Another day of the RSA tradeshow is in the books. I knew there would be a lot of cloud discussions but had hoped for a little sunshine in San Francisco. While sunlight has been elusive, the light has dawned on me in many vectors…here are a few:
I can finally explain to my family what it is that I do! Sure, I can rattle off my elevator pitch, but I still get the “huh?” looks from (as Deputy Secretary of Defense William Lynn III confessed membership to this week) “non-digital natives” (read “those who love iPads but don’t know how they work”) in my family. You see, none of us have ever seen a bit or a byte, and some folks have a hard time envisioning what all the fuss of securing and protecting them is about. But thanks to the evildoers who wrote the Stuxnet code and launched it last July, this is now a concrete piece of malfeasance. Stuxnet was the first masterpiece of malware designed to deliver physical damage to equipment. Done are my days of explaining how information is both an individual’s and a corporation’s most vital asset. Now I can talk real collateral damage, and moreover, what we as information security professionals are doing about it.
Stuxnet was targeted at a set of Iranian uranium (say that 3 times fast!) enrichment centrifuge facilities, or more directly, the programmable logic controllers that dictated how fast these sensitive and expensive enrichment devices would spin. Stuxnet in effect told the PLCs to spin far faster than their design limits would allow, causing catastrophic damage to 20% of the devices and setting the entire program back several years. With the line between digital and traditionally analog (or even – gulp- mechanical…remember the internet enabled refrigerator a few years back?) lines being ever blurred, I think I am better prepared to answer something other than “I am in high tech” at my next family reunion. Maybe I can just post my status on Facebook. Social media has leapfrogged search engines as a web destination!
And speaking of infiltration, I was able to penetrate the inner sanctum of an informal hackers’ chat at one of the after hours parties in SOMA. While finding the back room with velvet couches and 8X10 glossies of the club owner hanging out with Carlos Santana and James Brown wasn’t easy, identifying this group was. Even without any keyboards or network access, these folks were practicing their dark art of getting into things that were supposed to be secure (in this case a locked cabinet). This time the Schlage bolt ruled the day but I wouldn’t bet against this group’s ingenuity in the long run. Fortunately this group is on the side of Infosec, but it doesn’t take much to defeat even the most modern protection measures. Today I learned that current antivirus solutions run about 10 million lines of code (up from 1 million lines of code 10 years ago). And even the best A/V solutions can be defeated by just 150 lines of malware code, according to Symantec’s Enrique Salem. So I am glad to have this group on my side. I just wish there were more of them. The DOD’s Cyber Command now recognizes cyberspace as a new domain of warfare, and that it is just as deserving of proactive defense as the air, land or sea. We need these fertile minds now more than ever. According to Lynn’s keynote, Al Qaeda has vowed to launch a cyber attack, but hasn’t yet. I will sleep better tonight knowing the information and infrastructure that we depend on for national security, the power grid, and our financial institutions are not taken for granted and are codified under the five pillars of US Cyber Command Lynn described.
Beyond the megatrend of cloud computing, Wikileaks is another common denominator. I can’t wait to hear the lecture (when did this word take on a positive connotation?) on the breakdown of perimeter security with Julian Assange’s wispy profile providing the sinister backdrop.
Tomorrow is another day with the promise of illumination of a different kind…the storms are passing and I hope to see my shadow before returning to the Pacific Northwest and its promise of 6+ more weeks of winter.