Security Convergence: Hackers, Gurus and the Military
September 1, 2009
I just returned from Las Vegas and the Black Hat and DEFCON security conferences. Upon registration at DEFCON, a hacker convention originally started in 1993, I received some unique instructions that read: “Don’t use the wireless network at the hotels (Caesars Palace / Riviera) and definitely don’t use the cash machines; they’ve been compromised.” So began an interesting week of sessions and meetings. It was an intriguing mix of gifted programmers (good and bad), leading-edge vendors (Black Hat), military, government and intelligence agency leaders, venture capitalists and industry luminaries. John Stewart, chief security officer at Cisco Systems, summed up the environment well at an early panel when he said, “We need a simple security handbook so everyone can understand this cultural transformation.” That is security convergence in a nutshell.
Rod Beckstrom, the recently departed Department of Homeland Security director of the National Cyber Security Center and chief executive officer of ICANN, introduced “Beckstrom’s Law” as a principle to align security spending with risk management. In short: “The value of the network is equal to the net value-add of each user’s transactions, summed for all users.” The example was a private golf club where players pay a certain amount (membership dues) to limit the number of critical transactions (tee times). This is not a social “Facebook”-type model, where any number of “friends” may provide no value at all. If the key is to measure a security investment with the goal of reducing losses, one must identify the critical transaction priorities and spend accordingly. In fact, firewalls were discussed as a budget item that protects a perimeter that no longer exists. The message? Some security spending wastes money, and security requests must be justified with a business model (transactions).
From a priority standpoint, corporate espionage was a recurring theme affecting companies of all sizes. More so than cyber attacks against systems, this involves traditional insider theft. The Venture Capital panel focused on “security services” (enterprise integration) as a key area of industry demand.
Aligning with this trend, “Cloud Computing” was highlighted in numerous sessions. Bruce Schneier, the chief security technology officer of BT, London, and an author and industry visionary who was described by The Economist as a “security guru,” noted that the Cloud is a new form of the timesharing (1960s) and client/server (1980s) architectures. According to Schneier, the fundamental issue at its core is trust. He added, “This is the future of computing. Don’t think for a minute this will not be the model in a few years.”
Deputy Assistant Secretary of Defense Bob Lentz, chief cyber officer for the Department of Defense, had some advice for integrators when he said, “Physical and logical security must converge around identity assurance. This is the most important issue we are working on at the Department of Defense.” Successful integrators understand that technology cycles originate in government (and specifically military) programs and represent an excellent indicator of pending business cycles.
The next step in the process of holistic security solutions evolves beyond physical and logical security convergence and integrates cyber protections. This involves software and hardware solutions along with human intelligence and security investigation work. The “espionage” issue cuts to the core of a company’s bottom line and industry reputation. It is very much a national security issue.
Lentz concluded with a question that all security integrators must ponder when he asked, “How do we leverage Web 2.0 and Cloud services?” If you don’t know, I suggest you Google “Cloud Services,” understand Beckstrom’s Law and subscribe to Bruce Schneier’s blog (www.schneier.com) or free monthly newsletter, the Crypto-Gram, which is in its 10th year of regular publication.