The 24th annual RSA Conference is underway at San Francisco’s Moscone Center and, depending on your personal level of background paranoia, it’s either a dream or a nightmare.
I’m posting this from the Press Working Room on the open WiFi network, so there’s every chance the security experts in attendance will have read these words before my editor does. Still, the conference is a far cry from DefCon or the Black Hat Conference — more collared shirts for one thing, and fewer unkempt beards. What’s absolutely familiar, though, is the concern amongst attendees about the current state of cybersecurity.
As RSA President Amit Yoran put it in his opening address: cybersecurity is broken.
Without a doubt, we are at an inflection point for humanity, where technology will control its own destiny, the results of which we cannot predict.
Simply put, and for all practical purposes, we can neither secure nor trust the pervasive, complex, and diverse end-point participants in any large and distributed, computing environment; nor the combinations of protocols and transports through which they interact. That is the situation we are in today.
If the host of a massive cyber-security conference is worried about the difficulty in securing data, the rest of us should be fairly shitting ourselves.
You wouldn’t guess the dire state of the industry after loitering in the exhibition halls, though. Corporate spending on network security is clearly in fine shape after successive years of increasing corporate mega-breaches. In North America alone, new cybersecurity spending is expected to reach $2.4 billion this year.
Selling security software requires mastery of a sweet tension between paranoia and complacency. Too much of either one is bad for business. Sure enough, Yoran’s frank appeal to paranoia was balanced out by later presentations made by U.S. Secretary of Homeland Security Jeh (pronounced “Jay”) Johnson and Federal Communications Commission Chairman Tom (pronounced “Tom”) Wheeler, who reassured a crowd of security professionals that the federal government, throughout its varied fiefdoms, “gets it.”
The combined gist of both men’s speeches was that if the government and the security industry can manage to work together effectively, the future will be more secure.
Secretary Johnson spoke first. He stressed the increasing importance of cybersecurity issues to his department, and encouraged private security companies to feel confident that sharing their expertise and real-time information with the DHS is a crucial and mutually beneficial line of defense against cybercrime.
He detailed a chain of executive orders issued by the Obama administration which address cybersecurity, including one from February seeking to establish clear guidelines for that information sharing under the aegis of the DHS’ National Cybersecurity and Communications Integration Center.
On its website the NCCIC describes its responsibilities:
The NCCIC Vision is a secure and resilient cyber and communications infrastructure that supports homeland security, a vibrant economy, and the health and safety of the American people.
According to Johnson, one of the biggest problems facing the NCCIC is the increasing sophistication of cryptography.
“The current course towards deeper encryption based on the demands of the marketplace makes defense and counterterrorism more difficult. Our ability to access encrypted information to assess cyberthreats is a national security risk,” he said. “We need your help to find a solution.”
That help could mean corporate cooperation with the NCCIC’s cyberthreat assessment and response efforts. Or, for those feeling inspired by duty, there is a more direct option.
“Please consider a tour of service for your country,” asked Johnson. If you’re interested in reporting for duty, Johnson announced today that the Department is opening a satellite office of the NCCIC in Silicon Valley.
FCC Chairman Wheeler’s talk presented many of the same themes to a significantly smaller audience. Though Homeland Security takes the lead on cybersecurity issues — because, you know, terrorism — Wheeler insisted the FCC’s cybersecurity role is written into its DNA.
“It is part of our statutory charge to protect communications security for the public,” Wheeler said.
Like Jeh Johnson, Wheeler urged the importance of private security companies working in tandem with the government, and sought to reassure squeamish executives.
“We need open honest dialogue between the government and the private sector, on matters of national safety. The information that private companies provide to us is protected from public disclosure, and will not be used to develop future regulatory proposals. Our interviews are not depositions, we are not trying to extract embarrassing information about vulnerabilities … and the FCC’s role is not to second-guess business decisions.”
Wheeler stressed his and the FCC’s business-friendly bona fides.
“The FCC has a proven record of partnership with the communications industry,” he said, as executives from Verizon dropped their jaws like cartoon wolves.
“Security requires real commitment from the loftiest levels of industry. I have been on enough corporate boards to know that things can only happen when the C-Suite makes it a priority. Corporate leaders need to become cybersecurity leaders.”
He went on to speak to the need to develop the cybersecurity workforce. “The largest single investment in cybersecurity is people,” Wheeler said.
Yes, cybersecurity might be deeply broken. No matter, it remains highly lucrative. The entire industry was spun out of mid-century defense research, and Johnson and Wheeler made the government’s message to the security industry clear: Phone home.
Up next: Alec Baldwin.