
We ready to go? Oh, yeah. All right. Next talk here, we got Rocky Broadway and he's going to be talking about the business ramifications of the internet's unclean conflicts. Thank you very much. So, I've been told I should stand here and not wander around like like Mick and some of the other guys. Um, so hi, my name is Rocky. Uh, I've been uh in the infosec community for about two decades now. And, uh, I I do business risk these days. Um, what I'm uh what I'm going to be talking about is a lot of weird stuff that I'm not really sure I've completely convinced myself that I can connect all the dots here, but I'm going to give it a going to give
it the old college try. So, yeah, what am I talking about? Okay, actually, sorry. Disclaimer. Um, this talk is not a box popper talk. It's not a cool tool talk and I'm actually going to do something odd which is going to venture into some generic politics while we talk about uh the overall business environment and how that relates to how we've been kind of over the last several decades from a business perspective kind of trained to think. I fully expect arguments and uh I I welcome them. And I I think what I'm going to try to do at the end of this is perhaps go through an exercise where we kind of maybe talk about some suggestions about
what I'm actually going to end up uh from a results perspective talking about. So off we go. June 5th, 1942. Uh, does anybody know what this date actually represents? No. 1942 was the last United States declaration of war. Okay? And it was against Bulgaria, Romania, and Hungary. Since then we have been involved as a country in what we call unclean conflicts. No declaration of war. So obviously Korea, Vietnam are very, you know, we know lots about those. But the the whole point here though is that all of these kind of conflicts um you know were never really officially sanctioned from a from a declaration of war perspective and therefore are considered unclean. Now since then
this event happened on this day. Does anybody know what this date represents? Yes. Christmas. But the year Christmas. Go ahead. Excellent. Thank you. Yeah, this date represented the official dissolution of the Soviet Union. Now, again, I'm I'm I'm going to be I'm I'm going to be talking about lots of vicarious things and I'm really going to try hard to to tie it all in. Um but since that has happened, we've been involved in even more unclean conflicts as a country. Okay. What basically happened after the fall of the Soviet Union is this mindset that we as a country was so strong that at that no viable there was no real viable threat. Okay, at least from the terms of global
conflict. Okay. And what I've kind of come to the realization of over the last couple of decades is that this mentality has really filtered into the DNA of all of our business culture and environments. Okay? And we think about things in a specific manner without thinking outside of the box and realizing that the way we are actively um you know the way we expect things to behave and to act not only from a international perspective but more importantly from a business perspective. We're not seeing the big picture. And what that leads to is this organizational entropy. The natural result of assuming you are smarter than your adversaries. Okay? And that in and of itself is a) lazy
but b) dangerous. Right? So when we apply this concept of organizational entropy to business, we now have business culture that basically assumes that we're smarter than our competition. But the net result is similar to what has happened where not only do our corporations basically are defining how the world conducts business, right? It's the same way the the ramifications here realistically is that the rest of the world doesn't see it like that. Okay? And I'll give a really easy example, China. Okay, it's it's it's a big target, but when you talk about China, I found this out recently that 18 out of the 20 last centuries, China has been the world's largest economy. We're kind of a blip on the radar right
now as far as they're concerned. And we don't really kind of consciously think about things like that. Um I know India was in there a little bit as well, but in China there's there's there's very little difference between um corporate business culture and actual government ownership. It's so intermingled where we in this country we have our corporations we have our you know this infrastructure is our business infrastructure and this infrastructure is our is our actual government infrastructure again that from a strategic perspective when you are tasked with protecting the assets of your business if you're not cognizant of how other people think differently than you, you're going to have a really bad day. The traditional
concept of spies where we think of the spy, Chinese don't think like that at all. They have an entire population of very educated people that come over to either this country or other vicarious countries that um you know if they just happen to have access to even nonsensitive information there's kind of a nationalistic duty to take that data and get it back to the mother country. That's not spying. That's not the way we think about spying. That's that's a nationalistic culture and we don't have that in any way, shape or form. Our version of nationalism Oh, okay. Absolutely. See, I knew arguments were going to be expected. Say that again. Sure.
Yeah.
Um, oh, no, I don't buy it. And here's why, right? Um, you you can take entities, all right, business entities that produce things that, you know, the innovation that comes out of our country that basically makes our economy as, you know, what it is today, right? You can say that there's funding for some of that stuff, but the differences here are that in you know and again the example being China, right? That you know you can't separate the government you know the government involvement and there's no distinction. There's literally no distinction.
Right.
Interesting.
to a degree. No, to a degree. Absolutely. Yeah. I mean, I I I totally I I see what you're getting at. Absolutely.
That's a good point. You We're absolutely talking about apples and oranges. But that's my point. We're talking about apples and oranges. I Yeah, I don't
Absolutely.
And it doesn't even have to be groundbreaking either, Dave.
Right. Yeah. I mean, comparatively, compared to that level of nationalism, okay, our version of nationalism is what? Uh, building a wall, you know, in Mexico, right?
Sure. I'm glad this is going this way because I really expected Good arguments, sir.
I know where he worked for the government in the government.
Absolutely. Yeah. and and and that's this is the environment, right?
Right. Y and and and you can't call it uh state sanctioned either. the stuff that's going on that, you know, the majority of the stuff that's I'm gonna go out on a limb and say the majority of the stuff that's going on right now isn't necessarily state sponsored. It's hey uh in response to uh the bombing of whatever Chinese embassy, I forget Serbia or something like that a number of years ago, uh we're going to DDoS this government website. That's not state sponsored. Okay, that's that's that level of nationalism that I'm referring to. And it's gig it's huge. It's gigantic. And and the other thing that we don't have is this in our DNA, this whole concept of, you know, they've
been living and breathing the art of war for thousands of years now, right? So the flaw in the logic in our logic is is basically what country in their right mind would actively come up you know from a global war perspective when you can achieve when you can achieve probably better goals through small-scale conflicts espionage and/or terrorism from a business perspective. There you go. Why spend billions of dollars developing the technology when you can purchase stolen technology for a million dollars? It's a business case. You know, our role in information security clearly, you know, we all know what we do here. But ba, you know, let's put it down into into a little elevator statement. Our role is to prevent loss
of both replaceable and irreplaceable data. Josh Corman, if anybody knows who he is, he's a he's a security guy. I think he's at Akamai, but I'm not positive. Uh I'm not sure if he originated this concept, but I'll attribute to him because I didn't do it. Uh replaceable versus irreplaceable data. Okay, you have this concept and and and he he poignantly points out that in in our country the majority of our um compliance frameworks are focused on protecting replaceable data, right? Social security numbers, they're replaceable. Credit card numbers, they're replaceable. Okay, the innovations and intellectual properties, you know, that's irreplaceable data. Once that's out, it's not coming back and you can't replace it. So, there's there there's a
really I agree with this. It's the wrong focus. we're focusing on the wrong data type data sets and data types and and and that applies then obviously to all of the businesses that fall under any one of those various frameworks. We're not protecting the right data or at least we're not being legislated from a compliance perspective. And when you when it when you go ahead
Say that again.
Are you asking if I would assume that's the case? No. No. I mean, and and I think it was Mick the uh Mick Douglas. I think it was Mick the the the previous presentation where you know his point is look how many organizations have actually gone out of business when some of you know when this replaceable or irreplaceable data has actually actually been taken. Yeah. I mean there there's a couple. Okay. Right. Right. Yeah. So, there's a bis there's a cost of doing business here that something like that, especially if you're investing in whatever type of data insurance may exist that is relevant. Uh, you know, hey, that's an acceptable business cost. It's Yeah. I mean, I'm I'm not saying I I
necessarily agree, but it it kind of is what it is, right? From a legislative perspective. I I heard an interesting uh interesting point the other day. Uh the our adversaries who are developing all these great tools like like well, you know, and Dave's not an adversary, but you know, tools like that, right? technically um are two years away from [Laughter] the adversaries who are developing these tools to to get a lot of this of of our you know business innovation technology um are two years ahead of the developers. The developers are typically two years ahead of um the buyers, people who want that. Okay. And the buyers are typically two years ahead of uh legislation.
There's there's another two years and I forgot something. But basically, there's a there can be up to a 10-year gap between the time something is actually uh you know developed for for potentially nefarious purposes to by the time it actually gets through and gets noticed enough that oh wow now we need legislation on it. And again going back to that point that well our legislation is focused on all the wrong data and the the real big one here you know from a from an elevator pitch perspective is our role is to protect the brand. Okay. And we all understand the ramifications of not doing this and there are different levels of you know of ramifications identity theft monetary
loss. Um it I think it was Richard Clarke who came up with the acronym CHEW in terms of addressing and identifying threat vectors, right? You've got criminal, you've got activism, you've got espionage, and you've got warfare. Okay. I mean, that's that's probably a decent, you know, uh 30,000 foot picture of the threat, you know, the actual threat vector. Um, but even recently I've I've seen the introduction of even a new vector where organizations in order to potentially purchase I'm sorry, potentially win gigantic billion dollar bids from from China. This this one was from China. So I'm an American company and I'm go I I want to win a two billion dollar whatever bid uh to to perform work in
China. I'm actually going to give them classified information to show them that we know what, you know, what we're doing and potentially, you know, to a degree bribe them to give them a billion billion, you know, whatever two billion dollar contract that just that popped up in the news last week, right? So I mean you know from a vector perspective yeah it's not static and we're seeing new ones all the time but I mean I you know I've done a couple of times now a talk on security economics and how all of this from a business perspective all of this theft of innovation all of this you know especially manufacturing especially science and research uh I'll talk about
it in in a few slides but you know we are not doing a good job of protecting data that's being developed before it gets into let's say military classified type technology, right? All that stuff that's being developed at the university level, right? Who is anybody in here involved in any type of higher ed from a security perspective or network perspective? Anybody? Yes. So um how how secure is your network? Just you know roughly
you got to think about it. It's those types of those your your types of networks though are you know just a a brutally hard uh environment to to really secure. You can't you know Yeah. Yeah. And that's but that's you know where a lot of this technology is being developed and and so you know again focusing not on the right places. All of what we deal with it from an infosec perspective and a business risk perspective are really you know subsets of a of a big information problem which includes things such as um I don't know you know the transparency of government. I mean it's all related. Okay. And especially when I'm trying to, you know,
connect these dots between, look, you know, we we became such an egotistical country after the fall of the Soviet Union and that all that filtered into the way we conduct business, you know, and now we're like, oh wow, why are we being attacked from these different weird vectors and how are we losing all of our all of our intellectual property? So all of this especially this environment today you know policy and I talked about policy earlier you know from a compliance perspective but policy is dictating society which is completely backwards and and and I don't really have I don't really have a solution for this one because that's a big big problem but you know
we're not addressing the real issues you know to a degree when when we are accepting this type of policy defining how society acts as opposed to society defining policy. I'm not sure if that made sense. Did that make any sense whatsoever? That's Yeah. Is all right. Um, you know, and and this is where I probably going to get in the most trouble where I'm I'm I'm going to get into like from a generic and and look, you know, I I don't do any type of bipartisan politics or whatever, right? There's no political party for me. But from a generic politics perspective, you know, this is really to a degree where some of these root causes are coming from, right?
We're dictating how we think people should act, right? And again from a business perspective, we're also assuming that other businesses are going to act accordingly to the way we act. And that's, you know, it's all intertwined here. And that's what personally I think has to change in order for us from a just a generic national economy perspective to kind of right the ship. You know, we've got time. It's not like, oh wow, the fall of Rome is tomorrow. You know, but hey, look, you everybody in here knows the media coverage of everything that's been happening over the last two, three years is just getting, you know, like like like you know, the previous um presenter
Mick was talking about. It's all these fires now. Um yeah. And so at some point all of these people who are are defining um you know either from a from a politics, from a government, from a business perspective, all these people who are defining these kind of like standards of how we are supposed to conduct business or act or whatever, they're gonna at some point when the hits fan and be like, "Whoa, you were supposed to protect us." and and that's infuriating for, you know, I'm seeing a lot of people shake, you know, nodding their heads here. Um, you know, but but when the the root causes, right, are driven by that whole greed uh ego power,
you know, it's it's eye-opening when you think about it to a degree, you know, and and maybe maybe maybe Maybe I'm not saying anything new or different, but um yeah, you know, here here here's where it gets from my perspective and and and I'm talking a lot about I know I'm talking a lot about just stuff that sucks. Um and and I I I promise I'll I'll try to, you know, at least suggest some things going forward. But one of the things that we all have to realize now is that we are living in an environment where it's harder and harder to keep secrets. Whatever those secrets might be, okay, passwords, you know, intellectual property,
formulas, etc. All of this it's harder and harder to protect for any for long periods of time. It's just a reality that we all basically have to accept. So now how do we engineer and design solutions that take this into consideration, right? and and and yeah, like I said, there's a need to protect information before it gets to that level of, you know, uh fine um blueprints to to some, you know, military-grade helicopter. Well, the software actually was designed by a kid coming out of Cal State and uh well, you know, the Chinese already have it. By the time that software actually got into a military-grade helicopter, it's already done. it's already gone. So I want to talk a little bit about
adaptability. Okay, there's a lot of talk at a lot of different conventions about these solutions that we can apply data loss prevention, protect against protect against bring your own device, etc. It's all these different solutions, right? that n if if last year 92% of the breaches went undetected. Well, and bearing in mind and and I I fully expect a few more arguments here. I'm not actually advocating that less detection is the way to go, but if 92% of these, you know, events, breaches went undetected and everybody's still kind of conducting business. Is that where we need to focus? I don't know. Right. Same with firewalls. Right. I'm not advocate for antivirus. You know, I know
several people in this room understand and and and fully predict that antivirus technology is completely on its way out. Okay. That firewalls, sure they serve a good purpose in a network, right? But based on all of these different me you know avenues vectors mechanisms of getting data from an organization is that really you know a a a pillar of your network infrastructure anymore I don't know to adapt is really what needs to happen not adding all these different protections against the latest whatever um you know acronym
got to leave your comfort zone and the only way and if any has anybody read this book Learning from the Octopus it's a spectacular book about and the guy the the guy who wrote it is is this biologist and he worked in um he worked in our he worked in government for a while. He was an adviser. He was a science adviser to some congresswoman or something like that. But his whole premise is what we what can we learn from nature from an adaptation perspective. Okay. For millions and millions of years, nature has successfully developed security controls within its own through adaptation, not by throwing a firewall on it or whatever. I mean, he doesn't outright
come out and say that, but you know that I will. uh you know so so all of these vicarious systems that are available to us to solve problems that's not adapting to the current you know environment that we are facing today which is completely fluid and moving and changing every day and you know from from a again a 30,000 foot generic political perspective vote. I'm sorry. All of this stuff about non-protection of data, anything that that you know is non-protection of data, non-protection of innovation, not addressing existing economic issues, anything else a politician might it's smoke screen. I'm sorry. It's not important. This stuff is important. So that's kind of what I wanted to talk
about today. Um the exercise that I would like to try to you know to to to go through here is all right let's talk about let's talk about adaptability and what can anybody give me maybe an example of something that you would consider adapting to this to this environment this this kind of new environment that isn't you know toolbased or or or or you know or what have you. Anybody
right?
Yeah.
No, not at all. All right. Yeah.
Yeah. So, so I so I guess that that you know from my perspective that poses the question right as infosec practitioners you know I know not everybody in here is you know in in in infosec but um is it our responsibility then to go outside the box get out of our comfort zone and and and figure out how can we adapt these solutions to you know better protect our innovations.
water.
No.
Right.
Right.
Okay. So,
Sure.
Uh, you know something? I I I I the the UD of FUD. I'm with you on that. But fear is good. I'm sorry. It is. Fear of loss revenue. Absolutely.
Raise your hand if you got more funding.
Street. Yeah. Yeah. It means you have to open your pocketbooks. Al
Yeah, sure.
previously Sure.
Fin.
Yep. Absolutely. Oh, absolutely. I completely agree with that. And and so, you know, it to a degree that's almost a battle that may not ever, you know, be be quote won, you know.
Yep. Absolutely.
United States.
Yeah.
Yeah. Again, you know, why spend billions of dollars developing it when you can spend a million buying it stolen? Yeah. Absolutely. Yeah. And that's a good point because this is all a big it is a big business, right? whether you're talking about the crime aspect of it and you know let's say our Eastern European and Russian uh crime organizations profiting you know that that so that's the profit business model from from um you know the volume of credit card numbers that they can you know suck out of organizations these days versus you know the business of well espionage and and and making your country competitive That's a That's a business model.
right?
Yeah.
It's it's a great example of adapt adaptation in in business. Yeah, absolutely. Absolutely.
Right.
right?
Right.
business. Yep.
Well, what what I think is going to happen though, Jack, is that we're we're going to be pushed it we're going to be pushed into a situation where you are going to start feeling pain, right? And so just like every reactionary, you know, situation on the planet, we're gonna keep on doing business as usual and, you know, shit's going to happen and that's going to force something and that you're going to feel pain and, you know, at some point, you know, they'll probably even legislate stuff, whatever. You know, it's
Right.
Yeah. All right. I gotta I gotta get out of here because um but here here here's what I want to the final thing, right? So, you know, I guess takeaways, right? What are the what are really the root causes of of what we're seeing here and how can we adapt to that? That's really what I wanted to to to, you know, talk about and and hopefully, you know, you'll leave with some of that in your brain. All right. Hey, thanks everybody for hanging out and uh I appreciate it. Thanks, Guys, feel free to