Every industry has its rock stars and celebrities. IT security is no different, and I got to meet one of security’s biggest rock stars on Monday.
Backtracking just a bit here, I attended the Computer and Enterprise Investigations Conference (CEIC) 2013 over the past few days, where I not only learned a lot more about cybersecurity, but had a lot of my own personal assumptions and concerns verified. (I’ll be talking more about what I learned in the coming days.)
The keynote speaker for the conference was General Michael Hayden, former director of both the NSA and CIA, as well as one of the country’s pre-eminent security experts. He’s one of these people who, when I see him on a talk show, I stop what I’m doing and watch, even if I’m just flipping channels.
His talk, as I expected, was engaging and enlightening. One of our biggest security problems, he said, was that security was never baked into the development of the Internet, possibly because it was not initially intended to be an open network. The original Internet, after all, connected only trusted sources. We know that is not the case now. So now we have to take this newly invented domain and figure out how to create security for it. Oh, and because security was an afterthought, all advantage goes to the attackers, or as Hayden said, the offense has all the advantage. Using my own analogy here, imagine a football game where the offense got to be on the field alone for the first half and then the defense was allowed to take the field in the second half. Serious damage has been done, but all the defense can really do at this point is prevent any more damage. That’s cybersecurity.
Hayden also talked about one of the major reasons why cybersecurity is so difficult to achieve – we the people aren’t quite sure who we want solving the security problem. Should government step in? Oh yes, of course, especially if we are put into danger by cybersecurity attacks. But oh no, government needs to stay hands off if there is any chance that this will affect my right to privacy. It is, Hayden said, the dilemma of cybersecurity, this Zone of Conflict (protection from attacks) versus Zone of Communication (protecting privacy and personal communications). His opinion is that government will not be at the center of solving cybersecurity, largely because of political culture.
During the talk, I got a text message from one of the people involved with my attending the conference in the first place: “Would you like to meet the General after the keynote?”
“Sure!” I wrote back, thinking that this would just be a simple meet and greet, the kind I’ve had with other celebrities and important people. I’d be introduced, say hello, great speech, safe trip home, and shake hands.
What actually happened was the chance for a one-on-one interview for 15 to 20 minutes. What I wanted to know – well, I wanted to know a lot of things, but what I wanted to know from his speech was this: When he said political culture, did he mean the current political climate or the culture of the First Amendment? He smiled and said, “Blame this one on James Madison and George Mason and the other important Virginians. Privacy is an American right, and we aren’t sure how to give that up, even in today’s unsecure Internet society.”
I agree with him, by the way, that until we can reconcile privacy versus protection, we have a long way to go to master cybersecurity.
(Oh, and for the record, I asked him his opinion about CISPA, and he agreed with me that we need to pass something.)