I attended the Georgia Tech Cyber Security Conference in Atlanta, GA last Tuesday. It had been a long time since I was afforded the opportunity to attend a cyber-conference/discussion. The keynote speaker was Ret. Admiral James Fallon and he was followed by a panel of security leaders from various companies.
Adm Fallon’s speech focused on how much the threat had changed from a physical nature to a faceless digital threat. He also expressed concern about the lack of cooperation and teaming between organizations, both private and public, to address the increasing security threat.
The panel addressed some scripted questions, presented by Tony Spinelli. There were some interesting characters on the panel, with a couple who seemed overly paranoid and doomsday prognosticators. I get that security pros are somewhat paranoid by nature, but calling for the end of days is over the top. This type of nonsense makes all of us in the profession sound like deranged shamans.
One of the questions I had for the panel, but did not get a chance to ask, was how to address the challenges faced in getting C-staff employees on board to support security initiatives. We see data breaches occurring, and there is some activity from peers in the same vertical markets to take precautions. However, the out-of-sight, out-of-mind mentality still persists among company leadership.
I know this is a bold statement and politically incorrect, but it’s not like I give a shit about being PC to begin with. I believe IT security professionals like things just the way they are. Think about it: if it wasn’t for hackers, cyber criminals and state-sponsored attacks we would all be out of a job. Well, maybe not out of a job, but definitely doing something else. Would you rather do anything besides your security work? Didn’t think so, and don’t believe anyone in the industry who says otherwise, since they spend nearly every waking moment preventing, detecting, reacting, mitigating, correcting or researching. Don’t forget playing with exploits or tools to see how they work, too. I work with some real psychos, but they are valuable and way smarter than me.
Dmitri Alperovitch from McAfee was on the panel and was one of the two most interesting speakers. He was really focused on the cyber-criminal threat and really dismissed the term APT. I could tell he was irked every time someone used the acronym, which was comical. Dmitri also commented on how we all have failed collectively at stopping cyber-attacks. Have we failed, or are we experiencing a type of evolutionary change? I think Cisco came up with great marketing when they took advantage of the phrase “the human network”. Their marketing video explains the virtual connection we have with virtually any spot on the planet, and off it if you consider the Space Station. http://together.cisco.com/#/view/intro
While it is not conceivable that everyone wants this connection to the rest of the human network, it is happening. Securing the connection and compartmentalizing (to steal a concept from the spook world) is the real challenge. Thomas Friedman, while I believe he is a liberal whack job, nailed the concept with his book “The World is Flat”. When the human network laid trans-oceanic fiber, we were laying arteries and nerves to establish connections with various parts. Obviously, these connections pose a risk and a concern for privacy. For example, HHS is attempting to protect electronic health records with this moronic Meaningful Use bullshit, or Meaningless Use if you prefer. In case you didn’t know, you can be best-practiced to death, and both providers and payers are scrambling to understand what Meaningful Use is and how it affects them. HIPAA is already pathetic, and now they add in Meaningless Use requirements.
Dmitri also spoke briefly on the state-sponsored threats and purposefully called out China. If anyone in the security industry denies China is involved in this activity, they should receive 20 lashings with a console cable.