7 RSA Takeaways: 'Human Element' Meets COVID-19 ConcernsSupply Chain, Zero Trust and Coronavirus Among Topics Dominating 2020 Conference
The world's biggest pure-play cybersecurity conference remains RSA, which ran this year from Feb. 24 to 28 at San Francisco's Moscone Center.
See Also: What is next-generation AML?
The event remains a must-attend gathering for many information security professionals, not just to bring together prospects, customers and vendors, but also for its top-notch briefings and chance to strengthen and expand your professional network.
"We have new adversaries in the upcoming elections - it may not be the Russians, it may be the coronavirus."
Topically, sessions I attended - and interviews I conducted - touched on a number of themes. My back-of-the-envelope top 10 would have to include: the security of elections, applications and supply chains, plus AI, zero trust, cybercrime, and threat intelligence. Compliance and regulatory issues - as well as frameworks - were also hot, as were discussions about the role of the CSO/CISO, including their technical aptitude (see: 10 Hot Cybersecurity Topics at RSA Conference 2020).
Here are seven of my biggest takeaways from the themes and events that dominated this year's conference.
1. RSA by the Numbers
RSA 2020 featured more than 700 speakers, 650 exhibitors, 500 sessions, 75 sponsors and 40 media partners, as well as what industry watchers such as PR firm Calysto estimate was on the order of about 36,000 attendees, which was down from the nearly 45,000 attendees seen for the 2019 edition of the event. (More on that in a moment.)
The week's keynotes featured a who's-who of cybersecurity, with the roster including a much better cross-section of women in the industry than was seen - across all such conferences - even just a few years ago.
2. Highlight: Women in Information Security
Kudos to RSA for moving to redress the industry-wide gender imbalance that plagued so many technology conferences, at least until recently.
Women appearing on the RSA keynote stages this year included, among others, cryptography expert and blockchain fan Tal Rabin; Katie Arrington, the Pentagon's CISO of acquisitions, discussing Huawei; Jessica Barker talking about the psychology of fear and trying to blame users; computer scientist and human factors expert Celeste Paul of the National Security Agency; coordinated vulnerability disclosure queen Katie Moussouris; and Wendy Nather of Duo Security - now part of Cisco - who sadly wasn't allowed to arrive on the opening morning's keynote stage via skateboard.
But Nather did arrive packing a spoon, telling the audience that until security tools were as easy to use as that utensil, designers and developers shouldn't expect mass buy-in from users. "You don't have to have annual spoon awareness training - so wouldn't it be great if we could design security to be as easy to use and as difficult to get wrong as a spoon," she said (see: Wendy Nather on Democratizing Security).
One positive example: Only 35 percent of Apple's users of iPhone enabled a four-digit PIN on their device, until Apple began building Touch ID into its devices, at which point use of this "seamless technology" surged to 80 percent, she said.
Nather urged attendees to democratize security and recast it with a pro-user point of view. "I much prefer collaboration to 'zero trust' - sorry, John Kindervag," she said (see: Zero Trust and the Battle to Block Data Breaches).
3. Coronavirus Concerns Bite Attendance
RSA went ahead despite mounting concerns over the coronavirus SARS-CoV-2 that causes the severe acute respiratory syndrome COVID-19. While initial infections appeared to be highly localized in China, by the time of RSA, COVID-19 concerns had already led to the cancellation of Mobile World Congress in Barcelona, scheduled to happen at the same time as RSA, and which would have ordinarily drawn 100,000 attendees. On Thursday, meanwhile, next week's Healthcare Information and Management Systems Society Conference, which would ordinarily have seen at least 45,000 attendees, was also canceled.
How big a bite did COVID-19 concerns take out of this year's RSA attendance? Conference organizers have so far declined to share final attendance figures. But this year's footfall was noticeably reduced. In the days leading up to RSA, 14 exhibitors - including IBM, AT&T and Verizon - announced they would not be exhibiting on the show floor, while organizers said that about 1.2 percent of attendees had canceled their reservations in advance (see: IBM Exits RSA Conference 2020 Over Coronavirus Worries).
On the upside, multiple vendors exhibiting at the conference told me that while they were seeing fewer people at their booths, the quality and caliber of many meetings they were having with customers and prospects remained high quality, which suggests that many diehard attendees did still attend.
4. Vulcan Etiquette: The Future is Now?
With COVID-19 concerns looming large, conference organizers saw to regular wipe-downs of all surfaces, and antibacterial gel-dispensing stations were located at all entrances/exits as well as alongside escalators and public gathering places throughout the Moscone and Marriott Marquis.
But unanswered questions persisted. Lacking was a Miss Manners guide to cybersecurity conference social etiquette in the age of COVID-19. To wit: hugs, handshakes, hand on heart bows, fist bumps or to attempt an elbow bump?
In fact, more attendees should arguably have taken a page from actor George Takei, who portrayed the Star Trek character Hikaru Sulu in the original series, and delivered this year's opening RSA monologue, signing off with the iconic Vulcan "live long and prosper" salutation. Cue contact-free tech joy.
5. 'We're From CISA, and We're Here to Help'
The opening Tuesday keynotes at RSA follow a regular format: a musical act (missing this year); a guest actor who delivers a monologue; the president of RSA to kick things off; and an array of sponsoring vendors who deliver spiels. That gets followed by The Cryptographer's Panel - a world-class group of crypto experts debating the top issues of the day - and then a U.S. government official or lawmaker who's well-versed in cybersecurity.
So spot the fed: This year's government slot was ably occupied by Chris Krebs - "the other Krebs," as he's been known to say - who runs the U.S. Cybersecurity Infrastructure and Security Agency.
"We like security so much we have it in our name twice," Krebs said in an on-stage interview with Heather Dahl, executive director and CEO of the Sovrin Foundation, who dived deep into the challenges and goals facing the new agency (see: CISA's Krebs: 2016 US Elections Were Cyber 'Sputnik' Moment).
CISA's role, he said, is to advise American organizations, ranging from states trying to protect voter registration databases - an easy target for cybercriminals seeking easy shakedowns - to any organization that is a potential ransomware target, not to mention anyone involved in election security.
"We're hoping to engage across particularly small and medium size businesses, state and local governments, left of boom" - meaning before they next get hit - he said. But it's still up to those organizations to better protect themselves.
"We're the nation's risk adviser," Krebs said. "We're not the nation's risk manager. You own and operate the systems; you own the risk."
6. Debate: 5G Security and Supply Chains
Speaking of risks, one of the biggest global policy debates at the moment that has a cybersecurity impact concerns the rollout of national 5G networks, and questions over whether Chinese-built gear can be trusted. The perceived risk - at least according to the White House and some allies - is that Chinese manufacturers are beholden to Beijing, which could force vendors to adapt or tailor their gear for espionage purposes.
The question of whether Huawei should be trusted loomed large throughout the conference. Fielding both sides of the debate, I conducted interviews with both Michael Chertoff, who was the second-ever U.S. Homeland Secretary - running the Department of Homeland Security - and who's one of a number of policy experts advancing a Chinese-gear-free approach to building out telecommunications networks for the U.S. and its allies (see: America Seeks 5G and Supply Chain Security).
On the other side of the fence, former DHS official Andy Purdy, who since 2012 has served as the CSO of Huawei USA, told me that no vendors should be trusted - or not - based on country of origin. Instead, he urged all vendors to become much more transparent, to give potential buyers the information they would need to come to their own decision (see: Huawei CSO Responds to 5G Security and Espionage Concerns).
Purdy advanced that perspective in a "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei" panel discussion that included security experts Bruce Schneier and Kathryn Waldron, as well as Katie Arrington - the aforementioned Pentagon CISO of acquisitions - and Online Trust Alliance founder Craig Spiezle.
"Are we going to consider a vendor trusted because they're not headquartered in China?" said Purdy. "I'm starting to learn from you all that we can't trust anybody."
Schneier sees multiple hurdles. "Supply chain security is an insurmountable problem," he said, adding that unless a vendor controls its hardware, software and assembly processes - and today, many U.S. technology vendors build their wares in China - then they cannot guarantee that their products are secure.
"The internet was invented to answer a specific question: can you build a trustworthy network out of untrustworthy parts? The answer is yes," Schneier said. "Can we build a trustworthy network out of untrustworthy parts? I don't know the answer yet."
In the meantime, the White House has said what it won't do, by banning government use of Huawei gear, although Arrington said the full picture on that decision remains partially classified. "There's a reason that we did what we did; backdoors being what they are, that isn't the problem," she said. "It's when you're able to convey control to another country, it's a problem in the United States, period."
7. Potential Pandemic Puts Cybersecurity in Perspective
Control, however, can be a fleeting concept. During The Cryptographer's Panel on Feb. 25, MIT Professor Ron Rivest - the "R" behind the RSA asymmetric cryptographic algorithm - looked at the last 20 years of changes in the industry, highlighting that two decades is often the time it takes to get a product from white board to widely adopted.
But unexpected events can have a massive impact not just on products but processes, some of which cybersecurity might touch. With coronavirus in particular, arguably not since 9/11 has a non-digital event cast such a large shadow over the RSA conference's cybersecurity focus.
"Quantum computing is coming online, maybe. We have new math. Smartphones have really changed the game," Rivest said of the past 20 years. "We have new adversaries in the upcoming elections - it may not be the Russians, it may be the coronavirus. We'll see."
All photos by Mathew Schwartz.