BALTIMORE, Md. -- We all love data points. These are ostensible truths, backed by research or other references, that are analyzed and made into bite-size pieces that everybody hopefully can understand and use.
CyberMaryland 2014 wrapped up last week at the Baltimore Convention Center with sessions devoted to technology transition, infrastructure security, business development and entrepreneurship, leadership roles for women and veterans in cyber security, cyber insurance and risk mitigation, cyber education and work force development, and, of course, perspectives on the cyber threat.
Several nationally- and internationally-noted security experts addressed attendees at the two-day conference, held Oct. 29 and 30. More than 1,000 stakeholders registered.
Why was this held this in Maryland? Because more than 250 companies and service providers are located in the Maryland-Virginia-Washington D.C. Beltway region, it is fast becoming global Ground Zero for the cyber-security business.
Why Maryland is Ground Zero for Cyber-Security Business
Another reason: While Silicon Valley also has its indigenous security companies, it also has so many other IT-related players that it simply cannot specialize the way Maryland can. Gov. Martin O'Malley, who also spoke at the Oct. 29-30 event, started the Cyber Maryland coalition initiative five years ago.
Following are some of the most relevant takeaways from the event, which eWEEK was invited to attend as a panel moderator and to cover for our audience. Only a handful of journalists were in attendance.
--The overall message at the conference, as eWEEK saw it, was that securing personal and enterprise data over the long haul cannot be accomplished in piecemeal fashion; it's going to take a concerted, widespread coalition among government, military, law enforcement, enterprise and software development community stakeholders to create new solutions to keep data safe as it moves from endpoint to endpoint through the cybersphere.
Users, too, are going to have to become more aware of how they send and receive data and other content and will have to be using encryption a lot more as time goes on.
Another takeaway message was that in the world of Internet users in general, this type of concerted effort is only beginning to ramp up, and that we're probably years away from improving security to the level it needs to be for trust to become better established.
There's No Accounting for the Human Element in Security
Of course, there is yet no answer for the actions of malicious humans, whose ability to gain illicit access to classified business, government and military data by stealing or buying credentials is very difficult to stop.
--Admiral Rogers: "We're literally preparing ourselves for a possible cyberwar. We need to build the partnerships now that we need to defend ourselves. Securing the IoT is a huge issue for all of us. Literally every person on earth is a sensor. We have billions of devices. It's a daunting task. People on average have 3 to 5 or more connected devices; we will see many more in the future. How are we going to make this work, how are we going to secure them all? That's for all of us to work toward.
"As companies, governments and individuals continue to fear and deal with theft of their property by cyber-criminals, we have got to find a framework that we can use to bridge all the different players and bring them all together into one integrated team.
"The Congress is looking at legislation right now on this, and I think it's critical for us as a nation. We need to adopt the great capability for both the private sector and the government to share information both ways, in near-real time, at machine speed, to fix our security apparatus," Rogers said.
--Phillip Zimmermann, creator of PGP email encryption and developer of VOIP encryption protocols, noted that the law firm Venable was a sponsor of the conference and recalled his own defense (pro bono) by a Venable attorney in the 1990s, when Zimmermann was under threat of indictment for his crypto work.
When he asked why the lawyer had taken his case, the answer was: "I believe you should be able to whisper in someone's ear from a thousand miles away," and those words have stayed with him ever since. In the 1990s, Zimmermann said, "you had to explain yourself if you were using strong cryptographics. Now you have to explain yourself if you aren't, and that is at it should be."
Why Security Needs to Be Incorporated into the Operating System
--Steven Bellovin, professor of computer science at Columbia University and a major contributor to encryption and network security, described his realization that insecurity arose from increased system complexity, and that security must be understood and approached as a system problem -- and not as a bolt-on solution.
--Richard Clarke, former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, principally responsible for the first National Plan for Cyber Security, said he agreed with the current Chairman of the Joint Chiefs of Staff that the U.S. needs a new strategy for cyberspace. He also urged those present to accept the invitation of Admiral Rogers to help explain the work of NSA, and to foster the dialogue for which the admiral advocated.
--Vint Cerf, co-designer of TCP/IP and one of the architects of the Internet, spoke via video. His main message was to simply counsel everybody to "think twice when we roam around the Web, and to always remember that our failures in cyberspace often can place others at risk."
Cyber Maryland promotes partnerships among government agencies, security software and services providers, educational institutions and security experts in an effort to drive innovation -- and create jobs -- in the sector.