In 1991, the first RSA Conference brought together cryptographers to share advancements in Internet security. Leading up to this year’s conference, members of our advisory board took some time to reflect on this milestone anniversary, the past 25 years of the security industry and how RSAC can continue to keep pace with the rapidly expanding cybersecurity world.
“The Internet was really just a concept when the conference started, and now it has become a global phenomenon. In 1993 we were counting the millions of people on the Internet, in 2015-16, we’re counting the billions of things on the Internet (including people, of course),” Director of Commercial Consulting at Booz Allen Hamilton Todd Inskeep says. “The way these elements interact tends to evolve. No one was thinking back in 1993 that a billion people would be using Facebook. The number of collaborators on research has gotten bigger and bigger since the creation of the Internet.”
Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center, commented how systems used to be simpler and there were fewer ways to get in. She adds, “With the proliferation of hardware, software and communications methods, hackers have adapted to explore all vulnerabilities and opportunities. Twenty five years ago, we didn’t have as many people using such a wide variety of technology as we do today – from non-technical professionals using smartphones and tablets to the CISOs. More people using more devices means more potential targets.”
Dmitri Alperovitch, CTO and Co-founder of Crowdstrike, comments the conference is “massive compared to where it was 25 years ago, and the availability and variety of topics and discussions through the conference’s existence has grown. Now, because the security industry has evolved, you find not only technical professionals, but executives including CISO, CIOs and sometimes even CEOs frequenting the conference. As an opportunity to network, it has become indispensable – literally anyone who is anyone in security makes it a point to attend every year.”
That’s not the only shift Aperovitch sees at the conference. There is also a change in thinking—from using tools to stop the “bad guys” to realizing we need to get to the root of the problem.
“We’ve realized we need to be more proactive about leveraging intelligence to identify potential adversaries,” he adds. “The realization about the importance of attribution and knowing the enemy has increased tenfold just in the last few years.”
The cybersecurity industry has clearly evolved to match the growing need for enterprises and individuals alike to protect against cyber attacks. But what if we could go back in time? In hindsight, is there anything that could have been done early on to provide a more secure environment today?
If Nather could have her own “Marty McFly” moment, she would stop the creation of antivirus products.
“This invention started the whole tendency to be reactive instead of proactive when searching hardware and software. It’s a key event that spawned a multi-billion dollar industry,” Nather says. “The security industry today is like a cake without sugar. It’s as if we’ve forgotten to add the sugar, but we can’t tell it’s not there until we start eating. We can put icing on the cake, but it doesn’t make a difference. We’re in a multi-billion dollar icing industry.”
Both Benjamin Jun, CEO of HVF Labs, and Hugh Thompson, CTO, CMO and SVP at BlueCoat Systems, would use their time traveling abilities to fix email, which has “caused no shortage of headaches” according to Jun.
“It takes more than secure messaging to secure a business, but history shows that security improvement in one component drives upstream and downstream improvements,” Jun adds. “Secure email would have accelerated adoption of user credentials and keys, enabled more secure data storage, and improved how we partition user data. We’d be 5 to 10 years ahead of where we are today in these critical infrastructure building blocks.”
Thompson adds the premise under which we designed email was fundamentally flawed as we modeled electronic mail after physical mail: “You can write anything you want on the return address, but there’s no way to verify it. The number of problems this has caused us is unfathomable, and we can’t get rid of it.”
The challenge for RSAC moving forward? According to Inskeep, it’s maintaining a clear vision as more specialized conferences continue to grow.
“RSAC was basically alone when it was started. There’s significantly more competition now, and it’s a real challenge to determine what RSAC is and what sets it apart. One thing that sets it apart is the interaction—like the Birds of a Feather and Crowdsourced Sessions. RSAC really does the best job at picking the best talks. This conference is judged in a way that no other conference is judged,” Inskeep says.
Ed Skoudis, Founder of Counter Hack, agrees and adds: “Both the conference and the industry have broadened and deepened in terms of the types of disciplines, the diversity of topics and people, and the methods of interaction. The kinds of experiences at the conference have diversified too, as we’ve moved from just lectures and sessions to real immersive and interactive programs and displays.”
So what does this all mean for the next 25 years and beyond? Will RSA Conference continue to be where the world talks security?
According to Thompson, yes.
“There’s a misconception about the security industry that it’s shrouded in secrecy like a government intelligence agency (e.g., CIA) and that no one talks to anyone else or collaborates with others. However, it’s one of the most collaborative industries and there is a sense of unity. There has been no bigger testament to that idea than RSA Conference with people from different industries getting into a room together and talking and challenging each other.”