Euro Security Watch with Mathew J. Schwartz

Breach Preparedness , Cybersecurity , Data Breach

Cybersecurity Chaos Dominates RSA Conference Discussions US Election Interference Highlights Ongoing Dangers, Industry Leaders Say
Cybersecurity Chaos Dominates RSA Conference Discussions
Actor John Lithgow celebrates cybersecurity professionals' contributions in a monologue opening the RSA Conference in San Francisco. (Photo: Mathew Schwartz)

Ask not what cybersecurity can do for you, but what you can do for cybersecurity.

See Also: The Cost of Social Engineering: 3.1 Billion Reasons to Pay Attention

Amidst the increasing security chaos facing individuals and organizations, one of the dominant themes at last week's RSA Conference 2017 in San Francisco was the need for information security professionals to do more, both for helping to bring order to that chaos, as well as by influencing public policies that could foster long-term relief.

"Chaos isn't just something perpetrated by the bad guys." 

But first, this year's RSA Conference launched with a riot of light and sound: a DJ, drummer, followed by hip hop duo Black Violin's dueling violins and conference-branded wristbands that pulsed colors in time to the music.

Actor John Lithgow next appeared on stage to deliver a crescendoing monologue celebrating cybersecurity professionals and their contributions to making the world a better place.

But if cybersecurity might have previously seemed to be an abstract subject for so many non-practitioners, last year the idea of using hacking "to disrupt a mainstream election became front page news," said Zulfikar Ramzan, the CTO of RSA, in a keynote speech.

"There is no doubt in my mind that the Russia government attempted to influence our elections," said U.S. Rep. Michael McCaul, R-Texas, the chairman of the House Homeland Security Committee and an original co-chair of the Cybersecurity Caucus, in a speech at RSA. "Frankly, it didn't matter to me that it was Democrats or Republicans being targeted. These were Americans, first, in the crosshairs of the Kremlin."

McCaul said that he'd previously "pushed President Obama and candidate Trump" to take a stronger stand in response to the Russian interference, "but I was disappointed in their response."

Rep. Michael McCaul talks cybersecurity at the RSA Conference. (All pictures: Mathew Schwartz.)

Push to Simplify

There are more than a few lessons to be learned from such interference. "It demonstrates our problem isn't limited to the initial cyberattacks we face," RSA's Ramzan said. "Our problem is the long tail of chaos they create. But chaos isn't just something perpetrated by the bad guys; chaos is something woven into the fabric of life, business, government, in nature."

Accordingly, Ramzan said organizations must attempt to simplify their IT operations - he's a fan of consolidating vendors - as well as attempt to tame chaos and finally to "plan for the chaos you cannot control." From an incident-response perspective, he said focusing on availability, budget and collaboration remains essential.

In a message that seemed tailor-made to address current political discussions in the United States, and reflecting the intense, historic link between Silicon Valley and immigrant innovators, Ramzan also called on the community to ensure that it doesn't "alienate people on the basis of gender, race and culture."

Policy Input Required

Multiple speakers called on attendees to use their information security expertise and experience to help actively make the world a better place, amid a backdrop of driverless cars, smart sensors everywhere and the so-called "going dark problem" facing law enforcement and intelligence agencies.

"We technologists need to get involved in policy," Bruce Schneier, CTO of IBM's Resilient Systems, said during a debate about whether internet-connected devices should be regulated to ensure they're secure. "We're never going to get the policies right if the lawmakers continue to get the technology wrong."

Getting involved doesn't necessarily mean having to change jobs, he said, but rather to provide expertise as needed. "We technologists need to get involved ... on Congressional staffs, in federal agencies, at NGOs, part of the press," Schneier said. "We need to build a viable career path for public technologists, just as there is now for public interest law."

Call for a 'Digital Geneva Convention'

The call for cybersecurity experts to help bring order to chaos - and for information security professionals to do more - continued in a speech delivered by Brad Smith, Microsoft's president and chief legal officer.

"We are the world's first responders," he said. Complicating that job, however, is the fact that "every company has at least one employee who will click on anything."

Smith said the solution involves - at least in part - individuals, governments and organizations all doing more, and said there is an opportunity for the new U.S. president to help drive such discussions. In particular, Smith called for a Digital Geneva Convention, backed by a new, international cybersecurity agency, modeled on the International Atomic Energy Agency, which seeks to promote the peaceful use of nuclear energy, while discouraging its military use.

Cryptographers Analyze Election Interference

Intel Security's Chris Young discusses U.S. election interference at the RSA Conference.

Numerous conference speakers pointed to the U.S. election interference as an example of why cybersecurity professionals are needed more than ever before, while noting that such interference was not exactly surprising.

Chris Young, senior vice president and general manager for Intel Security - a.k.a. McAfee - noted that at the 2016 RSA Conference, he'd posed the question of what might happen if a cybersecurity attack disrupted the U.S. election. Without contesting the results of the 2016 election, he noted that "cyberattacks played a role" and called out the danger for everyone when hacking could be used "to assassinate character."

Such interference has happened before. "Using stolen documents to influence an election is not a new development," said Israeli cryptographer Adi Shamir, the "S" in the RSA asymmetric cryptographic algorithm, during an opening day cryptographers' panel discussion. Both the United States and Israeli's national intelligence agency, the Mossad, have done so before, for example in 1956, when a speech denouncing Stalin was leaked, helping spark an anti-communist revolution that overthrew the Stalinist party and government in Hungary.

"That's why I'm shocked, shocked, by what the Russians are doing," said Shamir, who's a professor of computer science at the Weizmann Institute in Israel. "Let's remember that they're not alone."

Such attacks work better against some targets more than others. "As we know, the Hungarian Revolution wasn't very effective," said co-panelist Susan Landau, a professor of cybersecurity policy and computer science at Worcester Polytechnic Institute. "This type of attack works best against democracies, and against open societies and wired societies."

Professor Susan Landau of Worcester Polytechnic Institute.

Push for Paper Ballots

To defend against potential interference or voting machine hacking, co-panelist Ron Rivest - the "R" in the RSA algorithm, and a professor at the Massachusetts Institute of Technology - recommended that for future U.S. elections, every vote should generate a paper ballot.

Although there's no evidence that any 2016 U.S. presidential election voting machine results were hacked, having paper ballots would have allowed all voting results to be audited and verified. "Usually you try to convince the losers that they lost fair and square," Rivest said. "Now you're trying to convince the winner that they won fair and square."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network