Why One Simple Concept Found its Way into Just About Every RSA Conference Keynote

From the opening keynote of this year’s RSA Conference in San Francisco Tuesday morning, one emerging theme spreading through the cyber security industry was made abundantly clear.

“We are not just protecting data and applications and infrastructures,” RSA President Rohit Ghai said. “We are in the business of protecting trust.”

Just to clarify, Ghai wasn’t suggesting that the industry has fully arrived at this conclusion today, but he did imply that it would soon. Ghai’s talk, during which he was joined on stage by cyber security strategist Niloofar Razi Howe, was set in the year 2049, with the underlying assumption that humans had figured out how to use technology to solve many of our pressing problems, from climate change and geological challenges to political discord and health care delivery.

What Ghai and Howe tried to get across was the idea that a trust crisis is coming because if something drastic isn’t done to ensure that trust is an underlying theme in human society, it will disappear.

“Humans have a way of taking things for granted until they’re taken away,” said Howe. “Trust is to the economy what water is to life.”

Let that sink in for a moment: Howe was saying that the cyber security industry has evolved from a bunch of misunderstood geeks in the basement protecting a network perimeter to protectors of possibly the most important societal and economic concept upon which we rely.

The bad news is, they haven’t done a great job thus far. And as the lines between facts, misinformation and opinions blur, trust is steadily becoming a forgotten ideal. Today, it’s showing up as political chaos and skepticism about the entities we trust with our information. If that slide continues unchecked, eventually the consequences will be much more dire. Think increased income disparity, food shortages, infrastructure collapse, revolution and rampant fascism, and you start to get the picture.

And here’s the scary thing about trust in this age of advanced technology: It has to extend endlessly, because tech has enabled us to reach across the globe in an instant to connect with total strangers. Or, conversely, to pluck funds from their bank accounts or chip away at their reputations.

“If you let your kids have a party in your house,” said Ghai, “it’s the friends of their friends of their friends you need to worry about.”

Later in the morning, during the annual Cryptographers’ Panel, trust reared its head again, when independent researcher Paul Kocher, a fixture on the panel for years, suggested that in order for people to trust that organizations are being held to data protection standards, laws like Europe’s General Data Protection Regulation need to be enforced such that they have real impact.

“Are we going to see fines that are material, or are we going to measure them based on hours of revenue?” Kocher asked.

In other words, when Google gets hit with a fine of $57 million for violating parts of the GDPR, instead of a maximum fine in the neighborhood of $3 billion, it amounts to a slap on the wrist that isn’t likely to change much of what Google is doing, nor does it instill consumer trust that government has our backs.

Similarly, people (at least those in democratic nations) need to trust that government can ensure that elections are on the up and up, which clearly hasn’t been the case of late. And the way FBI Director Christopher Wray put it during a keynote talk later on Tuesday, the potential for foreign actors to influence U.S. election results isn’t a problem that’s going away any time soon.

Wray said the FBI has created a foreign influence taskforce, and has developed more collaborative relationships with social media companies, whose platforms have been a central tool of foreign manipulation, especially at the hands of Russia. But Wray has no illusions about whether such efforts will prevent Russia from attempting to sow divisiveness and discord during the next election cycle.

“We’re gearing up for it to continue and grow again for 2020,” he said.

The topic of trust reared its head again on Wednesday during a keynote panel discussion on the weaponization of the Internet. With executives from Facebook and Twitter on the panel, the conversation veered toward the Russian manipulation campaign on both platforms, and Robert Joyce, senior advisor at the National Security Agency, said law enforcement agencies have been uncertain how to react because of how important being able to sound off on social media has become.

“We value that First Amendment and being able to say what we feel and believe,” Joyce said. “It’s a hard place for Americans to go.”

We want our leaders to stop the Russians’ meddling, but not if it means we can’t rant about Washington on Facebook and Twitter. We need to trust them to protect us and simultaneously preserve our freedoms, objectives that often are at odds with each other. Which means that the security teams at social media companies may be our greatest hope at achieving that delicate balance.

Finally, on Thursday, trust emerged as a theme during the SANS Institute’s annual Most Dangerous Attacks keynote. SANS instructor Ed Skoudis, one of the world’s foremost experts on penetration testing and a fixture on the panel over the years, pointed out that companies increasingly are trusting their cloud providers as if those providers were part of their own infrastructures, despite ample evidence that this trust may be misplaced.

“Bad guys are taking advantage of this,” Skoudis said. “The attackers are disappearing into the fog of the clouds.”

The implied mandate is clear: Cloud providers need to focus more on earning trust rather than just telling their customers to trust them.

But perhaps the most important trust that’s needed is that between employers and their employees. This is a tough one because of the constantly expanding array of insider threats that result from employee carelessness.

Johannes Ullrich, SANS’ dean of research, suggested that such accidental opening of vulnerabilities, while clearly a huge area of concern, needed to be handled with a gentler hand.

The bottom line to Ullrich is simple: Just as cyber security teams have grown to trust in the practice of sharing security intelligence with their counterparts in other companies, they also need to engender similar trust among their employees. This will ultimately enable them to respond to those insider threats in a more timely fashion.

“Don’t be too hard on people who click on bad attachments,” Ullrich said. “You want people to report when they open vulnerabilities.”

Recasting Niloofar Razi Howe’s powerful words from Tuesday morning, trust is to cyber security what love is to a relationship. Without one, you can’t have the other.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: