.

Now, however, in the Global City Team Challenge which is a collaboration between NIST and multiple federal agencies including the National Science Foundation, Department of Homeland Security, Department of Transportation and NTIA, ISA, NITA, so on, in collaboration with about 200 cities around the world and about 400 companies and non profits around the world we have created about around 180 projects or action cluster, and those are the ones that collaborate between collaboration between the public and private, they come to the project, and our job is to identify and nurture what we call replicable deployments.

We believe if a technology is good for only one city, that's great for that city and there is no two ways about it. But that does not replicate to other cities, and in fact this often not at all.

And so our job at NIST is to identify the replicable technologies and hopefully they can become best practices and eventually lead to standards.

Now, so we successfully created this market movement. Five years ago in the U.S., there was very little talk about smart cities, and in Europe there was a lot of talk about smart cities and in Asia as well, but the U.S. was a little lagging. Today we all talk about smart cities and nobody even asks what that is anymore because we all know sort of what that is, and just funny story. Five years ago, I was in the one of the panels and one raise their hand and say, hey, do you think the transportation is part of smart city? He doesn't think so. He thinks transportation is separate. Today's view is that's a stupid question. (Laughing). Transportation, you talk about smart city, no way, right. That was like that four or five years ago. Today, we don't ask that question anymore. So we believe, we create we successfully created with partners and everything, not just us but with collaboration of everybody, with successful understanding and momentum in the marketed.

Here is the problem, now we're seeing that a lot of pilots and moving into deployments, a lot of them are not necessarily ready for security and privacy issues, and we are seeing this the last couple of years. While these risks existed in theory for a long time, but now we are seeing a real example of how this could actually hurt us.

So here is the thing. In traditional IT system, if you don't have a service measures and what you lose is your emails and credit card number, which is bad and I'm not saying that is good, but in smart city, in cyber physical systems and IoT, if your cybersystem is penetrated, then somebody might die, right. That's the difference here. All right.

So this year the Global City Team's Challenge is specifically focusing on identifying, again, the best practices with cybersecurity and privacy specifically under smart cities and smart communities’ area. What we have found out so far is this. This is funny. I talk to a lot of city folks, including mayors and all of them and I sit down and say, so what is your top three concerns in your city in terms of smart cities? And a lot of answers come, but usually something of about security and privacy comes out in one of those.

So it's there and everybody knows in the industry that this it is important thing. And my next question goes to, okay, so what am I actually doing for that? Oh, then it starts, oh, well there is a company that we buy products that has something there that we don't know about. That's the level of response we get, which means there is really no comprehensive understanding and policy and framework in place that cities can take and use. It's not necessarily lack of technology, it's more about resource issues, sometimes a bandwidth issue, and sometimes it's a guideline issue.

I'm seeing good signs here and there, and there are several cities that started hiring what they call Chief Information Security Officers, like CIOs and CEOs, in addition, and New York City started coming out with guidelines for cybersecurity and privacy specifically for smart city area. They started this work a couple of years ago, and they even came up with a draft, but there are a very small number of cities in the world that can afford to even come up their own guideline. It's just, they don't have the level of expertise, right.

We have 19,000 cities and local governments in the United States, 19,000. All right. Only probably 5 or less than 5% of them have enough resources to come out with under the comprehensive guideline for cybersecurity in the United States, so we need a different approach.

By the way, the Federal Government can help, but there are 19,000 local governments. We cannot fund them all. That's basically impossible for us to do, so you need to create a market, need to create a virtual market that can almost like organically be able to create consensus and best practice for that, and that's what they're shooting for maybe. Sorry I talked too much, but I just wanted to give you a little background of what I do and set the tone for at least my discussion. Thank you.

>> DAN CAPRIO: Thank you. Thank you for that discussion. Lots of food for thought and lots of things that we can come back to. So having heard that, so how are you?

>> MICHELLE RICHARDSON: Yeah, I have to say, city IoT is one of my favorite uses and I think it has some of the biggest rifts but also some of the best potential for influencing both privacy and security practices, and we have to start from recognizing that government actors are just different. They're different from the private sector, they have very different responsibilities in the ecosystem of what they owe citizens, right.

We can't walk out of our government. We may be able to choose a different product or different service if you don't like it, or if there is a mistake, but we're stuck with our governments, right. There is only one way to get your water, only certain streets you can drive on, and so the stakes are much higher when there is a failure at the government level.

That responsibility of the public, too, is about a smart use of their tax dollars, right, how important it is to get these systems right on the front end, how long it takes to change government systems, right, they can be notoriously slow and can't always turn on a dime like some of the rest of the tech industry, so they might be stuck with what they purchase and set up for a very long time, and have a very hard time fixing it if there are mistakes, and then there is constitutional issues, right. The government collects information, it's not just about statutes. Very few often this information, it's the constitution itself, and actually we had a huge change in the last few weeks with a Supreme Court case that is probably going to revolutionize the types of information that can be collected and the process of how to get it. Just a little background on that, usually the legal system says that if you do something in public you don't have an expectation of privacy, right. So the government does not have to track you, and basically by participating in the public sphere you're foregoing your right to privacy and that had been the rule for many decades until just a couple of weeks ago. There was a cell phone tracking, and there was a robbery and they didn't get a warrant, but police got four months of the cell site location. And beautiful quotes about we don't lose your fourth amendment rights when you step outside of your front door, and there are things that are even unreasonable in the public space and there are times where the government does have too afford you privacy rights, and they looked at things like the nature of the information, right. They found location being uniquely sensitive in revealing a person's behavior and beliefs and associations and the volume of information, is and finally they looked at when you can meaningfully opt out of using the technology.

So to the extent that the government is going to be collecting this data and it might reflect personal information, those are the types of question you're going to have to ask especially if you want to share it with law enforcement or other parts of the government.

You know, the other exciting thing though too about government IoT is that it does have the ability to really influence the market, so we're hoping that if these best practices, both in privacy and security, are adopted at the city level, it's going to raise all votes, especially at the consumer sector. There are things that happen in the industrial space because they're regulated, right, for other reasons, and cities are accountable but we're seeing consumer devices are kind of just out of control, and so we're hoping that this will actually influence, you know, to the extent that sometimes these cities are buying consumer off the shelf products or are making traditional security and privacy controls more widely accepted.

The types of things we should be asking about when we want to consider the types of IoT that the government is incorporating into its systems, and so the basic question is what personal information is collected and for what purpose is it going to be used? I find that often people will talk about city IoT in sensors, right. They say so many of the things that we buy don't collect personal information, but the temperature is this point so you have to turn on the air conditioning, right. This is how your cars go through the intersection, right, and that's great and you might need different privacy rules for that or maybe none at all. But there is going to be a subset that will collect personal information, and the question is whether that information should be collected at all, what it's going to be used for, and whether the value is there. There might times when you actually might look at it and say, you know, this is actually a very simple process we can do with real people at a time that doesn't collect the same information and so we'll forego the IoT device or connected process.

And the usual questions are like how long information will be kept, who is going to have access to it, and we're also sees cities trying to make the information publicly available so researchers can use it to find things out about populations and offer better services, but that kind of gets us into that 2018 problems, right, of privacy and finding that even aggregate data released can reveal some important things, maybe not an individual person, but like we saw in the Strava case, right, when they released information with heat maps of their activity trackers, they revealed the location of a military base overseas and you could see where everybody walked, and actually outlined the military base, right. So there is risks in releasing aggregate data too, and you know I think we also need to think about artificial intelligence and machine learning.

I think we've seen a lot in the last year or two about how we think about this as not being a fix for everything. At the beginning we thought, well this is sort of a value neutral way to make decisions based on objective information, but we're finding a lot of times that it's actually just double sounds on disparities that already exist in cities. Examples you often see are in the law enforcement space, right. So information where you base where you want to send your police officers on live time data about where crime happens. First time it just sent them right back to the police station because that's where all the criminals are in the city, right. And then when they did it again, they found it went to the same neighborhoods, and meaning the same people were being arrested, which fed the same information back into the system, right.

I think we need to also think about how we're going to involve the public on the front end. I think what we've seen in places like Seattle is an upset that the technology was ruled out before there was a public discussion and people truly understood what was at stake, and they were able to course correct, but you know, they had to put things on hold and go back and spend a couple of years talking to citizens and, you know, city governments are very different, right. It's incredibly hard to change policy at the federal level or sometimes even the state level, but our city decision makers are really accountable to local people and that's how we've seen the move in advocacy on the privacy in this area move from the federal level to the locals because people were learning quickly that your city council member is easy to reach and very easy to remove if they make bad decisions. They're just much more responsive, and to that extent, you need to involve people on the front end.

I find that usually everyone has the word "privacy" in policies, we're going to respect privacy. But that's pretty much the end. What privacy means quickly gets complicated and a huge amount of time is spent trying to convince people that their ideas of privacy are wrong, not just government but companies. There is an incredible effort to say, gosh that's silly, don't worry about it; and instead, we should be recognizing that privacy values are changing, changing quick, and sometimes we can't always see what's going to resonate with people in advance, and I think that's something that we can learn from the Cambridge Analytica debacle over the last year. That information was public for several years but someone finally presented it in a way to people that really resonated with them and kicked up a privacy debate here in Washington DC that we have never seen. So there is always going to be that gap between what people understand and how they feel about it, and if you get on the front end of the process by including citizens and explaining to them how it's actually going to work and respecting their concerns, we're going to be able to minimize the fallout for the long term.

To the extent that we want to convince people that they don't have privacy rights in public, that is just not how people feel about it. It's really interesting, we often work on high tech issues, like Internet records, right, cell site location, but if you look at the privacy laws over the last 15 years that states and localities have passed, they have been about drones, license plate readers, red light cameras and things that are in the public sphere, and these are the things that do raise very sincere concerns for people, and they are going to only continue to the extent we put out more devices that are collecting information.

I think the great thing though is that we can be responsive to these concerns. A lot of the privacy engineering principles that NIST has been putting out will address a lot of these concerns, right, to make sure you're only collecting the information that you need, that there is a good reason for it, that it is destroyed when it's no longer necessary, and really including people on the front end. I think that's going to solve a lot of our problems to the extent that privacy is being a hurdle to the adoption of IoT in cities.

>> DAN CAPRIO: Great. Thank you. Thank you very much. Jeff?

>> JEFF BRUEGGERMAN: Thanks, Dan. It's great to be here, and you know I do want to start by noting that I really do think we're seeing a lot of momentum behind the smart communities and the technology has been emerging for a while, and to some extent as others have said, it's really just reusing Internet of Things technology that is already being deployed, but it has taken a little while for cities to get to this point.

At AT&T, we provide connectivity for a full range of Internet of Things devices, whether it's related to smart communities and I want to talk about how some of the cities are managing issues that we talk about today because I think we are really seeing some progress in some of these areas.

We have worked with seven cities on pilot projects and part of the idea here is to give some good examples out in the real world to show others how it can be done and to kind of set a good template, and so we thought that by focusing with some partners and really pulling together all of the things of what Internet of Things could really do for a community, that could help to really show a community and issue how issues can be managed successfully.

I think a common theme of my fellow panelists is these issues cut across horizontally, so if you're going to really deal with Internet of Things in a smart, strategic way, you've got to think comprehensively across the individual vertical silos, and it is really no different than the way a company would deal with this.

So your chief technologist, you don't want to have the water department separate from transportation separate from your public safety. You really want to think about how can we use the same Internet of Things devices to serve all of those needs, and increasingly, you know, the technology is there to do that so you can have a device on a lamp post that provides WiFi, tracks pedestrian and car traffic, and possibly listens for gun shots, right, something like that. And they even have a video camera with it, so you don't have to deploy four different types of devices in four different departments of your community to get the benefits of that.

And then what we see is we've begun offering smart city's operation center to try to put together the data from all of those different places into one, and Miami, Dade County is one of leaders in deploying that, and so just like in a company you want to have full visibility across the data and devices across your network, and that's not only going to give you the benefits of think being new interesting ways to use that information, right, but so I may want to know for traffic planning what the traffic patterns are, but now I can give citizens of my city much better realtime data of traffic and adjust lights to help the situation or reroute buss in a way that is serving the needs of the community better.

So there is (audio cutting out) that's also going to have huge security and privacy benefits, as Michelle and Eddan were talking about, you can't secure what you're not aware of, so you need to have a chief security officer type who can look across all of the data that you're collecting and think about. We call it defense in depth, you got to think about securing the devices, you have to think about securing the connectivity, and you have to secure any information that you collect.

And the good news is, you know, because the public sector has somewhat lagged here, you know, there are services and technologies that are on the market, and so you know what I would say is this isn't a technology issue so much as a governance and a financial issue, as is there someone in the community thinking about these issues and prioritizing it so that it gets built into the plan from the beginning, and you know the concern that we always see is if you, you know, if you try to pick the cheapest option, usually that's the one with very poor and little to no security, and that's the same at home, but also applies at the level of a smart community. So having a commitment to security from the beginning and building that in, that's going to be really important.

And then I completely agree with privacy, I think it's the same way. And we do see some cities, you know, really trying to be proactive about this, and a recent example is the City of Portland, we are a part of a consortium with GE and Intel to deploy smart lighting devices throughout the city, but they also wanted to use that to track pedestrian and other traffic and reduce injuries and fatalities in that area.

And the city decided that they could do that without collecting any of the actual data, so they, you know, we have the devices that can store video if you want to do that, but they decided that we want to do realtime analysis at the device level, don't even send the video over the network, and you know we were able to build that for them. And to Michelle's point, they're kind of minimizing the data upfront because they made a strategic decision that the cost or the benefits didn't outweigh the cost there.

So I think again, the technology is there, it's flexible, there are controls and decisions that can be made about what data you collect, how you collect it, and how you use it, but somebody has to be thinking about that upfront.

And then I think Seattle is an interesting example too because, you know, while they had some issues initially, they ended up working with Future Privacy Forum in what I think is forward looking privacy plan for open records. It doesn't answer all the questions, but it asks all the questions that you need to think through in terms of, you know, what am I collecting, what data would be made available, what happens, and what are the privacy risks as you said once you have a public dataset of it being able to be combined. But that's a really new issue for someone in municipal and city government to be looking at.

One of the challenges with Internet of Things that we see is that it's basically creating every sector of the economy is becoming involved in IT, right, or ICT, and that means that they all have to worry about privacy and security in a way that's in a way they haven't before, and so that's going to be, I think, you know, maybe part of the Smart City's Challenge. It's not just the technology and how do you have the right program, but how do we get people who are, you know, educated and capable of doing these things, and work with the communities to deal with these issues.

But I have to say, we've seen a lot of progress, and as these pilot projects continue, I think that will be an opportunity really to set a template that can be used by others to show that there are solutions here.

>> DAN CAPRIO: Great. Thanks, Jeff. I think we've there are a lot of common themes that I'm hearing with best practices, risk management, scale, and a couple of others. But, Eddan, I want to go back to you. You started off and mentioned agile governments and I think Jeff did just a little bit too as well. You highlighted in one of your categories of governance, risk management. And so how in your framework, or as you're thinking about this, what do you and I think we've heard from others that there is sort of an enterprise risk issue here, and how do you think about risk management as it relates to the industrial IoT or smart cities? Is there a better or worse way to communicate that? Because that's new (audio cutting out).

>> EDDAN KATZ: Well, one part in regards to the IoT protocol, one aspect of dealing with the risk management is to see it not as, you know, one part of the story but that it exists in different aspects, and so the document is sectioned off into, as I mentioned, a device safeguards part which are technical rules that you would want to have employed beforehand, the security by design relevant to that. But also, it has to do with internal governments and what the corporate structure is and who is responsible in laying it out and having a process. And so it involves that as well. It isn't just about devices.

And then finally, a more collective notion of sharing information and being able to leverage that information generally. And outside of most significantly, outside of any individual entity, to collectively be able to understand trends and to be able to be aware of vulnerabilities and to be able to address them in that way.

And so one thing in regards to risk management and agile governance as we're thinking about it is to understand that there isn't just one aspect of it being about technological specifications or about principles or about operating procedures, but that it's a combination of all these things as one aspect of that.

The other aspect that's really vent here in regards to risk management is engaging the insurance industry directly. Cyber risk insurance is now fastly developing, very quickly developing, not only in the ability to offer liability and protection products, but also as a service along the way of being able to assess and audit risks beforehand, either through the insurance companies themselves or through entities such as the Industrial Internet Consortium and their membership and this document is actually housed with them as well.

And we also, you know, have worked with, under UL to try to get this to be something that is ongoing, I think, in terms of risk management, rather than just be after the fact as to address this as it's unfolding. So those are some aspects of how to think about it, but overall, I would say that in regards to the process that we're engaged with, and in particular if there is something about the World Economic Forum and how we're going about this protocol design, is for it to be truly multistakeholder, for it to engage the different concerns, both in the short term and the long term economic and the social, have those aired out and be part of a process that really enables agreement and cooperation, and so thinking through given the complexity and wide breadth. And as I mentioned in the beginning, the remoteness of some of the harm, even though it's great, it does require there to be some structures to focus on how to deal with the risk management.

>> DAN CAPRIO: Do you find this as a conversation within it itself? So among your CEOs and board members, are they beginning to are you beginning to have the conversation that our constant concern is about sort of how to frame and manage risk?

>> EDDAN KATZ: Right, so part of that is that bringing the group together and understanding that some of the concerns from each of the industries is that this is a classic collective action problem, and so each of the different sectors and industries and, it's not entirely within their capacity to solve this problem, and it has to be done together, and so bringing they will together and airing it out in a way that leverages some of the levers that can be pushed on the economic end and on devices, I think that helps the shared responsibility point I was trying to make about that being something that is very much appreciated, so not only is there guidance in the example, in the IoT protocol example, some of the manufacturers of software have dealt with cybersecurity a lot and are accustom to the debate, but manufacturers who, you know, have not been part of cybersecurity discussions before usually relegate it to the IT department, and part of what we're saying, and part of the agreement, and part of what was understood is this has to be shared across different parts of the company to help lead along.

In the cyber risk insurance, they're also looking for some guidance and how to piece this together, which these are new, the actuarial science isn't fully determined on it, and so being able to do it in a cross sector way and in a discussion that tries to find points of agreement, I think is a key part of being able to address the risk management in a way that it's non threatening and also something that can lead to actual implementation. So the conversation doesn't just end as far as our initiatives are concerned with the publication of this document, but through the implementation and then long-term stability of its relevance with entities, you know, such as the ISC sheparding that long term sustainability.

>> DAN CAPRIO: Right, and IGF.

>> EDDAN KATZ: And IGF, of course.

>> DAN CAPRIO: And, Sokwoo, you mentioned, I knew there were a lot of municipalities and local governments, but 19,000, that's a lot.

>> SOKWOO RHEE: That's roughly the number.

>> DAN CAPRIO: And, Sokwoo, you also mentioned sort of scale and best practices in your Global City Team Challenge, and you highlighted New York City. Are there others or sort of in terms of boots on the ground, kind of what's happening in practice. You know, and this is a little but in terms of are you optimistic I mean, so New York's doing its thing with best practices and scale, and so if so kind of name names.

>> SOKWOO RHEE: Yeah, so New York City was just one of the examples of one of the 200 cities and so there are many other examples I can think of starting from the large cities like LA, San Francisco, and believe it or not, Washington DC has a lot of smart city projects going on. Maybe you wouldn't even perceive it or notice it. Go out, smart parking solution, public WiFi solutions, street lighting, it's out there.

And Portland is you know, AT&T is one of the leading cities in terms of trying to push this forward, so there are two different things. There is the cities that are on the level more already, and the cities that are trying to get there, and going fast and furious right now, and Portland is one of the cities that's going really fast and furious. Kansas City and it comes down to sort of like their leadership as well. Kansas City has a CIO that is extremely energetic and he's like a super star, and just himself he put together a coalition of multiple large companies and essentially turned one of the corridors in Kansas City into a testbed, and it brought in over 10 companies to install their best practices over there, which now which show the real impact and convince the city council to issue an RFP with a citywide deployment of this type of solution, so that's an example that a change maker, a change agent could actually really make a difference. And it's not just about the large scale or even middle scale cities. How many of you heard of a city called (?), Vermont?

Okay, a few. That's relatively small city, it's in Vermont, has about 12,000 people, but what they do is they actually installing sensors underground in their water to monitor the effectiveness and the wear and tear of the pipes, and so that's a great example of how smart city can actually save actual money. Because otherwise, the city has to go down and replace the pipes, without even knowing how much damage is done to the pipes.

And another example is a city in Idaho, great, it's about 10,000, and they have a shotgun detention technology, they developed not only with the city itself but with the companies, so it's not just examples for large cities is the point. There are a lot of smaller cities and towns and counties, and they're developing these technologies. And the point that will impact the scalability, I mean, having one city or one town developing this is interesting, but what are the really shared problems that many of these cities and towns and communities can employ and adopt, either standards or best practices.

One of the problems that, you know, Portland is also leading at the same time with Austin and other cities is, what they call first and last problem. And Greenville, South Carolina, it's a small town, they're part of this smart shuttle, they don't call it consortium, but there is sort of like a group that is trying to tackle the same problem.

Last is when there is a public transportation stop, they're a couple miles away in many suburban area, so if you want to commute using public transportation, you still have to walk a couple miles a day or more just to get to the bus station and come back and forth. That's a lot of miles if you think about it. But how do you feel about and New York City doesn't have this problem. I mean, you have a lot of subway stations.

But there are many towns in areas in the United States that that becomes a huge problem and that's the kind of problem that these can get to. I can go on and give you all of this information about more city, but I'm going to stop here.

>> I have a question then because it spurred a thought. Who is the repository of these examples of scale or best practices? Because you mentioned rightly so, you can't just do these one off. You can't just do ones and twos, you really got to get the scale. So who who is providing the directory or the repository, or is that something that, you know

>> SOKWOO RHEE: Yeah. Unfortunately, it's as fragmented as the installation themselves, so meaning there are a lot of bodies out there, nonprofits, they have like 10s or 20s or dozens of these repositories, and GCTC has our own repository has a Wiki, so we publish all the information on the Wiki that is under development, but we're about half way through to have a catalog the projects for the last three years.

The problem is you can public whatever you want, you can document whatever you want, but at the end of the day that's not what cities are looking for. Cities are looking for what has been successful for other city, and they want to understand which types of projects really worked, which solutions have worked. And so you need more of a historical perspective instead of a snapshot and see if over the course of the last three years, this project has generated this amount of impact, and plus one of the metrics of success for me is how many cities, number of the cities that actually shared the same solution, or same metric of success.

That's what they're trying to do, but to answer the question there is no single repository that has all of this. Everybody comes with a snapshot, but you really need to have a time series of this and that's tough.

>> DAN CAPRIO: It sounds like there is a real need. Interesting. Michelle, I'm glad you mentioned Seattle and kind of made the point about involving people on the front end. So for those that are less familiar with Seattle, talk a little bit about, I mean, some of the lessons learned. I think the lessons learned in Seattle were more related to privacy than security; but I mean, I think they got a little ahead of themselves and then had to reel it back. So what are some things that as we're thinking about this, that people need to keep in mind?

>> MICHELLE RICHARDSON: Yeah, well I think it's an example of what we're going through with the private sector right now, that there is a big difference between can and should, right. Our laws both in the private sector and in the government have been static for decades, right. They're incredibly permissive, and so a lot of these decisions are within the government's judgment, right, whether to put these programs out there. And we see that there are certain types of information or people that are especially upset about, and you know video recording is one of them, right. Especially if it's married with something that is seen to be sort of a high tech accelerator, like facial recognition, for example, right. Not just that you're scanning people's faces but somewhere where you're trying to sort them and make decisions about them, that people feel very uncomfortable with.

We see that this sort of recording, visual sort of recording people or even the sound is particularly upsetting to people, and you know that was the case in Seattle, and I think it's also a good example though that if you include people they can be reasonable, right. They came to something more reasonable in that situation, and I don't know if you ever sat through some of these community meeting, I've done that on things, everything from police body cameras, facial profiling, and people really do want a solution. They want meaningful information, they want to be part of the decision making process, and they understand the services they're going to get in return, right, but they want to be part of that process because they're the ones being served. Right. They're the client and not the government and not the companies. It's about the people. This is our topic here, how do we make these people centric and if they're not involved on the front end they're not going to be responsive to people's genuine concerns.

>> DAN CAPRIO: Right. Very good advice. So Jeff, I want to turn to you for a second. Kind of two questions. You mentioned connectivity, and I know Gail was going to talk about 5G and the importance of 5G, so if you could give a little if background on that.

And then the other question is kind of similar to the question I asked Sokwoo, talk a little bit more about some of your, you know, your pilots. You mentioned Portland, but what are some of the lessons learned in the other pilots, especially if there is not I know a lot of this is organic, but if there is not a repository, you know, what are the lessons learned from some of your pilots? Two questions.

>> JEFF BRUEGGERMAN: Yeah. So, I'm sorry. Your first question was about 5G, right?


>> JEFF BRUEGGERMAN: So 5G we announced we're going to do at least a dozen cities this year. 5G is coming, it's a new technology that is going to, you know, provide much faster speeds, but also much lower latency, and so for things like connected cars and drones that need instantaneous reliable connection, it's going to be a real facilitator for those types of things, so in the smart community context, you know, if you're going to have smart infrastructure that facilitated connected cars, right, so the car is not only communicating with each other but also communicating with sensors and the road itself to avoid accidents and provide the navigation, 5G is going to be a great enabler of that.

But also think about whether it be realtime video for police or firefighters, those are the types of things that 5G will be really well equipped for. (audio cut out).

So that density is important, and so, you know, the linkage to me of smart communities is that demand that the community can have can help pull 5G in, but cities can also do a lot by just lowering the barriers to make it easier to get permits to deploy these smart cell, and we can use some of the same as I said earlier, some of the same multi use infrastructure, if you're doing smart you know, you can employ this on a lamp post with other sensors and other things at the same time, so there are a lot of synergies that can be gained here, but ultimately, 5G is going to be one of the great enablers for smart communities.

And I should also mention, the FirstNet network rolling out that AT&T is building, and again I think that so far has been kind of separate from what we've seen with smart community, but to me it's really one of the main things that should be integrated in the community plan is to think about how public safety is going to benefit from all the other information that's being deployed. Yeah.

And terms of other cities, I was thinking about, Sokwoo, your comment that transportation isn't part of smart cities, that's very funny.

>> SOKWOO RHEE: Five years ago.

>> JEFF BRUEGGERMAN: Part of the application we're seeing the most.

>> SOKWOO RHEE: Exactly.

>> JEFF BRUEGGERMAN: Yeah, right. So right here in this area, we are working with Montgomery County and they wanted us to do enhancements to the bus service and can we offer WiFi hotspots and better transportation information to the users, and that's kind of one of the themes that we hear from the mayors and political leaders in communities is, yeah, cost savings are fine, but if I can't show to my citizens and the voters what they're getting out of these smart communities, then you know, this is going to be an uphill challenge, so I think things like WiFi kiosks or providing better transportation information to, you know, to the community, you need to show them the value. And it's kind of, to Michelle's point, they need to kind of see that they're getting something out of this too.

And you know, there is a lot they have to gain, but I think the cities really trying to think about how to make this, you know, kind of the citizen engagement actually being one of the planks I think are going to be more successful.

>> DAN CAPRIO: Right. Thank you. Well, we could continue talking among ourselves, but I want to open it up and take your questions. So right here in the front, but I think the microphone and, please identify yourself. And then we'll go back to you.

>> AUDIENCE MEMBER: I have a question I think primarily for Gabe, freelance technology provider, for Mr. Katz, a question regarding the Internet of Things and the right to repair, and there have been talks about farmers that might have a 300,000 dollar tractor controlled by software and if there is a problem they may wait for two weeks for the John Deere tech to come and work on it and they can't fix it. If you have a smart city where the entire traffic grid is being controlled by technology and between copyright law and Digital Millennium Copyright Act prohibits the city from actually working on the network until the vendor can come and get around to fixing it, there is a real problem. Internet of Things, things can be manufacturing, multi million dollar assemblies, tractors, they can be consumer devices. If there is no right to repair it, then people are at the mercy of the manufacturer. If you look at the difference between Android phones and Apple phones, Apple updates when they know there is a security risk. If you have an Android phone, the Android fix has to go to our carrier, the carrier has to bless it and decide to propagate it, and that can take a long time. How about the Internet of Things and the right of repair? There seems to be a prettied urgent requirement for people to be able to fix their own manufacturing facility, tractors, or home devices.

>> EDDAN KATZ: So thank you for that question. I think that's an insightful point. I think that is a large part of why transparency of the process is something that at least the IoT protocol that we were working on, at many different levels, is important. And the fact that it is a set of companies and a set of entities, made it so that the norms that we were addressing were more generally applicable and would lean towards transparency solutions as being the best means by which to improve cybersecurity best practices, and so I would say in regards to good policy, the ability to to support the ability for the right to repair is an important aspect of maintaining long term cybersecurity. I think in regards to your question on anti circumvention provisions, the way that 12.01 works is that there are every few years there are exceptions that are, that get taken up, and I think right to repair is prime on the list of those that need to be discussed and openly addressed to enable that kind of right to repair and that when it's a black box, it endangers cybersecurity rather than helps solve anything.

>> I would like to add one point from the technical perspective. What you mention is essentially upgradeability, that's essentially how we call it. And very technically, that's really a formula upgrade.

And as it may sound easy because you do that all the time with point and anchor points, when it comes down to a small device which is $5 per pop, that is not easy technology, and as of today doing this formula upgrade constantly with limited power sources and limited memory footprint, believe it or not, there is not really easy way to do that. So coming down to tractor is fairly large device that's probably going to be worth it, but there will be probably millions and billions and zillions of smaller devices spread around in your home and in your city.

Still, it's not very well understood or it's not very well agreed on how we're going to actually implement this up gradeability in all of those devices, yes, so that's a technical hurdle.

>> And I'll add, you know, something that we see now in more voluntary standards and international standards is that devices where the connectivity is sort of like a monitoring function or a value added that operates without the connection. I'm thinking of something like, I can't remember the city, but recently the stop lights were hacked because they were connected traffic lights. That would be an example of something that even if the online capacity failed, you would still be able to control it and it would work in some way. It seems like that would actually be, especially important to some of these city systems that have real physical consequences and offer services that aren't going to work otherwise.

>> DAN CAPRIO: Great. Question? Thank you.

>> AUDIENCE MEMBER: Thank you. Monique Tate with the Equitable Initiative. I'll forewarn you you're do you need me to repeat my name? With the equitable Internet initiative and I'll forewarn you that I'm speaking from a community activist perspective. Michelle spoke to it quite a bit, and I enjoyed hearing that because the people centric part is what I was focusing on, or what I'm focusing on. I want to understand how you really are trying to relate to the community, relevant to rolling out smart city technology because if you're talking about 5G and it's going to be rolled out, I'm presuming that's over an existing network and that's where there is already a lot of WiFi, but where people who excluded and don't have WiFi access or feel manipulated because if they're being overpoliced, and of course, rejecting a lot of surveillance things that are going on, but what community engagement is actually occurring so that perhaps conversations can be made where if you're going to say, for instance, the traffic lights, of course they're everywhere as well as streetlights. We know they could emit WiFi and increase access for various neighborhoods and be a combination of creating both a smart city and a better-connected city, so how are you really engaging in communities? I don't care who answers that.

>> DAN CAPRIO: Who wants to take that?

>> JEFF BRUEGGERMAN: I'm just going reiterate what Michelle said. I think cities need to figure out this. My dad was a city planner, and I grew up watching him on the monthly housing meetings get yelled at for, you know, very minor things about where a light was, a streetlight was or something, and I think these data issues are incredibly important, but our cities aren't necessarily designed to get that community engagement.

I think as you said, Seattle learned the hard way, but maybe the lesson learned is, you know, you need to bring people in early as you said, and have a plan yourself for, I need to think about what data I'm collecting, what the impact could be, and then I need to find a way to convey that to the citizens and get input on it.

So I think that's another example of how, you know, this is a data management issue that is much different than what a city has traditionally dealt with, and it needs to find a way to engage with people, and I see the same thing with student privacy in schools, right. Technology is a great enabler, but parents are incredibly concerned, and I think where we've had issues is where parents feel like they don't know what's happening, they don't have any input or control into it, and that has caused a huge backlash sometimes. And I think a lot of that can be avoided if there is kind of a process upfront to get that, but I think your point was so important about people are part of the process, they feel much more vested in the outcome than if they don't know what's happening, then they're going to be much more critical.

>> MICHELLE RICHARDSON: And one way communities have forced this is made it mandatory by basically passing regulations that say before the city or county can purchase certain types of technology, they actually have to go through a public process of notice and hearing, right, so you could maybe head something off that's particularly bad or you could scope it. And I see that mostly, I think, on the West Coast and it's usually organized by the ACLU or Electronic Frontier Foundation and I feel like they have a toolkit that you can use and put on your local decision makers and that might be a way to do it.

I mean, that's always the right thing to do, to have public notice in hearing, there should never be a situation where they invest a lot of money and making huge privacy decisions without that, and so that might be a way to kind of cut to the chase.

>> Just to add, the industrial IoT is less relevant to communities because it's dealing with manufacturers, but the process by which we do the norm setting, and thank you for the reminder, Dan, we work with the Dynamic Coalition on IoT at the IGF, and purposefully, publish it more openly as we're working on it to make sure that as much input and deliberate input from all sorts of civil society, community oriented civil society are part of the conversation, and even this IoT protocol being more relevant to manufacturing and production, the process by which we're going through the governance and economic forum should be inclusive and inviting to community input to the extent that it's possible.

>> DAN CAPRIO: Great. Michael?

>> AUDIENCE MEMBER: Yeah, I kind of have a privacy question here, Michael Kaiser. Privacy question here. All of these work on data, it's part of all smart cities. It's going to be data. There was a recent example where shopping malls in California had license plate readers, it was a private mall, they were collecting license plate information and sharing that information with ICE, and I think so that's a kind of extreme example, but I think what I see here, like we had in cybersecurity for so long, there are going to be third party providers of data into these smart city systems, and I'm just wondering how do we control for some of that on two fronts; one, the privacy front and then but also the integrity of that data? How do you know the data coming from the third parties or even the data being generated from the city for that matter, still is and has integrity? That because there is so much of it if the data is corrupt in any way, it changes the outcome. And so especially when you have get to the scale that we're talking about here, like one minor little glitch, you know, putting a car four feet forward into the intersection when it's not supposed to be there, has a radical impact across the whole system, and so how are we going to grapple with some of those bigger privacy issues?

>> DAN CAPRIO: Great question.

>> I can start?

>> DAN CAPRIO: Please.

>> Your question is actually the billion dollar question, and not just in terms of value, actually but that's probably one of the most popular questions that I'm being asked wherever I go. Data exchange and data governance platform issue. You're absolutely right. With all of this different data out there, especially the private sector companies sometimes with all the data, and there is already a dispute between municipal governments and the companies and who actually has access to what and who stores the data and owns the data and all of these kind of issues.

They typically right now resolve the issue by private agreement, but the agreement framework is not universal. It's all over the place.

The problem eventually is this. If it is a peer to peer, one on one agreement, if that's the only way to make it work, you're never going to see a hockey stick, you'll just stick to incremental growth. But the end of the story as you mentioned there is a lot of efforts going on right now to create some kind of data repository exchange mechanism, and the reason I call it a mechanism is it's a combination of technology and actually policy and governance.

And there are too many. I know of at least two dozen activities just in the United States to become the central source of the data exchange. And when you have that many out there, that many different frameworks out there, that means there is no standards, there is no agreement, everybody does their own thing, which is fine for now.

And at that point, we will need some kind of accepted best practices. It may not be about the code and technical level, but it has to be some kind of governance level, and the reason this is tough is because everybody wants to have their own thing and nobody wants to use anybody's else. Somebody told me IoT and data is like toothpaste. I want to have my own. It's like you or somebody he said that. I use it. (Laughing). And nobody wants to use anybody else's.

>> And once it's out of the tube you can't put it back in.

>> Exactly. Here is the original author of it. Anyway, but that's where I think the role of say an organization like WEF and NIST, for example, come in. I don't make money off of that. I work for Federal Government, we don't really do that, we help the field to get to that kind of consensus. So I don't have the answer to your question, but that's the extremely important thing that we all have to work toward. Right.

>> DAN CAPRIO: We have about 5 minutes. Other questions as we start to if you have a question, sort of raise your hand. Yes, sir, please?

>> AUDIENCE MEMBER: I have a question on the resiliency aspect of the smart communities. Can you hear me? My name is Will McKnight, if there are any steps being taken to a hack on the electricity grid, and if the entire electricity grid goes down, (?) using malware right now and I was wondering if there are any steps being taken in that direction?

>> Well, part of the proposal that this IoT protocol that we're proposing is intended to address that and to try to take one part of it, the industrial sector, and to have those to have an impact and have those practices then perpetuate in other context, but we look the group, the network of experts looked at those examples that have already occurred, as I mentioned just briefly as an aside in the Ukraine, and this actually happened not just the threat of it, but that for most of the day last summer and three summers ago, the grid went down in several parts of department states of the Ukraine, and so it is a very real concern and it's something that needs to, needs to have urgent attention. Some of the work that everyone on this stage is doing, and I'm sure many in this room as well, are trying to raise awareness of how crucial it is and that the as you pin pointed, the critical infrastructure impacts are enormous and exponential, so the urgency of being able to address that are important.

I would also mention that there is an international law level, which are IoT protocol touches, and which there is a security resolution. The UN Security Council did pass a resolution that enables governments and that places an obligation on them to find the vulnerabilities within their domestic contexts, and so there is that obligation and it's in the process of figuring out how that's going to happen in different countries, but there is awareness there. I think you're raising an important point, a very alarming one, but there is a lot of ideas and well meaning work trying to address it.

>> Can I just add, it's unnecessarily controversial too, and say CDT loves working with the private sector and slight touch on government regulation, but that's the type of situation that's going to force the government to finally decide whether they want to avoid a catastrophic event more than they want to avoid telling the private sector what to do, right. I don't say that's the right answer for many things, but I think bigger problems are that there are actual websites out there, I can't remember what it's called, right, where they put the actual pass codes from all the hard coded industrial and CI operations, and so as much as we want to talk about, oh, my gosh, ISIS, Russia, I mean, there is literally a website with the password that you can get now and hack into their system, if you want to call that a hack. I mean, the situation is so bad there is going to need to be something fundamentally different and maybe enforcing option, and you know it's going to be after something catastrophic or serious happening, and I don't think the industry is going to (?).

>> I was going to make the same point from the technical standpoint. You're kind of saying we got to rethink how we do governance and government regulation, but also technically (audio dropped) everything is so distributed now that we can't protect it like a mote around the castle anymore and we have to push security to every device and to think about how to manage things differently and think about what needs to be connected and what shouldn't be connected. So I think, you know, there is a lot of work happening in that area, but it's got to happen fast given the vulnerabilities.

>> DAN CAPRIO: Yep. I've got one last question for the panel, but sort of the so thank you very much for your time and attention and interest in Internet of Things and Smart Cities.

We have within IGF, we have a very active Dynamic Coalition on the Internet of Things, and as you see from representatives on the stage, we have a diversity of stakeholders, a real multistakeholder process, but we welcome involvement and so see me afterwards or find me on LinkedIn, and I'll be happy to get you plugged in. We've got a session at IGF in Paris, and so if any of you are planning to be in Paris, but there is also ways to contribute.

So, please be involved.

But related to that, so what we're doing within IGF is kind of a global, voluntary, policy framework. It's not technical, but it's meant to cover privacy and cybersecurity and standards. But just as sort of a quick closing thought, what are the kinds of frameworks and standards that you all believe will really that we need to be thinking about now to sort of be bringing scale and best practices to the Internet of Things and to Smart Cities? Let's start with you, Eddan, and we'll just go down.

>> EDDAN KATZ: Sure, so just again the IoT Good Practices Paper is up. It's been for a couple of years, and it's open for comment, and we've joined the Dynamic Coalition and see IGF as an important means by which to disseminate, but also invite feedback.

One thing that is not dealt with as much, and it was by the specific way in which it was designed and how we went about the IoT protocol, is that there is not much of a focus on the privacy aspects because there is less the privacy concerns are of a different nature when it comes to the manufacturing context and consumer and smart cities and others. But I would say that it's most definitely in that area of some of the privacy concerns and in particular, consumer privacy, that there is a lot of room for consensus to be built and need for the vulnerabilities to be addressed.

>> SOKWOO RHEE: Quick comment. Two points. First, the way that we think about the cybersecurity and privacy in IoT and Smart Cities cannot just give extension of existing IT enterprise cybersecurity and privacy. I'll give an example. We talked about a password, frankly, that's the bedrock of IT, enterprise IT security. Password you change every three months, 12 digits, special characters and all of that. If you remove that, which will happen in IoT, you cannot assign password to each small device everywhere in the world and change it every three months, that's virtually impossible, right. Then suddenly the thought process about security and privacy completely change, so you have to think from that perspective.

Second point is or option is I always come to this with a framework and with any discussion, well, writing a document by say 10 different players in one document is one thing, but really when it comes down to success, it has to be about adoption, so focus on adoption. The success metric is not about how many pages the document is, but it's about how many cities, how many companies, how many actual users and implementers adopt it and use it. That has to be the goal of success, and I hope that IGF and WF and this all work, and AT&T with the goal of that.

>> DAN CAPRIO: And civil society. Michelle?

>> MICHELLE RICHARDSON: You know, I would like to see a more honest conversation about what people care about. I don't want it to be box checking and people to go through FIPS and say what's the big deal. I want them to accept that people are concerned about the information and be responsive to it. And I think that's another level of detail that we can get into that might not be out there, right. There is always our placeholder for privacy, but accepting that certain types of information upset people, when the government collects it, and building the controls to minimize it. You know, ensuring that when they issue these contracts to buy these devices, that they are demanding the control over this information so they can protect privacy when necessary.

>> DAN CAPRIO: Jeff, final word?

>> JEFF BRUEGGERMAN: Yeah, I was going to reiterate some of what Eddan said about governance and risk management. I would say we need to push it up to higher levels where it's not a technical issue, or ICT, it's a C suite issues or community issue because these issues are too important to say my cybersecurity officer has it or chief operating officer has it, and I think finding ways to translate these to the non critical higher level, which I know the Dynamic Coalition has been working on is, you know, should continue to be an area of focus.

>> DAN CAPRIO: Great. Well, thank you. Well, thank you for your time and attention. Please join me in thanking our panel.


This text is based on live transcription.  Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.