RSA chief Art Coviello had a lot to cover at his RSA Conference keynote this week. In fact, he had so much to say that he tossed out his original talk and got straight to the point: his organization’s involvement with the NSA, the urgency of the cyber threat landscape, and how we should all be doing much, much more to collaborate as a security community.
Coviello came out of the gate with the first direct issue, denying the allegations that his company took $10 million from the NSA to build a backdoor into its software and noting that their joint projects were never secret. He says that, like other commercial organizations who work with the government, RSA used the (flawed) encryption algorithm that they named in order to meet their certification requirements, then took it out when NIST said they should. He also spent a few minutes discussing the dual nature of the NSA—the difference between its two purposes of intelligence gathering (offense) and information security (defense)—and reiterated a call to separate the two into different agencies.
Most of Coviello’s keynote, however, addressed the fact that all of us who work in security—within corporations, agencies, and technology companies—need to step up to the plate and start collaborating. (Something we at Guidance Software have been saying for a while, as well.) In essence, he said that we are failing as both an industry—and as a society—through our inaction. And he laid out four grand, aspirational goals for us all to work towards.
#1 – Ban cyber weapons: We have to think of them on a scale with weapons of mass destruction, Coviello claims. Because cyber weapons have an impact that goes well beyond the people or organizations whose data is targeted (for example, by migrating into the wild and providing a shortcut or “template” for malware developers), governments around the world should confer and collaborate. Only in a forum like this, he said, can an effective “rule of law” be created for protection from what will only become increasingly disastrous and far-reaching attacks.
#2 – Cooperate in investigation and prosecution: If we are the “white hats,” we have to protect more than our own organizations—we must help law enforcement prosecute cyber criminals. This will involve treaties between nations like those developed for addressing the nuclear threat, as well as laws and processes related to extradition and prosecution of cross-border cyber criminals.
#3 – Safeguard intellectual property rights and support e-commerce: Everyone stands to benefit if we can work together to make e-commerce and innovation more secure for the people and organizations involved. “The rule of law must rule,” Coviello said.
#4 – Ensure the privacy of all individuals: Personally identifying information is the new lingua franca—the increasingly literal currency of the modern age. Fundamental freedoms must be protected, but freedom always comes paired with responsibility. While leaders in U.S. government agencies increasingly claim that they would like leadership on this complex issue to come from industry while they support us, Coviello says that they have a responsibility to create and enforce a balance, “a balance based on a fair governance model and transparency.”
In 2014, we all claim to see that the cyber threat is real. My fear, however, is that it will take another dozen Target hacks (or more!) before we are ready as a society to take definitive action. The good news is that awareness is higher than ever before, and I think we’re closer to pulling the trigger.
Are You Collaborating with Other Good Guys? Have a Comment? I welcome your thoughts in the Comments section below.
Jason Fredrickson is the Senior Director, Enterprise Application Development at Guidance Software.