Fear alone won’t secure our information anymore


Lots of industries, from insurance to firearms to some presidential campaigns, use fear to sell their products. But it’s hard to find one that lays it on thicker than the information security business.

Nowhere was that more apparent than at the industry’s biggest annual shindig, the RSA Conference in San Francisco, which drew more than 40,000 attendees and hundreds of exhibitors this week. Conference sponsor RSA Security LLC even hired actor John Lithgow and his best portentous voice to kick off the conference’s opening keynote Tuesday with an over-the-top dystopian vision.

“Imagine a hacked planet,” he intoned. “Imagine what the world would be like without security. Without trust, you cannot bank or trade and the economy collapses. Power grids fail. We’re back in the Dark Ages.”

This marketing strategy must work to some degree. After all, Gartner Inc. reckons information security spending will more than double globally from $76.9 billion in 2015 to $170 billion by 2020. But judging from what a wide range of industry leaders said at the conference, fear is no longer going to be enough, either to protect companies and consumers or to keep the information security industry humming.

One big problem is that fear has prompted enterprises to buy every security product in sight. One company, said RSA Chief Security Officer Zulfikar Ramzan, has 84 companies providing it security products and services. That’s good for suppliers, but not so good for customers trying to make them work together, or work at all.

Ramzan said the complexity has actually made companies less secure. They’ll be better off if they consolidate their supplier base and integrate the ones left. “Don’t adopt a ‘No vendor left behind’ policy,” he said.

Photo by Robert Hof

That advice no doubt wasn’t received well in the exhibit halls of RSA’s own show. But such a consolidation was coming anyway, thanks to the cloud. It’s becoming apparent to customers that far from being a greater risk, cloud computing actually provides a potentially more secure alternative to individually managed data center security software. Two recent studies, in fact, indicate concerns about cloud security starting to fade.

All this is not to say fears of security breaches and hacks are unfounded. Major new kinds of attacks seem to appear every day, from the Mirai botnet last year, which took down a sizable chunk of the Internet by hijacking devices such as digital recorders and cameras, to new mutations of attacks such as “ranscam,” or ransomware that destroys the data even if a ransom is paid.

And more are coming, thanks to rapidly developing new technologies. In the Internet of Things, said Intel Security Group chief Christopher Young, “the target has now become the weapon.” U.S. Rep. Michael McCaul, chairman of the House Homeland Security Committee, said companies and governments also need to prepare for the security implications of the imminent arrival of the quantum computer, which may be able to crack the toughest encryption algorithms. He called it “the digital atomic bomb.”

The bad guys aren’t just trolls in a basement or even organized crime rings anymore, either. The U.S. presidential election exposed how sophisticated nation-states such as Russia are becoming at hacking and then turning that data into propaganda in a way that can even sway elections. “Data landmines, properly placed, can make it truly difficult to tell truth from fiction,” said Young.

Then there are potential attacks on critical infrastructure such as power plants. Essentially, said Microsoft Corp. President Brad Smith, “nation-state hacking has evolved to attacks on civilians in times of peace.”

Those civilians could protect themselves with some common-sense practices. “Every company has at least one employee who will click on anything,” Smith said. “We each need to do more” to prevent such behavior, he added. Even today, too many people also never change passwords of devices from “admin” and the like.


Exhibit hall at RSA Conference 2017

For their part, companies would do well to go back to basics, namely figuring out the top two or three threats first and how they will respond, rather than focusing too much on prevention of all threats — because it’s a given that attacks will occur. “This whole scene is way too obsessed on prevention,” Daniel Miessler, director of advisory services for the security consultancy IOActive Inc., said of the RSA Conference. “We’re at peak prevention.”

Even more fundamentally, said Whitfield Diffie, a pioneer in public-key cryptography, simply improving programming quality to prevent security gaps in the first place would have a far greater impact than virus screening and all the other tactics pitched at the show.

But depending on a sudden change in human nature seems unwise. The lesson coming out of all these new threats is that neither the information security suppliers nor their customers can work in isolation anymore. They need to share much more data with each other on attacks, many experts said. “I think the more we talk, the better off we are,” Mark Nunnikhoven, vice president of cloud research at Trend Micro Inc., told theCUBE, SiliconANGLE Media Inc.’s video streaming studio.

The Cyber Threat Alliance, for instance, is a group of companies such as Fortinet Inc. and Cisco Systems Inc. that formed three years ago to do just that. This week, the CTA appointed its first president, former Obama administration cybersecurity coordinator Michael Daniel, and rolled out an automated threat intelligence-sharing platform that can update all the members’ products in response to new threats. But McCaul believes information sharing is still far too weak. “Our current cyber plans just won’t cut it,” he said.

That’s why even more sweeping agreements may be necessary. Microsoft’s Smith called for a “Digital Geneva Convention,” run by an organization something like the International Atomic Energy Agency, to reduce the impacts of state-sponsored hacking on citizens. “We need to call on governments to come together,” he said.

It’s a bit counterintuitive that people and companies trying to secure their digital borders need to be more open. But it’s becoming clear that to be more effective, security can’t be practiced in the shadows of corporate secrecy anymore. It’s going to take a village, or at least an ecosystem, to keep the digital world safe.

Featured photo: Geralt/Pixabay. Other photos: Robert Hof