The Cumulative Effect of Victory in Cyberwarfare

I have to first start by stating that cyberwarfare is one of those terms that tends to evoke mixed emotions from those who see or hear the word.  There are those who roll their eyes and accuse anyone who mentions it of fear-mongering, insanity, and everything short of bad breath and body odor (and perhaps there are some accused of those as well).  Others pause and listen, and still others (and a growing number at that) shake their heads and say "Yup, it is real."

The recent exposure of the hack of the US OPM records serves as a clear indication to some (if not most) that, whatever you want to call it, there exists at least one person or organization out there brazen enough to take a shot at our Federal Government and walk out with whatever he, she, or they deem interesting (in this case many millions of Federal employee sensitive records).  This was announced while the US was still reeling from the IRS records hack announced a few weeks earlier, which was announced a few weeks after we learned of a cyber attack on the White House, and, as many of my cybersecurity oriented colleagues like to point out to me, there are a few more peppered in between.

You can call this whatever you want, but I am going to go with Cyberwarfare.

So what concerns be about warfare in general is that if you are not on the side of victorious party, you are indeed a victim, and are forced to react in a situation where the victor has gained enough intelligence and purchase to send you reeling into a temporary abyss of confusion.  A determined warrior uses this moment to mount his next attack, provided he feels confident enough in his abilities to succeed.  A good way to come to this determination is to start with smaller attacks, and determine how successful they are over time.  A really clever way to prevail in the next battle is to ease up a bit, hoping that the target lets their guards down a bit, and then come in for the next big kill.  If that proves successful, it is a good time to turn up the heat and take full control.

That, dear reader, is what I fear we are now facing in the US, and perhaps the rest of the free world.  I have been working in security research for many years now, and I do not see anything that resembles progress commensurate with the mounting threats.  I have had the pleasure of spending many days visiting multiple factions of our Federal government tasked with addressing cybersecurity (as in the term is in their job title) who are completely dumbfounded when I show them vulnerability data (not theory, actual data) about products they are using in government facilities.  I am rather stunned to discover that the vast majority of our nation's cybersecurity government task force is unaware of the fact that we have a National Vulnerability Database that contains over 70,000 entries as of 2015, and had to change the numbering system from the 4 digit format in 2013 to allow for more than 9,999 entries per year.   

Moreover when I point out to government officials that these known vulnerabilities are not only accumulating in the products they use in their networks at an alarming rate, but are also being delivered in the software they are receiving that accompanies the brand new shrink-wrapped systems they are currently deploying, their mouths hang open in disbelief.  When I explain that the current system we have in place simply does not require any product manufacturer to assume any liability for security issues in the products they market EVEN IF THEY KNOWINGLY MARKET THEM WITH KNOWN VULNERABILTIES they simply do not believe me, until I ask the room full of lawyers I am addressing if they can cite a single case where a networking equipment or software manufacturer has ever been held liable for a cyber attack that occurred due to an unpatched cyber vulnerability.

This, dear reader, is basics.  Cyber researchers know this.  After decades of attempting to address these issues, we still live in a world where our government lacks basic awareness at the highest levels, and are still convinced that software companies are going to voluntarily agree to pick up the slack just because an executive order tells them to "pretty please" do so.

In the meantime, the attacks continue to come in, and the victories are becoming bigger, and more frequent.  The victim is steadily becoming demoralized, and the victor has all the tools he needs to keep bringing home the wins.  Moreover, he is far more aware of the vulnerability landscape than the victim is, and the victim remains apathetically confident that volunteerism and collaboration will somehow prevail.

Let me know how that works out.

Layoffs at eBay - The Indirect Economic Impact of Heartbleed and Other Cybersecurity Issues

???

It sometimes takes a lot longer than it should for society to fully grasp the impact of cybersecurity issues on real human lives, and just how far it extends.  In fact, nobody can claim to know just how serious cybersecurity issues can be from the standpoint of a societal impact, but once it hits home, we pause for a moment and say "Wow!  I get it."

Soon after we discovered the Heartbleed bug, I got a few requests (perhaps demands) from websites I frequent to change my password, and one of them was eBay, who, while they claimed they were not affected by Heartbleed, suffered a major breach of their password database due to attackers gaining access to employee login credentials.

It is perhaps only coincidental that this happened so close to the Heartbleed discovery, but what got me thinking about this, and a potential connection, was the breach of Community Health Systems 6 months after our discovery of Heathbleed, where millions of patient records were stolen.  According to a story that came out later, the breach was caused by an attacker who decrypted some traffic on an affected OpenSSL connection with an unpatched router, and then used discovered passwords and login information to access other systems. 

Again, the eBay situation may be a coincidence, but keep in mind that attackers are very clever, and it does not take an enormous amount of effort to find out who works at eBay, then simply cyberstalk the person who may very well use login credentials on other sites, which may indeed be affected by Heartbleed, to access systems at eBay.  We all know that, while we have all (hopefully) gotten better at choosing longer passwords with numbers, letters, symbols, and such, that we still end up reusing passwords on multiple systems.  That is why password-based attacks are so scalable.  You break it once, and you break it just about everywhere.

Yes, this is all theory, but certainly a reasonable hypothesis.  Regardless of the verity of this, however, eBay has announced that they will layoff 2,400 employees (7 percent of its global workforce), and, in part (quoting the CEO, John Donahoe) "The core auction site eBay runs has not recovered from the negative effects of asking all users to reset their passwords last May...eBay's loyal customers are back, but our more occasional customers have not returned, Donahoe admitted."

That really sucks big time for eBay, and the employees.  Granted, they will find new jobs in a bustling technological economy, but what is striking is that a company that is quite well established is clearly affected...as in losing significant numbers of customers affected...by cybersecurity issues.  Ultimately, a growing concerned citizenry, many of whom are just beginning to emerge from under the covers because the big bad boogie man they have feared in an Internet fraught with cybersecurity challenges has caused them to panic at the mere mention of stolen financial information, are now reconsidering their emergence from the cozy comfort of their luddite-yet-secure existence.

I am reminded of some discussions I have had with friends who have worked in airline safety for many years, who spoke of the value of the FAA forcing safety requirements down aircraft manufacturers throats so early on in the growth of air travel.  In the earliest days, soon after the Wright Brothers faithful first flight at Kitty Hawk, people emerged from all sorts of places with crazy ideas of how airplanes should be built...and, died trying to convince the world of their ill-conceived airborne deathtraps.  If the aircraft industry had not been reigned in and forced to build safe and effective air machines, it is not likely that air travel would have become a reality.  The same can be said for the nuclear industry, automotive industry, pharmaceutical industry...and many more.  Safe and effective was (and is) the key to growth and adoption.

We are now at a very significant crossroad in the information age.  We now rely on it for our everyday existence, and the emergence of rich applications and experiences as the Internet of Things continues to grow means that we will continue to see lots of growth...but it also means that we will have lots of choices when it comes to what we choose to include in our technologically dependent lives...and competition is good...no doubt.  What the eBay layoff is now telling me (us) is that, despite being a longtime player in the world of online commerce, users will indeed drop you like a hot potato if they perceive cybersecurity risks being too high...and there are indeed plenty of choices out there...and perhaps those choices that do not have cybersecurity issues associated with them may be more enticing.

The bottom line is this: businesses cannot afford the risk of not being secure anymore.  It's time to take this a lot more seriously, and perhaps it will ultimately take regulatory and legislative pressure to force businesses to get in line...and especially if it starts affecting economic matters.  That is ultimately what had to happen for the airline, nuclear, automotive, pharmaceutical, and several other industries.  While many try to argue that regulation stifles growth, I really have not seen any empirical evidence supporting that claim, and all of the industries I mentioned have managed to not only grow, but grow very quickly and make lots of money doing so.

I am sorry about the layoffs at eBay.  Perhaps this may be the first of many hard economic lessons regarding cybersecurity.

Heartbleed, Pneumonia, NyQuil, and Healthcare

It has been a while since I wrote a blog post.  This past Tuesday, April 22nd, I celebrated my first year with Codenomicon.  Yes, that same company that named the Heartbleed bug, created the Heartbleed.com website,  and created the snazzy logo that we all recognize as the first logo ever created for a computer bug.  It has certainly been an interesting year, to say the least.

I was brought into Codenomicon because of a few reasons, and carefully considered their offer before joining.  The biggest draw for me was their new focus on health care and control systems testing. One thing I immediately took note of was the vast applicability of their testing tools in the emerging medical device security space.  After spending some time getting to know some of the team (mostly headquartered in Finland, but with a very significant US presence) I quickly came to the conclusion that these were some very brilliant people doing some very interesting work.  I had no idea to what extent they would continue to hold my interest at the time, but I have to say that one year later they still continue to amaze me.

Not long after I joined, the FDA decided to purchase our Defensics fuzz testing tools as the first tool in their planned cybersecurity testing lab.  This was great news for us, as it immediately caught the attention of the medical device and hospital communities.  At the time we were a relatively unknown niche player (and in fact, still are to most) that was suddenly on their radar screen.  This created a lot of opportunity for us to show off what our testing tools can do, and got us into the doors of several major health care organizations, including both hospitals and device manufacturers.  They all wanted to see what we could do, and we happily demonstrated how our tools could render their devices non-functional.  Some like to say we broke the devices with our tools, but we really broke nothing.  The devices (or more specifically the code running on the devices) was already broken.  Our tools simply found where it was broken.  We literally discovered zero-day vulnerabilties right in front of the prospective customer, and have to say it was often quite quick and easy to do. We saw quite a number of concerned looks.

It has been a busy year...as I said.  First one medical device customer bought our tools, then another, then another, then another...and it kept going like that...and is still growing almost as fast as we can keep up with it.  I spent a lot of time on the road speaking at medical device events on the topic of security, contributed to article, book chapters, and the list goes on.  I did a lot of traveling in the last year, and I must say that despite being very interesting, it was quite exhausting.

This past March (and going into April) ended being a crazy month of travel for me.   Between March 1st and April 9th I was on the road around 30 days.  It was really exhausting most of the time, including several trans-contintal flights, and one trip to the Czech Republic (which, by the way, is really beautiful).  All of it was business travel, except for one trip back home to Cleveland towards the end of March to deal with a family matter.

Ahhh yes, Cleveland Ohio.  The semi-frozen tundra I call "home".  I spent 21 years there growing up, then lived in Florida for 13 years, then went back to Cleveland for 1 winter, before deciding to move to Northern California.  I felt I made a wise choice...at least the moving out of Cleveland part.

Don't get me wrong!  I enjoyed my years in Cleveland, despite hating winter after about the age of 7. My family lives there, as well as my friends, and the wonderful Case Western Reserve University, where I attended college.  Despite living in the hugely Asian populated San Francisco Bay Area my favorite Chinese restaurant is still in Cleveland.  My all time favorite Kosher Half-Sour deli pickles can only be found at the famous Corky and Lenny's deli in Woodmere, and I make sure to stock up on the rare occasions I go home for a visit.  I like to hang out at my favorite cigar store in Mayfield Ohio, where the 80+ year old owner (who I have known for over 25 years) still sits around with a bunch of old Italian-American curmudgeons, puffing on cigars and yelling at whatever talking head shows up on the widescreen TV, while he asks us if we would like an espresso to go with our favorite smoke.  Heck!  It IS home.

Yet after all that business travel, I found myself going back for personal reasons.  Not fun personal reasons either.  It was a family death, and I was tired, a bit stressed, and it happened to be snowing when I landed.  Yes, it was snowing in Cleveland at the end of March.  That happens a lot.  In fact, I can remember many 80 degree days in early spring that were followed a few days later with blizzards.  The last one I remember was in the year 2000, about 3 weeks before I decided to move to California.  It was a sort of confirmation that I had made a wise decision...or so that is how I took it.

The snow was only a day long, and I was in Cleveland for only 5 days, but managed to catch a nasty chest cold while I was there.  It was on the last day I was there, so I flew back home and spent the next several days downing some shots of Nyquil and sleeping.  A few days later I felt much better, and was thankful because I had an upcoming trip to Boston (yet another trans-continental flight) and did not want to travel sick.  All seemed well until the weekend came, and my nasty cough came back.   It continued to build up over the next few days, and I found myself flying to Boston feeling very under the weather.  It was while I was on the plane that I got the first message from our R&D team about Heartbleed.  We were not calling it Heartbleed then, mind you.  It was just an email saying our team had discovered this bug in OpenSSL while testing a new feature in our Defensics testing tools (the feature is called SafeGuard), and we were going to change all of our certificates, and we all would have to change our passwords, and to NOT change anything until they said to do so, because it would do no good until the bug was fixed.  They also told us that the bug had been reported to the Finland's national CERT, which is not something I can recall having seen before in the year I had been there.

Now please understand I work for a security company that literally spends all of their time finding bugs (well, almost all of their time, they also like to sit around and sweat in saunas in Finland, as I understand).  We find literally THOUSANDS of bugs every year as a matter of course.  So when I get an email from our company telling us of a bug that affects us, it means something more than normal daily news from the trenches.  I figured this must be serious, but had no idea how serious it really was.

A few hours later I got another message telling me of a website we had launched for the bug we had now dubbed Heartbleed, and was also shown the bleeding heart logo.  The message announced that we were hosting this site to inform the public, since OpenSSL had gone public due to a report they had received from someone at Google.  I was semi-lightheaded at the time, since my own personal bug was taking hold, so I was more than a bit confused by all of this.  I dozed off with visions of bleeding hearts dancing in my head.

Once I landed in Boston I had lots to do in preparation for a big meeting the next morning.  I got some dinner and went to bed, at this point feeling quite nasty from the cough.  I got up the next morning and took some daytime cold medicine (Dayquil as I recall) and had some breakfast.  I managed to get through a day of meetings without passing out, but by the time it was all over I was feeling some chills, and knew I had a fever.  This was not good.  Thankfully, one of my work colleagues had some Nyquil.  I took some of it back to my hotel room and also got some other cold medicine.  I had a nasty cough and it was not getting any better.  I got a bowl of clam chowder for dinner (after all, I was in Boston), and then decided to do a little reading and go to bed.

Well, as I perused the news I started to notice all this talk of Heartbleed.  It was right there front and center on every computer website, news site...it was everywhere.  Again, I was partially delirious from the chest cold, but I started reading the news, our internal messages, and our newly minted website.  I quickly realized that this was a lot more serious than I first imagined. Moreover, I noticed our company name showing up everywhere.   Things were definitely NOT like they had been before.   As I continued to read I began realizing that Heartbleed affected everything that had the affected version of OpenSSL/TLS on it, and that was a LOT of systems and devices.   I read about patches being available, and other ways to mitigate, but also realized that it would be a long time before every device that is affected was fixed.

I took the Nyquil and other cold medicine, and was still dealing with the nasty cough, which was making it impossible to get to sleep.  Back home I remember I had some great codeine-based cough syrup which, despite making me really sleepy, was great at stopping coughs.  I had nothing of the sort with me in Boston, but did have a leftover Vicodin from a prescription given to me when I had a car accident back in October (not my fault, by the way).  I knew that contained codeine, and took that.  It worked.  The cough subsided, and I drifted away into lala land.  My doctor late told me that was a wise thing to do.

I was awakened soon after drifting by a phone call from a reporter with a medical journal, who wanted to know how Heartbleed could possibly affect medical devices and healthcare systems in general.  I managed to deliver what turned out to be a fairly cogent interview, which he published immediately.  I drifted off to sleep.

The next day I had another meeting, and managed to get through it with some Dayquil.  I went to the airport feeling quite ill at this point, and while waiting for my long flight home, I got the first call from one of my contacts at DHS, asking if we could do a webinar, as everyone at DHS and upward was very concerned.  I said I would make it happen for them, and took my long flight home.  I went to the doctor the following day and was informed that I had Pneumonia...and put on heavy doses of antibiotics, which, I am happy to say, seems to have worked.

During the downtime at home I was asked to put together some informative webinars, which I and my team did very quickly.  It occurred to me as I helped deliver the message that the community of those affected did not seem to all get just how serious an issue Heartbleed really is.  The attack is ridiculously simple to mount, is completely undetectable, and affects EVERYTHING that is running the affected versions of OpenSSL.  That means small handheld devices, phones, VPNs, routers, mesh network equipment, general networking equipment...just about everything.  Again, I want to emphasize that an attack is UNDETECTABLE.   Most users are likely completely unaware if they have an affected version of OpenSSL.  Some users that may be aware cannot simply patch devices right away.  An example of this is health care.  Although the FDA allows patching of devices for security, the device manufacturer must still test the patch for any regressive behavior, and that is no small task.  Once the patch is deployed all certificates must be revoked, public and private keys must be re-generated, new certificates must be deployed, and then (and only then) can users change usernames and passwords.  While websites can potentially do this all quickly, any one of those steps can take a very long time in healthcare.

Well, I continue to deliver webcasts, as well as field lots of inquiries, and review multiple requests to sit on panels and in meetings to discuss Heartbleed.  I never expected to be part of the team that discovered what some have called the biggest bug to ever hit the Internet, but here I am, and I have to say I expect things to get more and more interesting as time goes on.

Perhaps I might also consider building a sauna.  When in Rome...as the saying goes.

Fuzzing Medical Devices...The FDA Certainly Will Be

In August of 2012 the US Government Accountability Office (GAO) released a report titled "Medical Device - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices", which essentially stated that the FDA should do something to address the growing cybersecurity issues researchers had uncovered in medical devices.  While the Food and Drug Administration (FDA) was essentially told what they were expected to do, they were not told how they had to do it.

While it may seem, to some, that the FDA was falling short in their need to address cybersecurity, it is important to note that the FDA does indeed provide guidance (and has for many years) related to cybersecurity from a functional perspective.  In fact, with all issues related to safety (and we are talking about cybersecurity as it relates to safety here), the FDA is quite thorough in addressing safety as it relates to unintentional misuse of functionality.  What is different today is that the FDA is now tasked with addressing intentional misuse...and that is where things become complicated.

The reason this is so complicated is because intentional misuse (or all the ways something can be used incorrectly...malicious or otherwise) is infinite.  That is why hackers, researchers, or malicious actors have so much to work with.  Moreover, hiring a hacker to constantly try to constantly hack away at your medical devices during the 18 month to 2 year development phase can become quite cost prohibitive.

In conversations I had with the FDA, who happen to be a very busy and underfunded agency, it was clear to me that they wanted to figure out a way to shrink this infinite space into something reasonably manageable, and they began seeking the advice of the security community...and the security community was happy to help.  What is particularly great about having discussions with the FDA is that they are, by and large, scientists.  Security researchers...despite the rather underground nature they have worked in for so long...are also scientists.  While some may argue against that assertion...others will agree.

Scientists like empirical evidence, and are driven more by curiosity than by dollars.  I am not saying they are not budget conscious...because they must be in order to conduct research.  What I am saying is that they are more concerned with "what if" than "how much does it cost".  This, as many of us our painfully aware, differs from the corporate world.  If you talk to a hacker for any length of time, you will see the similarities to scientists pretty quickly.

In late April of this year I joined Codenomicon, which is a company that is arguably the world leader in fuzzing technology.  For those who do not know what fuzzing is, I strongly suggest you do some "Googling" and read about it.  In short, it is the practice of exercising (some may say bombarding) a target with malformed data until it produces an error...or simply dies.  The malformed traffic that causes the error is thereby deemed a vulnerability.  A good fuzzing tool keeps track of what causes the error, and allows it to be replayed as needed to help developers remediate the error.  

So let's get back to the FDA.  Codenomicon demonstrated their fuzzing tools (known as Defensics) to the FDA, and they were more than a little impressed.  As we were informed, they had decided to build a cybersecurity testing lab, and wanted to bring in our fuzzing tools as the first of many tools to come.  It took a while to get from the initial conversation to the final award, but on July 12, 2013 the FDA posted a solicitation for Codenomicon Defensics, and we were awarded the contract on August 13th, 2013. 

Needless to say, this has certainly generated a lot of buzz in the medical device industry.  The FDA released draft guidance in June, 2013 stating they are expecting vulnerability assessments as part of the documentation submitted to the FDA, then states they are building a test lab, and will incorporate fuzzing into their lab.  This, of course, is part of the answer to how they are going to address cybersecurity.

I look forward to working with the FDA in making sure our medical devices are secured.  This is a great first step toward that goal.

The Archimedes Medical Device Security Group

The illustrious and ever so articulate Kevin Fu, who has emerged as the premier academic in the world of medical device security in the past several years, held his first Archimedes workshop at the University of Michigan this past May 9th and 10th.

This invitation-only event (which I was proudly invited to participate in) brought together 65 top security professionals, medical device manufacturers, health care system representatives, academics, doctors...and just about everyone else who has a stake in medical device security (except regulators and patients).  I do not recall ever having been around so many PhD's in my life.

The purpose of this event was to have an open discussion of the challenges associated with securing medical devices, and what we might all do to help resolve the issues.

The key points that came out of the event are as follows:

• Health care organizations and medical device manufacturers are making assumptions about the issues without looking at the whole picture.
• We simply do not have enough data about what the real issues are and what everyone is doing to address the issues to determine how serious the problem may be...or how far along we are...or are not.
• Trying to come up with new ways to address security may not be as prudent as re-purposing what others have already done in other industries (particularly the Industrial Control System space).
• It is difficult to get anyone to take responsibility for the issues.  Everyone hands it off to someone else (some more than others...some not at all...to be fair).
• Viewing security in terms of return on investment is pure folly...and will get nowhere.
• Vendors are not ready to provide what customers (health care providers) are not demanding, and health care providers are not ready to demand anything.

There were certainly others that came out, but most importantly the people at this event REALLY cared about talking about the issues...and were fully engaged.  This is what I found most important, because I have been working on medical device security for nearly 6 years, and for at least 4 of those 6 years I was often the only person in the room who had anything to say about the subject, and had to deal with a lot of blank stares, or comments like "Oh yes, privacy is very important in health care."  It is finally dawning on the health care community at large that we are NOT talking about privacy any more.  We are talking about safety.

Did we solve any problems?  Probably not...except for the problem of open and honest communication, which seems to have been resolved for at least this small event.

I'll take my baby steps and be quite content with them, and thank Dr. Kevin Fu (and company) for making something like this happen.  Getting smart people who really care together in a room with a common goal is often not a bad thing, and can move things forward in untold ways.

Why Huawei and ZTE Are Potential Red Herrings

A Red Herring can be described as a distraction or scapegoat to divert attention from bigger issues by focusing on a smaller issue.  Sometimes those who try to divert the attention to the Red Herring issue do so intentionally, sometimes it is done out of ignorance.  In any case, it generally has the same net effect of prolonging the solution.

In a recent 60 Minutes episode, Huawei was portrayed as a massive Chinese networking equipment manufacturer that was making great strides in the marketplace globally, initially in Asia and Europe, and working their way towards our shores in the USA, with some early market wins in the American Breadbasket.  The 60 Minutes story talked about how Huawei was very secretive about what they do, and because they build the communication equipment that will ostensibly be the backbone of global communications, that gives them free range to potentially put in back doors, or otherwise take control of global communications.

This was followed by a US House Intelligence Committee Report that articulates that Huawei and ZTE  (another Chinese networking equipment maker) are bonafide threats to our national security.  It pulls no punches as it lays out the gory details.

I have to say that all of this is true, in my opinion, but by no means addresses the much bigger issue at hand.  Consider, if you will, that nearly ALL communication equipment used globally today (certainly in the US) is made in China, and ALL of it can be provisioned with the same back doors.  That popular smartphone you and all your friends carry around and carry on conversations with, send emails with, submit documents through is likely made in China.  That wireless router that your laptop, tablet, desktop, phone are all communicating with, attached to that switch in your office or home network are all likely made in China.  We have literally MILLIONS and MILLIONS of communications devices where we have little to no visibility of the supply chain.  Even the "US Makers" of networking equipment have significant (and often ALL) components made and provisioned in China.

I bring this up because I have worked on projects to address some of these security issues with companies that provided components to communication equipment manufacturers.  While some manufacturers have taken some steps to address these issues (mostly ones who have been breeched and shamed), others have done nothing at all.  In at least one case I am aware of a major manufacturer only addressed a very small subset of their equipment, which was essentially their high end networking equipment, and all but ignored their lower end (and far more popular and prevalent) devices.

The American public, not knowing any better, may indeed believe that the US Government is doing us a great justice by performing this study, issuing this report, and taking some steps to address this issue.  I would have to say that this may be a good first step, and an eye opener, but we are FAR from addressing the real issue.

Let's hope we all wake up and take notice.

Our Government, The TSA, and Medical Device Security

Let's face it...we deal with security in a very reactive way, and we often end up with some real progress on the security front, along with some very real screwups.

I want to step back to 9/11 for a moment.  It is vivid and clear in most (if not all of our minds).  After the 9/11 attacks happened, we witnessed a time when our government had a lot of power (and most of it remains today) to do almost anything they wanted to do in the name of securing our nation.  For the first time in my life I witnessed a Congress the passed sweeping laws that created a somewhat muted police state, cloaked as "The Patriot Act".  Those that chose to defy our leaders were labeled as miscreants (in some cases), or told that they were being unpatriotic.

Some things that came out of 9/11 were pretty good.  Locking of cockpit doors is one of them.  Another is a heightened sense of awareness by airline passengers, who are not likely to sit idly as terrorists attempt to mess around on an airplane.

Other things...not so much.

Anyone who travels today must now be subject to the circus we know as the security line at any major airport, which is a barricade often manned by everything from well experienced and concientious agents, to agents that find their absolute power quite satisfying, and not in a good way.  We are forced to relinquish event the tiniest pocket knife, but are permitted to carry our laptops on the plane, which has a glass screen that could easily be broken, leaving us with a razor sharp length of glass that could do far more damage in the hands of a would be terrorist.  There have been instances of agents who have become so attentive of water bottles, that they miss handguns in carryon items.  Elderly people in wheelchairs are often forced to go through lengthy searches, and in at least one case I have personally witnessed several agents taking someone out of a wheelchair who could not stand up, and forcing him to go through a search while he totters on the brink of falling.

One would hope, after more than a decade of dealing with security issues post 9/11, that we would be better at this than we are, and I certainly do not feel more secure.  I am simply more annoyed.  I don't fear terrorists at the airport.  I fear TSA agents who routinely search checked bags, and sometimes steal the contents.  I saw a story last week about a TSA agent who routinely stole iPads out of checked bags.  The TSA response was something like "We are looking into it."  Try as you will, but you are not likely to win an argument or case against the TSA.  They are, after all, supremely powerful in this day and age.

This brings me to the issue of medical device security.  I am seeing a lot of news stories lately where our government is being pressured to do something about medical device security.  Without question, it is an issue that has to be addressed.  The FDA is currently being pressed upon to act on cybersecurity issues, and it remains challenging, to say the least.

We face a situation today where Congress is likely to require the FDA to take a more active role in cyber security, and I am concerned that if this is done in a reactive and hurried manner, we face the possibility of overreaction.  Cyber security is not complicated, but it is a constant learning process that requires immersion to fully understand.  The FDA is currently one very busy agency, and in my conversations with the FDA, I have discovered that they are very challenged in keeping up with the workload they are presently facing, which would lead me to conclude that they are going to be very challenged in  properly consider all the nuances of any cyber security decisions they may be forced to make.  As someone who has worked with (and continues to work with ) medical device manufacturers, I have learned that patient safety, reliability of therapies, and ease of use are of utmost importance to manufacturers and patients alike, and decisions made about how to implement security must be tested to the nth degree before proceeding with implementation.  Congress must understand that if anything is mandated, there will indeed be manufacturers who will focus more on compliance over creating a security culture, and what the FDA (and Congress) should focus on is first understanding what a security culture should look like, and how the risk profile  changes with any security related decision made by a device manufacturer.

It is important to understand that, as a traveller, I often have alternatives to dealing with air travel, and the repercussions of the inconvenience are generally limited to a specific instance (a trip).  The repercussions of bad decisions made on the medical device front are far more serious in nature.

I am off my soapbox.