RSA 2019 RECAP: TOP TAKEAWAYS AND TRENDS TO WATCH

In early January, The Chertoff Group released a series of predictions around key cyber threat, policy, and market trends shaping the landscape in 2019. On the tails of the RSA conference, here are our thoughts on how those predictions are faring and highlights of important trends to watch:

1. How Do I Make Sense of the Cybersecurity Tradespace? Help Is on the Way
   • Many organizations struggle to understand whether their security investments provide an effective defense, and a key RSA theme was the need for greater transparency on security tool coverage for different threat behaviors; knowing this helps organizations understand what impact proposed investments will have on risk reduction.
   • The security community is embracing the MITRE ATT&CK model, and new products and services are emerging to provide better, more transparent alignment to actual threat behavior (note: the ATT&CK framework defines major threat actor groups, maps them to their known tactics, techniques and procedures (TTPs), describes their preferred target operating systems).
   • This trend toward more sophisticated threat modeling will drive product and service differentiation based on the ability to address threat actor campaigns, suggest mitigation strategies and validate the people, processes, and technologies that mitigate these TTPs.
   • The Chertoff Group leverages the power of MITRE’s ATT&CK framework to help ensure that clients derive maximum risk reduction value from their security strategy, build confidence in program effectiveness, and achieve resilience, all while streamlining organizational resources towards top priorities.

2. Supply Chain Risk Management Gains More Traction but Efforts Are Needlessly Disaggregated
   • For decades, adversaries have used the defense industrial base supply chain to target the Pentagon; that same approach has now expanded across other critical infrastructure sectors as a mechanism to target banks, electric utilities and other companies.
   • Government agencies and companies are working to gain greater visibility into security performance of their suppliers (and trustworthiness of sub-suppliers), but the lack of standardization on third party risk management means this vetting process is unnecessarily painful for many suppliers.
   • On a technical level, the increasing sophistication, diversity and speed of code development continues to expand the software supply chain risk surface. Threat actors exploit the opacity of the software supply chain to subvert traditional security controls and compromise networks. Impacts can be broad and severe as demonstrated in notPetya and other recent attacks. There were a number discussions at RSA on how to build greater transparency and trust into software lifecycle management “ expect to hear a lot more about “software bill of materials” and application security orchestration technologies in the coming year.
   • See also TCG’s podcast on software supply chain risks: “Weak Links: Managing Risks in the Technology Supply Chain” for further perspective on how to mitigate these risks.

3. Effective Risk Management Is Becoming a Differentiator for More and More Customers
   • Trust was a key theme at the conference this year – RSA President Rohit Ghai emphasized that restoring trust in the digital world is not about eliminating risk, but about understanding, prioritizing and managing it.
   • The concern over security and privacy is more prevalent than ever before. Industry and government must collaborate to build a more secure environment, mitigate risk, and build citizen trust in government and consumer trust in business. Trust is fundamental to sustaining growth while properly addressing security and privacy concerns.
   • Customers will, therefore, not only increasingly look for assurance that service providers and their government have cybersecurity programs in place but will also be looking beyond compliance-based measures to proof of actual effectiveness. As predicted, this remains a key differentiator in the commercial space.

4. Federal Data Privacy & Security Legislation Are Top of Mind for Big Tech
   • Many technology companies agree that a federal law governing the collection and use of consumers’ data is essential.
   • While there are several points of disagreement on what the law should cover, interest is high on both sides of the aisle in Congress to do something on the federal level to protect consumers, said a panel of policy executives from Google, Microsoft, and Twitter at RSA Conference.
   • Our Executive Chairman, Michael Chertoff, has outlined a few principles to help ensure the United States protects its citizens from the loss and misuse of their personal data while incorporating the United States’ own unique understanding of constitutionally-protected privacy and free speech.

5. Increasing Threat of Nation-State Attacks Highlights Lack of Forum for Private-Public Coordination
   • Three of the industry’s largest incident response vendors — IBM X-Force, FireEye and CrowdStrike — shared troubling developments about nation-state threats during a panel discussion at RSA.
   • Leon Panetta, the former secretary of defense and former director of the CIA, warned that Russian and Chinese state financed hackers are starting to work together and share technologies to produce sophisticated cyber weapons.
   • As we highlighted in findings from the Cyber-Enabled Economic Warfare exercise, unless government and private sector decision makers begin developing CEEW-specific procedures and trust now, the United States will find itself flat-footed during a major cyber event. 

6. Application of Biometric and Facial Recognition Technologies to Operational Security Environments
   • Biometric and facial recognition technologies have reached a level of maturity that has led private sector and government entities to apply the technology in operational environments, including at the US border and at major entertainment events.
   • In a session entitled “Use of Facial Recognition to Combat Terrorism,” Jonathan Cantor, Chief Privacy Officer (Acting) for the Department of Homeland Security, Debra Danisek, Privacy Officer for US Customs and Border Protection, and Michael Hardin from the Office of Field Operation from Customs and Border Protection discussed the Department of Homeland Security’s use of these technologies for border entry and exit as well as the accompanying privacy and security concerns.
   • These technologies are also being deployed at concerts and sporting events to identify potential criminals, terrorists, and individuals who have been banned from particular venues.
   • These deployments come amidst the recognition that such technologies continue to deal with in-built biases, often the result of the samples being used to train algorithms and some of the technological limitations of the current generation of technology.
   • Deployment of these technologies will only increase given the potential value of these technologies to identify potential threats, speed security screening processes, and allow for automated entry/exit tracking in the border, but technologists and policy makers must move to address issues of bias, privacy, and false-positives in order for these technologies to be successful.