Don't expect AI to save our security skins, warns RSA boss
And the government isn't helping either
RSA 2016 RSA president Amit Yoran used the opening keynote of his company's conference to warn about the dangers of trusting new technology – and to launch a stinging attack on government stupidity over encryption.
Yoran acknowledged that deep learning and AI systems were going to be a theme of the conference this year – indeed RSA is launching its own behavioral analytics engine at the show – but said the industry can't rely on such systems to solve real-world security problems.
People got very excited about AI when Google's AlphaGo deep learning system beat the European Go champion five times in a row. It was an impressive achievement, he said, but hardly a good demo of AI for the security industry.
"Go has defined boundaries and all players must follow a set of unchanging rules that are knowable and static," he said.
"In cyber security, our opponent isn't playing by the same game and they don't play by our rules: they don't even have rules. Our problem isn't a technology problem, they aren't beating us with better technology; they beat us by being more creative, more patient, and more persistent."
To beat the crooks, companies need to train their own hunters and give them the freedom to act, Yoran said. If companies are putting most of their effort into security compliance they are missing the point, he warned.
Schoolin' your guests
Yoran said that this year's conference had more government speakers and visitors than ever before. That's welcome, he said, but the industry needs to educate the government and tell it when it's being dumb.
"Weakening encryption was so misguided as to boggle the mind," he said. "We are in a golden age of surveillance. Weakening encryption is solely for ease of police in catching petty criminals. No terrorists and nation states would use weak technology, but if we adopt it you can bet they'll target us. We need to be respectful but make sure our voices are heard."
He also slammed the US administration's approach to the Wassenaar Arrangement governing the export of technology. The initial revision of this treaty would have banned large chunks of security technology from being exported, and Yoran welcomed the American government's decision to back down on the issue.
Yoran's comments were echoed by subsequent speakers. Former president of RSA Art Coviello, who popped in to pick up a lifetime achievement award, said that the industry had had these discussions before in the crypto wars of the 1990s, and the equations hadn't changed – breaking encryption is a dumb idea.
Microsoft president Brad Smith was equally blunt about government's overly intrusive approach to data in his keynote. Encryption is a key issue, he said, but so too is law enforcement's attempts to overturn two centuries of case law by going after cloud servers.
Redmond can and does work with law enforcement, Smith said, citing the Paris terrorist attacks. Microsoft handed over content from messages from 14 individuals as police sought to locate terrorists on the run, and it did so in an average time of 30 minutes, only pausing to check that the requests were lawful.
But in its Dublin case, Microsoft will stand firm on attempts by law enforcement to get data from its cloud servers. The company will continue to fight this case, he said, because it's a key legal issue.
"We believe that when the government wants to investigate a business it should go to the business, not the cloud service provider instead," Smith said. "It has worked that way for two centuries and should stay that way. Businesses have a right to know they are being investigated." ®