ESET’s Senior Security Researcher Stephen Cobb reflects on RSA 2018 and the state of the cybersecurity industry
More than 42,000 people attended last week’s RSA Conference in San Francisco. If you were not in attendance, hopefully you saw the three reports filed by my colleague, Cameron Camp (Untangling the enterprise security mess, Hacking the grid, and IoT security comes of age). In this article I discuss how RSA 2018 reflects the state of the cybersecurity industry and the ongoing struggle to bring order to cyberspace.
Known for many years as the RSA Data Security Conference, this annual event began as a small gathering of cryptographers but has now become a huge convention, with multiple exhibit halls required to accommodate the more than 600 companies that want to showcase their cybersecurity wares. This year there were over 550 conference sessions, featuring more than 700 speakers, plus 17 keynote presentations, making attending RSA both exciting and exhausting. (I’m pretty sure it’s the world’s largest cybersecurity conference, but if you know of a bigger one, please leave a comment and let me know.)
Notes of caution?
In recent years, those RSA keynotes, particularly the ones delivered on the opening day, have provided some insight into how the cybersecurity industry thinks things are going. In 2017, the two main keynotes were optimistic, despite the growing realization that, as the CTO of RSA, Zulfikar Ramzan put it: “our problem isn’t limited to initial cyber-attacks. More, it’s the long tail of chaos it creates.” He expressed hope that the chaos could be tamed by increased collaboration within the industry and between public and private sectors. Michael Dell talked of “the thirst for digital transformation” and how there was “a lot of optimism for 2017” around IT becoming BT: business technology instead of information technology.
Then came May 12, 2017. That was the day on which WannaCryptor/WannaCry ransomware began to hammer organizations around the world, including some hospitals in the UK. The keynoters at RSA 2018 could not ignore that, and in fact drew attention to it. RSA President Rohit Ghai called it “our wake-up call” where “our” was presumably all of us who are trying to protect information systems and the data they process.
Microsoft President Brad Smith said WannaCry was “not just an attack on machines.” It was, he said: “An attack that is endangering people’s lives.” Smith repeated the call he made at RSA last year for “a new Digital Geneva Convention” (discussed in my article last summer).
Smith and Ghai both called for organizations to work together – presumably better than they did in the wake of RSA 2017, given that WannaCry happened, followed by Petya/NotPetya. But reading between the lines at RSA 2018, I got the sense that there is a growing realization within the industry that working together in the way we have been doing so far might not be enough.
I was surprised to hear Ghai openly acknowledge that, “There is a very, very fine line between tech love and tech lash, and it takes a lifetime to build tech trust, and only a moment to lose it.” In other words, the benefits of digital technology are in danger of being undermined if the world does not do a better job of reducing cybercrime and other self-serving abuses of that technology.
Ghai’s statement may be as far as a large publicly-traded company can go, in public, when it comes to admitting that the future is not all hockey stick growth curves and soaring stock prices. Bear in mind that the RSA Conference is held in a part of the world that was hard hit by the Dotcom Crash, arguably a case of tech lash, one that caused the Nasdaq Composite to lose 78% of its value (plummeting to 1,114.11 from 5,046.86, a drop from which it took more than 15 years to recover).
What I know for sure is that when you ask consumers their opinion about how much risk cybercrime poses, they register serious concern. We know this from ESET’s research on risk perception as it relates to digital technology. As you may recall, last summer we found that criminal hacking and exposure of personal information were of very high concern to the more than 700 Americans we surveyed.
The week before RSA, I decided to check the level of concern. Using Google’s survey tool I asked over 700 US adults this question: “How much risk do you believe criminals hacking into computer systems pose to human health, safety, or prosperity?” The possible responses were: Little or no risk; Moderate risk; Serious risk; and Very high risk. Here are the results:
As you can see, a lot of people – over 71%, in fact – consider this risk to be either serious (35.7%) or very high (35.6%). I plan to carry out more surveys to zero in on specific concerns, but it is not hard to imagine that election hacking and nation-state hacking are right up there.
Companies like Microsoft have a lot more money for surveys than I do, so I expect they are well aware of growing public anxiety about digital security. That may help explain why, on Tuesday April 17, 34 global technology and security companies signed a Cybersecurity Tech Accord, which they described as “a watershed agreement among the largest-ever group of companies agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states.”
The companies that signed the Tech Accord had their first meeting during RSA 2018 but they were not all tech firms, reinforcing the perception that the tech sector as a whole, and not just the cybersecurity industry, now accepts that action at the highest level is needed to deter all forms of what Cameron Camp calls “cyberbadness.”
That highest level includes the governments of the world and the various groups to which they belong, from the UN to NATO, APEC to the EU, and so on. It may well include novel forms of international public-private partnership, born of the need to bring norms and the rule of law to cyberspace (see, for example, the Global Commission on Stability in Cyberspace).
The point is that the status quo, in which bad actors sow havoc and reap ill-gotten gains with relative impunity, is neither acceptable nor sustainable. At RSA 2018, I got the impression that the cybersecurity industry is now more aware of this than ever. Hopefully that awareness will translate into backing for the hard work that must be done at the highest levels to change the status quo and enable the full benefits of digital technology to be enjoyed safely and securely.