2014 RSA Keynotes: Juniper, Microsoft & RSA on Security Today
I’m in sunny San Francisco, attending the ongoing 2014 RSA Conference, where all of the keynotes seem to center around the major elephant in the room - NSA surveillance, the industry, and public trust. Read on for a summary of my takeaways from a few of the talks this morning:
Redefining Identity in the Age of Intelligence-Driven Security
Speaker: Arthur W. Coviello, Executive Chairman, RSA
I came in at the tail end of this talk, but Arthur articulated what we all know to be true - as new technology emerges and gains popularity, we have to find new ways to ensure security is not only accessible to everyone, but designed to fit our needs. “Personal information has become the true currency of the digital age,” he stated.
With cloud, social and mobile technology increasingly connecting our lives online (much like the Internet of Things), he’s right in acknowledging that we’ve reached a breaking point when it comes to identity management and protecting our personal data.
“We don’t need more security, we need better security,” he insisted. With new technology comes the aggregation of tons of data - big data, as we’re all fond of saying. While there will always be concerns about what kind of data is being collected, the data also informs us about users and how they’re using new technology - which in turn, can inform us when it comes to security innovation.
Making security better can mean a lot of things. One is making it easier to implement - although people know what the right thing to do is, if it’s not easy and seamless to work into our everyday lives, we don’t do it. That includes IT professionals, administrators and others who run our operations and dictate what the security norms are in our society, namely in organizations that control access to critical infrastructure and our online identities.
Conundrums in Cyberspace: Exploiting Security in the Name of, well, Security
Speaker: Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
Trust in technology has been badly undermined by public disclosures of widespread government surveillance programs. As the important public debate over the limits of government access to private data continues, customers, governments and others need to know where technology providers stand.
Scott Charney gave a talk more focused on how public trust in technology has been undermined and broken by the disclosures of the NSA’s surveillance programs. With competing interests in society between citizens, the industry and the government’s role and responsibility in securing those users, he talked about how security often gets overlooked.
“The city never fixes a pothole until it breaks an axle,” he stated.
Scott went on to state that there was a need for governments to establish normative ways to investigate data breaches, as the growth and spread of data past domestic boundaries into a truly global society raises questions about how governments ensure data privacy.
He insisted that citizens must engage in the role of government when it comes to establishing data norms, but that industries lie somewhere in the middle, acknowledging the reality of those in the industry that have to make quick decisions about security in order to deliver to consumers and the government.
“You can choose to encrypt things or you can choose not to encrypt things - it makes the government’s life easier, but there’s a data privacy tradeoff,” he said.
This again goes back to innovation vs. security, and the responsibility of vendors to deliver not only advanced technology to meet our data and Internet demands, but also to protect us by ensuring their products and services have been vetted by security vendors for any glaring vulnerabilities that could put them in danger.
Scott was careful to convey Microsoft’s stance on no backdoors for governments, stating that they didn’t care about the source or intention of malware, but that they were focused on information assurance only. If they were to cater to offensive technology, it would create a string of services for governments and industries to attack other countries.
They had never received orders for bulk data, he said, but if they were, for example, served orders to hand over data from their enterprise customers in the cloud, Microsoft would direct the government to deal with the organization to get the data directly, not through them.
The Next World War Will be Fought in Silicon Valley
Speaker: Nawaf Bitar, Senior Vice President and General Manager, Security Business Unit, Juniper Networks, Inc.
“Public trust is at an all-time low.”
Nawaf’s talk was hard-hitting and relied heavily on analogy, comparing early advancements in the medical field to innovation in the information security industry.
He led with the reason for our lack of security innovation and integration, namely, apathy. He claimed that we’re only moved to action when our real, not just stated, actions are at stake, defining real actions as the things that we actually care about, like when the safety of loved ones is threatened.
Nawaf even coined a hashtag, #firstworldoutrage, to define the way society pretends to care about things that don’t truly touch us in the first world, including injustices like water outages or inhumane practices, claiming we substitute real care and action for “liking” a cause on Facebook.
Similarly, enacting actual security practices doesn’t become an issue until it actually threatens something we feel close to and care about. He cited the Semmelweis Reflex as another way society holds back security: the tendency to reject new evidence or knowledge simply because it contradicts our established norms, beliefs or previous way of doing things.
The Semmelweis Reflex is named after an early Hungarian doctor, Ignaz Semmelweis, who discovered that by washing their hands, doctors could greatly reduce the death rate of mothers during childbirth; those deaths occurred simply because doctors didn’t realize they were operating in an unsanitary way. Physicians in the 1800s rejected the notion on no real grounds, except that it was a novel idea that changed the way they worked.
The same goes for security innovation - by implementing simple security behavior and making it the norm, we could potentially greatly reduce our risk of a data breach or worse. The changing threat landscape can mean possible attacks on our power grids and threats to the intellectual property of companies, more often conducted by nations seeking to exploit weaknesses in the cybersecurity of other nations.
Ultimately, it’s up to us to take action or passively wait for the next world war in Silicon Valley.