Hi everyone, it’s wonderful to be here, and I’m so glad to have all of you here to join us for the first of our Aspen Tech Policy Hub demo days. I hope you’re all well, first of all, in these difficult times. Normally we’d be hitting the road with our panelists; we’d be going from Washington DC to San Francisco to show off in person all the amazing things that our fellows have done. But in these difficult times, as you know, that’s not possible. But we’re turning lemons into lemonade, because we’re able to bring this amazing programming to so many people across the country, and so we’re extremely grateful to you for being here.

So just to give you a little sense of how this would work: we have two amazing fellowship teams that are going to be presenting today. Throughout the presentation you are welcome to use the Q&A button at the bottom of your screen to ask questions. Please feel free to ask those questions any time; we’ll make sure to answer a bunch of them at the end of the program. And also note and keep an eye on the chat function. During the chat function we will actually be able to release to you the products that our fellows have produced, that you’ll be able to check them out in real time. We’re doing this in a true digital form today. Finally, this is a brand new team doing these webinars. While Aspen Digital has been doing an amazing job putting together webinars, we’re totally starting fresh, and so please forgive us if there are any technical difficulties throughout. I’m sure there will be, and I guess that’s part of policy at the speed of tech.

So with that, I’m excited to introduce our first fellowship team. Liv Ericksson is a senior manager at Mozilla, and she worked with Cecilia Donnelly Crumb, who is a developer at the Minnesota Senate, and the two of them have worked together thinking about how to protect your digital afterlife: what should we do in order to prepare for the eventualities, how to handle our digital assets after we die. I’m excited to have them release all the amazing work that they’ve done to you today. And with
that, over to Cecilia Angela.

Yes, Betsy, and thanks everybody for coming. So once again, this is the Digital Afterlife Project. Both Liv and I are software engineers with a background in open source. Liv has spent her career working on virtual identity and I’ve been trained in pastoral care, so we both thought this would be an interesting, difficult project to tackle together.

So let’s start with a story. Lucille and Bill are an older couple. Unfortunately, Bill passes away. So what next? What’s Lucille to do? Which you... Lucille knows Bill has online accounts but she doesn’t have the passwords. You can’t see this yet. Lucille knows that Bill has online accounts but she doesn’t have the passwords. So what is she to do? How does she, how can she manage Bill’s digital afterlife?

First of all, what is the digital afterlife? So, the online accounts, digital photos, messages, emails and data in general that are left behind when someone passes away. Since we live a lot of our lives online, especially now, this is a lot of information, and much of it survives us. This leads to a few consequences. According to the AARP, about 800,000 newly deceased Americans in the first year after their deaths have their identity stolen. Existing privacy policies might mean that loved ones can’t access photos or other data. So for example, if Bill put photos of his 50th anniversary in iCloud, Lucille wouldn’t be able to get them back from Apple unless she had a court order.

Some platforms do have management options. Notably, Facebook has Legacy Contact and Google has an Inactive Account Manager. Legacy Contact lets users choose someone to steward their account after they pass away; it can remain as a memorial site for their community. And Inactive Account Manager will transfer your account to the person you choose, so your spouse or your child, after a set period. So if you don’t log in for a month, then Google will... would let, say, Lucille know that she can now access Bill’s account.

Just for some context, the concept of the digital afterlife came up for us in a branch conversation at the
hub. One of the other fellows had this question about how data could be used for good or for ill after death, and Liv and I both thought that was a really interesting problem and wanted to pick it up and go further isn’t.

So here’s the crux of it. Even when an acting pretty Cyrano’s account information, like Lucille knew that Bill had photos in iCloud, gaining access to it or closing those accounts can be a difficult or impossible process. This is the big problem we set up to address in this project. There is currently no one simple, enforceable way for Bill to tell Lucille what he wanted to happen to his online accounts, even if he thought of it, which many people don’t. And even if you did all that, there’s no way for Lucille to easily carry out his wishes.

We’re talking about Bill and Lucille in this presentation, but this is a major problem because it affects all of us at some point. We share and store information about ourselves online, and the laws and policies that we have are not clear about what happens to the information after it passed away. There isn’t a clear, and definitely not an enforceable, way for any of us, like Bill, to express our wishes about what should happen to our online information when we die. The ways that do exist, like Legacy Contact and Inactive Account Manager, are piecemeal and still not very well known in the general public. So Lucille, even with the best of intentions, will have a really hard time closing Bill’s accounts and removing any needed data like photos. And it goes without saying, but bereavement is a difficult and painful time of life. Managing a loved one’s estate can be overwhelming, and one of our goals of this project was to make it slightly simpler.

So we took a three-pronged approach to solving this, with the three prongs being individual awareness, data privacy laws, and better design by companies that own online platforms. I’ll hand it over to Liv to talk more about.

Thanks, Cecilia. The first pillar of our proposal with the Digital Afterlife Project is to raise awareness of the value of and need to
secure these digital assets as part of end-of-life planning. This includes making records of which accounts exist and the information that’s stored in each of those accounts, as well as how a loved one can get access to them once they pass away. And it’s important to note that some digital assets might have a monetary value, like a virtual property that you own or digital currencies, but others might be sentimental, for example messages or digital photo albums. And depending on the type of asset that exists in a digital account, the laws governing how someone may be able to get access to them might be different.

So consider a conflict that could arise between grieving next of kin for something over a sentimental value, like a Facebook account. Suppose a privacy-conscious family member decides that they don’t want their parent’s account to stay active once they’re... once they pass away, so they close the account using process through Facebook to close the account, which is maybe in direct contrast to how other surviving beneficiaries may want that account to be handled, perhaps through memorialization. We think it’s important that individuals can make these decisions about what they want to have happen to their accounts before they pass away, and by setting explicit instructions for what can be done with accounts, individuals can help guide their loved ones through making these decisions after their death.

But as Cecilia mentioned, recognizing that these accounts exist and have value, whether monetary or sentimental value, is just the first part of the challenge. So with that, we, in addition to collecting resources for how people can approach their own digital estate planning, turn to the second pillar of our proposal on how digital assets can be better managed, and that’s incorporating fiduciary rights into data privacy laws. Most states in the U.S.
now are either putting data privacy laws into practice or considering writing them, and because of this we look at these regulations as a potential vehicle for fiduciary rights. Many states’ proposals, or the laws that have been passed regarding data privacy, the concept of an authorized agent included in these laws, which means that if an individual or consumer grants one person or an agency the authority to manage the access and deletion of their online data on their behalf, that authorized agent can then go and shut down accounts or get access and understand what data has been collected and stored about that user. The CCPA, California Consumer Privacy Act, does this, but it requires that the consumer actually signs the directive giving that agent the ability to have the authority to go and delete their data. We think that by expanding the definition of what an authorized agent is to include a legally recognized beneficiary or fiduciary agent for a deceased user, that more people will be able to have someone act on behalf of a deceased user in order to get accounts closed more effectively and efficiently.

But as we’re thinking about these two approaches, there’s still a power player that has a lot of responsibility and potential to make this whole process really seamless, and that’s the platforms themselves, which brings us to the third pillar of our approach: the digital afterlife design toolkit. The design toolkit was created to help companies that have online accounts and store information design features that would allow their users to set digital directives. Cecilia mentioned a couple of these earlier: Facebook has a Legacy Contact, where you can choose who is the person who will steward your account after you pass away, and Google has the Inactive Account Manager. And these types of tools give users the most granular control over how each of their accounts and the specific information in those accounts are handled. It gives the most agency to individuals to handle their information and decide how they want that to pass on after they
do, which allows for a lot more security of those accounts, as well as reducing the amount of emotional angst that family members may need to go through in resolving this without any kind of directive from the individual themselves.

We also are calling on more companies to better handle the process of reporting a death. This isn’t standard. Sometimes you would just go through a normal support channel, sometimes there’s a dedicated email address or a form on a... on a platform, but the process and the information that’s required to close accounts isn’t standardized, which means that platforms may ask too little or too much information, which could involve either putting a lot of burden on the surviving family members to close down what may be upwards of 300 online accounts, or it becomes very easy to impersonate somebody’s family member and have accounts closed in an unauthorized way. So there’s not a lot of design research being done in this area, but we think that it’s really important because, like Cecilia said, it’s going to impact a hundred percent of users of any online platform at some point, and we think that companies can start taking these actions now to make a really big difference.

The design toolkit, the advocacy resources and our draft regulatory language is all available online, digital afterlife online. And we recognize that thinking about this and talking about the end of life with regard to technology is a difficult conversation, but we think that it’s time that it starts being included in how platforms are handling their user accounts. Thank you, and back to you, Betsy.

Thanks so much, Liv and Cecilia. Amazing work, and I really urge everybody to go follow through the link that Liv suggested, and also we’ll post a link in the chat that will take you to our home page and will enable you to go dig in. There’s some pretty amazing work being done in the space, and so we’re very excited to see how this can all pull together. And I think, you know, what’s really unique about this project is that it focuses on an area that a lot of people
don’t want to talk about, and therefore it’s really an innovative space in which there hasn’t been a lot done. And so I hope all of you watching will take that into account as you start thinking about areas where you could have policy impact, like our fellows are trying to do here.

So next we want to switch gears a little bit. Well, first I actually do want to remind everybody: first, use the Q&A button to ask questions throughout for any of our speakers. Towards the end we will get into Q&A time, and we’d love to receive your questions and really make this conversation with everybody participating today. And so with that, I’d like to turn to our second team. We call this the team of Matthews. So we have Matthew Schroeder, who is a security engineer at Salesforce, and then Matt Severs, who has a long career in cyber security, largely in the military, and the two of them are taking their expertise on cyber security and applying it to the cyber security of small businesses. And so what they’re gonna share with you today is some new and innovative tools to help small businesses, especially in these tough times, help shore up their digital assets. So with that, over to you, Matt and Matthew.

Great, thanks Betsy. So our project is Big Security for a Small Business, and for our team we have myself, Matthew Schroeder. So I’m information security and privacy professional. I am currently at Salesforce working on security assurance, and I have had a variety of roles in security and privacy throughout my career and worked at companies like Facebook, ISA and Booz Allen. And I’ll let my partner Matt introduce themselves.

About 10 years doing cyberspace operations, and it was a specialization in cyber security. And other members of our team are Liv Ericksson, who you already met in the presentation.

Thanks, Matt. All right, so how did we get to this topic? So, so we just discussed Matt and I have a background in information security, and we’re thinking about what groups are particularly high risk and who we can help in this fellowship specifically. So we came across in our research
small businesses, and we asked ourselves, okay, well, do small businesses really need help with cyber security? So let’s look at some of the stats. So first of all, about two-thirds of senior decision-makers, small business owners, think that they’re not a target for cyber attacks: “we’re not really at risk.” Yet more than half of small businesses suffered a data breach within the last year, and a significant amount of those that suffered a data breach had trouble staying in business or even went out of business after the data breach due to the impacts. So going back to the question, we figured yes, small businesses do need some help with cybersecurity.

And then we’re thinking the next step for a project was, who really has a vested interest, partner with small businesses, that really want them to stay secure? So, government. Government needs small businesses to be secure. Government commonly participates in, commonly partners with small businesses. So let’s take California for example. California has a nice tight budget of about 220 billion dollars for 2020-2021, and they have a target spending for small businesses. They want to help small business out and give them opportunity. A lot of states do this. So California’s target’s about 25 percent or even more, so when you do the math that’s billions of dollars that they spend in small businesses, and overall that equals to us a very high risk to state and local government if small businesses are not secured. So next I’ll turn it over to Matt to talk about our overall problem statement.

So we looked at those ideas. We ended up coming with: how do we get the small businesses who are at risk to actually do something, and how can we get governments to help them take those actual actions? And we ended up with two solutions. The first solution is for governments to drive change on their end by updating their own policies, in this case procurement policies. This idea is based on a program that the DoD adopted a few years ago where every company that does a contract with the DoD has to have minimum cybersecurity standards. So
as we grow the solution we get with four different products. The first is a policy brief for state, local, tribal and territorial governments on how to actually implement this and how they can get value from this kind of program. Our second is an actual policy for them to adopt; they can either drop right into their own procurement policies or to tailor to their specific jurisdictions. Third, we have contract language, and they can drop right into their contracts. And fourth, we have a cybersecurity template, a plan template that businesses can use in order to comply with this policy. Our second, I’m gonna, solution, I’m gonna turn it over, back over to Matthew in order to talk about that.

Great, thanks. So now that we’ve really set the bar for the small businesses, try to give them something to provide guidance, what kind of standards, what kind of requirements they need to meet to be secure, we actually need to help them to meet that bar. So that’s where the second part of our solution comes in, which is to create security resources that are tailored to small businesses. So we have a website that we’ve used to centralize all the resources and outputs that we created for small businesses, which call our Big Security for Small Businesses website, which we have the URL here and also shared.

And the general approach that we took: Matt and I did a lot of research to talk to stakeholders, like small business themselves, people that help out small businesses, thing government. And our general approach was basically to provide small businesses very foundational, foundational activities that have a kind of a high bang for your buck, or higher security return on investment, things are simple, that actually doable, instead of kind of dropping, you know, there’s 200 pages of everything you need to do and just go to it, because that doesn’t really work that well for small businesses. So example to start out with: in our small business website we have some motivation, what could actually motivate small businesses based on our research. So this is just example excerpt of an
infographic we prepared. One big thing that we found in our research is that being able to show the impact of real-world small business attacks is a big motivator.

And then in our first interactive output, we created a security awareness campaign which we called Eat Hackers for Lunch. So why lunch? Well, goes back to our overall approach, which is, you know, these small foundational security activities that small businesses can actually do, and these are things that they could do even during your lunch break. So for example, we just have an excerpt of a few activities, like securing your network, password protection, two-factor authentication. And for each of these, these are very simple activities to help to really take the right steps to secure network, things that are achievable for small businesses. So right now it’s self-guided on our website, but we also create an operational plan so someone like a state, local government to take it and create an interactive session, or someone like a small business, like the Small Business Administration or a small development center as well.

So our next output, called LASER: it’s our Lightweight Assessment of Security Risk. So it’s meant to be, like set plate, lightweight, so takes 50 minutes or less, no registration required. You don’t need to be a cyber security expert to take it. You can just have, if you know your business well and how, if you have very basic background IT, you can answer the questions no problem. So that’s just an example of a few the questions are going through. And then as output, based on your risk level, so low, medium, high, you get a set of tailored recommendations. In addition to your risk level, they’ll also give you recommendations based on the questions you’re answered. So let’s say if you said “I don’t know much” or “I don’t have anything in place to protect my financial transactions,” we’ll give you a resources to help you with that. So it gives you a really good starting point, and that’s a goal of LASER.

All right, I’ll turn it back to Matt to talk about where we go next.

Now that we have
these two components, we have the government driving change within their procurement policies and their procurement processes, and we had the educational resources to help businesses actually take action, where we, where do we want these resources to go? And on the policy side, we really hope that city councils, state and local government, local government she’s organization, chief information security officers are the ones that adopt these and drive them and put them into place in their own organizations, jurisdictions. If they can do that, they’re going to drive change across the organization, even those that don’t do business would be with their organization themselves. They’re gonna set norms within their own organizations and drive change across the area. After you go and talk about where the resources are going to go.

Sure, sure, yes. So the resource to this really could fit into a lot of different places. The way that we set it up, small businesses can use it directly today, but also state, local government can use it, kind of adopt it, tailor it, send it out, use it to interact with small businesses, help them to be secure in state and local areas. A Small Business Administration from a federal perspective, and small business development centers, which are often the starting point for all small businesses when they want to start up, a really good place to, for these resources to go. We’re also talking with some nonprofits that are focused on providing secure cyber security to small businesses as well.

So overall there’s just a lot of opportunity here. There’s a lot of challenge for a small businesses to secure themselves, and we saw a lot of that when research to really dove into this huge area, and cyber threats are going to continue increasing. So it, this is a really important problem if we want to support our small businesses. So Matt and I are both excited to continue trying to try this part of this project forward, work with other people, collaborate, and we’re really excited to see what the future holds for us. Thanks.

Thanks so much, team. We’re really excited
about this project. I think this is a unique moment, which you couldn’t have anticipated when you started this project, in which so much has moved online that companies really need to respond in a new way to protecting their cybersecurity, and many companies that didn’t think of themselves as digital companies now need to think about this as well. So we’re extremely excited. Please go to the link that has been shared in the chat if you want to see some of the amazing tools that Matt, Matthew and their team have produced, and of course if you have any questions for them, for Liv and Cecilia, or for other team members, please submit them through the Q&A and we’ll get to them after the programming.

I now want to turn, and I’m extremely excited to do this, to both a great friend of the hub and a wonderful leader in this space, Raj. Raj’s the chairman and co-founder at Arceo.ai, and he’s the former head of the Defense Innovation Unit Experimental. So he’s been working right at the intersection of issues of cyber insurance, issues of cybersecurity. Procurement has come up, I know, a lot. So I’m extremely excited to get Raj’s reactions to these projects. So with that, over to you, Raj, for, for a short keynote speech on the issues.

Great, thank Betsy, and thank you for having me here. What you’ve done here with the Aspen group in this tech policy, it’s a much needed endeavor, so thank you for what you’re doing and, and the opportunity to come in and speak and share some perspectives I might have on these, on these projects, both of which I thought were very interesting and very relevant. So maybe what I’ll do is I’ll share some, some, some thoughts on, on both, some ideas to ponder, and then we can turn this into more of a discussion with Q&A with the, with folks and with you, Nancy.

So the first one, the digital and legacy or lifetime, as I said, custody and transfer are super important, right, particularly as we unfortunately have gone through this COVID period. You know, there’s a whole new framework, both legally as well as practically, that all of us need to embrace, where
everything, our personal information and just critical employees, is hosted and, in, hosted in third-party platforms with a variety of different privacy and custody and user agreements. And so how do you make sense of that? And having some centralized resource for people, maybe it’s driven by government, would be, would be immensely, immensely helpful. So I applaud the group for doing that.

I’ll talk a little bit more length on the second one, because the small business cybersecurity, cuz that’s a topic that I’m very involved with right now with one of my current, current companies. So, you know, first off, I’d echo what the team says: small businesses are super important with cyber, cyber security, if not even more important than large companies. So there’s over 30 million small businesses in, in the US. It represents nearly half of the U.S. GDP and employs 60 million people. So it is a vast portion of our, of our economy, and it’s not one that’s well set up to be secure. There’s certainly not enough high end the CEOs for 30 million businesses, and, you know, most small business owners are, you know, day in, day out trying to grow and maintain their, there are businesses, and they don’t necessarily have the time to spend and devote cybersecurity. They don’t have access to those resources. But the consequences of an attack are, are really, really grave. Of their, the stat I think the team showed that said 60% of certain companies that come under attack, particularly their retail, I could go out of business. It’s a serious risk, or certainly some very specific anecdotes.

But even more importantly, small businesses sometimes are, or even at a greater risk of being attacked than the large companies, and I’ll give you a specific example, and that attackers will oftentimes target smaller businesses because they just know they don’t have the same level of security, to be a vector to attack their larger businesses. So there’s a very famous example of the Target breach that occurred six, seven years ago now, in which the attackers, and knowing that Target itself had pretty strong
and robust security practices, actually breached a, one of their vendors. It was a heating and air conditioning monitoring company in New Jersey, and much weaker security. Broke into their, found a pathway from that company into a Target system. Once they got into the Target network they were able to bridge over to the point-of-sale systems and, you know, stole tens of millions of credit cards. And so again, there’s many, many ulterior motives.

So let’s then kind of think about what are some of the solutions, because there’s no easy, easy answer to how do you protect these small businesses. And so in my mind I’ve kind of categorized three ways to maybe help small businesses. So one is to just outsource your security to big companies. So by that I mean, if you can entirely host your system on AWS, Microsoft or Google, they have great security. They have a much stronger security team than any small business or startup could, could aspire to have. And then some of the things that I think the team highlighted, two-factor authentication and, and having a secure becomes in place. But that’s not an option for all companies. Not everybody can just move entirely to the cloud and be post infrastructure. Some people will have to have some physical systems, retail, in-person things. So, so if you can’t outsource it... you can outsource is great, but that’s not relevant for all.

The second one is to engage in tech solutions or platforms that try to bring the capabilities that are available to large companies down to the smaller ones. So, you know, one of the things that I think large companies get to benefit from is the concept of herd immunity, in that one, if you have a vendor where one of their customers gets breached, they quickly understand the cause of that attack, the vulnerabilities, and then can send signals and patches to protect everybody. Again, most of those platforms, there were larger, more expensive things. There are a slew of new companies trying to bring that down to the small business level, but again, that takes a little bit of effort and time spent on the IT
and CCO, so again, not, not always applicable.

And then the final one, which, you know, in all full disclosure, is an approach that I’m taking with a company, is to combine cybersecurity with insurance, meaning: hey, can I buy an insurance policy that will protect my small business from an attack financially? But in order to get that insurance, they will, the insurance company or entity will require a certain level of cyber security protection, and they continuously monitor. It’s just like, you know, all these small businesses have, certainly have fire insurance, and if they want to have fire insurance policy for their retail store on Main Street, which you must have, right, by regulation, the, the insurance company says, well, you have to have a sprinkler, you have to use fire-resistant materials, can’t put your house out of hay, right? There’s a whole set of series of standards that you have to abide by to get fire insurance. There’s a corollary, I think, coming in cyber, where people who require cyber insurance, and if you get it, you’ll have to have some level of standards. So that’s an emerging area, and there’s a couple of company.

But I, all of that really comes down to, I know the team touched on at the end, is the issue of incentives. What incentive can you give to a small business that they devote the time and energy to finding out which one of these three buckets of solutions they want to, want to implement to protect themselves? Right, because their main focus, again, day in, day out, this is: how do I stay in business? And so there’s probably a category of things on the carrot side and category things on the stick side. So they’re almost on the stick: there’s regulations, there are both commercial vendors as well as the government that are trying to enact standards. I know DoD was mentioned. There’s something called CMMC, which is make Cyber Maturity Model Certification, that worked, but basically says, hey, if you want to be a vendor to the US government you have to have these series of cyber controls in place. I think that’s coming out soon. There’s vendors that
require the same. So there’s kind of a stick standpoint. Then there’s a, the carrot side, right, which is: if you have a certain level of cyber hygiene and protection, are you becoming a preferred vendor? Are there cost savings? But your insurance policy goes down if you have a better security. So I think there’s incentives on that side. But this is, I think, early days of a really important topic, and so I’m glad that the team tackled it. So with that, Betsy, I’ll turn over to whatever questions and topics you want to dive into deeper.

Fantastic. I’m gonna start with a few questions for you, Raj, and then we’re going to get to a bunch of the audience questions. So first, you know, sort of going back to the digital afterlife: you mentioned the big focus on insurance, and you’re looking at the cyber insurance industry. Have you come across any thinking about insurance in the digital afterlife space? Has that been a conversation that started, and if not, why do you think it hasn’t happened yet?

What’s really interesting, I haven’t thought about it, but that’s just cranks is my lack of imagination. So I don’t know what, what is, is available the insurance world, but I think there are end-of-life types of insurance that are coming to market. So there are funeral insurance products that folks can buy such that they can reduce the burden on their, you know, next of kin when people pass, and that’s actually a very fast growing business. I could see one where there’s something similar for your digital footprint, where your policy that perhaps would cover any services costs and other things that to transfer and just kind of do some of the manual stuff, because again we have so many different, different platforms. So I think it’s a great idea, Betsy. Maybe one of your teams will go and launch that. Again, more projects.

Excellent, that’s what we’re always looking for at the hub. And then on the cyber side, you know, I know that you spent a lot of time thinking about government procurement, so I cannot let the moment go. Have you given any thought to procurement questions
for small businesses, cities, you know, local jurisdictions? I think many of us who used to work at the federal government understand that federal procurement has been really big. Small businesses often are working at the state and local level. Any thoughts on tips, such as best practices, what should people be doing in the procurement space to help move the thing forward?

Front, from the, from the government, for the buyer side?

Yes, or actually from both I’d be interested in. But you know, both what small businesses can do to help themselves get contracts with state and local governments, and how to ensure that cyber security is taken to account, and both the supply and the demand.

Right, right. Well, let me speak to this in the buyer’s side, because I think that’s where the majority the reform needs to happen. You know, I did, I just think that the, the federal government and even parts of state and local have, have procurement and buying philosophies and processes that were designed for a bygone era, right? So the, the DoD does a really good job buying long-life lifecycle products. So think about aircraft carriers or fighter jets, something you’re gonna keep for 30, 40, even 50 years. They have a very good process in terms of making sure it meets requirements, that meet certain standards, to go and purchase, and that, you know, that cycle can take 3-4 years. But if you’re buying a piece of software that’s going to be obsolete in six months, you spent four years buying it, right, you already, already behind the curve. So trying to balance, you know, speed with fiduciary oversight, because you’re, you’re, if you’re spending taxpayer dollars you want to make sure you’re doing them right and not having fraud and abuse or waste. But you know, I think again, when you think about new technologies, if you know exactly what you want to buy from a software standpoint a year in advance, you know it’s probably wrong to begin with, because it’s going to, it’s going to change. So I think my Mel’s recommendation for the smaller state, local governments that, you know, find ways to accelerate
your process, and more specifically, no need to reinvent the wheel, right? There are lots of great examples out there of acquisition methodologies and processes that you can copy that have been tried and true, that allow you to have that right balance between mission effectiveness and risk reduction.
Fantastic. And so we’re now going to bring all the panelists back and we’re going to open it up to Q&A from the audience. I’m excited that we’ve gotten so many questions, and so before we continue I just want to remind you to please make sure that you use the Q&A box to ask any questions that you have of the group. I don’t think we’re going to be able to get to them all, but I’m extremely excited to ask questions of the panelists and to move the conversation forward. And so the first question is for Cecilia and Liv, and that question is: what government entities should I be reaching out to as a consumer to help get more companies to make digital afterlife options available?
Sure, thanks. So we think of the companies and the government, and the things that those different groups can do, is slightly separate. So in terms of who you could reach out to in the government, you can talk to regulators essentially, so your state legislatures, and particularly regulators who are determining how to implement the data privacy laws that your state already has. One method for doing that is via public comments. We left simple language for a proposal to change some of the language in the California Consumer Privacy Act regulation, so that’s one method that can be used.
And it’s something you can kind of stay up-to-date with with your own local and state legislators as well. Like Cecilia mentioned, email them, send them messages, say, hey, this is something we should think about when we’re considering data privacy and how that’s implemented in our state.
I think just giving a little plug: so the Hub is trying to provide opportunities for people to learn about policy impacts and how to do this sort of work, so we’re hoping later in the
summer not just to be releasing products but actually to be doing webinars training members of the audience and others on how you can get engaged. You should also think about other stakeholders that you can approach personally: your state and local representatives, people who are working for the governor, people who are, you know, in the state of California. It’s actually quite surprising how infrequently the public reaches out to public servants and how likely they are overall to respond to you. So I don’t know, Raj, if you had any experience with that, with the public actually reaching out and getting the chance to engage. I know you did a bunch of public events. But I definitely encourage people to get involved in that.
So the next question is for the Matts, who I will use for shorthand: my company usually recommends the individuals and married couples that they have a secure password and note sharing application. Personally I use LastPass with a shared folder with my wife. In that folder all my accounts she would need to access if I pass. Is this the solution you explored, and what would you recommend in addition to this from a personal level? So actually that question could go to both teams. I’ll open it up first on the cybersecurity side, is that a good cybersecurity practice, and then I’d love to hear from Liv and Cecilia, is that a good digital afterlife?
Yeah, thank you for that question, and it’s actually, it is funny how that kind of spans both projects, which is great. So yeah, LastPass, and password managers in general, are one of those solutions we have looked into, and password managers can be very useful from both our small business side and from the personal side of being able to manage and make sure that your passwords stay secure. So they’re one of the things that are on our website of, you know, recommendations and solutions that you can use. From the side of being able to share, you know, their passwords after someone’s passed away, like Cecilia and Liv talk about that a little bit more in detail, but they do have that option. It’s not
necessarily set up, I believe, at least for LastPass, not sure about other password managers, but LastPass is not necessarily set up for kind of the, you know, if you pass away; it’s more so allow someone to take over your account if, for whatever reason. But I’ll hand it off to Liv and Cecilia to talk a little bit more about that one.
Sure. So yes, but I guess I would say, um, this is actually what most people do who have thought about it at all. A lot of people put a list of passwords in their will, or they say, like, all of my stuff is here, even if they don’t have a password manager. There’s some issues with that. If you put it in your will it becomes public, and obviously it’s not a secure practice in general to share passwords, and also you’re violating Terms of Service. So most terms of service will say that you can’t share your password, you can’t share your account with someone else.
There are, I think, a couple of other things too that companies can do to improve the software design around some of these. Instead of sharing access to an entire vault, maybe they get a one time code that you have to, like, hash out a certain amount of time elapse before you validate, like, yes, this code. Like if you don’t respond to approving or denying the request, maybe it assumes that, like Google’s Inactive Account Manager, you’ve been inactive, you didn’t respond to this request for somebody else to access your vault, after a week then you have access to it. There are trade-offs, and one of the reasons we call for more research of the space is because there’s no one very clear design for how to share really sensitive information, make sure that the person that you’re sharing it with only gets access to what they need at a specific time, in addition to what Cecilia mentioned.
Great, thank you. And I guess the one thing I’d add on the cybersecurity side is that historically I’ve recommended that while you should use a password manager for most passwords, password managers are key targets, so especially if you are somebody who for whatever reason
might be highly targeted by nation states or others, might be best to keep your most important passwords, like your email, health, banking records, you might just want to memorize a few of those, and that way even if your password manager gets breached the keys to your entire kingdom are not present all in one place. So our next question, keeping with Cecilia and Liv: my mother is 88 and very active on Facebook. Is there any risk to keeping her profile active when she passes away, after I’ve secured it with new passwords and retrieved any photos I want?
It really will depend if you’re actively monitoring it the way you might with your own account. Actively keeping it alive in and of itself may not be the risk, but like Cecilia mentioned, about a third of people who pass away in America are targeted for identity theft, so there is a risk that someone else may report the account belonging to a deceased individual. I know Cecilia has done a little bit more research specifically into Facebook’s instantiation of this feature, and it depends. You know, platforms are always changing and evolving, so what’s true today may not be true a couple of weeks or months or even days from now. But as long as it’s being actively secured, the greater risk comes in the account being completely ignored and abandoned. There is the question of memorialization and the benefits of acting on that user’s behalf rather than just putting the profile into a state where people can’t sign into it unless you’re the account manager for that account, which isn’t a very common feature for a lot of platforms, that Facebook does offer, which may be another consideration. It keeps the profile in the state that it was; you could make some minor changes to it, but it prevents other unauthorized users from signing in down the road, which is the risk vector to target there as well. I don’t know if you wanted to add anything to that, Cecilia?
Yeah, I would talk to your mom about who she wants to take over, what she wants to have happen, and who she wants to be
in charge of the account after she passes away, because she can choose one person to be the official steward. And Facebook, like I’ve mentioned, is pretty advanced in this area compared to almost every other online platform, so they have ways to indicate on the platform that she’s passed away so it’s not confusing for people. So it would say remembering her name, and you can pin some information at the top, if you have that stewardship position, about, like, where she might want people to donate or something like that. So using the tools that the platform has, specifically for Facebook, is actually a great plan, which isn’t true for most.
Great. So the next question is for Raj. Turns out we’ve got some folks really interested in cyber insurance and some of the details here. So the question is: do insurance companies use a common gap analysis methodology or cybersecurity underwriting process, or is it particularly proprietary to each? And then if there is no common methodology, is there a way that one could be built?
Well, again, not to have a commercial, but that’s kind of what my company is trying to do. So there is not a common data-driven nor dynamic view of cybersecurity underwriting, particularly for the small businesses, right? So if you think about insurance and insurance pricing, it’s frequency times severity and you build an actuarial table. Problem with cyber is both of those types of data are opaque and not clear. So we know frequency of breaches, but we don’t always necessarily know the true causality, right, on what part of the cybersecurity stack failed. And then severity, again, sometimes it’s very hard to pin down, especially if you think about business interruption and record. So I think trying to build out that methodology, there’s I think several players trying to get that right. It’s gonna take both some data sharing as well as expert opinion. And I think one of the other challenges has been particularly ease is, again, because these policies are small historically, it doesn’t take a lot of real data to
underwrite those policies, which then means most policies are limited. You may have exclusions, they have size limitations, and so currently, I would say, the industry looks at cyber insurance as a compliance item to accomplish. So, you know, I need to say I have it for a vendor agreement or something, rather than looking at it as a core part of transferring one’s cyber risk. And so I think that’s where the industry’s going to evolve as these products get more mature. So I think it’s early days, but the very interesting ones.
Awesome, thank you guys. So I want to turn the next question to the Matts. So we have a questioner who asks: how do you define small businesses? That is, at what point is a company too big for your solutions to work? How does a company know when they need to invest in the higher cost outsourced professional security solutions?
This is very insightful. So the government actually has a 50 page spreadsheet on how they define a small business depending on your industry, and sometimes it depends on the number of people that you employ and sometimes it depends on the actual revenue that you generate, so it’s really industry dependent, and in some of the manufacturing it’s up to 1,500 employees. We think that these policies that we put together on the procurement side can apply to any business; it’s not going to be just a small business. On the resources side, the larger companies are going to do these things, they’re going to have in-house experts that implement them for them, where those resources are really much more targeting the small business, you might even say micro businesses, which are under 20. We were thinking businesses under about a hundred people, after hiring somebody either internal or external to manage that for you. I think you’d add?
Yeah, yeah, to that, for our risk assessment tool laser, so if you’re in the medium or the higher risk side we do recommend considering outsourcing or getting external help, and we actually provide some guidance on how you can start to find that help, looking
at different local managed service providers or managed security service providers, so that’s definitely a consideration. So if companies are going through and do something a little bit more complex, and they have a little bit higher risk and take the assessment, they’ll see probably a recommendation that they might need to get some external help because they might not have the resources to do all this in-house.
Fantastic, thanks. So back to Liv and Cecilia: how do you plan to engage the larger companies that are storing data that could be affected in the digital afterlife? You have any idea whether they’re going to resist or embrace your toolkit?
We have a couple of companies that are starting to explore these features, and that was one of the principles that led us towards a design toolkit being an impactful way of helping guide that, because very few platforms have done work and published work on how these types of features can be implemented, and it’s pretty specific to different types of accounts. One of the things that we’ve talked about doing with the design toolkit is having a design workshop, so that if you work at one of these companies as a user interface designer or a product owner or an engineer, we would actually do a hands-on workshop to lead people who are working in the tech industry through some of these design guidelines, so that it would be more collaborative and engaging with the companies for their individual needs. A lot of companies will have their own processes for implementing different account features and how that work is prioritized, so as outsiders to different companies we were limited in what we can do directly to influence them, and we’ve been looking at the design toolkit and workshop as a way that we can engage folks who are working in this space more generally in order to take some of these principles as new platforms are being developed, or as people are going to work on account to the existing platforms, and share that knowledge more widely as a whole.
That was sort of the positive spin;
the negative side is uncertainty as a liability. There have been lawsuits about people’s data after their death, so there was a big one against Yahoo in Massachusetts several years ago. Liv likely remembers more of the details, but a family wanted access to the emails of their son who’d passed away, and Yahoo had private privacy rules that they didn’t want to share those with the family. It was a pretty long and costly court battle, and it’s basically a question of, if you let people make decisions before you pass away, then you’re reducing your uncertainty and your liability down the road.
Fabulous. Well, I definitely don’t want to end on that note, so we are getting close to the end of our time, so I’m going to ask the lightning round to our panelists. So what is the bumper sticker that you want people to take away from this panel? What’s the one or two sentences that you think is most important? And I’m gonna call on you in the order that I see you, so first, Matt Sievers.
Do something. So there are lots of different things that businesses can do. The big takeaway is to actually do something: take action, take a lunch and actually make a change on your business to make it more secure.
Fantastic. Cecilia, go ahead.
It’s helpful for your family and for yourself if you’ve made some decisions about this before you pass away.
Great. Matthew Schroeder.
Kind of similar to Matt’s: start today. Just do something today. A little thing can help to improve your security. You never know what might prevent an attack.
Liv.
Make a plan and tell someone about it.
That’s a national bumper sticker, so she gets bonus points. Raj?
I’d say that the government and large tech companies are not coming to save you, so you need to take matters in your own hands if you have a business or information that one day you want to pass along.
And I guess from the Hub’s perspective the answer for us is that you can actually make an impact. You don’t have to wait to be, you know, in government, have a job at a company working on policy. As our fellows have shown here today, you can
build stuff, even, you know, as a private citizen, that can really help others in these really difficult, really complex spaces, and so I hope all of you will take a moment to think about where you can get engaged as we go forward in the difficult time. So since we’re almost out of time, I’d like to remind you all that this is a regular webinar series. We’re going to be doing these webinars every two weeks on Wednesdays at 9:00 a.m. Pacific time, at noon Eastern Time, so it’s a brown-bag lunch, except we’re sorry we’re not providing the lunch right now. Our next session will be on algorithmic bias and emerging technology. We’ll be featuring our fellow Samara Trilling, who’s done a bunch of work on discrimination and mortgages, as well as Jenna virgin who is focused on how can we get witnesses and bystanders in the counterterrorism space to share information more effectively. I’d love to thank the team well to put this all together, daveed David Connor Maddy; we’ve got an amazing team that’s really been doing amazing work so far. And I’d also like to thank Xavier Ben and the whole team, and of course Davila, who’s been producing in the background the whole time. I’d love to thank our fellows. This is a huge congratulatory moment for them as they wrap up their time at the Hub. They so that ago pitch their projects in the outside world, but we’re glad that they’re finally public and out there. And I’d love to thank Raj for taking the time today to join us. So to all of you, I hope you see some inspiration for impact, and we’d love to move forward with you all and hope you’ll join us for our next webinar. Please check out the links in the chat and we hope to see you again soon. Thanks so much and have a great day.
The COVID-19 pandemic has heightened the cybersecurity risks for everyone, including large companies, small businesses and individuals. What steps can individuals take to help protect our digital realities?
Watch four Aspen Tech Policy Hub Fellows as they showcase their projects concerned with Protecting Your Digital Reality. Following the presentations of the projects, Raj Shah, Chairman at Arceo.ai, gives further remarks.
Projects Presented
Big Security for Small Business: How are small businesses supposed to keep their cyber assets safe when they do not have the resources of large companies? Matthew Schroeder and Matt Sievers present their work to tackle this challenge. They recommend the adoption of curated tools designed to help small businesses meet a minimum standard for cybersecurity and help business owners protect their digital assets.
Digital Afterlife Project: How can individuals recover, access, or delete the digital lives of their loved ones after their passing? Olivia Erickson and Cecilia Donnelly Krum teamed up to recommend how state governments and technology companies can change their laws and products to help facilitate this painful process.
Speakers
Cecilia Donnelly Krum
Developer, Minnesota Senate
Cecilia Donnelly Krum is a developer at the Minnesota Senate. Previously, Cecilia worked at Open Tech Strategies as an open source consultant for clients such as the American Red Cross, the Centers for Medicare and Medicaid Services, and the World Bank. She graduated from the University of Chicago. Cecilia enjoys Minneapolis’ parks in all seasons, particularly for canoeing and cross-country skiing.
Olivia (Liv) Erickson
Senior Product Manager, Mozilla’s Emerging Technology group
Olivia (Liv) Erickson is an open source engineer and Senior Product Manager in Mozilla’s Emerging Technology group. She has spent her career developing virtual and augmented reality software applications with a focus on exploring shared 3D environments. Previously, she worked at Microsoft and co-founded a virtual reality educational non-profit. In her free time, Liv enjoys SCUBA diving in Monterey Bay and snowboarding at Lake Tahoe.
Matthew Schroeder
Security Engineer, Salesforce
Matthew Schroeder is currently a security engineer at Salesforce. Previously, Matthew served in a variety of security engineering and management roles at Facebook, Gap Inc., Visa, and Booz Allen Hamilton. Matthew has an MS and BS in Systems Engineering from the University of Virginia. In his free time, Matthew enjoys escaping the digital world (briefly) to go on long runs.
Matt Sievers
Cybersecurity and Network Operations Specialist
Matt Sievers recently finished 12 years of military service where he specialized in cybersecurity and network operations. In his last position, he taught and developed curriculum for the undergraduate computer and cyber science programs at the US Air Force Academy. Matt has an MS in Cyber Operations from the Air Force Institute of Technology and a BS in Computer Science from the US Air Force Academy. He can often be found running the trails around Pikes Peak and other Colorado mountains.
Raj Shah
Chairman of Arceo.ai
Raj Shah is the chairman of Arceo.ai, a cyber-security start-up. Raj is also a visiting fellow at the Hoover Institution at Stanford University. Most recently he was the managing partner of the Pentagon’s Defense Innovation Unit Experimental (DIUx), reporting to the Secretary of Defense. Raj led DIUx in its efforts to strengthen U.S. armed forces through contractual and cultural bridges between Silicon Valley and the Pentagon. Previously, Raj was senior director of strategy at Palo Alto Networks, which acquired Morta Security, where he was chief executive officer and co-founder. He began his business career as a consultant with McKinsey & Company. Raj serves as an F-16 pilot in the US Air Force and has completed multiple combat deployments. He holds an AB from Princeton University and an MBA from the Wharton School at the University of Pennsylvania.
This conversation is part of the Aspen Tech Policy Hub’s Demo Day Video Series. Please visit our website to learn more about our series and RSVP for other events.