Some Musings on the RSA Conference

A great RSA Conference in San Francisco concludes today. Attendance was down noticeably compared to last year, no doubt because of fears related to COVID-19 and the pullout of several key exhibitors, including AT&T Cybersecurity, IBM, Verizon, and six of the nine Chinese vendors. That said, there were 614 vendors exhibiting this year compared to 624 last year, so without the (possibly) overblown fear of the Coronavirus, there would have been a year-on-year increase in exhibitors.

Here are a few takeaways and comments:

Wendy Nather gave a very interesting keynote that discussed the need for democratizing security instead of continuing the current top-down, somewhat autocratic security model that is in place today. As noted in a Dark Reading article on the topic and reiterated in the keynote, Wendy said, “I’m going to argue that we should be teaching kids not to comply with somebody else’s security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using.” She applied more or less the same thinking for corporate users.

While I am completely on board with teaching good cyber security practices to users, we need to keep in mind that security is not just about doing the right things. It’s also about defending against a sophisticated, well-funded, malicious, very intentional, and sometimes just plain mean adversary. This is not just about users making good security decisions, as important as that is, but it’s also about enabling security teams to have autocratic authority when it best serves the needs of the company footing the bill and taking the risks. IMO, the best security model lies somewhere between autocracy and the democracy that Wendy proposes.

One of the more interesting products discussed at RSA was Anomali’s Lens+, a web content parser that uses natural language processing to highlight cyber threat information. Lens+ is a browser plug-in that can be configured to highlight text in web pages based on various criteria. It enables threat researchers and others to view web-based threat bulletins, social media posts, articles and other web content and have highlighted for them information related to threat actors, attack techniques, malware families, and other relevant information. Plus, it enables researchers to understand if their organization has instances of these threats already present in their network, and it supports the MITRE ATT&CK framework by showing the TTPs discussed in the content they’re viewing.

Lens+ has the potential to significantly reduce the amount of time that threat researchers spend reading threat bulletins and other content related to their work. Plus, I can see enormous applicability well beyond this space, such as enabling employees to gain additional information about the content they’re reading across a wide variety of subject areas.
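To make the idea behind a threat-content highlighter concrete, here is an added example (not Anomali’s code, and a long way from the NLP a real product uses): it scans a constructed bulletin for ATT&CK technique IDs, CVEs, hashes, defanged IPs and domains, and glossary names for actors and malware families, marks which indicators already appear in a constructed set of locally observed telemetry, and attaches the ATT&CK technique name to each TTP. The bulletin text, the glossary, the actor and malware names, and the local-indicator set are all placeholders assumed for the example; the ATT&CK technique names are the real MITRE ones.

```python
import re
from dataclasses import dataclass

# Constructed threat bulletin standing in for a web page a researcher reads.
# Actor, malware and infrastructure names are placeholders; the ATT&CK IDs
# and the CVE are real identifiers used here only as sample input.
BULLETIN = (
    "Example Group (also tracked as EG-1) resumed spearphishing with malicious "
    "Office attachments (T1566.001) that drop FakeLoader. The loader runs an "
    "encoded PowerShell stager (T1059.001), contacts update.evil-example[.]com "
    "and 203[.]0[.]113[.]10, then deploys the ransomware payload (T1486). "
    "Sample SHA-256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef. "
    "Initial access also abused a stolen VPN account (T1078) and CVE-2019-11510."
)

# Constructed glossary of named entities (a product would ship a curated one).
GLOSSARY = {"Example Group": "threat_actor", "EG-1": "threat_actor",
            "FakeLoader": "malware_family"}

# Real MITRE ATT&CK technique names for the IDs used in the bulletin.
ATTACK_NAMES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1486": "Data Encrypted for Impact",
    "T1078": "Valid Accounts",
}

# Constructed set of indicators already seen in our own telemetry (think: an
# export from the SIEM), stored in the same normalised form we extract.
LOCAL_INDICATORS = {"203.0.113.10", "0123456789abcdef" * 4}

# Regexes for the structured indicator types; "[.]" accepts defanged text.
PATTERNS = {
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+(?:com|net|org|io)\b",
                         re.IGNORECASE),
}


@dataclass
class Highlight:
    kind: str          # entity type, e.g. "ipv4" or "threat_actor"
    text: str          # the span exactly as it appeared on the page
    value: str         # normalised value (refanged, lower-cased where apt)
    start: int
    end: int
    seen_locally: bool  # True if the value is in our own telemetry
    note: str          # ATT&CK technique name for TTPs, else empty


def normalise(kind, raw):
    """Refang defanged indicators and lower-case the case-insensitive ones."""
    value = raw.replace("[.]", ".")
    if kind in ("domain", "ipv4", "sha256"):
        value = value.lower()
    return value


def extract(text, glossary=GLOSSARY, attack_names=ATTACK_NAMES, local=LOCAL_INDICATORS):
    """Return non-overlapping highlights for the text, ordered by position."""
    names = sorted(glossary, key=len, reverse=True)  # longest name wins
    glossary_re = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b")
    found = [(kind, m) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]
    found += [(glossary[m.group(1)], m) for m in glossary_re.finditer(text)]
    # Earliest start first; on a tie keep the longest match.
    found.sort(key=lambda km: (km[1].start(), -(km[1].end() - km[1].start())))
    highlights, last_end = [], 0
    for kind, m in found:
        if m.start() < last_end:
            continue  # overlaps a match already kept
        value = normalise(kind, m.group(0))
        note = attack_names.get(value, "unmapped technique") if kind == "attack_technique" else ""
        highlights.append(Highlight(kind, m.group(0), value, m.start(), m.end(),
                                    value in local, note))
        last_end = m.end()
    return highlights


def render(text, highlights):
    """Return the text with each highlight wrapped as [[kind: span]]; local hits are flagged."""
    out, pos = [], 0
    for h in highlights:
        out.append(text[pos:h.start])
        tag = h.kind + (" *LOCAL*" if h.seen_locally else "")
        out.append(f"[[{tag}: {h.text}]]")
        pos = h.end
    out.append(text[pos:])
    return "".join(out)


def summarize(highlights):
    """Group normalised values by entity type; this is what a researcher acts on."""
    summary = {}
    for h in highlights:
        summary.setdefault(h.kind, set()).add(h.value)
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    hits = extract(BULLETIN)
    print(render(BULLETIN, hits))
    for kind, values in summarize(hits).items():
        print(f"{kind}: {values}")
    for h in hits:
        if h.kind == "attack_technique":
            print(f"{h.value} -> {h.note}")
```

The normalisation step matters more than it looks: bulletins defang indicators inconsistently, and a comparison against local telemetry only works once both sides are in the same form. A product in this space would also resolve aliases (the glossary maps "EG-1" and "Example Group" to the same actor only by accident here) and pull technique names from the current ATT&CK release rather than a hard-coded table.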

There was a very interesting — and fairly contentious — keynote panel led by Craig Spiezle, founder of Agelight Advisory and Research Group entitled, “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei”. The panel members included Katie Arrington, CISO of Acquisitions for the Department of Defense (which can no longer legally purchase from Huawei); Andy Purdy, the CSO of Huawei; Bruce Schneier from the Harvard Kennedy School; and Kathryn Waldron, a Fellow at the R Street Institute.

Craig, who would have been well served in this session had his former career been that of boxing referee, did a good job at managing the group and keeping panel members more or less on topic. While the session shed more heat than light on supply chain management, with personal political preferences leaking through at times, it highlighted the importance of prioritizing where security dollars need to be spent, since there is no way to make everything secure. As Schneier noted, securing the supply chain is an “insurmountable” problem. Whether that’s true or not is certainly up for debate.

All in all, a great RSA and probably the most enjoyable since I started attending 16+ years ago.

Coronavirus Taking Its Toll on Industry Conferences

Here’s a partial list of the impact that the novel coronavirus (the disease it causes is officially named COVID-19) is having on tech industry conferences worldwide as of Friday afternoon, February 21st:

  • RSA Conference, San Francisco
    Verizon today pulled out of next week’s event. They were preceded by AT&T Cybersecurity yesterday and IBM on February 14th. In addition, 10 other exhibitors — three from the United States, six from China, and one from Canada — have pulled out of the conference. Of the nine exhibitors from China that were scheduled for RSA, six have pulled out; the three remaining will be staffing their booths with individuals from the United States. RSA is expected to draw up to 45,000 attendees this year.
  • Mobile World Congress, Barcelona
    This conference, scheduled for February 24-27 and which normally draws about 100,000 attendees, was cancelled on February 12th. The announcement followed LG, Google, AT&T, Airbus, Sony, Cisco, Facebook, Nvidia, Amazon and several other exhibitors announcing that they were pulling out of the show.
  • DEF-CON China, Beijing
    This conference, scheduled for April 17-19, has been put on hold for six months because “China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak”.
  • Facebook Global Marketing Summit, San Francisco
    The March 9-12 summit, expected to draw 4,000 participants, was cancelled by Facebook’s management “out of an abundance of caution.”
  • PAX East 2020, Boston
    Sony PlayStation pulled out of this major video game conference because of fears over the virus.

In addition to these, more than two dozen trade shows in Asia have been cancelled because of the Coronavirus outbreak.

Some Examples of Security Problems in Government

State and local governments, municipalities, city councils, local law enforcement agencies, federal government agencies, and other government entities – collectively the government sector – are under attack from cyber criminals and nation-states. Ransomware, business email compromise, phishing and other attacks are relentless, and 2019 was a banner year for various types of attacks against government.

A few examples:

  • Ransomware
    Successful attacks hit four municipalities in Florida in April and June 2019, more than 20 local government organizations in Texas (August 2019), and two power utilities in India (August 2019). Two-thirds of more than 70 ransomware attacks in the United States during the first half of 2019 had local and state government organizations in the crosshairs. The ransomware attack on the City of Atlanta in March 2018 compromised approximately 150 applications, including mission critical services such as the court system and police. Atlanta’s City Attorney’s Office lost 71 of its 77 computers and a decade’s worth of documents in the attack.
  • Phishing
    The City of Naples, Florida was the victim of a spear-phishing attack in July 2019 that netted $700,000 for the cybercriminal(s); this occurred after Collier County suffered a similar attack in December 2018 that netted $184,000.
  • Business Email Compromise
    A public school district in Portland, Oregon nearly lost $3 million to a BEC attack, and a county in North Carolina was tricked into paying $2.5 million into the wrong bank account for a contractor working on a local project (some of which it was able to recover through quick action by the bank).
  • Data Breaches
    Mega-breaches include the US Office of Personnel Management in mid-2015 with 21.5 million sensitive data records breached, and the US Justice Department in 2016 with a data breach exposing contact details for more than 20,000 FBI and Homeland Security employees. A White House audit in 2015 discovered a cumulative 77,000 cyber incidents across government, with theft of data a common occurrence. In late October 2019, hackers breached the City of Johannesburg and claimed they had exfiltrated sensitive financial and personal data. The hackers said they would publish the data if a ransom payment was not made.

We have recently published a white paper focused on cyber security in government that discusses the problems in depth. It discusses a number of important best practices that government decision makers should seriously consider. You can download it here.