The Dismal Nature Of The Cyber Security Industry ... And Other RSA Conference Notes
Leon Panetta's nightmare; Cyber-currencies are boosting cybercrime; Jobs for life; Outsourcing security to the cloud
Walking around the giant show floor at RSA I was struck by a thought: what a dismal industry this must be. If you are good at your job, you haven't created any new technology that makes processes more productive, or could be used to create new types of products -- you have plugged the known holes in the bucket. You cannot reliably stop future attacks -- only the ones that are known. And despite all that work, cyber crime continues to grow and prosper.
The cost of cyber crime is the loss itself -- predicted to be $6 trillion a year in 2021 -- plus the cost of buying the cyber security needed to bolt the stable door -- plus all the engineers involved in developing the software, and then on the customer side implementing it, all the sales people, field support staff, marketing, VCs, etc.
It all seems such a dismal waste of human energies that could be used for other things rather than trying to frustrate computer hackers who seem to have no problem getting around those brilliant defenses and gallant efforts.
SECURING THE NEWS
Leon Panetta, the former Secretary of Defense and former Director of the CIA, is an Oracle board member. Speaking at an evening RSA-related event, he said that attacks by nation-state hackers are a huge problem. "Pay attention. National defense is not just the responsibility of government, everyone has a role."
His biggest nightmare is of a computer virus that attacks and disables US infrastructure. He estimates that such an attack could result in millions of lost lives -- it would be a digital Pearl Harbor.
He warned that Russian and Chinese state financed hackers are starting to work together and share technologies to produce sophisticated cyber weapons.
Panetta also warned about attempts to divide US society -- a reference to fake news in elections. But fake news is in the realm of cultural hacking. A meme acts like a computer virus but it cannot be stopped with the same cybersecurity tools. I asked him if there were any defenses developed by US agencies against fake news, but he shook his head, saying it was a different class of problem.
CYBERCURRENCY BOOSTS CRIME
Oded Vanunu runs a team of more than 200 people researching product vulnerabilities for Check Point. He says that nation states are well ahead of the cybersecurity industry in terms of discovering new vulnerabilities. There's no talent shortage here. He says the governments pay well for the best talent and they have developed very sophisticated attack technologies. He believes that malware might already be implanted in many different places and could be triggered by a code.
"There are also many online markets that will pay people huge sums of money if they discover a vulnerability. Plus the rise of cyber-currencies makes it easy for criminals to hide their money." These factors are fueling cybersecurity losses. Vanunu says the industry is behind and needs to catch up.
JOBS FOR LIFE
John Chambers, the former CEO of Cisco, is now a venture capitalist. He said computer security professionals had nothing to worry about from job losses due to AI and other technologies. He predicted that at least 30 million jobs would be lost over the next ten years. He said the problem with cybersecurity is that CEOs don't know if they have spent enough money on protection and they don't know how much protection they have bought. One of his startups is helping companies answer this question.
CLOUDY SECURITY ISSUES...
Oracle and KPMG released their "Cloud Threat Report 2019" and one of the many interesting discoveries was that cloud users seem to misunderstand their security risk.
The use of cloud-based IT has been boosted by the complexity of the security architectures and the difficulties in keeping up with the fast patching pace of new vulnerabilities. The report found that 73% believe the cloud offers better security than they can provide in-house.
But cloud users need to read the fine print because, according to the report, they don't all understand that security is a shared responsibility.
"Confusion around the shared responsibility security model has resulted in cybersecurity incidents. A lack of clarity on this foundational cloud security construct has had real consequences for many enterprises, including the introduction of malware and loss of data."