2014 Converge Detroit: How the Surveillance State Changes IT Security Forever
The 2014 Converge Detroit conference brought together business professionals, developers and hackers from the information security industry for two days of keynotes, sessions and networking at the COBO Center in Detroit, Michigan.
Keynote: How the Surveillance State Changes IT Security Forever
Speaker: Richard Stiennon
Kicking off the conference early Thursday morning, Richard Stiennon, Chief Research Analyst of IT-Harvest and infosec expert, gave a keynote speech titled How the Surveillance State Changes IT Security Forever. The theme centered, of course, on NSA surveillance and on how recent government activity affects security vendors today.
He emphasized why metadata matters: in many scenarios, metadata alone is enough to infer who is talking to whom and why, such as communications between members of Congress and stockholders, calls between acquirers and their acquisition targets, contact between journalists and whistleblowers, and interactions between CEOs and CFOs.
He also described how the surveillance state turns the intelligence cycle on its head. According to the CIA's own site for students in grades 6-12, the cycle should run:
- Planning and Direction
- Collection
- Processing
- Analysis and Production
- Dissemination
Instead, the NSA's apparent mode of intelligence cycling reorders the steps: it first collects data, then plans its direction, processes the data, performs analysis and production, and finally disseminates its findings.
Destruction of Trust Around the World
Another part of Richard's talk addressed how the 'surveillance state' has eroded trust in American security products around the world. According to Richard, the NSA had a backdoor into Chinese firewalls, and had hacked into the Chinese headquarters of a certain firewall company in order to implant surveillance software.
The de-Americanization of Chinese networks is underway: local companies are being persuaded not to use American devices or gear in Chinese installations, and China also happens to be the biggest market for the security industry.
Another example of the destruction of trust is last year's headline, Brazil Snubs Boeing in Fighter Jet Deal, describing how Brazil chose the aircraft maker Saab for a $4.5 billion, 10-year contract over American aircraft manufacturers (reportedly for financial and technology intelligence-sharing reasons, although it had recently been leaked that the NSA had been spying on foreign heads of state, including the Brazilian president, Dilma Rousseff, according to NYTimes.com).
Surveillance State for Security Vendors
Richard also pointed out that government projects have larger budgets than most cybercrime operations, with $632 million devoted to breaking into foreign networks and installing surveillance technology. So what are the implications for security vendors as a surveillance state emerges?
He stated that security vendors must treat the state as a threat actor, just like any other source of potential cyber attack, claiming that the NSA is a bigger threat and a bigger driver of IT security investment than hackers, cyber criminals and even espionage by foreign governments. He advocated complete transparency, urging security vendors to research NSA malware and publish their findings, exactly as they would for any other malware, in order to inform and prepare the security community.
With the security industry having grown from a three billion dollar industry in 2003 to its current size (17x in 10 years), he predicted that it will grow to nearly $639 billion in another 10 years, a CAGR of 24 percent. That kind of rapid growth requires organizations to invest in security, since the proven adversary (the NSA) is bigger than any hacktivist or cyber criminal.
The biggest threat is the NSA's ability to outspend us on the resources used to decrypt and store vast amounts of data. Some vendors have successfully pushed to curtail government budgets and government spending with security vendors in order to keep the agencies in check.
The balance between living in a nation state and maintaining real security and growth in the industry is a delicate one, but by working together as a security community, it is possible to achieve.
Richard Stiennon, Chief Research Analyst, IT-Harvest
Richard is a technologist and industry analyst. He was an ethical hacker for PricewaterhouseCoopers early in his career. Now he focuses on industry trends, global cybersecurity policy, and the threatscape.
Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the booming IT security industry. He is the author of Surviving Cyberwar (Government Institutes, 2010) and UP and to the RIGHT: Strategy and Tactics of Analyst Influence (IT-Harvest Press, 2012). He writes the Cyber Domain column for forbes.com and is frequently quoted as a cyber security expert in mainstream media. He advises his clients on cybersecurity strategy. Richard is also the Executive Editor of securitycurrent.com and the Senior Fellow at the International Cybersecurity Dialogue. He was Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that, Richard was VP Research at Gartner, Inc.
Stiennon has presented on cyber security threats and defenses in 28 countries on six continents. He is known for his iconoclastic analysis of the security industry and always challenges his audience to question accepted practices in the face of changing cyber threats. Richard has a B.S. in Aerospace Engineering and has his MA in War in the Modern World from King’s College, London. He is writing his next book on cyberwar and military affairs.