News from RSA 2018
Private sector's pledge to renounce offensive cyber operations.
The Microsoft-led initiative in which thirty-four companies signed an undertaking not to engage in offensive cyber operations hasn't, for all of its good intentions, received uniformly positive reviews. The agreement was featured on the Conference's opening day. Some observers think it resembles other large-scale resolutions and legislation in that it fails to make necessary distinctions, and fails to do justice to the complexity of computer network operations.
One such complexity involves the familiar problem of dual use. Some security legislation and international cyber non-proliferation agreements (Wassenaar prominent among them) have come under criticism for the possibility that they might unintentionally criminalize legitimate vulnerability research, for example.
Other issues raised concern the undertaking's lack of teeth (it is after all a voluntary avowal of intentions) and the signatories' lack of involvement in delivering offensive cyber capabilities to governments.
A warning concerning state-directed cyber operations.
Early in the conference US Secretary of Homeland Security Nielsen, while expressing hope that nations would evolve some sensible norms to restrain them in cyberspace, made it clear that the US had offensive cyber capabilities and would be willing to use them in response to an attack. (In a conversation this morning the Chertoff Group's Adam Isles characterized Secretary Nielsen's speech as the Administration's way of laying down a marker that consequences would be imposed on nations who conduct cyberattacks against the US.)
Yesterday European Commission Vice-President Andrus Ansip described the real and current threat of nation-state cyber attacks with the hard-won, disillusioned clarity an Estonian official usually brings to the matter. He called out numerous examples of Russian offensive operations in cyberspace (and it's noteworthy that he included descriptions of that country's recent information operations, especially the disinformation surrounding the Salisbury nerve agent attacks). He offered a warning near the end of his presentation concerning the necessity of preparing for full-spectrum cyber conflict: "If we fail to do so, if the West fails to unify, we risk being exploited by those who would use cyberspace as a weapon to harm our free and open societies and economies. By not acting, we make ourselves an easy target."
Reflections on the sector's labor shortage.
We spoke yesterday with Booz Allen Hamilton vice president Chad Gray about his company's just-released Cyber Talent Survey. That survey calls out the pressure businesses feel from investors and boards to take ownership of their cybersecurity, and it observes that this pressure has in some cases driven companies into short-term solutions that can have long-term deleterious effects. Gray cautioned against thinking that technical solutions would be able to do more than augment human talent. Some functions can, and will be, de-skilled through automation, but the net effect of such advances will be to increase the efficiency of an organization's human talent.
That there is a talent shortage seems clear, but it's not simply a special case of some more general shortage of technically skilled workers. The shortfall, he said, "is driven by more frequent, more sophisticated attacks," and especially by "repurposed nation-state tools being used by criminals." It's the protean, adaptable quality of the threat that makes it difficult for security practitioners to handle. They need to stay current and engaged, since the opposition's tactics shift and require new skillsets of defenders.
"Top talent attracts other top talent," Gray observed. Experts in various domains cross-pollinate when they work together on teams. It's important to rotate experts to face different challenges, lest their skills grow stale. This isn't a matter of creating career paths, he noted. There's no reason a highly skilled analyst, for example, should have to become a manager. But there are many reasons to give that analyst fresh opportunities to work against new and emerging threats.
Booz Allen is a strong believer in the value of wargaming, not only in training and response preparation, but also in vetting talent. They make particular use of their game "BREACHED" in the course of executive training provided to their customers.