I was honored to be selected as one of the 50 cybersecurity scholars from around the world to attend the annual global RSA cybersecurity conference. It is a gathering of 50,000 cybersecurity professionals and researchers held in San Francisco. The theme this year was “Now Matters,” and cybersecurity issues are certainly something that we need to address “now” rather than in the future.
The overwhelming theme that I saw was that cybersecurity has gotten over the “silver bullet” fantasy. We realize there will be no killer app or magic formula that will ultimately solve cyber insecurities and protect networks, systems, and individuals from attack. The human factor has often been cited as the weakness of cybersecurity; however, it was refreshing to hear that many leaders are realizing that humans are also the strength and core of cybersecurity. Many sessions discussed how cybersecurity needs to be holistic, a long-term commitment, an embedded culture, and an overall mindset.
Chris Young, CEO of McAfee, spoke on the importance of building a cybersecurity culture, part of a “sustained cycle of measures, rewards, and advocacy.” Even though technical advances make systems stronger than ever, the attackers are also intelligent and adaptive, making it important for us to work as a team. He quoted Christopher Painter, former coordinator for cyber issues at the U.S. State Department: “The failure to ‘mainstream’ cyber issues into larger national security and policy debates has real consequences.” Mr. Young went on to compare the current Facebook issues to the Exxon of today. After the oil spills, people started to rethink the costs and benefits that cheap energy policies had on the overall environment. Even though cheap oil prices had caused a boom in the economy, there was a price to pay. Now, people are starting to rethink the costs and benefits of “free” social networking services that facilitate networking and the exchange of information. The surveillance economy has also caused an economic boom, but there are long-term implications that we are just beginning to understand.
This cybersecurity mindset takes a team mentality. Brad Smith, the president of Microsoft, used the metaphor of a crew rowing a boat together. Stakeholders need to learn to trust each other and communicate well in order to navigate the uncertain waters ahead. He also shared about the human impacts of the recent WannaCry ransomware attacks. This was a cyber-based, state-backed attack on citizens during a time of peace. It crippled the National Health Service in Great Britain, shutting off access to critical health records and blocking individuals from all but critical emergency care. As a result, Microsoft and many other companies are working together at unprecedented levels to help build resilience against similar attacks in the future.
The hundreds of possible sessions ranged from technical training on the latest penetration testing techniques to policy discussions. Several sessions discussed the implications of artificial intelligence and the growing concerns about how human bias and discrimination are magnified by these systems if not guided by policies and standards to protect individuals. An entire track of sessions was dedicated to the human dimensions of cybersecurity and the importance of policy. The recent congressional meetings with Mark Zuckerberg illustrated the challenge ahead to reach policy makers so they understand the basics of cybersecurity, privacy, and what can or can’t be done to help improve our current systems.
One of my favorite sessions was led by Bruce Schneier (of Schneier on Security and the Berkman Klein Center at Harvard University). He spoke of the urgency to build policy and regulations for the growth of the Internet of Things (IoT). It used to be that cybersecurity threats were ultimately about losing control of files of data; now threats are physical, real, and imminent. Instead of just attacking one self-driving car and taking it over, what will happen once hackers take control of all the self-driving cars of a particular make or model? He spoke of the complexity of keeping a device up to date as systems become compromised and updates may have unintended consequences. To check updates before rolling them out to car owners, car manufacturers will have to keep track of all the makes and models to test updates and make sure systems don’t fail as patches are rolled out. Beyond cars being basically computers on wheels, many of the devices in our homes and factories are now IoT devices. In today’s marketplace, consumers have no idea which IoT devices are safe, have backdoors, or if they are even updatable. His upcoming book, Click Here to Kill Everybody, should be very interesting.
Overall, this conference was encouraging and overwhelming all at the same time. It was encouraging to see progress in viewing cybersecurity as a cultural and mindset issue rather than just a technical problem. It was encouraging to see so many young scholars, educators, and technologists working tirelessly to make the world a better place. It was discouraging to see so few women at the conference. Yes, there were special “Women in Cybersecurity” sessions (and there was some tremendous mentoring going on), but there are few women and minorities in this field. The telling point was during session breaks, where the men’s bathrooms had long lines going down the hall while, at the same time, the women’s bathrooms had no lines at all. However, seeing the mixture of young cybersecurity scholars, I am hopeful that in the future we will see a representation that is more diverse, bringing with them the insights and experiences that will help build a cybersecurity mindset that can be widely embraced and core to our culture.
Ruth Shillair
PhD Candidate and Quello Research Assistant