Left To Our Own Devices

In a way, I failed.

A conference had a call for papers open. I hemmed and hawed about doing it; I wanted to, but I wasn’t sure I had the time to write the talk. Conveniently, the CFP deadline was in May, with the final presentation submission in July, if accepted. This was plenty of time to figure out my schedule.

A friend encouraged me. Making writing the talk a problem for future-me, I submitted.

The conference did not select my talk. I was fine with that! I was nervous about the framing of what I’d planned, since it deserved justice. My time was still a factor; the now-present-me was wondering what past-me had gotten us into now.

Then I started getting other emails. One of them was offering a spot on a podcast, specifically Cybellum’s Left To Our Own Devices about product security.

The episode is available here: https://cybellum.com/podcast/62-heather-vermillion-paccar-security-personal-growth/

I took a scroll through their past guests and became intimidated immediately. Fortunately, they sent the questions in advance so I could prepare.

David and Shlomi were fantastic hosts. I’ve been in survival mode for so long it was nice to look back and take stock of my professional life. Leaving the Department of Defense was a desperate Hail Mary, and it has taken some time (and mistakes) to settle down.

I’m pleased to be part of the greater industrial-automotive security community. It’s been like a firehose with all the new information to learn. It’s also exciting, because the Jeep hack wasn’t all that long ago and everything is still so fresh. That’s where the challenges come in, I think, because there is a lot of work to do. There’s a lot to balance between not-even-a-deity-stops-the-production-line and that-attack-was-a-little-close-to-home. That combination demands a lot of collaboration and creative problem solving. Mostly, it works.

One of the major problems I see is the sheer lack of requirements. Vehicles — and I’m sure other devices — have a long design time. Production planning for a model year starts about 5 years prior. Chipsets take about a decade.

Tossed into the middle of this production cycle are security people. We’ve been figuring it out as we go and experimenting in real time. Security requirements are getting baked into new stuff, sure, but practically speaking, it’s going to be some time before that’s ready. Meanwhile, it’s extremely obvious in the media if something goes wrong.

FIRST Robotics is a program near to my heart. David and Shlomi must have dug through my barebones LinkedIn to know to ask about that — some Department of Defense habits die hard. The kids really keep me coming back year after year; I am proud of every team. I love refereeing but I am disappointed I see less of the projects. It’s a world-wide program that was founded on the idea of inclusive engineering and creativity. I can’t seem to talk about it without sounding like an ad; there’s a great documentary on Disney+ called More Than Robots that’s worth checking out.

It is absolutely a pipeline for the automotive industry. The younger kids get Lego robots with a Mindstorms controller and it must be autonomous. The older kids get remote-control, but their robots have a CAN bus. I can’t think of a more perfect way to prepare the next generation.

So, I didn’t fail. I got different opportunities instead.