It was mostly sunny outside RSA Conference 2018 in San Francisco during the opening keynotes on Tuesday.
Inside? Well, there were some sunny breaks, but plenty of clouds as well.
It started sunny, when RSA president Rohit Ghai acknowledged the clouds but chose to focus on “Three Silver Linings.”
“I’m not in denial,” he said. “Let’s not forget about the clouds, but to protect our great adventure, let’s double down on our silver linings.”
To do that, he said, the industry should first “eliminate the silver-bullet fantasy” and concentrate on “getting a little bit better every day, rather than unbeatable someday.”
Second was what he called the “quicksilver law of cyber defense,” in which cyber security defenders could take a page from the legendary Boston Celtics teams of the 1960s, who said one of the reasons they won was because they anticipated what their opponents would do. The same has to be true in cyber security. “You need to get to the ball before your opponent,” Ghai said.
And third is “the magic of sterling teamwork.” He quoted the journalist and author Malcolm Gladwell, who said, “You can’t win unless everybody contributes,” but for that to happen, he said, requires “trust and communication” within any IT team.
By comparison, Microsoft president Brad Smith focused a bit more on the clouds, acknowledging that if things are going to be brighter in 2018, “we need to start by learning from last year,” which featured the catastrophic WannaCry and NotPetya ransomware attacks, and which prompted some in the media to label it “Cybergeddon.”
He also noted the ominous reality that both attacks were attributed not to criminal gangs or opportunistic hackers but to nation-states—North Korea and Russia respectively.
Smith said when World War II ended, government leaders across the world came together and agreed to protect civilians in times of war. “But now we are seeing governments attacking civilians in times of peace,” he said.
And while the attacks may be on machines, they end up “endangering people’s lives.” He noted that in the U.K. and Ukraine, entire hospital systems were taken down, which meant surgeries had to be canceled and other treatments either delayed or canceled. “Maybe that machine is keeping somebody alive,” he said.
Smith has been talking for several years about establishing what he calls a Digital Geneva Convention to get even hostile nation-states to agree not to target civilians with cyber attacks.
And while it doesn’t include governments, he announced a move in that direction—34 companies, including Microsoft, Facebook, Cisco, GitHub, Arm, Cloudflare, LinkedIn, HP, Dell, SAP, Oracle, and VMware, have signed on to what he called the Cybersecurity Tech Accord.
Among the core principles of the accord is that the signatories agree never to provide material support to government-backed cyber attacks.
“We need to do more, and do more together,” he said, noting that with the continued proliferation of IoT devices, “we are entering a world where everything is connected. Every child’s toy, refrigerator, heating system, and car is connected.
“That offers great promise. But anything can be disrupted, which means everything needs to be protected.”
Other principles of the agreement include these:
For McAfee CEO Christopher Young, the clouds are the increasing weaponization of the devices consumers use every day, which can be exploited for everything from identity theft to ransomware to being conscripted as part of a botnet.
But he said the security industry can rise to the challenge in much the same way the airline industry met the challenge of the “golden age of hijacking airplanes 50 years ago.”
“There’s a lot we can do to get results we need,” he said. “If you look to the air travel industry, they are obsessive about safety and security.
“There are more than a million people in flight right now, and 10,000 flights will take off and land today. We have safe freedom and movement, and we need to secure digital freedom.”
Young said to get that result, “we need to go out and drive a culture where cyber security gets the prioritization it deserves. Despite breach-a-day headlines, CyberSec still hasn’t reached the level of priority to address the attack landscape. It’s still a sidebar conversation in too many arenas.”
Indeed, in a later morning session titled “The Cryptographers’ Panel,” those on the panel were a bit hard-pressed to come up with reasons for optimism.
In a moment of dark humor, Adi Shamir, professor of computer science at the Weizmann Institute in Israel, noted that given the reality of the cyber risk landscape, “our job security is guaranteed for a very long time.”
Which was a reminder that every silver lining has a cloud in front of it.