QUICK TAKES: What I learned about Cybersecurity

The below is a personal brain dump from The Washington Post Cybersecurity Summit, October 1, 2015. This is not intended to be coverage of the event. Quick Takes are intended to record questions that deserve further exploration. For coverage by the professionals and to see video, visit http://www.washingtonpost.com/blogs/post-live/wp/2015/07/09/live-oct-1-2015-cybersecurity-summit/.

Cyber cliches. Love ’em. I’m not a cybersecurity expert – or even a novice – but I’ve been listening to cybersecurity discussions in some form or another since 1993. It’s interesting how the conversation has evolved from elaborately shocking audiences with the concept of “hackers” in the early ’90s to a sophisticated, structured discussion about the many facets of this topic.

Each year as the conversation evolves, the focus shifts a little bit. After 4 hours of in-depth discussion by members of Congress, technologists, corporate leaders and national security professionals, I observed a few recurring themes – many discussed at the beginning of the day over a breakfast discussion with AT&T Chief Security Officer Ed Amoroso and GW Cybersecurity Policy & Research Institute head Lance Hoffman (who is credited as the first person to teach an accredited computer security course). Here were my takeaways from that discussion:

Liability is on everyone’s minds. Probably the most frequently raised topic this year was liability — who’s to blame for an intrusion. Usually, when liability becomes a top-tier topic, the issue at hand has become accepted as a prominent risk. The topic has always been a peripheral discussion, usually driven by an insurer who wants to sell cyber-insurance. The constant, high-profile headlines about data thefts have made this discussion mainstream at the board level for a lot of companies. It’s not just about “how do we protect our information assets.” There’s also a heavy focus on “how do we protect the company when [not if] our data is compromised?” A portion of the discussion covered the idea that it’s a bit silly to expect the public sector to be responsible for preventing intrusion into corporate systems, unless the intrusion comes from a state-sponsored source. Even then, how does one identify or define state-sponsored hacking? Later in the day, Washington Post CTO Shailesh Prakash suggested that rather than focusing on the threat vector immediately after an attack [as in – “how did they get in?”], it’s more productive to focus on shutting down as many other buckets of data as possible in order to protect them.

Maybe policy solutions are so difficult because we need to deal with the core issues first. Cybersecurity discussions are filled with cliches to illustrate the challenges. Ed Amoroso used a good one — “The roof is leaking. Fix that first. You don’t call someone to fix your fence if the problem is that water is pouring in through your roof.” The point being that there are some basic IT architecture issues begging to be fixed. There is sloppy code that needs to be rewritten (another great cliche repeated all morning – “good code can’t be hacked”). Instead, we often focus on compliance. A focus on stringent security audit compliance does not fix architecture or code. Perfect behavior within a porous perimeter does little good. Legislation might offer some short-term stopgaps, but the roof needs to be fixed before we get to the fence building. A great bit of advice was that good security policy “trusts no one” – in other words, most companies have low levels of security once someone is inside the data center, because that person has already passed through the layers of security outside the data center, and passing those layers earned them “trust” while inside. If everyone is treated equally, then authentication and other security protocols apply to everyone.

Oddly, many small businesses are more secure than large corporations. Another great cliche – “Large company IT departments put all data in one place. If you puncture the balloon with a dart, the whole thing explodes.” The billions spent on corporate IT have led to highly centralized data centers, making everything vulnerable if the perimeter is breached. The trend in many large corporate environments is to create “private clouds” to distribute data assets in multiple places. Many small businesses already store their data in many secure places across the cloud. Each bucket of information stored in the various cloud locations is secured with the highest level of security and encryption, given that many cloud providers are fairly young companies and have invested in the most modern security tools. Therefore, for businesses like these, if you breach the perimeter of a cloud location, it’s “more like a dartboard – you only hit one section, rather than bursting the whole thing. The rest is intact.”

Cliches become cliches for a reason. They’re also fun — and in this case, informative. What will we talk about next year? I’m sure we’ll still be talking about state actors (one of my other favorite quotes of the conference came from a congressional leader discussing the recent accord struck by the U.S. president and the Chinese president — the congressman referred to “that which [Chinese] president Xi Jinping has promised to stop doing [cyber intrusion for economic gain] … but hasn’t admitted to doing …”). We’ll probably still assume that intrusions will happen. Hopefully we’ll be talking about progress toward minimizing the impact of these intrusions (another great cliche from a past conference – “Some people pretend they can keep the intruders out of the house, meanwhile they’re running rampant inside. We need to be able to close all the doors in the house to minimize what they can steal.”).

Meanwhile, it’s nice to hear that each year, there’s more sharing of ideas, solutions, even a few answers. That’s a lot of progress from the days when one could spend an entire day listening to nothing but increasingly dramatic tales of the horrifying possibilities.