RSA Conference and the dismal nature of cybersecurity (Reporter's Notebook)

The RSA Conference gets larger every year: the cybersecurity industry is booming, and so is cybercrime. There's a disconnect here.
Written by Tom Foremski, Contributor

Walking around the giant show floor at RSA Conference (RSAC), I was struck by a thought: What a dismal industry this must be. If you are good at your job, you haven't created any new technology that makes processes more productive, or could be used to create new types of products -- you plug up the holes in the bucket that are known. You cannot reliably stop future attacks -- only the ones that are known. And for all that work, cyber crime continues to grow and prosper.

The cost of cyber crime is the loss itself (predicted to be $6 trillion a year in 2021 by Cybersecurity Ventures), plus the cost of buying the cyber security needed to bolt the stable door, plus all the engineers involved in developing the software, and then, on the customer side implementing it, all the sales people, field support staff, marketing, VCs, etc.

It all seems such a dismal waste of human energies that could be used for other things rather than trying to frustrate computer hackers who seem to have no problem getting around those brilliant defenses and gallant efforts.


Leon Panetta, the former secretary of defense and former director of the CIA, is an Oracle board member. Speaking at an evening RSAC-related event, he said that attacks by nation-state hackers are a huge problem. "Pay attention. National defense is not just the responsibility of government, everyone has a role."

His biggest nightmare is of a computer virus that attacks and disables US infrastructure. He estimates that such an attack could result in millions of lost lives -- it would be a digital Pearl Harbor.  

He warned that Russian and Chinese state-financed hackers are starting to work together and share technologies to produce sophisticated cyber weapons.

Panetta also warned about attempts to divide US society -- a reference to fake news in elections. But fake news is in the realm of cultural hacking. A meme acts like a computer virus, but it cannot be stopped with the same cybersecurity tools. I asked him if there were any defenses developed by US agencies against fake news, but he shook his head saying it was a different class of problem.


Oded Vanunu runs a team of more than 200 people researching product vulnerabilities for Check Point. He says that nation states are well ahead of the cybersecurity industry in terms of discovering new vulnerabilities. There's no talent shortage here. He says governments pay well for the best talent and they have developed very sophisticated attack technologies. He believes that malware might already be implanted in many different places and could be triggered by a code.

"There are also many online markets that will pay people huge sums of money if they discover a vulnerability. Plus the rise of cyber-currencies makes it easy for criminals to hide their money," he says; both are fueling cybersecurity losses. Vanunu says the industry is behind and needs to catch up.



John Chambers, the former CEO of Cisco, is now a venture capitalist. He said computer security professionals had nothing to worry about from job losses due to AI and other technologies. He predicted that at least 30 million jobs would be lost over the next ten years because of AI.

He said the problem with cybersecurity is that CEOs don't know if they have spent enough money on protection and they don't know how much protection they have bought. One of his startups is helping companies figure out this question.


Oracle and KPMG released their "Cloud Threat Report 2019," and one of the many interesting discoveries was that cloud users seem to misunderstand their security risk.

The use of cloud-based IT has been boosted by the complexity of the security architectures and the difficulties in keeping up with the fast patching pace of new vulnerabilities. The report found that 73 percent believe the cloud offers better security than they can provide in-house.

But cloud users need to read the fine print, because, according to the report, they don't all understand that security is a shared responsibility:

"Confusion around the shared responsibility security model has resulted in cybersecurity incidents. A lack of clarity on this foundational cloud security construct has had real consequences for many enterprises, including the introduction of malware and loss of data."
