Security Needs and the Markets They Create
The SINET Showcase offered a variety of perspectives on what many of the symposiasts called the cyber innovation ecosystem. Some of the experts shared the perspective their decades-long work in security disciplines had afforded them; others expressed the challenges customers wanted the security industry to help them address.
Past, present, and future challenges in cryptography.
Robert Rodriguez held a fireside chat with Taher Elgamal, Salesforce CTO and "father of SSL." Elgamal described his arrival at Stanford (from Egypt), his meeting Martin Hellman, and the beginning of his cryptological work. He attributed SSL's widespread adoption to the fact that it wasn't patented, "not because it was the coolest" crypto technology.
Elgamal recalled that every security professional has always expressed the wish that security could have been designed into software tools at the outset. SSL was in a way designed with this in mind. It was developed with the intention of securing e-commerce. But, Elgamal observed, it was impossible to anticipate then what hackers might come up with, and "it still is." "I don't believe we're more safe," he said. The level of virtual physical connectivity we now have is something we never planned for. "We thought about attacks on banks—that's well understood--but not attacks on, say, a bridge."
As we move forward, Elgamal stressed the importance of communication. "Understanding the audience is the most important thing. What matters is what people want to listen to." He also offered his opinion that it's more important to be able to talk effectively with the business-level and policy-level people than with the technical people.
To Rodriguez's question about the state of the crypto wars, Elgamal said he thought that people don't generally "put themselves in the others' shoes." if Apple and the FBI had put themselves in on another's shoes, we'd have had a happier outcome from the dispute over the San Bernardino jihadist's iPhone.E "Compromise is the key to arriving at common ground and solving these problems."
Rodriguez closed the fireside chat by asking for some advice to entrepreneurs. "You learn from failure," Elgamal answered. "Founding a startup is an awesome experience. Pick good partners, and attend to your customers—don't fall in love with your technology. Listen to your customers."
What some of the bigger customers are saying.
SINET's Robert Rodriguez several times over the course of the sessions expressed his gratification at the way the US Government is reaching out to centers of innovation lying outside the familiar precincts of the Beltway. He was also pleased to see the participation of the other four members of the Five Eyes—Australia, Canada, New Zealand, and the United Kingdom—as well as allied nations like Germany and Israel, in the cyber innovation ecosystem.
One of the largest buyers of cyber security services, products, and solutions in the United States is, of course the Department of Defense. Major General Sarah E. Zabel (Vice Director, Defense Information Systems Agency) noted that it had taken some time for the Department of Defense to fully understand the value of information, and the operational capabilities that flow from information. This realization has increased the Department's appreciation of the importance of information security.
As a customer, the Department of Defense is concerned with overcoming challenges inherent in interoperability, and in finding ways of making it easier for companies, particularly small ones, to do business with the Department. Among the specific observations made and advice offered by senior Department of Defense representatives at the SINET Showcase were:
- The Department wants software solutions that can help avoid costly hardware replacement.
- The Joint Regional Security Stack (JRSS) is a way for small businesses to engage with DoD.
- The Department and its units say they're committed to staying within budget, and this means "It's a zero-sum game" according to John Bergin (Business Technology Officer, Office of the Department of Defense CIO). Challenge the norm, he advised, and show how your offering can displace, not merely add to, older solutions.
- Clouds (or, as Bergin wished to call them, "shared multitenant infrastructure") are important for a number of reasons. They tend to force automation, orchestration, and economy.
- The Department is looking for help with IT rationalization. The US Army, Lieutenant General Robert S. Ferrell (CIO/G-6) said, is dropping from more than fifteen hundred data centers to ten, "and we need help with this."
- Data sovereignty is and will remain important to the military.
- Finally, observing that innovation comes from rapid trials and failures, Bergin observed that many startups fail, and that the Department of Defense needs to become more failure tolerant. He applauded both the Air Force and the Army for their willingness to take on untried ventures.
Alex van Someren of Amadeus Capital offered a European perspective on the market. He sees, in the European Union, a great many government initiatives, but more talk of inspiring spending by others than actual commitment of funds by the governments involved. The United Kingdom is a recent exception to this, especially in the budgetary commitments expressed in the UK's recently published strategy document. The UK is also beginning to support the spinout of programs developed within its intelligence community.
And of course there's a great deal of corporate commitment to cyber security. As Man Tech's Bill Varner pointed out, some ten percent of IT spending generally is marked for security.
Observations on information sharing.
The challenge in information sharing isn't so much overcoming resistance to the idea of doing it, or of surmount regulatory and legal barriers, not anymore. The Department of Homeland Security's Assistant Secretary for Cyber Policy, Robert Silvers, set the panel's discussion up by alluding to the challenges the developing information-sharing ecosystem continues to face. And the panelists reviewed the various obstacles that persist: classification, relatively immature or primitive sharing technology, and, above all, issues of trust.
Marcus Sachs (SVP and CSO, North American Electric Reliability Corporation) saw a fundamental difference in interest between Government and industry, and that a convergence or at least coordination of such interests would be essential to moving forward in information sharing.
ThreatConnect's CEO Adam Vincent offered a different way of looking at the challenge. He saw the central issue as content creation. Citing the growth of Facebook, and characterizing its success as lying in the way it induced people to create and post content, Vincent said the issue with sharing cyber information is that "everyone wants to take." Moving toward more effective collaboration through information sharing will require developing incentives to create and disseminate content. His experience, after long pursuit of technology for information-sharing, has led him to conclude that the important things to share weren't in sensors, but instead were in human minds.
David Hahn (VP & CISO, Hearst Corp.) closed with a related observation: the ability to provide context for shared information is the essential missing piece.
Closing thoughts: innovation is necessary to stay ahead of the cyber threats.
Robert Rodriguez took the last word. After expressing special thanks to the judges who selected the SINET 16, he offered some reflections on the importance of innovation. Attacks are showing an increasing sophistication, and are being made against new targets. He saw the attack on Sony as the pivotal moment for the future of security. "Now we see hacking as an instrument of policy and political intervention," he said, and he noted the vast expansion in attack surfaces the Internet-of-things has produced. Thus continued innovation is more critically important than ever.