Art Coviello at RSA: Time for All of Us to Step Up on Cyber Threats and Privacy

Jason Fredrickson

RSA chief Art Coviello had a lot to cover at his RSA Conference keynote this week. In fact, he had so much to say that he tossed out his original talk and got straight to the point: his organization’s involvement with the NSA, the urgency of the cyber threat landscape, and how we should all be doing much, much more to collaborate as a security community.

Coviello came out of the gate with the first issue head-on, denying the allegations that his company took $10 million from the NSA to build a backdoor into its software and noting that RSA's joint projects with the agency were never secret. He said that, like other commercial organizations that work with the government, RSA used the (flawed) encryption algorithm that they named in order to meet its certification requirements, then took it out when NIST said it should. He also spent a few minutes discussing the dual nature of the NSA—the difference between its two purposes of intelligence gathering (offense) and information security (defense)—and reiterated a call to separate the two into different agencies.

Four Critical Calls to Action

Most of Coviello’s keynote, however, addressed the fact that all of us who work in security—within corporations, agencies, and technology companies—need to step up to the plate and start collaborating. (Something we at Guidance Software have been saying for a while, as well.) In essence, he said that we are failing as both an industry—and as a society—through our inaction. And he laid out four grand, aspirational goals for us all to work towards.

#1 – Ban cyber weapons: We have to think of them on a scale with weapons of mass destruction, Coviello claims. Because cyber weapons have an impact that goes well beyond the people or organizations whose data is targeted (for example, by migrating into the wild and providing a shortcut or “template” for malware developers), governments around the world should confer and collaborate. Only in a forum like this, he said, can an effective “rule of law” be created for protection from what will only become increasingly disastrous and far-reaching attacks.

#2 – Cooperate in investigation and prosecution: If we are the “white hats,” we have to protect more than our own organizations—we must help law enforcement prosecute cyber criminals. This will involve treaties between nations like those developed for addressing the nuclear threat, as well as laws and processes related to extradition and prosecution of cross-border cyber criminals.

#3 – Safeguard intellectual property rights and support e-commerce: Everyone stands to benefit if we can work together to make e-commerce and innovation more secure for the people and organizations involved. “The rule of law must rule,” Coviello said.

#4 – Ensure the privacy of all individuals: Personally identifying information is the new lingua franca—the increasingly literal currency of the modern age. Fundamental freedoms must be protected, but freedom always comes paired with responsibility. While leaders in U.S. government agencies increasingly claim that they would like leadership on this complex issue to come from industry while they support us, Coviello says that they have a responsibility to create and enforce a balance, “a balance based on a fair governance model and transparency.”

In 2014, we all claim to see that the cyber threat is real. My fear, however, is that it will take another dozen Target hacks (or more!) before we are ready as a society to take definitive action. The good news is that awareness is higher than ever before, and I think we’re closer to pulling the trigger.

Are You Collaborating with Other Good Guys? Have a Comment? I welcome your thoughts in the Comments section below.

Jason Fredrickson is the Senior Director, Enterprise Application Development at Guidance Software. 
