Tim Weston had to miss his son’s baseball game the night Colonial Pipeline was hacked. His son hit his first-ever home run that spring night, while his dad dealt with the fallout from the biggest-ever hack to hit a U.S. critical infrastructure provider.
Though most of us may not be as involved in cybersecurity as Weston, who is the cybersecurity coordinator for the U.S. Department of Homeland Security and the U.S. Transportation Security Administration, his story sums up the general sentiment at this year’s RSA Conference: Cybersecurity is no longer just an industry concern. It’s affecting ordinary people in real and direct ways.
Tens of thousands of people descended on San Francisco the week of June 6, 2022, for the big show, which has been hosted by RSA Security, the Massachusetts-based security giant, since 1991.
With more than 350 sessions and 600 speakers (some sessions have multiple speakers; I know, it confused me at first, too), the event covered a lot of ground this year.
First and foremost, there was no shortage of chatter about the major breaches of the past 12 months. In addition to Colonial Pipeline, JBS and the Log4J vulnerability got a lot of attention.
At least a half dozen presentations and keynotes were devoted to ransomware. Derek Melber, the chief technology and security strategist at Tenable, for example, caused the audience’s jaws to drop when he described “quantum ransomware,” a new threat that many people are still unaware of.
He cited a recent incident in which quantum ransomware was deployed on an organization just 3 hours and 50 minutes after that organization’s network was initially breached. That’s frighteningly quick, considering attackers can be inside a company’s networks for weeks or even months before being discovered.
Other themes on display this year included:
- Phishing, and how it’s still the top way for hackers to breach a network, since human beings are, well, imperfect.
- The ongoing threat of malware.
- The proliferation of dark web marketplaces, where criminal specialists of all varieties can easily buy and sell log-in credentials and other personal information.
- The commonly held belief that, no matter what we do, no one will ever be able to fully protect every device that’s connected to the internet.
On that last point, there seemed to be general agreement that human eyes are not enough to monitor an increasingly chaotic threat landscape. Automated technologies that incorporate artificial intelligence and machine learning are sorely needed.
Josh Saxe, a chief scientist at Sophos, spoke on this topic during a presentation titled “Assessing Vendor AI Claims Like a Data Scientist, Even If You Aren’t One.” Saxe noted that cybersecurity is focused on looking at data to identify signs of suspicious activity. “Machine learning is an obvious tool for that job,” he told the room, which was fairly packed for the 8:30 AM Monday morning session.
Hundreds of Millions of Signals a Day
You can’t talk about security without also talking about privacy, and one of the most popular keynote addresses at the conference this year was led by privacy executives at Google, Apple and LinkedIn.
During the panel, Jane Horvath, the chief privacy officer at Apple, discussed the need to balance risk and innovation — two priorities that, she suggested, stand in opposition to each other.
Horvath said the reason Apple has been so strong on protecting users’ privacy is that no single person “owns” privacy at Apple. “It’s cross functional, and we all work together. It’s embedded in every product, and we build it in from the start.”
Both Horvath and her counterpart at Google, chief privacy officer Keith Enright, spoke forebodingly of federal privacy laws during the keynote panel. “With antitrust, a lot of bills are being considered that we should have grave concerns with,” he said.
One of the legislative initiatives requires open sharing of information with third parties, which could present new privacy and security risks. “We are looking at hundreds of millions of signals a day in order to protect users,” said Enright. “And the challenge with some of the proposed laws is the restrictions [they place] on our ability to act on that information, without, maybe, opening ourselves up to legal claims from third parties.”
‘It’s the Same Fight, But We Have a Bigger Army’
The talent shortage is another cybersecurity industry threat that was on people’s minds at RSA Conference this year.
Information technology professionals, whose job is to protect the networks we rely on every day, are burning out in large numbers. Losing the workers who operate on the front lines of security day in and day out is part of the reason attacks like Colonial Pipeline can happen. Essentially, it’s easier for criminals to break in when there are fewer guards on patrol.
Every day of the conference saw at least one session or workshop devoted to finding ways to solve the cybersecurity talent shortage. There were frameworks offered to “hack the workforce gap” and sessions on how to discover new ways to unearth and grow talent.
But it wasn’t all gloom and doom on the talent front. Enright said he and his team are seeing a stronger talent pool than ever before. “That trend is going to continue,” he said. “So it’s the same fight, but we have a bigger army.”
Interested in chatting about the latest trends from RSA Conference 2022? Get in touch with our cybersecurity marketing team.