The Only Constant


>> ANNOUNCER: And now, please welcome Chief Executive Officer RSA, Rohit Ghai.

>> ROHIT GHAI: This is our story. A story of change. Now, change is a constant, but it is not the only constant. And everybody wants change, but nobody wants to change.

We human beings reluctantly seek to transform in order to survive disruption. But I think we’ve come to use these terms loosely. Disruption is an unexpected external change. Unless it's a surprise, it's not disruption. Transformation is a rapid, intentional, internal change. Unless it's fast, it's not transformation.

Disruptions catalyze transformations. Simply stated, we humans are not very good at hurrying through change unless we get a kick in the pants. Vaccines don't get made in a year unless the specter of a million deaths looms. Friends, welcome to RSA Conference 2022.

It's so great to be back in 3D, isn't it? Yes? Look, and we certainly should not take this for granted. And our theme this year is transform. And this conference that you love and power is going through its own transformation. Crosspoint Capital has joined existing investors Clearlake and Symphony Technology Group to invest in evolving and growing this platform for all of us.

And now it’s a 100% independent company and business and will be an enduring force for the cybersecurity community. Now, since we met in person, there have been countless disruptions in the cyber physical world. The 2019 World Economic Forum Global Risk Report had no mention of a global pandemic. The 2021 report did not say a thing about a war with Russia. Surprise. Disruption.

Now, what is not a surprise is that these physical disruptions created digital ripples. The pandemic triggered a massive acceleration of digital. We all know that. Now it's a digital transformation. Before that, it was a digital “I will take my own sweet time” kind of change.

The Ukraine-Russia war has a big cyber component to it. Did you know that the Ukrainian volunteer hacker army is three times the size of its physical army? Now on the digital front, last year has been the year of ransomware, supply chain attacks, and disinformation campaigns. And guess what? These digital disruptions have spilled over into our physical world.

You all remember the massive lines at the gas stations after the Colonial Pipeline hack? So, what does all of this mean for us? Well, despite all this talk about balkanization and about how far apart we are, we live in a hyperconnected world, where the physical and the digital are now indistinguishable. So even if you live in Taipei, you need to worry about what is happening in a classroom in Texas. And even if you shop in Santiago, you do need to care about the closure of eight hundred Swedish supermarkets due to the Kaseya cyberattack. Okay? So, all of this is pretty scary. And I don't know about you, but I have a teenager at home and I can barely keep up with the disruptions on the home front.

How on earth are we going to keep up with this torrent of global disruptions? Well, disruption is a tough but fair teacher in the Darwinian school of survival. Disruptions shape transformations in three ways. They show us what does not change.

The constants. They crystallize what matters most. The imperatives. And they debunk wrongly held beliefs. The dogmas. So, friends, over the next few minutes, let's review three simple insights we may learn from a global cyber disruption.

First, care about constants. So, in a world enamored with change, why should we care about constants? Well, constants are the basis for scientific progress. If disruption is a tough teacher, constants are that good friend that you can always go to for help to survive that class. Amidst change, constants anchor us.

They build – they help us build solutions. They give us a platform to build solutions. Let's review an example. When the global pandemic hit and a new pathogen ravaged our world, we needed a solution quicker than traditional vaccines to teach our bodies how to fight it. Now, there are new pathogens all the time.

What stays the same though are the capabilities of our human body. That's the constant. mRNA technology leverages our bodies to make proteins that look like the virus to train our immune system. And this technology has been around for many decades.

But in 2020, its time had arrived. The pandemic was the impetus and several enabling technologies like nanotechnologies had finally arrived. So, by leveraging a constant, we developed and distributed a vaccine at warp speed. Disruption catalyzed a transformation. So, what remains the same in cybersecurity? What is our constant? Well, in cybersecurity, we protect the ability of humans to use technology to access or create information.

Now, information changes all the time and is growing exponentially. In fact, just the last year, we have created more information than in all of the years of our existence. And technology powered by Moore's law is ever changing.

And until Siri or Alexa start writing code, I think technology remains vulnerable. So, there will be new technology. There will be new vulnerabilities.

There will be new exploits and there certainly will be malware that leverages those exploits. Don't get me wrong. Shifting left, creating a more resilient infrastructure, faster disclosure of CVEs, and faster patching, very positive. But we are playing whack-a-mole. The code we write and run, our technology, changes exponentially faster than the code that runs us, our genetic code.

What remains relatively constant is us humans and how we think and act. As a sector, we have been built for reactivity, chasing after the next vulnerability or the next threat or the next one. Or the one after that. Instead, to transform, we need to build solutions based on the one constant in cybersecurity.

Identity. And the case for this argument has also been staring at us for decades. Most cyber attacks occur due to compromised identity.

Most attacks can be blocked by multi-factor authentication. And have you tried to buy cyber insurance lately? Today, they will not even sell you insurance if you don't have MFA. So, similar to mRNA, MFA was first commercially introduced several decades ago in 1986.

We at RSA would know, we pioneered it. And despite consistently being the number one recommended cyber resilience measure by the smartest amongst you, why are we still at 50% adoption of MFA even in the enterprise? Well, there have been several barriers to adoption. The lack of open standards, the user experience, the inertia around passwords have certainly held us back. But now with the maturation of passwordless technologies like FIDO and the evolution of open standards like OpenID Connect and SCIM, I think it is finally time to hold a requiem for passwords. How many cyberattacks are we going to tolerate before we adopt MFA for 100% of actors on the network? Look, while MFA is important, it is not enough.

In a zero trust world, we need to manage the who, the why, the what, and the when of identity in one platform. And while a best-of-breed strategy may work in other areas, in identity, the best approach is to use an infrastructure-agnostic, independent platform, a platform that delivers 360-degree coverage across access, authorization, identity lifecycle, governance, all of it. And as we look to the future, we have to worry about applications like Web 3.0-based applications, blockchain-based applications. And in that world, we need to put the control of a user's digital identity back in their hands by decentralizing it. Identity is the one constant in the world of cybersecurity.

Okay. Insight number two. Identify the imperatives. Disruptions are great at differentiating the important from the imperative. They shine a light on what matters most. In 1960, life in Chile was disrupted by an 8-plus Richter scale earthquake and the death toll was more than 2,000 to 3,000 human souls.

Five decades later, in 2015, another 8-plus disrupter shakes Chile and several aftershocks of 6 and 7 follow. The death toll? Less than fifteen. So, how did Chile become the world's model for earthquake and disaster preparedness? General Ricardo Toro, who had, by the way, lost his wife in Haiti in an earthquake, led the charge based on two insights.

Number one, infrastructure damage, economic recovery, important? Absolutely. But the imperative, the most important thing you protect in an earthquake, is human life. Number two, earthquakes don't kill people, buildings and tsunamis do. So, systematically, they changed their building code, implemented a clear evacuation protocol, and reduced human casualties by 100X. 100X relative to Nepal or Haiti.

So, what is the imperative in the context of cybersecurity? Well, during the pandemic, CISA identified sixteen critical infrastructure sectors that are, well, important. And critical. Even during a cyber pandemic, we must protect these sectors to ensure humans have access to their basic needs, food, water, healthcare, transportation, et cetera. Now, in cyber, while IT infrastructure is very important, it can be rebooted and replaced.

But if information is lost, it is irreplaceable. More significantly, though, if information is tampered with or if misinformation is spread, we get lost. Hacked brains are way more dangerous than hacked systems. And our traditional mission has been the confidentiality, integrity, and availability of information. Addressing this is largely a matter of disciplined application of technology. The new frontier, though, is the veracity of information.

And addressing this will require invention. Take the recent and apparently still current Twitter saga. The intent of Mr. Musk to open source the Twitter algorithm to protect free speech, admirable. The focus though, has rapidly shifted towards identifying the number of identifiable humans on the platform versus bots or cyborgs.

This is pivotal to understanding the veracity of information on the platform and thereby the valuation of the company. Free speech, enabling different versions of opinions on the platform, very important. But it is imperative to not allow different versions of facts. Disinformation topples governments, it kills companies, it causes wars, it heats up hate until it boils over. And it can destroy the very fabric of humanity.

Let me clear some things up. Contrary to what several social media posts have claimed, President Zelenskyy has not surrendered to Russia. And when Maverick says "Don't think, just do," it is the real Tom Cruise speaking, not his deepfake doppelganger, TikTok Tom.

And Kanye West, or whatever his new name is, is not giving out free Bitcoin or any other crypto for that matter. Ah, I so miss those days when crypto used to mean plain old cryptography. But I digress. So, how do we fight disinformation? Well, there is now active and amazing research in this field. Algorithms are being built to blunt the weaponization of information.

They analyze things like timing, frequency, tone coherence, and they triangulate information against verifiable sources. But even as these algorithms are developed, common sense, ladies and gentlemen, remains the most powerful – most powerful weapon, I should say, against disinformation. And one more thing. The best way to authenticate content is to authenticate the creator of it.

The brightest signal regarding if a piece of information is true or not is the source of the information. Who created it and what is the reputation of the creator? Identity to the rescue again. The veracity of information is the absolute imperative in cyber security.

All right. Third insight: Ditch our dogmas. Disruptions debunk dogma and legacy thinking. Sacred beliefs suddenly get upended and we somehow put up with things we never thought acceptable.

We don't bat an eye at not being able to carry a bottle of wine in our carry-on luggage. After spending decades obsessing over privacy, we somehow get comfortable with sharing our most intimate medical data and allowing contact tracing. We give up our entitlements and our conveniences for the right reasons. But it took a 9/11 and a pandemic for us to accept those reasons. In cybersecurity, we have faced this tradeoff between security and convenience. And dogma tells us to prioritize convenience over security.

Maybe what a cyber disruption tells us is that we should always prioritize security over convenience. Look, I'm not saying convenience is not important. It absolutely is. What I am saying is that we need to stop sacrificing security at the altar of convenience. The level of digitalization of our world has crossed that threshold where the risk of doing so outweighs the rewards.

The gluttony of convenience sometimes obscures our ability to see its unintended consequences. We live in the time of the fourth industrial revolution. There are massive technological forces at play: pervasive connectivity, artificial intelligence, decentralized edge computing.

For the first time perhaps, the rate of change of technology is outpacing the human capacity to adapt and consume it responsibly. The regulator and the innovator both have to help. And governments are certainly taking note. The regulator is working to ensure that we don't get ahead of our skis. The SEC recently made moves to demand responsible disclosure and board governance of cybersecurity.

The executive order here in the US, Australian Critical Infrastructure Uplift Program, France's Cyber Alert System, UK's Bug Bounty, very, very notable moves in 2021. But the most important role is that of the innovator. Let's take an example. An electric car.

These days, we don't think twice about spending thirty minutes to charge our electric vehicle on a drive from LA to San Francisco. Why is that? Well, we accept thirty minutes at the charger versus five minutes at the pump not just because we care about the climate. Instead, the innovator grows the pie and delivers new benefits. Autonomous driving.

Personalized, accurate insurance premiums. And my personal favorite, dog mode. The car detects that there is a pet in the car and turns on climate control. Innovation. Similarly, in cybersecurity, we need to reframe our goal as security and convenience and innovation. These could be personalized cyber insurance premiums, privacy, perhaps something else.

Let's grow the pie rather than debating how to cut it. We need to ditch the dogma of security or convenience. All right. So, friends, let's bring it all together. Let's bring it home. Let's review the three ideas we explored with our time together.

First, identity is the one constant in the ever-changing world of cybersecurity. Second, what matters most and what we protect is the truth, the veracity of information. Finally, we need to stop believing that security versus convenience is a zero-sum tradeoff. A crisis is a terrible thing to waste. Look, I don't know if these three ideas are the perfect lessons to learn from a cyber crisis.

But do we need to live through one in order to not waste it? I ask you, are we really going to wait for a cyber pandemic to transform security? Though a cyber crisis may not cost as many human lives, it would spread much faster, at the speed of light versus the speed of humans. It could have a massive and debilitating societal and economic impact as it takes out critical infrastructure. When our physical world got disrupted, we went online to remain productive and remain connected. If our digital world is disrupted, where would we go? What would we do? Transforming security will require us to reorient our thinking from being infrastructure centric to identity centric and information centric.

It will require us to be mindful enough to care deeply about constants, astute enough to identify and focus on the imperatives, and brave enough to ditch our dogmas. Transform we must, reluctantly or otherwise. Our survival depends on it. Let's be authors and not just readers.

This is our story. Let's not allow anyone else to write it. Thank you.

2022-06-12
