15 Highlights: RSA Conference 2019Cybersecurity 'Things Can Only Get Better' as Conference Marks Its 28th Year
More than 42,000 attendees visited San Francisco's Moscone Center in March for RSA Conference 2019.
See Also: HIPAA Audits: A Revised Game Plan
The event celebrated multiple firsts, including a newly rebuilt Moscone Center for holding all of those attendees; a new full-day track, hosted by Bruce Schneier, focusing on public interest technology; as well as a public commitment by RSA and its sponsors to put more women front and center on the stage of what is arguably the world's most high-profile cybersecurity conference.
28th Annual RSA Conference
Not for the first time, the keynotes and briefings at the annual RSA conference - now in its 28th year - covered a massive array of topics. A grand total of 621 sessions offered insights on privacy, hackers, cyber extortion, machine learning, artificial intelligence, human psychology, legal matters, career advice and internet-connected device concerns and much more.
But first, the information security conference started with a bit of spectacle.
Prime Subject? No Mystery
One reason to get to the 8 a.m. keynote presentations on the Tuesday when the RSA briefings kicked off: The guest stars.
Enter Helen Mirren, star of stage and screen, who delivered an opening monologue praising the cybersecurity community for its collective efforts.
"Together you stop the cyber underworld from growing out of control. ... You are a hero," Mirren told the audience members.
'Things Can Only Get Better'
RSA turned up the British dial even more, as members of the cybersecurity community joined a gospel choir onstage to deliver their rendition of British pop singer Howard Jones' "Things Can Only Get Better."
Synergy alert: Better is also the theme of this year's conference, featured everywhere from the conference billboards to bags.
Women Own the Stage
One of the things the RSA conference strove to do better this year was to feature more women in speaking roles. Whereas previous years had many all-male lineups, often featuring executives from RSA, McAfee and Microsoft, followed by all-male participants in the Cryptographer's Panel, this year's program included much more female participation.
At the opening keynote presentations on March 5, Niloofar Razi Howe, a cybersecurity strategist and entrepreneur, was featured along with RSA President Rohit Ghai, looking at how cybersecurity must evolve to meet the needs of tomorrow's society, be it privacy or addressing energy and water shortages. But above all, security must be trustworthy.
"Trust does not require perfection. It requires transparency, accountability, honesty and reliability," Howe said (see: A Vision of the Role for Machines in Security).
Security Versus Dancing Cats
But it's 2019 and clearly, much about cybersecurity could be better.
"We suck at remembering passwords. We struggle to process large amounts of data. And yes some of us still click on dancing cat videos," RSA's Ghai told the audience.
Internet-Connected Device Challenges
Meanwhile, Matt Watchinski, vice president of the global threat intelligence group for Cisco Talos, contemplated the sheer number of internet-connected devices that will soon exist, estimating it will hit 250 billion by 2020. "Clearly I'm going to need more pockets for all of these devices," he said.
Liz Centoni, general manager for Cisco IoT, outlined the clear and present cybersecurity dangers. "It's not unusual for customers to tell me that they don't know 40 to 50 percent of what's in their environment," she said.
RSA: Something Missing
Something else that could have been better: The U.S. State Department getting its visa act together.
Notably absent from this year's RSA, including its annual Cryptographer's Panel: Adi Shamir, the "S" in the RSA public-key cryptosystem, which Ron Rivest, Shamir and Leonard Adleman developed in 1977.
Unbelievable. The Cryptographer's Panel at @RSAConference 2019 is missing Adi Shamir (the "S" in RSA), who was unable to secure a US visa.— Mathew J Schwartz (@euroinfosec) March 5, 2019
Adi in a video to #RSAC: "Perhaps it's time we rethink the question of how and where we organize our major scientific conference." pic.twitter.com/xBnKzEEFtG
Addressing the conference via a prerecorded message, Shamir, an Israeli national, said his request for a U.S. tourist visa had not been approved or denied. If the U.S. couldn't get its act together, Shamir suggested that RSA take the show somewhere else.
Shamir said he'd been planning to present new research on the security of AES. "I'll have to break the news at some other time and place," he said.
How's this for choice? Four days of briefings, more than 30 keynotes - including Tina Fey on the closing day - as well as choosing from 740 speakers, via presentations at Moscone Center - North, South, West - and the Marriott Marquis.
Of course, there are some things in life you can't control - namely, the weather.
Thankfully, RSA Conference 2019 avoided last year's unrelenting deluges. Mostly.
Moscone Gets a Refresh
The long-running renovation of Moscone Center North and South has finally concluded, resulting in new buildings that feature more open and well-lit interiors.
Unfortunately, the Marriott Marquis remained a construction zone, with hotel staff resorting to using paths of colored tape in an attempt to route conference goers and hotel guests alike past temporary walls.
RSA Conference 2019 also featured more than 700 exhibitors across the redesigned Moscone North and South exhibition halls.
Feds Focus on Chinese Counterintelligence
No information security conference these days would be complete without focusing on nation-state hackers. While the specter of Russia's ongoing attempts to interfere in Western elections ran throughout the show, FBI Director Christopher Wray used an opening keynote slot to hammer home the threat posed to the U.S. by China.
In a conversation with Lawfare's Susan Hennessey, Wray noted that nearly every FBI office has an investigation underway that looks into alleged Chinese counterintelligence operations. Wray said that after returning to the bureau from a private law practice two years ago, he was surprised by the sheer scale of China's counterintelligence efforts.
"There is nothing like it. I am not someone who is prone to hyperbole, but ... the thing that shocked me was the breadth, depth and the scale of the Chinese counterintelligence," Wray told the RSA audience.
Experts Dissect the Latest Trends
What's the best way to take the pulse of all the other topics that are on information security professionals minds? One proven strategy: See what they have to say. To that end, Information Security Media Group conducted video interviews with more than 150 information security practitioners, including numerous CISOs, as well as executives, threat researchers, leading legal experts and more.
On the agenda: Recent mergers and acquisitions, including NTT Security buying WhiteHat Security as well as what's in store for since AT&T just rebranded its AlienVault acquisition as AT&T Cybersecurity.
Meanwhile, practitioners paid close attention to matters pertinent to their role as CISOs.
Former CISO Thom Langford spoke about how he'd hit bottom and battled his way past burnout, while CSO Andrew Rose talked about how he'd been putting into practice many of the great ideas he gathered while serving as a Forrester analyst, most recently at Vocalink, which is a MasterCard company.
Beyond that, topics ranged far and wide, including the privacy imperative now facing organizations, lessons learned from GDPR notification and threat researchers reviewing why cyber extortion - and especially more advanced phishing - seems unstoppable, as does U.S. bank card fraud.
NSA Offers a Free Tool
"Psst - hey buddy, want a free reverse-engineering tool?"
So went the pitch from the National Security Agency's Rob Joyce, who took to the RSA briefing stage to announce the release of a home-built tool - Ghidra - from the agency for reverse-engineering software (see: NSA Pitches Free Reverse-Engineering Tool Called Ghidra).
"For the record, there's no backdoor in Ghidra," he said, prompting laughter. "This is the last community [to which] you'd want to release something with a backdoor."
Joyce said the tool has been built by the NSA to meet very particular requirements. "We use it across the two main missions of the NSA: cybersecurity and foreign intelligence," he said. The software helps with security validation - ensuring that a box or device does what it says it does, and nothing more - as well as malware analysis, discovering vulnerabilities and simply taking a deep dive into any type of software.
"Doing software reverse-engineering is like working a puzzle - you're given a binary and you're trying to get back to an understanding of what it is and what it does," Joyce said.
While the tool is now free and in the public domain, Joyce did admit to having some ulterior motives: The NSA wants to foster more skilled interns that it can turn into salaried employees.
First, however, it wants to help students learn to become better reverse engineers.
"If I go to a school and I see Ghidra, that [will be] a huge measure of success," Joyce said. "I'll be really transparent: That education also helps us."
More Cybersecurity Professionals Please
Better education isn't being demanded just by NSA. It's a truism of the field that more needs to be done, not just to educate professionals but to produce more of them.
For example, ISACA, the international professional association focused on IT governance, conducts an annual survey of cybersecurity professionals (see: The Future of Cybersecurity Education - Part 1).
No surprise about the findings: Businesses say they're desperately seeking more cybersecurity professionals.
Backdoors Are Still Bad
Word of warning to cybersecurity professionals: Be responsible.
That's because backdoors are back. Or rather, they never left. And the annual Cryptographer's Panel on the opening morning hit the topic hard, launching a broadside against backdoors and those who love them or facilitate them, on the heels of Australia having passed controversial legislation that can send developers to jail if they don't build government-mandated backdoors into software.
"The laws of mathematics may be all well and good, but the laws of Australia apply in Australia," said cryptographer Whitfield Diffie.
Paul Kocher said the matter involves a question of ethics: "If anyone should go to prison, It should be developers who sneak backdoors into their products. Secret backdoors are kind of like pathogens, and governments have done a terrible job of not managing them," he said, referring to how NotPetya was apparently a collection of exploits built by the NSA, which lost control of them.
"People in computer science are realizing more and more that this ability to draw on computation is giving us an immense amount of power, but also responsibility," said Shafi Goldwasser, director of the Simons Institute for the Theory of Computing.
"The road to hell is paved with good intentions," said Ron Rivest, the "R" in the RSA cryptosystem.
All photographs by Mathew Schwartz