Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, I'm Anna Delaney with ISMG. I am with my colleagues, Mathew Schwartz and Tony Morbin, at the ISMG studios after a successful couple of days live at Black Hat, 2023. You've attended some of the sessions, Mathew. What were the highlights for you?
Mathew Schwartz: I'll emphasize the keynotes, and I'll preview that by saying I was here last year, and it was recovering still from the pandemic. This year, there are a lot more people than there were last year. It started with Ollie Whitehouse of the National Cyber Security Centre, talking about current challenges, what needs to be done, what his hopes are. Charging the audience with a bit of a mission about things that they could do, including working with and engaging with the government, finding out where there are problems, highlighting those problems, and trying to build consensus solutions for them. We had a wonderful keynote from Joe Sullivan, the former CSO of Facebook, Uber and Cloudflare. The Uber tenure is what got him convicted of a data breach cover-up, and he went to the stage to share some lessons learned from the case against him, with a bit of a call to action to the cybersecurity audience saying, choose your own destiny, choose your own future here, you can't be technologists, you've got security in the title - when you're a CISO or CSO. We need to transform that from someone who's seen as shepherding technology to someone who is truly driving the board - not doing presentations in front of the board, but arguing with the board when necessary, helping drive the strategic direction of a company. So, two excellent keynotes that really engaged with the audience and said, here's where we are, here's where I think we need to be tomorrow, are you with me?
Delaney: Tony, you had a few interviews here in the studios, any that stuck out for you?
Tony Morbin: I would say Joe Sullivan. I thought he was excellent, and we were discussing the whole area of responsibility for the CISO. He was saying that he's had a couple of people saying to him, "do I really want to be a CISO?" That's both people who are looking at becoming a CISO and actual CISOs. That's on the back of not only his own experience but also the recent case with SolarWinds CISO and the new NIS directive, which is bringing in personal responsibility and liability. The issue he had, which reflects his experience at Uber, was you're being given this responsibility, but are you being given the authority to actually deal with it? So, it's good to be at the top table, and we do want management to be held responsible for these things. Does that mean only giving it to the CISO? Or, should the CEO or maybe some other members of the board be there alongside them? That really was the issue. It's good to have responsibility, but you've got to have the authority to do it, or you can't be accused of being negligent if you asked for controls and were denied them.
Schwartz: Jeff Moss, the founder and creator of the Black Hat conference, serves as the emcee and introduces the keynotes and does a closing Locknote each day. He had some very interesting things to say; he sees the appetite changing. For example, in the United States, people are sick of data breaches, governments are sick of data breaches, and he thinks we're going to see a regulatory focus on this. He thinks that congressional staffers and lawmakers are digital natives now. We've also got the cryptocurrency discussions that had been happening. He sees much more of an appetite there based on what has been happening with cryptocurrency, attempting to regulate it, perhaps discussions already happening with AI, not necessarily in an advanced state, but it's happening. He foresees greater regulations looking at outcomes, for example, stopping data breaches, perhaps some tough measures to make that happen. When that happens, the CISOs are going to have to have more power or companies are going to be in big trouble.
Morbin: Long term, the regulation is going to be there and we are going to get the government and private sector reaching that level where they should be. However, it could be very rough along the way, and there may be a few sacrificial lambs.
Delaney: Were there any surprises that came up for you?
Schwartz: From a research standpoint and going to some of the briefings at the conference, there were no sessions outright about ransomware, which has been a huge topic in recent years. There was only one session on artificial intelligence being used to train side-channel attacks in tactics that we've seen before. However, the AI was doing it in a very useful - if you're an attacker - kind of way. It was interesting that we didn't see more of that; I think we will. I don't know how the research comes in. Some of the members of the review board told me they're not seeing much on the application security front, which is a big surprise to them. Thus, it's hard to know what to reverse engineer from all this or how to deduce what is and is not happening. However, the lack of AI was a surprise for me.
Delaney: How about you, Tony, did generative AI come up a little bit?
Morbin: It was not so much the lack of AI; AI did come up in every discussion. However, it came up as just a fact. At the last ISMG event that we were at in London, there was a real buzz of excitement about how AI had transformed the industry. It's quickly become business as usual: "AI? Oh, it's just automation down the road from where we were with machine learning. It's a little bit moved on. Plus, we already had AI anyway, and now it's just that generative AI large language models are available." It was interesting that it has just become a norm, a part of automation, and the hype is lessened. But, it's still there.
Schwartz: Jeff Moss had a great point, "what do we mean when we say AI?" I had a conversation with a researcher who was talking about virtual kidnapping, where you SIM swap a target - a child - knock them offline, phone the parent, and say, "I've got your kid, you're going to transfer me some horrible sum of money, or bad things are going to happen as soon as I hang up this call." It's all virtual, thankfully, it's not real, but it's horrible! He was saying with AI - by which he meant the ability to spoof voice, perhaps video - you have techniques that can be easily brought to bear to create more industrialized approaches to fraud. That was the voice and the video aspect of it. Moss was talking about how you have AI as a probability engine, for coding, for example, or all sorts of applications. That is also AI. His big takeaway was "we need to mean what we say when we talk about AI," because if we're trying to regulate it, these are very different kinds of areas, and we don't want to confuse or unnecessarily water down the discussion. We need a lot more nuance for what's being lumped into AI now.
Morbin: I'll say one more thing on AI. Bugcrowd, ethical crowdsource hackers, were saying that 94% of attackers are using AI now. It has become part of the repertoire.
Delaney: I was talking to the CISO of Zscaler; he was saying most organizations are embracing AI. They're happy to do that. However, nearly 100% of them know the risks, and they are fearful of this technology. Thus, you get that dichotomy there.
Schwartz: At the summit in London that we held, we had CISOs grappling with what does this mean? Where do I need to put guardrails inside my organization? If it's for insurance, we hope that we're training our system with ethical data, but we need to look at all these things before perhaps we do something that might get us in trouble as well.
Delaney: Something that was also reflected in the RSA Conference, "old is the new." Old vulnerabilities are the new vulnerabilities. We were talking to researchers here in the studios about IoT devices and OT devices that have vulnerabilities there. The importance of security by design, continuously testing and monitoring these products.
Schwartz: One of the discussions I had was on quantum computing, and there's concern about what we're going to need to do. There was a project for which the research was presented here to help organizations figure out where they have cryptography now, so that if they do need to go to quantum, they have a better idea of what to swap out. However, it identified a more pressing concern, which is if something happens to your current cryptography library, even before we get to quantum, having the ability to switch that out. We've seen unexpected events occur previously in the cybersecurity realm, and having an increased amount of agility there would be helpful.
Delaney: One of the biggest surprises I discovered here was some research from Omdia about decision makers. Europe is faring better when it comes to their overall security posture compared to other regions of the world. However, staffing shortages and skills challenges are still up there, and ransomware, as concerns for European companies.
Schwartz: Thank you for that ransomware quote. I felt after all of the focus on crypto-locking malware in the last few years, they could've used a little bit here at the conference. However, it'll weave its way back in, as it always seems to!