Best of times, worst of times? Check. Age of wisdom, age of foolishness? Check. A look at this year’s RSA Conference and some of the big takeaways from the show.
Charles Dickens began his 1859 masterpiece about the French Revolution, A Tale of Two Cities, with one of the most famous and oft-cited opening sentences. It starts: “It was the best of times, it was the worst of times…” The sentence is actually much longer than that: a series of observed contrasts expressed as independent clauses and strung together with commas. Among them: “it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity… it was the spring of hope, it was the winter of despair.” And my favorite: “we had everything before us, we had nothing before us.”
That now-famous description kept popping into my head as I moved about this year’s RSA Conference in San Francisco, the information security industry’s biggest gathering. I’m going to take a few moments to tell you why and what I think it means for the industry.
Versailles by the Bay
Let’s start with the obvious. It’s impossible to find yourself in the city of San Francisco, California in 2018 and not ruminate on the Paris, France of the late 18th century. The City by the Bay used to be where you moved to live cheaply and explore your creative passions. Today, it is a mecca for money and a magnet for bright young things and new ideas from all over the world. It’s a playground for 30-something software millionaires and billionaires, but it is also ground zero for endemic social ills like homelessness, drug addiction and eroding public infrastructure.
Walking down Mission Street, a friend who lives in the Bay Area summed this dynamic up nicely as he described for me a discernible, if invisible, line drawn on the blocks around Twitter’s Market Street headquarters. On one side of the line: the grinding poverty and despair of San Francisco’s Tenderloin district. On the other side lay what he called “TwitterVille.” On the one side, bodies lie strewn on the sidewalk and un-housed men and women, many in physical and mental anguish, gather in doorways and on corners. On the other side, bright, young and well-dressed Twitter employees dine in cafes and splurge on $6 mochas. There are countless, unrecognized acts of kindness and generosity that cross this line every day. I personally witnessed strangers handing containers of leftovers and carry-out to their fellow homeless and hungry San Franciscans. But clearly, those individual acts of humanity are unequal to the problem. “Let them eat scones,” if you will.
I’m hardly the first person to notice the contrasts. Countless articles have been published on the topic. In fact, Douglas Rushkoff wrote a book-length meditation on the problem, Throwing Rocks at the Google Bus. But that was two years ago. Since then, the problems and dynamics Rushkoff lamented have only worsened. ‘If everyone in this city is so damned smart,’ you find yourself asking, ‘then why haven’t we figured out how to house, feed and care for the most vulnerable among us?’ And then you remember that, alas, not all problems can be solved with technology, or at least that technology must be matched with a desire and will for change. Spring of hope, winter of despair, indeed!
Mind the pivot
Inside the Moscone Center, of course, the mood was decidedly more upbeat, despite a large-scale and disruptive renovation of the facility that is entering its third year. A thousand miles of maglev track and a couple of new cities will have sprung up in China in the time it takes the Moscone Center in San Francisco to get its nip and tuck. See also: crumbling infrastructure.
Like the industry it caters to, the RSA Conference has grown at a breathtaking pace in recent years. Last year’s show attracted more than 40,000 attendees.* And my guess is that this year’s show will at least match that mark (official numbers are not yet out). The conference, which started as a gathering of cryptographers in a hotel ballroom, now takes on a circus-like atmosphere with games and giveaways and endless virtual reality simulations that send goggled adults bumbling into walls and displays.
I’ve been coming to RSA for 15 years (and have the commemorative button to prove it). The energy and investment in the information security sector has never been higher. That’s a good thing for many of these firms, and I heard plenty of talk about fat pipelines, robust sales and revenues that have popped by double-digit percentages over last year. In the startup space, firms are landing healthy rounds of venture funding, especially in areas like cloud-based security, machine learning and artificial intelligence, and security for critical infrastructure.
But…but…but: big changes are on the horizon (or lurking below the surface, depending on your perspective). There are hundreds of companies exhibiting on the massive exhibition floors at the Moscone Center, but many of them are selling software, hardware and services that were designed to solve security problems in what we now refer to euphemistically as legacy IT environments. These are the kinds of business environments we’ve grown used to over the last three decades: big, commercial office buildings with data centers containing physical IT assets managed by a company’s IT group, and employees working on desktop or laptop systems in cubicles in central and branch offices, connected over a LAN or WAN.
That computing paradigm is fading, fast. If you ask founders of new start-up firms what kind of IT infrastructure they’re building and investing in, as I did on numerous occasions at the show, they’ll tell you “none.” Their employees have laptops. Everything they need to do their job and collaborate with co-workers is in the cloud and hosted on a platform like Amazon AWS, Microsoft Azure or Google’s cloud. Slack is displacing (if not replacing) email, and employees may be scattered over the globe working from home offices, coffee shops or coworking spaces like WeWork.
Among security start-ups, by and large, the tools and technologies these firms are working on take that kind of cloud-based, Dev-Ops driven environment as the norm. More and more, companies are looking for technologies to help them span the gaps between a growing number of cloud-based applications, legacy infrastructure and a growing population of diverse endpoints that includes, increasingly, connected “things” and embedded systems.
In the long term, the risks and threats facing decentralized, mobile-first, cloud-based, Dev-Ops driven environments are very different from those facing legacy IT environments, and many of those risks and threats are only just becoming clear right now. (See some of the writing we’ve done on the research by Chris Vickery at UpGuard as an example.) Very few of the firms at RSA have a clear answer to the question of how their technology will secure the enterprise IT systems of the future versus those of the past. In the short term, some of that technology will be rolled into existing cloud-based platforms. (And we’ve seen firms like Qualys snapping up smaller players like Nevis and NetWatcher.) But there are only so many possible buyers. Absent big changes, many of the firms exhibiting at RSA in 2018, selling into a shrinking market in the years ahead, may find that they’ve failed to ‘mind the pivot’ and have missed their exit.
GDPR U Ready?
At long last, the United States is finally getting comprehensive data protection regulation. The problem is: it’s coming from Europe and it’s going to cost a lot more than the $13 Italian Chianti you can pick up at the supermarket. I’m speaking, of course, of the EU General Data Protection Regulation, or GDPR.
Speakers at the RSA Conference have been calling for more action to protect consumer data for years. In just a month, we’re finally going to get that action. So it is not surprising that GDPR is a big deal here at the RSA Conference, as security and data protection firms look to capitalize on the strict requirements of the law, including a 72-hour mandated breach notification provision. On the sidelines, there is a lot of talk about what form enforcement will take after the May 25th deadline and whether prominent, US based firms may be in the crosshairs of EU regulators.
High-profile firms here don’t seem to want to take their chances. Facebook, Google and others have already made changes to their privacy policies and notifications for customers to take into account the law’s provisions. Though the law applies only to the data of people in the EU, many of those firms are applying the changes across their entire user base. Facebook, going the other way, has sought to cordon off EU from non-EU users. We’ll likely see responses all along the spectrum, from a hearty embrace of GDPR’s many requirements to a shrug. Pending enforcement actions, firms will be wondering whether GDPR is a paper tiger, or whether this could be the dawn of a new era of stricter, cross-border privacy and security regulation.
The big change, Cisco Chief Privacy Officer Michelle Dennedy told me, is that companies will need to think critically about the data they collect and the risk that goes along with collecting it. “The old-timey wisdom is that more is more,” she said. And now, in the post-GDPR world? “Data is similar to any other asset,” she said. “It’s a nuanced change in everyone’s business responsibility. We’re starting down the road where everyone will understand that when you’re being observed, when you are collecting observations, you are transacting in data. And so we’re going to slowly teach every employee what their data budget is and how to protect it.”
Securing all the Things
Another clear message of this year’s conference is that the Internet of Things is here and it matters. That’s easy to say. But the truth is that this is a new and challenging puzzle for the security industry, which has been laser-focused on protecting desktops, laptops, servers and (more recently) cloud and mobile devices.
IoT brings with it the challenge and confusion of the embedded device industry: all those electronic gadgets piling up around you that are of unknown provenance. The RSA Conference this year, as in years past, is hosting an IoT security sandbox, and the focus there is on learning the new skills that securing IoT demands: things like how to extract firmware from embedded systems and analyze it for software vulnerabilities, or how malicious actors may remotely attack connected things or move laterally from things to more traditional IT assets. These kinds of attacks aren’t hypothetical. They’re already happening, as the attacks on Ukraine’s power grid or the TRISIS malware that attacked facilities in Saudi Arabia illustrate. The challenge for the security industry is how to secure an incredibly diverse and entrenched population of connected devices, many of them with the potential to cause both cyber and physical damage.
Beyond that, securing the Internet of Things increasingly means looking past the particular thing the device is and considering the entire software and hardware supply chain that created it. The advent of the Mirai botnet showed us that devices as common as CCTV and IP-enabled surveillance cameras have very little in the way of security features to protect them. But there are very few incentives, currently, to improve the security of the embedded software and hardware that make up connected devices. Companies here are looking to solve that problem, either with technology to assess firmware or with technology to secure it from tampering.
We can see already at this year’s show that larger firms are looking to the future: introducing new hybrid hardware, software and cloud-based platforms with security baked in rather than bolted on, which will allow future generations of connected systems to leave behind the legacy of weak and insecure stuff. Microsoft, among others, released a new IoT device platform this week that, of all things, was based on the open-source Linux operating system.
If anything could convince us that IoT is forcing changes in the way established tech and security companies do business, I think the image of Microsoft releasing and promoting a Linux distribution is it! And it’s with that thought that I leave you.
(*) Correction: an earlier version of this story misstated the number of attendees at the 2017 RSA Conference. The story has been corrected. PFR April 21 2018