Cybersecurity expert Howard Schmidt on ‘computer security done right’
Posted on Friday, May 1, 2015 at 9:55 AM
Howard Schmidt, former cybersecurity advisor to President Obama and a headliner at this year’s Global Intelligence Forum, talks about “accountability” in the Year of the Mega-Data Breach.
SAN FRANCISCO — The annual RSA security conference here is one of the largest gatherings of computer security professionals and companies in the world. It is also an opportunity for complaining and perhaps just a bit of navel gazing.
Where is the accountability? If 2013 was the “Year of the Breach” and 2014 was the “Year of the Mega-Breach,” 2015 may be the year that we run out of adjectives and start demanding real accountability from security vendors.
“The largest enterprises with the most sophisticated, ‘next-generation’ security tools were not able to stop miscreants from making off with millions of dollars, personal information, and sensitive secrets and damaging reputations,” Amit Yoran, the president of RSA, said in his keynote speech Tuesday.
In the cyber security industry, accountability has been in short supply, but there are hints of change. Several months ago, WhiteHat Security, the web security company, said it would start offering clients $250,000 in the event their website was breached using an attack technique that WhiteHat missed. Recently, Jeremiah Grossman, WhiteHat’s founder, said they had bumped up their guarantee to $500,000. This marked the first time a security company has done anything of the sort.
Mr. Grossman said he hoped others would follow suit, and foresaw a world in which insurance premiums would correlate with the security vendors that companies use, and one in which underwriters would start suing security vendors to recoup losses from a breach. “How else are cyber insurers going to recoup their losses?” said Howard Schmidt, the Obama administration’s former cyber security coordinator. “There needs to be accountability in the industry.”
The National Security Agency can forget about that encryption “front door.” In a talk earlier this month at Princeton University, Admiral Michael S. Rogers, director of the N.S.A., suggested that the intelligence community and Silicon Valley might reach some sort of technical compromise on the question of whether intelligence agencies and law enforcement would still have access to the data that Facebook, Apple, Google and others recently resolved to encrypt.
Adm. Rogers said he was not looking for a “back door” but a “front door” with “multiple locks — big locks.” Government officials are toying with the idea of key escrow, in which the government might hold onto part of an encryption key, and a company could hold onto the other. But security experts at the RSA conference say that, in reality, no such secure mechanism exists.
“Technically speaking, there’s a serious misunderstanding about key escrow,” Ron Rivest, one of the inventors of the RSA encryption algorithm, said during a cryptography panel at the conference on Tuesday. “The head of the N.S.A. is misusing this idea.”
Others agreed. “There is no sane argument for weakening encryption,” Mr. Yoran said in an interview. “Period.”
Should threat intelligence be free? The latest darlings of the security space are companies like Norse and iSight Partners that provide threat intelligence to companies about people behind the attacks. But this year, there were grumblings that such intelligence should be offered for free.
One chief information security officer said that he paid a subscription fee to a threat intelligence company, only to find out that some of the data he paid for had been recycled off his own network. Another big problem, security practitioners said, is that — not unlike antivirus products — threat intelligence is inherently reactive. It takes time for security researchers to find an attack, learn about the bad guys’ methods, and package that information into something useful. By then, it’s often too late for a juicy target, like a bank, to do anything about it.
Nobody argues that threat intelligence is worthless. Some point to the United Parcel Service, which discovered malware on some of its in-store cash registers after a government advisory advised companies to check their systems for point-of-sale malware. The problem, critics say, is that such intelligence should be dispersed as widely, and as cheaply, as possible.
Should Homeland Security be welcomed in Silicon Valley? In a speech Tuesday, Jeh Johnson, the secretary of the Department of Homeland Security, said his agency would be opening up an office in Silicon Valley. The goal, Secretary Johnson said, is threat sharing. Companies like Amazon, Facebook, Google, Microsoft, CloudFlare and Akamai see as many, if not more, cyber threats traveling through their networks than government agencies.
The government wants access to that data, but the companies aren’t so sure they want to give the government anything they don’t need to, even if the data is just about hackers’ methods and malware, and even if it’s anonymized.
Three information sharing bills are currently under consideration on Capitol Hill, but technologists and some legislators say each bill goes too far. Still, in his keynote Tuesday, Secretary Johnson said it was time companies started sharing threat data with the government and vice versa. “Government doesn’t have all the answers and we definitely don’t have all the talent,” he said. “It has to be a partnership.”
Who is minding the gap? The biggest buzzword in cybersecurity these days is “defense in depth,” a multilayered approach to security that relies on various security products from various companies. The problem with this approach, however, is that hackers are busy exploiting the gaps in these systems to break into corporate networks. As security vendors battle it out for a slice of the $665 million that companies spent on data loss prevention last year, security practitioners say, they should also be fighting less, and talking more.
Is tweeting about hacking planes a bad idea? Chris Roberts, the hacker and founder of One World Labs, was detained for four hours of questioning at Syracuse Airport last Wednesday after tweeting about hacking into the flight Wi-Fi systems to get oxygen masks to deploy. When he tried to board another United Airlines flight to the RSA Conference on Saturday, he learned the airline had banned him from its flights.
nytimes.com, April 22, 2015