Black Hat, DEF CON Founder Offers Insight Into Security Shows, Trends
Q: Is data privacy a myth?

A: No, no. The problem is, much like that defeatist attitude, we've just assumed that everybody will already have our private data, so we don't try. For example, I don't use Facebook's app, but I use the Web browser. There I am; I'm having the same experience without giving them access to the microphone and camera on my phone. I can still see what my friends are up to. You can approach your day-to-day operations in a more private manner if you just think about it. Consumers have this false choice where they want to participate in the economy, [and to do it] they think they have to give up a lot of privacy. They're told that if they do this, they'll get a lot of value out of it. But I don't believe they get a lot of value out of it. The companies that do sales and advertising, they get a lot of value out of it. I think what's going to happen in privacy is that privacy will improve behind the scenes. Email will be encrypted between Google and Yahoo; so maybe the government can't snoop, business competitors can't snoop, but it will be transparent to you. Some of the plumbing of the Internet is going to get more secure.

Q: Companies are encrypting more data all the time, whereas previously it was tedious, complicated and slow to do, and people avoided it if possible. Will this trend continue?

A: There's no overhead [in encryption] now. If you're not encrypting everything now, the question is, why aren't you? You're just going to see that trend accelerate. It solves certain problems; if you do data at rest on a laptop, you won't freak out as much if your laptop gets stolen. Same thing with phones. Risk managers and lawyers like that. I think what's going to happen is that once it starts becoming encryption in motion versus encryption of data at rest, that's where it gets a little more complicated, but it's still doable. On a scale of 1 to 10 [with 10 being the highest importance], it's about a seven. Having the right employee mix is more important; if you have the right employees you can make the right decisions, buy the right technology ... having the right people is the most critical thing, because everything flows from them.

Q: Will big data-based risk assessment projections -- of employees, customers, partners and so on -- through data analytics continue to get traction as a major security tool?

A: This is just another tool for managers to use. The question is: What is the manager going to do with it? He can sit around and have a beer and get to know his people, or you can sit at a console and read a report. Would you rather have your boss get to know you, know you're under pressure, or read a report?

Q: How do you spend your time now: consulting, working for a company, working for yourself?

A: Sort of all of the above. I volunteer time, I advise some companies, I consult for some companies, I have my own business. I'm involved in various policy groups. It's difficult to describe what I do now, but as I find that people are getting more and more involved in security, and more importantly in the cyber area, whether it's about political consequences or the economic or the military, everybody is viewing it through their own lens. And I try to act as a translator from my perspective. Being in this industry for so long, what does my perspective mean? There's a lot of self-interest in people in this area because they're trying to sell you something. So generally my value is I'm not trying to sell you anything, and that allows me to have interesting conversations -- it just doesn't allow me to make any money! (laughs)

Q: I interviewed (well-known '90s hacker and now consultant) Kevin Mitnick recently. Do you know Kevin? He's now running his own consulting firm in L.A.

A: Yes, I know Kevin. I don't hang out with him much, but I see him at the cons, and he and I are friends. He's doing speaking (engagements) and a lot of things. I don't pursue speaking, but every once in a while I get asked. For example, I'll be speaking at the NATO Cyber (CyCon) conference in Tallinn, Estonia. That'll be interesting because that's not an audience I normally speak to, so I want to learn from that audience, and they want to learn from me. Those are the kinds of things I find interesting. I just came from the GCS 2015 in The Hague, the fourth annual summit on cyber-space. There were like 27 ministers from different countries, and they're all trying to figure out things like 'What do we do about vulnerability disclosures?' 'What's considered an active war in cyber?' 'What are the norms for international behavior?' and 'How do we govern disputes?' And so they're working through these big, thorny issues, and it's nice that they're starting to have some technical people involved in the conversations; it's not purely theoretical.

Q: How much of your work now involves the IoT (Internet of things)?

A: It's like a sub-chapter heading underneath 'We Can't Manage Our Existing Risks, and Here We're Adding a Whole New Pile of Risks.' You could say the same thing for connected automobiles, home automation, or access control systems. The market drivers are going to be so great, and everything's happening so fast, that we're just going to have to clean up the mess behind it. We've been doing this for so long that it's too bad that as we approach a new sector that we don't already have some best practices figured out. The market drivers are like, 'We'll figure that out later.' The IoT stuff is interesting, because it's going to have such a long tail: You'll attach your connected smoke detector and it'll be there for a decade -- you'll never have to patch it. You may go through four more iPods and five iWatches and six iPhones, and you're still going to have that one connected smoke detector.