Privacy During COVID-19

In the past four months, we’ve had to adjust the way we interact and how we think about our health and well-being. This shift has drastically changed our vision of the future (what will life look like post-COVID? How much will it change?) and it has many wondering how technology will make a difference in this fight.

With the government and big tech companies rapidly coming up with new solutions to help flatten the curve, the unflattering spotlight is again focused on the privacy and security concerns surrounding new technologies. It seems that with every new solution comes another privacy infringement.

But in these scary times, when lives are at risk every day, do people really care about the increase in surveillance technology? What are we willing to give up to be safer? What will we sacrifice for a return to normalcy?

Where the Privacy Battle Began 

This isn’t the first time a major event has shifted our view on privacy and surveillance. It’s not even the first time this century. September 11th was the first major challenge and has defined the struggle between privacy and “safety” since. As the nation worked to implement a quick response to the attack, many ignored their fear of mass surveillance to help the nation rebound.

Post 9/11, privacy has dominated the conversation as the amount of surveillance made possible by new technology, like social media, smartphones and more, increases. As we moved into a new era of “surveillance capitalism,” more people — from the infosec community to privacy and human rights advocates — began to shine a brighter light on what was really happening behind closed doors. They pushed for the implementation of GDPR in Europe and the California Consumer Privacy Act. While these laws are far from perfect, they are a start to regulating an industry that has seen very few boundaries set by legislation.

Yet, despite the growing concerns around surveillance from Facebook and other Big Tech companies, 2.6 billion people still used Facebook in the first quarter of 2020. Facebook’s reputation may have taken a hit in the small — but growing — circles that are worried about privacy, but for the wider population the services that social media and internet-based technology offer seem worth the tradeoff. And this was before a global pandemic really hit.

The New Era of COVID-19 Privacy

As people began to quickly adapt to life during COVID, so did Big Tech. With everyone hunkered down at home, our computers and internet connections became the only ways we could interact with people outside our homes. Never before has being connected been so important.

Enter Zoom, a video conferencing platform that blew up at the beginning of the pandemic. From virtual happy hours to birthdays to almost any event, plus daily meetings, “Zoom” became a synonym for all video conferencing. Just as we were getting comfortable with Zoom, issues started popping up, from Zoom bombing to the lack of end-to-end encryption that led to credential stuffing attacks. Then it came out that Zoom was allegedly sharing personal data with Facebook. Suddenly Zoom was in a privacy crisis.

Zoom almost immediately hired Alex Stamos, former CSO of Facebook, as a security advisor to help with its security image. It also acquired Keybase, an end-to-end encryption company. Thanks to quick action during a crisis, the seas quieted down for a while. But another storm seems to already be brewing — around who gets end-to-end encryption and how much it costs.

Just as the Zoom headlines started to dwindle, another privacy issue took its place. Apple and Google released a contact tracing app. As soon as the partnership was announced, there were vocal concerns about another Silicon Valley scheme to monitor and possibly monetize the data of our daily lives. When faced with the option of using technology for contact tracing, many European governments are tied in knots about how the information and data collected is stored (centralized vs. decentralized). They aren’t too keen on private California companies being in control of citizen data and dictating policy decisions.

But this conversation goes much further than Google and Apple. With governments running contact tracing apps, many fear that things could get dangerous quickly. What would happen if governments were to start releasing people’s COVID status, as has happened in Cook County, IL? Will governments use this data for other purposes? Are government networks secure enough to prevent a hacker getting a hold of all our sensitive health and personal data?

COVID-19 has brought the privacy debate to the forefront again. The loudest voices right now may be privacy advocates, but what does the general public think? Let’s look at the numbers. Zoom still has 300M daily meeting participants. In terms of contact tracing, a recent study by Axios/Ipsos found that the majority of Americans are likely to cooperate with contact tracing as long as it doesn’t involve handing over their cell phone location. People seem, at the very least, too distracted with just the basics of living their lives to really pay close attention. The silent majority just wants its life back.

As contact tracing and other tech solutions are developed, privacy concerns will only grow. However, it’s likely that the public won’t know the full extent of what we’ve compromised until COVID-19 is in the rear view. It’s worth noting that it was only in the years after 9/11 that the realities of government surveillance finally began to turn public opinion. It’s wise for companies now to take privacy seriously and build protections into the foundations of their tools, if they don’t want to see heavy backlash in the future. Crises — and the forgiveness we give during them — don’t last forever.

Tech Policy, Politics and Power in the Era of COVID-19

We are at least four months into an unparalleled global crisis. And yet, instead of industry collaboration and federal cooperation, the world seems to be lurching from one month to the next with very little sense of a unified plan. Some countries have responded well – namely South Korea, Taiwan and New Zealand. Some countries have not. For the first time in a long time, there isn’t a global leader spearheading a global response to a crisis. It’s every country for itself (in some places, every state or region). So, who is filling this leadership void? 

Forbes argues it’s female leaders, like Germany’s Angela Merkel, Taiwan’s Tsai Ing-wen and New Zealand’s Jacinda Ardern, who are paving the way for some of the world’s best responses to the ongoing coronavirus pandemic. STAT News notes that Singapore could teach the U.S. a thing or two. And Silicon Valley – in typical Silicon Valley fashion – believes its big tech leaders (think Bill Gates, Marc Andreessen, Mark Zuckerberg, Jack Dorsey, Marc Benioff and many others), and the technology behind big tech, will be at the forefront of the global economic reopening and the large scale eradication of the COVID-19 pandemic. 

More than ever before, the lines between tech leadership and national leadership have been blurred. Over the last few decades, the Tech Industry has become one of the most powerful entities in the world. But COVID-19 is testing whether that power can be applied to global leadership in a crisis. Companies like Facebook and Twitter are setting a new global standard when it comes to remote work, with both companies recently announcing plans to keep their workforces largely remote for several years to come (and in Twitter’s case, ‘forever’). Tech giants like Apple and Google and Twilio are developing and releasing new coronavirus contact tracing software, enabling state and local authorities to trace and mitigate the spread of coronavirus in major metropolitan areas. Data moguls like Splunk are developing solutions that allow organizations to innovate with and optimize the information they have on hand. And more individuals, providers and physicians are turning to telehealth platforms, like Zocdoc, to monitor symptoms and optimize healthcare services remotely than ever before.

But is tech leadership really making a difference? Can we say it has made the response better, particularly in the United States? Amazon warehouse workers are dying because of the ongoing COVID-19 outbreak. Ransomware attacks on global healthcare organizations are through the roof. And, lest we not forget about the one and only, Elon Musk is threatening to take Tesla out of California. Some tech leaders have been arguing for years that they could successfully fill the void of federal leadership. But, COVID may prove that there is simply no replacement for old-fashioned government during a public health emergency.

Every assertion is precarious these days, but it does appear that the tech industry is doing some good in the eyes of the public. Facebook recently pledged $100 million in grants to small businesses, Amazon contributed $100 million to Feeding America’s Covid-19 Response Fund, and Twitter and Square CEO Jack Dorsey pledged to donate $1 billion to relief programs related to the coronavirus. Could it be that the techlash tide of the last decade is now turning?

COVID-19 has made the shortcomings of our society painfully obvious. None of our leaders – whether in government or tech – have been able to lead effectively on their own. The solution to remediating this crippling public health crisis is for everyone to work together. The tech industry needs to connect, collaborate and empathize — instead of simply falling back on its machines and coding capabilities. Big Tech has far too much power to bury its head in the sand and focus simply on business outcomes.

Check back here for regular updates on the trends driving the tech industry. 

The Showdown: Big Tech’s Inevitable Clash with Washington


Picture this: It’s the winter of 1996. Gene Kelly has just died, Happy Gilmore is newly in theaters, Tupac just released the groundbreaking All Eyez on Me album, and yours truly is about to be six months old. But February of 1996 was also an impactful month for policy that would go on to affect the course of the internet forever. 

Section 230 was essential to the internet’s adoption in the ‘90s, leading to social media, video streaming, and cloud computing as we know them. The law states that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Basically, this means that platforms and providers are deemed intermediaries of content and aren’t liable as long as they take reasonable steps to delete or prevent access to inappropriate content. 

Legal experts note that amending or removing the Section would change social media as we know it. Why are legislators going after the Section now? Well, both political parties have increased scrutiny on social media companies in recent years: Republicans with accusations of censorship and Democrats with complaints that social media companies aren’t doing enough to block misinformation and violent content.

In recent weeks, this law has been on blast from President Donald Trump and Republican senators, who have asked the FCC to examine the Section following the President’s publishing of an executive order to limit the legal protections that tech companies currently have.

In fact, it’s been a pretty zany last few weeks when it comes to social media policy and developments. If you haven’t been paying attention, you’re not the only one; there have been a lot of other important news topics to focus on of late. That being said, I’m happy to break it down for you.

Snapchat Restricts Promotion

In early June, Snapchat announced that President Donald Trump’s verified account will no longer be promoted in the app after the company concluded his activity on Twitter promoted violence. In response, Trump’s campaign accused the company of “actively engaging in voter suppression.”

This development from Snapchat came shortly after President Trump’s comments in reaction to protests nationwide following the horrific murders by police of George Floyd, Breonna Taylor and countless other Black Americans. Twitter promptly restricted the president’s tweets, noting that they ‘glorified violence.’

Twitter Introduces New Labels

This warning label feature from Twitter was the newest development after the organization also added a ‘fact-check’ label to one of the president’s tweets about the 2020 election, as well as labels to two tweets from the Chinese government. 

Both Twitter and Snapchat enacted these developments in an effort to limit the spread of misinformation and inflammatory content on their platforms. As noted in Axios, “When the coronavirus pandemic hit, nearly every platform made clear that they intended to take strong action to police misinformation surrounding that crisis.” 

But ongoing misinformation about national protests and social posts glorifying violence didn’t receive the same attention from YouTube and Facebook that the companies promised. Facebook left posts similar to those deleted by Twitter up on its site, and YouTube has also taken a more conservative approach in its labeling of misinformation and inflammatory content.

Facebook Does… Something?

It seems like Facebook’s infamous “Oversight Board” isn’t actually as independent from the company as once implied. The board recently noted, “posts like Trump’s fit the scope of the type of content that it will review, but the board is not yet operational and cannot review any cases at this time.”

The questions we have to ask now are: Will an oversight organization like the one Facebook is promising truly be independent from the company’s creator? How can we ensure these policies will be truly objective? 

One thing’s for sure: Facebook employees have had enough with the lack of labeling. Nearly three dozen former Facebook employees called out Zuckerberg’s decision to leave Trump’s posts unaltered and nearly 5,500 employees in a recent Facebook town hall called for reform in the organization’s policies. Even scientists think the company’s current policy is not enough.

Clearly one of these people (or the backlash in the press) got through to him, because no less than a week later Zuckerberg announced that the company will review a number of its policies and decision-making processes, including those for violent content, and the company also shared that it removed over 900 white supremacy groups from the platform. But new research reveals that in order to truly be able to moderate content on the site, Facebook will need at least 30,000 people specifically dedicated to the job, something unlikely to happen anytime soon.

What’s next for 230?

As Trump continues to criticize social media giants for ‘censorship,’ policymakers question the steps he will legally be able to take to stop the companies. Free speech experts have said that the companies have the right under the Constitution to refuse to promote Trump’s account and censor content under their liability protections. As mentioned above, in response to this, the president signed an executive order tasking regulators with evaluating whether online companies’ liability protections should be narrowed, singling out social media.

What are the responsibilities of tech companies? Should organizations be monitoring free speech, or should the government be in charge of regulating? What should they be liable for, and what shouldn’t they be? If we just let Big Tech do whatever it wants, will it all be OK in the end? Ars Technica recently posed many of the same questions (and even posited what a new world with amendments — or the flat-out repeal — of the legislation would look like).

It’s twenty-three years after 230 passed, and while I’m close to being able to legally rent a car on my own, Section 230 has remained largely unchanged. There are a lot of opinions about how this will all play out, but no one can be certain. What does seem obvious is that Big Tech, in particular social media companies, is in the midst — maybe just the beginning — of a showdown with the federal government that could change the industry forever.

To learn more about our policy expertise and the work we are doing for clients, feel free to reach out to me at jillian@highwirepr.com.

Image Credit: Black phone photo – Rami Al-zayat; Facebook – Kon Karampelas; Capital – Louis Velazquez

The “Cyber Scoop” from Kelly Jackson Higgins 

With the current media climate, it’s more important than ever to understand reporters’ news beats to make sure the precarious reporter-to-PR-professional relationship remains mutually beneficial. I had the privilege of speaking to a long-time media friend of Highwire, Kelly Jackson Higgins, Executive Editor at Dark Reading. Kelly has been a member of the Dark Reading team for almost 15 years covering security, and was recently selected as one of the Top 10 Cybersecurity journalists in the U.S.

In the Q&A below, Kelly shares helpful insight into how she’s seeing the coronavirus pandemic shape the cyber media landscape and tips from her remote team on how to balance work and life. Oh, and one fun fact that you didn’t see coming! 

Courtney: How are you seeing COVID-19 shape the cyber media landscape? What kind of cyber stories are you interested in covering outside of COVID-19?

Kelly: It’s actually really hard not to see the influence of the pandemic on the industry as a whole now and all of the new challenges it poses to security teams – work from home security, possible budget cuts as the economy suffers, and an exacerbation of already-tight staffing issues. Even so, we want to keep it in perspective and also stay on top of how the attackers are crafting, targeting and evolving their campaigns and where the weak links are for defenders, and any new technologies that emerge.

Courtney: How are you staying sane while working 100% remotely? Any advice to share on how to properly manage work-life balance? 

Kelly: I have had a home office for more than 20 years, and all of our staff and contributors are remote, so there haven’t been any adjustments there for us. I will say, the biggest challenge in working from home is knowing when to turn it off – it’s always there, and you work longer hours because of it. The key is creating boundaries, both physical (a separate room for your office) and mental. Sure, it’s harder now to go out and do something to decompress, but go outdoors or to another space in your home where you can relax, get some fresh air, or exercise both before and after work.

Courtney: Do you have any tips/tricks for PR folks as they try to engage with security reporters during such a chaotic time? Any PR horror stories? 

Kelly: Please don’t pitch us on stories we have already covered. Our inboxes are already overflowing, so please take the time to see what we have written about before you pitch us about something “new” that we have already posted.

Courtney: Do you look up to anyone in the security industry?

Kelly: My mentor and boss Tim Wilson, a gifted writer whose sharp reporting skills inspired my path, and who always keeps us one step ahead with his vision for Dark Reading. I’d say my security professional role model is Window Snyder. She is one of the smartest and most accomplished experts in the security industry.

Courtney: Do you have a favorite story you’ve worked on? 

Kelly: That’s a tough one — there are articles I was proud of when they were the most timely or telling. If I had to pick one, it’s “The Morris Worm Turns 30” because it was really fun to work on, and it truly was a historic moment for security. 

The Morris Worm Turns 30: “How the historic Internet worm attack of 1988 has shaped security – or not.”

Courtney: One random fun fact? 

Kelly: I was a Division I soccer player in college, and my dream was to be a sports writer. =)

Overall, my interview with Kelly shines light on why investigating reporters’ previous coverage and familiarizing yourself with their news beat is so important before clicking send on that pitch. Reporters’ inboxes are jammed now more than ever due to COVID-19, so be mindful. To Kelly’s point, take the time to find that new story rather than pitching something already covered – it will go a long way in building a trusted relationship and securing that coveted piece of client coverage. 

Ditch your bland COVID-19 security product pitch, reach out to reporters to see how they are doing in this difficult time and build a genuine narrative that will be useful for you and your client. 

Cybersecurity best practices for your new home office

Image source: Unsplash, Luke Peters


As Highwire, and other businesses across the U.S., transition to a remote workforce, it’s never been more important for us to consider our personal cybersecurity. Understanding the steps needed to take your security into your own hands is critical to protecting your data, and your company’s data against cyberattacks. We’ve compiled a list of our top five best practices for your easy reference below.

1. Beware of Phishing Attacks

Phishing attacks, specifically on work emails, have dramatically increased as more people work from home because of COVID-19. Phishing attacks often take the form of emails coming from someone posing as a trusted person, like a coworker, attempting to obtain sensitive information like usernames, passwords and financial details. All employees should be hyper-aware of any email that asks for personal information. One way to spot phishing emails is to look at the sender’s email address: if it isn’t a recognizable address, it’s probably a scam. If the email uses a generic greeting or has spelling errors, it is probably not from a verified sender. If you’re ever unsure about an email you receive, it’s always better to pick up the phone and call that person directly to confirm before giving away any sensitive information. Another best practice is to never click on anything in an email without checking the sender, and instead type web addresses into your browser yourself.

2. Use Two-Factor Authentication

Now that businesses have gone completely digital, all employees should have two-factor authentication (2FA) for any company logins to ensure that only the right people are accessing certain sensitive data. 2FA only grants a user access once they have successfully presented two (or more) pieces of evidence that they are the person they claim to be. This could mean logging into your account on your computer with your password first, then entering a code you received on your cell phone to confirm it’s you. That second form of identification should always be something that you have on your person, whether a code sent to a cell phone, a security key, or a one-time code generated by an app. You should enable 2FA on all of the devices and applications you use for work.

3. Separate Work from Play

As our two worlds, home and work, become one, it is important to keep your work and play on separate computers. When people are at home, it’s easy to mix the two, as you click on links or do things at home you may not typically do in the office. This can lead to major security issues. For example, if your device is stolen and you have your work accounts linked, it may be easier for malicious actors to gain access to sensitive information.

4. Update, update, update

One of the best ways to ensure your devices are secure is to stay up to date on all settings. Users should make sure that all privacy settings are updated across their devices. Updating to the most recent software is also important. For example, most online tools like Zoom have been updating their settings during the pandemic to ensure user safety. In addition, we should all remember to update our passwords every 90 days. If you’re currently using a password that your cybersecurity team would laugh at, you may consider a password manager like Dashlane. A password manager stores all login information and helps you create and store complex passwords. Updating your passwords and making sure they are complex will make you less vulnerable to sophisticated cyber criminals.

5. Use a Virtual Private Network 

Hopefully, your new home office has password-protected Wi-Fi and uses at least the WPA2 security protocol. But in this new remote workforce, where home Wi-Fi passwords may not be as strong in favor of making them easy to remember, employees may consider using virtual private networks (VPNs) to keep themselves, and the company IP, safe and secure. For those who may not know, a VPN extends a private network across a public network, helping to secure your devices.

Overall, we know there’s a lot going on for you right now and security may not be at the top of your priorities, but we hope these simple tips will show you how easy it is to stay protected during this pandemic and that instilling these best practices across all your devices will help keep you, your family, and your company safe.

Have any best practices you follow and would like to share? Reach out to jillian@highwirepr.com to share your best tips and tricks. We’d love to hear from you!

Women’s History Month: 5 Ways Cybersecurity Companies Can Create an Equitable Workforce

When it comes to representation of women, the cybersecurity industry has actually improved somewhat in recent years — the percentage of women in the industry jumped from 11% in 2013 to 20% in 2019. Still, 20% is hardly a stat to celebrate, and it’s clear that the security community has a lot more work to do to achieve an equitable workforce. 

The theme for International Women’s Day (IWD) this week was #EachForEqual, and the IWD organization is encouraging everyone to celebrate female achievement, raise awareness against bias, and take action for equality. In honor of that and Women’s History Month, Highwire has gathered recommendations for prioritizing diversity and creating more inclusive work environments.

Here are a few ways cyber companies (and all companies!) can join in on #EachForEqual:

1. Establish a Diversity & Inclusion Committee

  • At Highwire, we’re proud to not only prioritize diverse hiring, but to have systems in place to educate everyone at the company about various races, sexual orientations, and religions throughout the world. Our D&I committee is dedicated to teaching every employee something new about minorities and global cultures each month, with the goal of creating a more inclusive culture. Committees like this help keep companies accountable for D&I and ensure employees from underrepresented groups feel celebrated and supported.

2. Bring Your Daughter to Work Day

  • A new twist on an old tradition, “Bring Your Daughter to Work Day” is a great way to show young girls that they have a place in the cybersecurity industry from an early age and help them understand their freedom to choose whatever career they want. Hosting an all-girl hackathon is also a fun way to cultivate the next generation of cybersecurity pros.

3. Partner with Women and Minority Empowerment Organizations

  • Another way to highlight your company’s dedication to diversity and inclusion is by partnering with a nonprofit focused on the same. For instance, the International Consortium of Minority Cybersecurity Professionals strives for the consistent representation of women and minorities in cybersecurity with programs designed to foster recruitment, inclusion, and retention. Encourage your employees to become a mentor in their Mutual Match Mentor-Protégé Program, or host a lunch or dinner for those involved.

4. Implement Unbiased Hiring Solutions and Practices

  • There are many systems for bias-free hiring, and it’s important to consider them all to determine what works best for your company’s needs. One option is anonymizing the resumé review process, because even something as simple as removing the name from a resume can reduce bias. A work sample test is a good next step in ensuring the candidate is evaluated on skill instead of gender, race, or another protected class. In addition, having women represented at the C-level and in the boardroom is a great way to attract more junior female candidates.

5. Offer Benefits that Support Women and Families

  • If you haven’t already, it’s time to make all employees feel equal through pay equity and benefits such as parental leave and daycare options for those who choose to become parents. These seemingly basic offerings can be the biggest considerations for top candidates.

As Beyoncé once sang, girls run the world…but not the cybersecurity industry just yet. Attracting more women to the industry will take time and commitment from industry leaders. Implementing strategies like the above is a good first step in creating a more equitable cybersecurity workforce.

VIDEO: Meet the #HWCyberSquad & get a firsthand look at top RSA trends

This year’s #RSAC2020 was one for the books. I’ve been attending the show for 14 years and I’m always on the lookout for what’s different or unique year-over-year. This year was more of the same in terms of the outcry for stronger security leadership and a different approach, attribution debates and the promise of a million and one new security tools that will “stop” the latest cyber attack. So, I focused on something different this year. The sheer awesomeness of my #HWCyberSquad was striking. I have never been more inspired by my team, our clients, the depth of expertise, and the strength of our partnerships.

See below for a few of this year’s highlights:

  • We kicked off the week with some incredible news — the #HWCyberSquad was named 2020 PR Team of the Year by Info Security Products Guide for the second year in a row. This team represents the true power of collaboration, creativity and drive.
  • Our detailed and thoughtful daily recaps (see Day 1, Day 2 and Day 3) captured RSA keynotes and all of the smart sessions hosted by our clients. We even got some standout coverage of our clients’ talks (see WIRED story featuring Chris Wysopal, founder and CTO of Veracode).
  • We connected with reporters that we respect and feel grateful to be able to work with day-in-and-day-out on top security stories (e.g. see our Q&A with Reporter Alyssa Newcomb/Fortune and recap of our Cult of the Dead Cow Book Club with Joe Menn/Reuters).
  • We hosted the annual Security Comms Happy Hour with our partner Meredith Corley and our friends at Offleash PR, W2Comms and Chen PR.
  • We had the largest team of talented cyber security professionals to date onsite and took some time to celebrate our win with our annual Cyber Security Appreciation Dinner (six years running!).

What separates the #HWCyberSquad is our passion and dedication to our team and our clients, and to honing our craft as cybersecurity PR professionals. We are grounded in our Highwire values (passion, curiosity, creation, balance, and collaboration), and they guide us in everything we do. We pride ourselves on our ability to identify timely trends and topics that shape and inform our clients’ PR programs. After all, it’s a crazy-crowded market so you need practitioners that are always thinking two steps ahead.

With that, I am so excited to share this incredible “RSA Top Trends” video produced by our very own #HWCyberSquad team. You don’t want to miss it.

Cheers to RSA 2020 and we look forward to seeing you all at Black Hat! 

Stay healthy!

Christine 

P.S. After the first conference of 2020, one thing is clear: Politics and policy continue to impact cybersecurity in almost every way. We’re investing time and talent into our policy expertise (you can check out an example here) and will be rolling out some exciting policy projects this year. Keep an eye out!

RSA Day 3: How To Successfully Apply an Enterprise Cybersecurity Mindset to Other Industries

Welcome to the final RSAC 2020 daily recap. Today’s keynotes encapsulated how what we know, as security professionals, can be applied beyond the enterprise security industry and where we go from here. 

To get caught up or refreshed on what happened during Day 1 and Day 2, please see Highwire’s additional blogs: 

RSA Day 1: Why Cybersecurity Isn’t Working and Where We Go From Here

RSA Day 2: Finding New Ways to Explore the ‘Human Element’

Securing Critical Infrastructure

Today’s keynotes kicked off with Dragos CEO and founder Robert Lee’s deep dive into what enterprise security professionals need to understand about supporting the security of critical infrastructure. He noted that industrial security is vastly different from enterprise security, and that applying the same software across the field can have negative implications.

Looking back at 2019, Lee noted that 55% of industrial control systems vulnerabilities had a patch but no alternative remediation. He mentioned that in the majority of these cases, simple recommendations would have made the vulnerabilities unexploitable, but IT professionals are used to focusing on the patch. The hyper-focus in enterprise security on endpoints “doesn’t really apply” to ICS. In fact, from Lee’s research, more than 50% of vulnerabilities are ‘useless’ and don’t deserve time wasted attempting to create a patch. You can read Dragos’ full 2019 year in review report here.

The most critical takeaway from Lee’s talk is that, from his research, 91% of clients had the opportunity to increase security in their environments but were blocked by vendors. His advice to OEMs as they leave the conference? “Your opportunity in 2020 is to figure out the barriers for your clients and help them figure out the easy hardenings” in their environments. He shared resources and next steps for OEMs here.

Hacking Your Life

Next, we heard from Bruce Schneier, a security technologist and lecturer at the Harvard Kennedy School, who discussed how “our expertise in security [can be transmitted] to other activities.” Case in point, security skills are becoming more broadly applicable. 

A great example of how security terms and concepts can be applied to other areas of our lives? Junk food. It represents one instance of how a change in the threat model (the introduction of new food processes and chemicals) produced a new vulnerability (our cravings for sugar). But it’s not the only example of how security frameworks can be applied to other areas of our lives. 

Schneier’s biggest examples were political. How is a tax code like computer code? Why is election spending hacking our democracy? His ideas are still in development but he mentioned he will likely further develop the framework through a book or essay soon. 

The Triangle of Information Security

During Akamai CSO Andy Ellis’ talk, he compared his company to the “shopping mall of the internet,” laughingly dubbing himself their “Paul Blart” (mall cop). Ellis dove into the three pillars of information security: Integrity, Availability and Confidentiality. 

While starting with the integrity of the system is the foundation of security, both the availability of the technology and protecting the confidentiality of its users are equally important. 

Ellis ended his talk noting that while IoT and 5G are new challenges that will affect how we approach each of these pillars, new challenges also guarantee that the security industry will continue to expand, and that it will continue to be crucially and increasingly important to other industries.

The Future of Cybersecurity and the Future of Auto

In the final keynote of the morning, General Motors CEO and Chairwoman Mary Barra discussed the future of transportation. She noted that “there are virtually no industries today that are invulnerable to cyberattacks,” the automotive industry being no different.

For GM, eliminating car crashes, carbon emissions, and traffic in cities are the three priorities for the next 20 years. In order to do this, Barra knows cybersecurity is essential, mentioning that she believes safety and cybersecurity go hand-in-hand and “a company’s defenses are only as strong as [its] weakest link.” 

To achieve this goal, GM has invested in the future of cybersecurity talent, connecting with 300,000 students and teachers nationally, calling back to a critical point: For us to invest in the future of cybersecurity, we need to focus on the talent gap and on filling IT positions with women and minorities, expanding our demographics. 

Where Do We Go From Here?

As the conference wraps up, I’ll leave you with my biggest takeaway. While an enterprise mindset can be applied to other sectors, from industrial security to politics to automotive, to reach the next level, our knowledge of the information security triangle needs to spread to educate wider demographics. The future of cybersecurity requires more voices. 

While I loved that at RSAC, and for the first time in my life, I didn’t have to wait in line for the women’s restroom, it was just another example of our need to continue to grow as a community. We’ve made leaps and bounds, but it doesn’t stop here.

RSA Day 1: Why Cybersecurity Isn’t Working and Where We Go From Here

The #HWCyberSquad is on the ground at RSA 2020, and we’ll be recapping each day’s highlights right here in one place! Tune in all week for the latest from our award-winning security practice.

This year’s RSA theme is The Human Element, which certainly came through in today’s opening keynotes. Speakers and panelists kicked off this week’s conference by critically examining the past, present, and future of cybersecurity, and how we can better secure not just technology, but the people behind it. 

People At The Forefront

We kicked off the day with RSA Security President, Rohit Ghai, who recapped what cybersecurity has looked like in the past, what it looks like now, and how it should ideally evolve and shift as we head into 2020 and beyond. He led by saying that in order to change the future of cybersecurity, we need to do three things — examine and analyze the stories we have, imagine the story we want, and strategize a way to realistically achieve it. He argued that right now, cybersecurity professionals are living in a state of cognitive dissonance. They understand that humans need to be at the center of what they do, but are not doing enough to consider humans when creating cybersecurity strategies. Ghai noted that leaders are being too technical in their approaches to cybersecurity, and that “preparing for the worst does not prepare you for the likely.” By putting humans at the forefront of cybersecurity, organizations will be better equipped to stop emerging threats. 

Designing Cybersecurity For The Everyday Individual

Another theme highlighted in today’s presentations was the need for cybersecurity that the everyday individual can easily digest — not just the experts. Wendy Nather, Head of Advisory CISOs at Cisco, highlighted three ways that we can do this — shifting from a control model to a collaboration model, simplifying the cybersecurity controls we use, and opening up cybersecurity culture to everyone. By designing cybersecurity to be adopted rather than for it to be enforced, organizations can make cybersecurity something that users would rather choose. If security was designed in a digestible, consumer-grade fashion, humans could more easily adapt in their everyday lives. 

Cybersecurity At A Global Scale 

Of course, some of the hottest global issues were also discussed, including the pros, cons, and practicality of quantum computing, and what is being done around election security as we approach voting day. 

Steve Grobman, Senior Vice President and Chief Technology Officer at McAfee, made the case that our current practices are far too similar to what we’ve employed in the past — particularly as it pertains to quantum computing. Quantum computing is a real risk, even if it isn’t completely here yet. Panelists on the annual Cryptographer Panel shared similar sentiments, noting that currently, quantum computing is nowhere near safe enough to protect against nation states. All agreed that quantum computing needs to be designed cyber-smart if it will ever be a possibility. 

The same goes for election security – panelists on the Cryptographer Panel compared our election security to a “cyber Pearl Harbor” and spoke to how we need to engineer our voting systems to be inherently secure. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency, noted that 2016 was a clear wake-up call, but reassured audience members that federal leaders across agencies are working diligently to make sure the 2020 election keeps voters protected.

Overall, there’s one thing that all of the speakers agreed on today — the current model for cybersecurity just isn’t working. Business leaders and security practitioners alike need to implement smarter cybersecurity measures that put more focus on the people. How humans — both benevolent and malicious — act and think need to be at the forefront of everything we employ if we want to protect against emerging threats at local and global scales.

Stay tuned for tomorrow’s keynote recap, and be sure to follow Highwire on Twitter and Instagram for more RSA 2020 insights at @HighwirePR.

Navigating Your Way Through RSA 2020

The week we’ve been planning, preparing and fretting over is finally here! RSA Conference 2020 takes place at Moscone Center this week in San Francisco with more than 40,000 attendees expected. 

Tradeshows can be hectic, so we’ve outlined some key events, parties and sessions to have on your radar as well as a map highlighting some important things – food, water, transportation, good meeting spots and more.

Interested in connecting with Highwire at the show? Reach out to SecLeads@highwirepr.com. 


Highwire Sponsored Events:

Security Comms Happy Hour

  • When: Monday, February 24 from 6 – 7 p.m. PST
  • Where: Tres Restaurant (130 Townsend St. San Francisco, CA)
  • What: This is a great way to network with cybersecurity comms professionals, share stories and talk about best practices in this dynamic industry. Register via Eventbrite.

Disaster Recovery Breakfast  

  • When: Thursday, February 27 from 8 – 11 a.m. PST
  • Where: The Metron TableTop Tap House (175 4th St, San Francisco, CA 94103)
  • What: Network, eat, and most importantly relax. Attendance is free, so register at rsvp@securosis.com and see this blog post for additional details.


Highwire Client Locations, Events & Speaking Sessions:

Client Booth Locations

  • Akamai: Booth #6153, North Expo
  • BitSight: Booth #1167, South Expo
  • Code42: Booth #6079, North Expo
  • Forcepoint: Booth #5965, North Expo
  • GitLab: No booth, but see Speaking Sessions below for details on speaking sessions
  • Illumio: Booth #5459, North Expo
  • Intel Security: No booth, but see Speaking Sessions below for details on speaking sessions
  • Interos: No booth, but will be on the show floor
  • MobileIron: Booth #1727, South Expo
  • One Identity: Booth #6271, North Expo
  • Qualys: Hosting QSC 2020 at Four Seasons on 2/25
  • SonicWall: Booth #5559, North Expo
  • Splunk: Booth #5865, North Expo
  • Veracode: Booth #5553, North Expo
  • vArmour: No booth, but will be on the show floor

Events/Parties

  • Forcepoint RSA Welcome Reception 
    • Location: The St. Regis San Francisco, 125 3rd St, San Francisco, CA 94103, Yerba Buena Terrace, 4th Floor
    • Date: Monday, February 24
    • Time: 7:00 – 9:00 p.m. PT
  • vArmour Concert Party with Nothing But Thieves
    • Location: The Grand, 520 4th Street, San Francisco, CA 94107
    • Date: Monday, February 24
    • Time: 8:30 p.m. – 12:00 a.m. PT
  • vArmour + Digital Shadows Security Leaders RSA Party
    • Location: City View at Metreon, 135 4th St #4000, San Francisco, CA 94103, USA
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:00 p.m. PT
  • Qualys QSC Private Reception
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:30 p.m. PT

Speaking Sessions

Tuesday, February 25

  • Veracode’s Javier Perez Talk on “Time to Spell Out Open Source Software Security”
    • Location: Moscone West, 3022
    • Date: Tuesday, February 25
    • Time: 1:00 – 2:00 p.m. PT
  • Qualys Security Conference 2020 San Francisco
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Tuesday, February 25
    • Time: 8:30 a.m. – 4:00 p.m. PT
  • Splunk’s Oliver Friedrichs, Jac Noel, and Lee Peterson Talk on “Modernizing the Security Operations Center: A Security Leader Panel”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT
  • Code42’s Talk on “The Insider Threat: You’re Flying Blind”
    • Location: Moscone North Expo
    • Date: Tuesday, February 25
    • Time: 4:20 – 4:50 p.m. PT
  • One Identity’s Talk on “Security Starts Here…Identity”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 2:10 – 2:30 p.m. PT
  • Intel’s Casimir Wierzynski Talk on “Protect Privacy in a Data-Driven World: Privacy-Preserving Machine Learning”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 1:00 – 1:50 p.m. PT
  • Intel’s Rahuldeva Ghosh and Dr. Zheng Zhang Talk on “Nowhere to Hide: How HW Telemetry and ML Can Make Life Tough for Exploits”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT

Wednesday, February 26

  • Forcepoint’s Homayun Yaqub Talk on “Modern Strategies for Protecting Users and Data in a Borderless World”
    • Location: Moscone South, 207
    • Date: Wednesday, February 26 
    • Time: 2:50 – 3:40 p.m. PT
  • Veracode’s Chris Wysopal and Jay Jacobs Talk on “8 Million Findings in 1 Year: Fresh Look at the State of Software”
    • Location: Moscone West, 3014
    • Date: Wednesday, February 26
    • Time: 9:30 – 10:00 a.m. PT
  • SonicWall’s Brook Chelmo Talk on “Mindhunter: My Two-Week Conversation with a Ransomware Cell”
    • Location: Moscone North Expo
    • Date: Wednesday, February 26
    • Time: 10:30 – 11:00 a.m. PT
  • GitLab’s Cindy Blake Talk on “Best Practices for Adding Security to DevOps”
    • Location: Moscone West
    • Date: Wednesday, February 26
    • Time: 9:20 – 10:10 a.m. PT

Thursday, February 27

  • GitLab’s Cindy Blake Talk on “How to Harness Dev and Their Native Tools to Accelerate DevSecOps”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 1:30 – 2:20 p.m. PT
  • Akamai’s Andy Ellis Talk on “20 Years In: Security’s Grand Challenges, Then and Now”
    • Location: Moscone West Street Level
    • Date: Thursday, February 27
    • Time: 10:35 – 10:55 a.m. PT
  • Illumio’s Talk on “More Powerful Segmentation for More Powerful Threats”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 10:30 – 11:00 a.m. PT
  • Veracode’s Ryan O’Boyle Talk on “A Security Pro in Developer’s Clothing”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 12:40 – 1:10 p.m. PT
  • BitSight’s Jake Olcott Talk on “Do Investors Care About Cyber Risk?”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 2:50 – 3:40 p.m. PT

Friday, February 28

  • Veracode’s Chris Wysopal and Katie Moussouris Talk on “Coordinated Vulnerability Disclosure – You’ve come a long way baby”
    • Location: Moscone South Esplanade
    • Date: Friday, February 28
    • Time: 8:30 – 9:00 a.m. PT