RSA Conference 2019
Inaugural Launch Pad highlights three early-stage start-ups.
In what emcee Hugh Thompson called "an opportunity to see inside the start-up pitch room," three early-stage companies each received five minutes to sell themselves to a panel of venture capitalists. The event is expected to become a regular feature of the RSA Conference.
The three companies were NuID (which uses zero-knowledge proofs and a blockchain to deliver trustless authentication), Spherical Defence (which offers an alternative to rule-and-signature-based systems), and Styra (whose solution provides "guardrails" for developers working in Kubernetes). The pitches were all fluent and attractive to at least one of the panelists. The principal lessons on display were the importance of showing differentiation and of offering hard evidence for a solution's ability to deliver on its promises.
Cyber conflict, as seen from Fort Meade.
Yesterday, near RSAC, we were able to attend a breakfast session sponsored by Maryland’s Department of Commerce. Their speaker was Rob Joyce, who currently serves as Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency. Joyce outlined a shift in cyberattacks: they’ve moved from theft of secrets, cyber espionage, toward becoming a means of imposing national will. He sees four trends. First, high-end threat activity has become more sophisticated. Second, the level of expertise needed to operate as a significant threat is declining. Third, cyber conflict is moving from exploitation to disruption. And fourth, information operations increasingly leverage what Joyce called a “cyber grey space.”
To survive in this emerging world, Joyce advocated building on a sound, solid foundation of the basics. We need good cyber hygiene, sound configuration, effective patching, those sorts of things. And laying this kind of foundation is in his view a long-term investment that requires coordinated investment in education and training.
It's not all about enterprises attending to the basics. In response to a question, Joyce discussed a place for offensive cyber operations, which he said were and must remain an inherently governmental responsibility. The US Government has now taken what he called a “more proactive, aggressive” stance with its doctrine of continuous engagement. The US is now willing to introduce some friction into the adversaries’ operations, and has shown the ability to do so.
Cyber conflict, as seen from CISA.
Christopher Krebs, who leads the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security, shared his agency’s perspective on the current state of the threat nation-state adversaries pose in cyberspace. CISA is focused (“of course,” as Krebs said) on the big four actors: Russia, China, Iran, and North Korea.
CISA functions, Krebs explained, as “the nation’s threat advisor,” not its threat manager, because most infrastructure in the US is owned by the private sector. CISA seeks to “understand, share, and act.”
And the difference between a hurricane and climate change.
There is no shortage of warnings about all four of the major nation-state adversaries, but both NSA’s Joyce and CISA’s Krebs were agreed on which of them was the biggest threat to the US. It’s China, they said at a joint appearance moderated by Columbia University’s Jason Healey.
We worry about Russia using its cyber power to degrade others, Joyce said. But China projects power to build itself up. If Russian cyber operations are like a hurricane, China’s are like climate change. Beijing is playing a long game, and we know its goals: Made in China 2025 has outlined them with some clarity.
The US and China are now clearly competitors, having moved beyond several decades of economic engagement in which both countries perceived advantages. “Forty years of engagement,” Krebs said, “have just expanded the attack surface.” The threat to the US is poised to increase with the coming deployment of 5G technology and the pervasive connectivity it will bring. The risk that will accompany 5G, Joyce said, isn’t fundamentally a risk to the confidentiality of the information that technology will carry. It’s much more extensive: the risk lies in all the devices we’ll connect to it, and in the unforeseeable ways in which we’ll innovate on that new fabric.