On Tuesday, June 20th, 2017, SINET held its annual Innovation Summit at the Times Center in New York City. The New York version of SINET's well-known, well-attended conferences brings together security technology innovators with cyber policy leaders and (particularly important in New York) major investors and buyers of cyber products and solutions. We have some detailed coverage of the Summit today, and more will appear tomorrow.
The financial services sector was heavily represented among this year's panels and speakers. Among the topics pursued were trends in Internet-of-things ransomware (specifically the rising threat of "jackware"), modeling third-party risk, the development of meaningful cybersecurity metrics, enterprise mobility as a megatrend, sector-specific information-sharing initiatives, how and why enterprise website security measures fail, managing privacy risk, and positive disruptions that are improving security.
The conference also included insights into public-private cooperation (with updates from longstanding SINET sponsor and partner, the US Department of Homeland Security's Science and Technology Directorate) and the perennial challenge of communicating cyber risk issues to a corporate board.
One recurring theme in the day's proceedings was the centrality of trust to all aspects of cyber security: why it matters, how it's lost, how it's gained, how it's maintained. Given the Summit's location and its audience, issues of trust were refracted through a financial prism, but they appeared in various forms throughout the day. The effects of growing demand for privacy (driven most obviously by the European Union's coming GDPR, set to take effect next year), the increasing pervasiveness of the Internet-of-things in consumer durable goods (and how trust in their reliability is likely to be reflected in the market), the uncertain but inevitable emergence of standards of care with respect to cyber security, and the ways in which boards of directors come to rely on specialized security expertise they themselves don't possess, were some of the topics taken up.
The foundation of trust on which the global financial system rests was on clear display in the keynote delivered by Gerald Hassell, Chairman and Chief Executive Officer, BNY Mellon. In an address that revealed a clear appreciation of the implications cyber security has for that system, he noted the sheer volume and value of the transactions that cross his bank's networks daily. BNY Mellon's Government Securities Services unit settles $1.5 trillion daily in Wall Street trades of US Government debt. The figures are staggering; the transactions highly automated. The keynote left no doubt of how crucial security is to the entire system.
The interplay of markets, regulation, and litigation in software quality and security provided the Summit's second common theme. All three of these forces will continue to prove powerfully influential in the evolution of consumer expectations and standards of care; no one of them is likely to dominate.
"Jackware," a term coined by ESET researcher Stephen Cobb shortly after Miller and Valasek's Jeep hacking demonstration for WIRED in 2015, refers to "the use of malware to take over a vehicle, whether to extort a ransom from the owner, or to take the car somewhere other than the destination intended by the legitimate owner or operator." So jackware is ransomware with strong physical effect. (The concept's haute vulgarisation may be found in the most recent emanations from Vin Diesel's Fast and Furious franchise, Fate of the Furious.) William Beer (EY Principal, Advisory Cybersecurity Services) chaired a panel consisting of James Beeson (Chief Information Security Officer, Cigna), Randy Miskanic (Americas Regional Head, Group Information Security Office, UBS), Yonesy Nunez (Senior Vice President and Information Security Leader, Wholesale and International, Wells Fargo Bank), and Mario Vuksan (Founder and Chief Executive Officer, Reversing Labs). It remains unclear whether IoT manufacturers will come to lead with security as a differentiator, or whether consumers will come to expect it. Security as such will probably be a difficult sell (consumers may not even be aware, let alone care, whether their proverbial networked refrigerator has been roped into a distributed denial-of-service botnet). Vuksan noted a growing convergence of cyber security features with device safety and reliability, and those are things about which consumers do care. But manufacturers ought to take the prospect of jackware seriously, he added. Jackware may not be common, but it has been demonstrated at least in proof-of-concept form, and its effects could be severe, threatening both lives and organizational survival.
Third-party risk has also emerged as a significant issue for businesses. Michael Johnson (Senior Vice President and Chief Information Security Officer, Capital One) moderated a discussion of vendor risk management models among Edna Conway (Chief Security Officer, Global Value Chain, Cisco), Lisa Humbert (Chief Information Risk Officer, Bank of Tokyo Mitsubishi), Fred Kneip (Chief Executive Officer, CyberGRX), and Christopher Porter (Vice President and Chief Information Security Officer, Fannie Mae). Usually framed in terms of supply chain risk, the problem, as the panel pointed out, is even more complex than that. The third-party risks a business must manage aren't confined to those posed by its vendors. Conway framed the challenge as "knowing who touches your stuff." Given the notorious difficulty of simply knowing one's own network, reaching a comprehensive understanding of every third party who legitimately interacts with an enterprise, and of the risks each brings with them, is a tall order indeed.