RSA 2010 Keynotes - Dealing with Sophisticated Threats in Cyberspace without Creating Big Brother

This panel featured Quentin Hardy (moderator), National Editor, Forbes Magazine; Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC); Michael Chertoff, Former U.S. Secretary of Homeland Security; and, Richard Clarke, Chairman, Good Harbor Consulting.

[refresh regularly until 2pm PST for live updates from the conference floor; please note that any errors of transcription or attribution are omissions due to the nature of this live blog]

[Mr. Hardy made a slip of the tongue and talked about "this great concert" instead of "this great conference."]

Mr. Hardy discusses information security issues related to boundaries, privacy, responsibility (govt vs industry)

Discussion of "Cyber Shockwave" by Mr. Chertoff. Counterpoints by Mr. Clarke: there is little difference between attacks from governments vs organized cyber-criminals.

Mr. Clarke: 20-30 nations have cyber warfare capabilities, including the US. Hackers "are stealing anything that's worth stealing," and later said "and we can't stop them." Mr. Clarke then points out the potential of cyberspace activities to increase tensions between countries.

Mr. Rotenberg: points to the need for a debate about what we (government) can and should do. "We need to come up with solutions that are smart." Later, he said "transparency and openness is very important."

Mr. Clarke: "the problem is that the government has discredited itself in the last decade. [...] The cyber command that's being stood up is NSA." Mr. Clarke said that the NSA is "the right organization to defend the military, the wrong organization to defend the public." He then mentioned that the government should not be in the business of snooping; however, it could, via regulation, ask the private sector (tier-1 or backbone ISPs) to do it.

When Mr. Rotenberg said this could be a slippery slope (my words) that would lead to commercialization, Mr. Clarke returned that that would be a role for government, to ensure that ISPs are not simply mining packets with deep-packet inspection (DPI) for pure commercial benefit.

Mr. Clarke: "The stuff [the IT & security technology] is obviously not good enough." Points back to how ISPs can help check for malware on-the-wire, before it hits the enterprise or the home.
[...]
Mr. Clarke: "Cyber-crime is not script kiddies anymore." He then argues the need to talk to other countries specifically about information security.

Discussion about whether the US is engaging in cyber-war activities. Mr. Clarke argued that it would be foolish to think that we are not. More discussion about attribution, preparation, and response.

Mr. Clarke: "Why is the electric power grid connected to the Internet?" He then points to FERC not having enforced regulation.

Mr. Rotenberg: "Privacy ends up being the collateral damage in the cyber-war battles."

Mr. Chertoff: "We are really bad at educating people at operational security." Points to the need to take into account the way people behave (not security people, the average person).
[...]
Discussion about the cyber pearl harbor, and Mr. Clarke said that we should not wait to act until a major event happens because instead every day, we have mini pearl-harbors. Mr Clarke: "We're prosecuting a very tiny percentage of cyber-crime."

Mr. Chertoff: this is a field in which "we need to attack the problem in multiple ways simultaneously."

With respect to cyber-espionage, Mr. Clarke said "we are losing our competitive advantage."

1 comment:

Peter J. Hillier, CD, CISSP said...

Sounds like a futile discussion, since Big Brother is already created, alive and well!