It is a world of great turmoil and considerable fear amidst incredible human progress. No wonder the RSA keynotes seemed bi-polar - mixing fear one moment, hope and inspiration the next.
RSA opened with a somber act from rapper poet Kevin Olusola to the conference theme: "Now Matters"
“Together we rise, together we fall
Now matters, for one and for all”
Rohit Ghai, President of RSA Security, introduced the conference with the message that - despite the headlines - cybersecurity is getting better, not worse.
Why better? The world reads about breaches, not protection successes. You don't see headlines about the complex, often confidential work performed by many members of RSA’s audience. You don't see how multi-factor authentication, privileged access management, and other layered security measures prevent or mitigate breaches of so many systems.
Ghai continued in a positive vein; we paraphrase him below as he advised the industry to focus on the following “silver linings” of security:
1. End of the silver bullet fantasy
2. Quicksilver law of cyber-defense
3. Magic of sterling teamwork (inside and outside the boat)
End of the Silver Bullet Fantasy
The industry has finally abandoned the idea that ultimate security can be provided by some new silver bullet solution. Like the highly-successful British cycling team in recent Tour de France events, security teams must get the big things right, and work incrementally to improve the little things. Getting the big things right is all about risk management - understanding the company's business context and learning to protect its crown jewels. Only by hardening or denying a small number of key outposts can one finally create defenders' asymmetric advantage over attackers.
Don't ignore the little things. Use threat intelligence and vulnerability analysis to learn where the vulnerabilities are and patch them.
Quicksilver Law of Cyber-Defense
Like basketball, cybersecurity is a high-velocity sport. Players must anticipate the next offensive move and get protection in place first. With new technologies, there is always a learning curve; Ghai called it the “cybersecurity afterthought gap." The only way to counter Murphy’s Law of new technologies is to develop an ability to adopt security measures sooner and better.
Ghai asserted technologies like Intelligent security operations centers (SOCs), automated orchestration, and user behavior analysis (UBA) are working well. We have state of the art visualization in the SOC - “beautiful security” delivered through Slack-like UIs and chatbots. We are getting better at getting to the ball before our opponent.
The Magic of Sterling Teamwork (Inside and Outside the Boat)
Continuing with athletic metaphors, Ghai recalled the US women’s eight rowing team, which had an 11-year winning streak. In the long boat, only the cockswain can see ahead, but the team digs in with trust and coordination. For the crew, teamwork isn’t just needed in the water, but also in other areas such as university programs to recruit a depth of talent.
In cybersecurity, protection must also go beyond the SOC and all the way up to the Board room. It requires contributions from executives, users, and business stakeholders. Regulators must set the tone. Ghai praised GDPR for putting privacy front and center, and The U.S. Cloud Act for balancing tech sector needs with public sector anti-terrorism concerns.
We need to build diversity and inclusiveness into security programs, or we’ll struggle to get security right. We need to build in, not bolt on. We should move security up the software development life cycle (SDLC) and engage developers long before the first pen test of the finished system.
Ghai acknowledged there are major issues. Cybersecurity is impacting financial results of breached companies. Breaches of trust have moved beyond loss of personal information. In the wake of the U.S. 2016 election, purveyors of “fake news” continue to shake citizens’ faith in the media, each other, and democracy itself. Trust in technology is tenuous.
Still, Ghai argues that across the social spectrum cybersecurity is getting better not worse. Cybersecurity provides the protection underlying technological breakthroughs in AI, robotics, and other fields. He highlighted the importance of inclusiveness and noted (to applause from the audience) that twice as many girls, and three times as many ethnic-minority students are enrolled in advanced computer classes.
Ghai closed with: “To protect – it is our great adventure!”
Taking Protection to the Next Level
It was left to Brad Smith, President of Microsoft, to recall the darker moments of 2017 with videos depicting scenes of Wannacry ransomware causing chaos on UK National Hospital Service (NHS) floors, and Notpetya ravaging Ukraine.
Both Wannacry and NotPetya are suspected of being state-sponsored attacks. If so, the world has gone backwards from the days after World War II when states came together to codify civilian’s rights to safety from government attacks. We need a Digital Geneva Convention, Smith said, that stops governments from attacking private sector technology and technology companies. For all this doom and gloom, Smith too had words of encouragement, announcing a new Cybersecurity Tech Accord in which 34 major vendors pledged to uphold principles of civilian protection in cyberspace.
Two Steps Forward, One Step Back
It seems the Cybersecurity Gods delight in irony and don’t appreciate corporate Presidents saying cybersecurity is getting better. News of an apparently minor breach broke toward the end of the conference. Per Paul Ducklin from Sophos: “Well, it looks as though it’s happened again: another insecure app published as part of an RSAC cybersecurity event.” In a late-night tweet, RSA Security acknowledged that 114 first and last names of RSA Conference Mobile App users were improperly accessed. I suppose it is easier for executives to talk about paying attention to the little things and moving security up the SDLC than for the company’s developers to actually do it.
Many feel the Clarifying Overseas Use of Data (CLOUD) Act does not represent the good balance Ghai described, but tramples privacy rights. McAfee CEO Christopher Young’s keynote, which compared the state of cybersecurity to the state of skyjacking in the wide-open skies of the 60s and 70s, seemed (at least loosely) to imply an increasingly centralized and regulated future. If our Internet user experience is to become like U.S. Transport Security Agency (TSA) lines in the airport, many might oppose that, and centralized systems might not be safe or resilient enough. Other paradigms, such as decentralized blockchain-based solutions, were barely mentioned until the Cryptographer’s Panel took the stage.
Conclusion: We Need Not Agree with Everything the RSA keynoters Said to Welcome a Positive Message
Despite RSA’s closing contretemps, a reasonable argument can be made supporting Ghai’s premise that cybersecurity is getting better. It may not seem this way with 2017 logging 45% more breaches than the previous year. However, 2017 also saw vastly increased digital utility and digital transformation in the world. Did the increase in economic value of the Internet exceed the value of cyber-losses? I would have to say “Yes!”
What about the equally reasonable argument that cybersecurity is getting worse because losses are increasing at an unacceptable rate? Losses are going beyond the economic: If many are losing faith in democracy due in part to the cyber-abuses and cyber-conflicts that divide us, could we ultimately face the incalculable loss of democracy itself?
To that also a positive message is the only answer. Per John F. Kennedy: “We have nothing to fear but fear itself.” For the professionals among us: We can go to work each day and make our living, knowing that we stand for safety and privacy. Let that inspire us to work a little harder, do a little better, and do it ethically. We are living the life of making cybersecurity better.