Paul McLellan
RSAC: Opening Keynote and a Whitrospective

19 May 2021 • 5 minute read

The RSA Conference on cybersecurity took place in the middle of May. This year, the 30th RSAC, the theme was Resilience. It is a good choice, since the run-up to and start of 2021 have been terrible for security, with both the SolarWinds supply chain attack (disclosed in December 2020, with the fallout spilling well into this year) and the ransomware attack on Colonial Pipeline. There have been several more attacks, only marginally less high profile. Not a great start to the cybersecurity year.

Two highlights of the event are the opening keynote on the state of security, and the cryptographers' panel. The opening keynote is usually given by someone from RSA (the company), and this year it was Rohit Ghai, the CEO. His keynote was titled A Resilient Journey. RSAC 2020 was the last conference that I attended in person, and various people on the first morning pointed out that it had been their last in-person conference, too. Since then, we have all been wearing what one presenter called "cotton firewalls". RSAC this year has been completely virtual, of course.

Rohit's Keynote

The heart of his presentation was three aspects of making security more resilient, each illustrated with an unlikely example: tigers, airplanes, and sewing machines.


As Rohit put it:

March 2020 was unforgettable. The start of lockdown...and the start of Tiger King.

In 2011, Rohit reminded us, Netflix was in the middle of moving from its own data centers to the cloud. So how could they ensure that their subscribers (now more than 200M of them) can stream what they want ("Tiger King") when they want it? They invented Chaos Monkey. Most groups, when they want to test their resilience, set up some sort of sandboxed toy clone of the system and try things there. Chaos Monkey doesn't do that. It shuts down running servers of the live production system. It doesn't literally chew through cables, but it takes servers down as if it had. This approach, deliberately injecting failure into production, worked so well that it inspired Netflix to build what is known as the Simian Army ("simian" means monkey-like), with other tools such as Latency Monkey, which adds latency at random, Janitor Monkey, which looks for unused resources, and many more. And yes, there is a Security Monkey, too.

By being prepared for chaos, we will fall less often. But we will stumble.

Rohit suggested that you should attack your own network and see whether you even notice, and how much you record. And no cheating: test your own capabilities live, on the production systems, not on a lab copy. One other area to test, which gets little attention, is traffic going North. In the framing he used, East-West is traffic within the data center itself, South is traffic coming into the data center from the outside world (usually just internet traffic), and North is traffic leaving the data center. (In common usage "north-south" covers both directions of perimeter traffic; Rohit split it to make his point.) South traffic is the most obvious to analyze, since it is where the perimeter defenses sit. East-West is now clearly regarded as important in a zero-trust environment, where you don't just protect the perimeter: every system has to protect itself even from other systems inside that might have been compromised. North traffic is where data gets exfiltrated and, perhaps, where a breach propagates to other data centers or other companies, and it is the direction that most organizations watch least.
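As an added example (not code from the keynote or from RSA), the direction split above can be turned into a first-pass egress check over flow records. The script below classifies each flow as East-West, South, or North using the keynote's convention (South = inbound from outside, North = outbound), totals bytes per direction, and flags internal hosts whose outbound volume to external addresses exceeds a threshold. The flow records, the internal address ranges (RFC 1918), and the 10 MB threshold are all constructed assumptions for the illustration; in practice the records would come from NetFlow, VPC flow logs, or a firewall, and the threshold from a per-host baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records for the example: (src, dst, bytes).
# They are not from the page; the addresses come from RFC 1918 and the
# RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.9.7", 4_200),              # East-West: both ends internal
    ("203.0.113.5", "10.1.2.3", 900),             # South: inbound from the internet
    ("10.1.2.3", "198.51.100.20", 2_000),         # North: small outbound flow
    ("10.1.2.3", "198.51.100.20", 48_000_000),    # North: large outbound flow
    ("10.1.5.8", "192.0.2.10", 1_500),            # North: small outbound flow
]

# Assumed internal ranges; replace with the real data-center prefixes.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a flow using the keynote's convention.

    East-West: internal to internal.  South: external into the data center.
    North: internal out to the world.  'transit' means neither end is
    internal, which should not show up on an internal sensor at all.
    """
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "east-west"
    if src_in:
        return "north"
    if dst_in:
        return "south"
    return "transit"


def summarize(flows):
    """Return (bytes per direction, outbound bytes per internal host)."""
    bytes_by_dir = defaultdict(int)
    egress_by_host = defaultdict(int)
    for src, dst, nbytes in flows:
        d = direction(src, dst)
        bytes_by_dir[d] += nbytes
        if d == "north":
            egress_by_host[src] += nbytes
    return dict(bytes_by_dir), dict(egress_by_host)


def flag_exfiltration(flows, threshold_bytes: int = 10_000_000):
    """Internal hosts whose total North (outbound) volume exceeds the threshold.

    The threshold is an assumption for the example; a real deployment would
    compare each host against its own historical baseline instead.
    """
    _, egress_by_host = summarize(flows)
    return sorted(h for h, b in egress_by_host.items() if b > threshold_bytes)


if __name__ == "__main__":
    by_dir, egress = summarize(SAMPLE_FLOWS)
    for d in ("south", "east-west", "north"):
        print(f"{d:10s} {by_dir.get(d, 0):>12,d} bytes")
    print("hosts over egress threshold:", flag_exfiltration(SAMPLE_FLOWS))
```

The point of running this against live records rather than a lab copy is the one Rohit made: if a single host can push tens of megabytes out of the data center and nothing in your tooling notices, you have found the gap before an attacker does.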

Next, airplanes. In World War II, the Allies faced the problem of working out how better to protect their bombers. The military looked at the returning aircraft and their damage, and assumed that they should reinforce the areas that bore the most damage. They worked with the statistician Abraham Wald. He pointed out that the military were suffering from survivorship bias and that, counter-intuitively, they should reinforce the areas that sustained the least damage...on the planes that returned. He reasoned that if a plane got hit there, it usually didn't return. Those were the most vulnerable parts of the aircraft.

The challenge is that there is only so much armor to go around, just as there are only limited resources (and personnel) that can be dedicated to cybersecurity. We have to focus on the most important areas, and be sure that we choose wisely. As the CEO of Cisco pointed out later in the morning, there are 2.8M cyber professionals in the world...but 4M open jobs.

The third aspect of resilience is rising up stronger when we inevitably fail. SEWA is the Self-Employed Women's Association, which started in India 49 years ago. When lockdown forced everyone indoors, SEWA members used their own sewing machines to make masks and other safety equipment.

The SEWA story shows that those that belong to a community rise up stronger because they rise up together.

Rohit wrapped up with the Japanese technique called "kintsugi" (literally "golden joinery"). It is an approach to repairing broken bowls with gold-dusted lacquer, making beautiful objects from what would otherwise be waste. It is a celebration of resilience.

Rohit's conclusion, drawn from the three stories:

  • Fall less often
  • Withstand the fall
  • Rise up stronger


A Whitrospective


Later in the morning, RSA's Chief Digital Officer Zulfikar Ramzan interviewed cryptography luminary Whitfield Diffie in a round of snap questions.

What was the most surprising thing this year?
Being inducted into the NSA Hall of Honor. It was surprising since I've been seen as an enemy of the NSA.

Best practice?
I don't think people know how to practice cybersecurity.

Worst breach?
The worst was the Bureau of Personnel Management (BPM). But the most interesting was an aspect of SolarWinds. FireEye and lots of others had been broken into, but FireEye were the only people alert enough to notice that they had been.

Resilience?
That's the opposite of what we have today.

Advice you could fit on a bumper sticker?
Unplug it, baby.

Biggest problem?
To get industry interested in security.

One-word biggest challenge to security?
Companies.

What does the future hold?
It is impossible to believe that the problem of security cannot be solved. But can it be solved consistent with a free society? For a long time I have been saying that human freedom cannot stand in the face of increasing communication capabilities. We are less than a decade from brain interfaces, and you will have to use them or you will not be competitive.
