It’s now over a month since I boarded a flight back to London from Las Vegas, following four roller coaster days of meetings, presentations, parties and, unfortunately, for the first time in my life, jet-lag. As the haze lifts and my mind begins to absorb the vast amount of information I gleaned at Black Hat and B-Sides, I’ve started to reflect on what I took away from two very different events.
Privacy versus convenience
Privacy was, perhaps not unexpectedly, a major theme at both Black Hat and B-Sides, and was highlighted by two high-profile keynote speakers. During his opening presentation at Black Hat, Dan Geer drew attention to the ‘right to be forgotten’ ruling recently passed against Google in Europe. Geer is an advocate of the ruling but feels it doesn’t go far enough – he stated that there is something very important about being able to reinvent yourself and that individuals should be able to misrepresent themselves should they wish. In a surprise appearance at B-Sides, John McAfee took to the stage to lament the fact that we have sacrificed privacy for convenience – with Facebook, Google and the NSA knowing more about us than the people who are close to us. Both presentations provided an uncomfortable reminder that our technology-driven lives really are causing us to continually ‘leak’ personal information about ourselves, and that as individuals we should be focusing on developing our own information security policies and procedures.
It’s good to share
The challenge of information sharing within the information security industry was another important issue that frequently came up, both in the individual conversations I had and in a number of the conference sessions I attended. We all know that the cyber adversary is increasingly agile and sophisticated, but the cyber security industry is only sharing breach information on an ad hoc basis, limited by a fear of reputational damage, impact on the bottom line, legal prosecution… the list goes on. Dan Geer raised the question of mandatory breach disclosure and compared the information security industry to the aviation sector, where information is shared openly, ensuring the entire industry learns lessons and gains access to detailed information about what went wrong. Informal networks for information sharing certainly exist within the information security sector, and reports like the Verizon Data Breach Investigations Report provide valuable insight into cybercrime threats. But is it enough? Whether it’s collaboration between government and industry, or between businesses, open sharing continues to be a major challenge. Surely, until businesses and governments are able to share information openly, the cybercriminals will continue to have the upper hand. With information sharing legislation pending on both sides of the Atlantic, it will be interesting to see how this challenge develops.
Infosecurity skills
I also heard a great deal of discussion around the skills shortage in information security and how to engage the next generation. In a chat with James Lyne, he highlighted the fact that although young people today know how to use devices and apps, they don’t know how that device or app actually works – in contrast with previous generations, who spent time tinkering with the mechanics of computers and operating systems, developing core skills and understanding that provided a foundation for a future career. Today I have yet to meet a parent who would encourage their child to take their iPad apart. So how can the information security sector engage children at an early age? I would argue it’s already happening. Anecdotally, I was thoroughly grilled about my Facebook privacy settings when I asked my 10-year-old god-daughter if I could post a picture of the two of us – her class had been discussing privacy and social media. The UK computing curriculum will include a greater focus on programming, providing youngsters with essential skills. Initiatives such as the Cyber Security Challenge are already doing much to raise awareness of cyber security career opportunities. The UK’s National Cyber Security Programme is focused on developing the UK’s cyber skills and capabilities, demonstrated by GCHQ recently certifying six Master's degrees in Cyber Security. So much is being done that, whilst it might not solve the short-term problem, will certainly do much to produce the information security practitioners of the future. As security is increasingly recognised as a ‘social’ issue, I expect that interest in the varied and interesting opportunities a career in information security can provide will naturally grow.
The vibrancy and creativity of the information security industry was clearly evident at both Black Hat and B-Sides. These are challenging times for the information security sector; however, the enthusiasm and passion for the industry among the professionals I met is infectious. It’s no secret that the cyber adversaries have the upper hand at the moment, but I suspect that a collaborative, highly skilled information security community will fight back with a vengeance.