Despite the enormous amount of attention that has been directed to software security in recent years, relatively little attention has been given to hardware security. More than ever, the devices that are critical to everyday life and to the larger infrastructure are dependent on increasingly sophisticated integrated circuits (ICs). As the complexity and size of these ICs continue to grow, so does the risk of “Trojan” attacks, in which malicious circuitry is hidden within a chip during the design and manufacturing process. The circuitry could be triggered to launch an attack months or years later, with very significant consequences if carried out on a large scale. This presentation will explain the increasingly global nature of the semiconductor industry, and identify technology and policy steps that can be taken to minimize the likelihood of a successful, large-scale, hardware-based cyberattack.

John Villasenor is a professor of electrical engineering at the University of California, Los Angeles and a nonresident senior fellow in Governance Studies and the Center for Technology Innovation at the Brookings Institution. His work addresses the intersection of technology, policy and the law . He holds a B.S. degree from the University of Virginia, and an M.S. and Ph.D. from Stanford University, all in electrical engineering.

5:30 pm - 6:30 pm: Registration/Reception (Manning Faculty Lounge, second floor breezeway fo Stanford Law School)

6:30 pm - 8:30 pm: Panel (Room 290)

An evening panel to discuss behavioral advertising and privacy law, including:

+ Evolving legal, technology and business practices
+ What companies and individuals need to know
+ How the international landscape differs from the U.S.
+ Long term trends and developments
+ Corporate best practices

Speakers:

The advent of ubiquitous networking and computation and deepening globalization since the 1990s has eroded traditional international security architectures by multiplying conflict surfaces and empowering new actors. This talk describes research in the context of track 1.5 dialogues with Russia and China that aims to develop shared frameworks for understanding escalatory models of cyber conflict, sources of instability, and feasible approaches for risk mitigation. It will argue that cyber has made deterrence much more complex, and now, increased information assurance and new legal or normative constraints on state behavior are likely necessary for effective cross-sectoral deterrence. Finally, it suggests three tasks for cyber norms or confidence and security building measures to attenuate instability.

John Mallery is a research scientist at the Computer Science & Artificial Intelligence Laboratory at the Massachusetts Institute of Technology (MIT). He is concerned with cyber policy and has been developing advanced architectural concepts for cyber security and transformational computing for the past decade. Since 2006, he organized a series of national workshops on technical and policy aspects of cyber.

Industrial Control Systems (ICSs) are used throughout the industrial infrastructure and military applications. These systems are designed to be highly reliable and safe, but were not designed to be cyber secure. Moreover, many of these systems do not even have cyber logging or forensics. Consequently, these systems, which constitute the “soft underbelly” of the American economy and defense, can enable a “cyber Pearl Harbor” to occur without having the capability of even knowing the impacts were cyber-induced. Stuxnet and Aurora have demonstrated that cyber can be used as a weapon to damage or destroy engineering equipment and systems.

To date, there have been more than 225 actual control system cyber incidents worldwide affecting electric power, water, chemicals, pipelines, manufacturing, mass transit, and even aircraft. Most of the incidents have been unintentional. Selected unintentional incidents will be addressed at the ICS Cyber Security Conference (http://www.icscybersecurityconference.com/). However, there have been a number of targeted cyber attacks. The Stanford presentation will focus on Stuxnet and Aurora. It will address the lack of air-gaps, insecureable legacy ICSs, lack of cyber forensics, and cultural issues between IT and Operations that can enable these attacks to occur and evade detection.

Joseph Weiss is an industry expert on control systems and electronic security of control systems, with more than 35 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI) where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and, the cyber security for digital control systems. As Technical Manager, Enterprise Infrastructure Security (EIS) Program, he provided technical and outreach leadership for the energy industry's critical infrastructure protection (CIP) program. He was responsible for developing many utility industry security primers and implementation guidelines. He was also the EPRI Exploratory Research lead on instrumentation, controls, and communications.

Location-based services from are quickly gaining popularity. Many such services track the user's location and make use of it as needed. While tracking raises privacy concerns, it is believed to be unavoidable if users want the benefits of location-based services. In this talk I will give several examples of services that provide location-based functionality without learning the user's location. Our goal is to show that privacy and functionality are not always in conflict. We will also discuss our experiences with deploying these mechanisms in the real world. This is joint work with Arvind Narayanan, Mike Hamburg, and Narendran Thiagarajan.

About the speaker: Dr. Boneh heads the applied crypto group at the Computer Science
department at Stanford University. Dr. Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, security for mobile devices, web security, digital copyright protection, and cryptanalysis. He is the author of over a hundred technical publications in the field and a recipient of the Packard Award, the Alfred P. Sloan Award, the RSA award, and the Terman Award.