On April 19 and 20, 2016, at the Computer History Museum in Silicon Valley, the Security Innovation Network (SINET) held its tenth annual IT Security Entrepreneurs Forum. SINET is a non-profit organization. Its mission is to advance innovation and enable global collaboration between the public and private sectors to defeat cybersecurity threats. It connects communities of thought leaders in government and industry with builders, buyers, researchers and investors across the international security domain. The goal is to promote and advance cybersecurity innovation. Supported by the US Department of Homeland Security, Science and Technology Directorate, the organization recruits an impressive membership across all sectors of the industry. Sponsors included Kauffman, General Dynamics, Google, Zurich and CyberSponse. All of these firms are concerned about cybersecurity.
The forum had approximately 78 speakers along with moderators from the private and public sectors. All subjects centered on cybersecurity and future innovations.
The military's Observe, Orient, Decide, and Act (OODA) loop concept was explored in the session entitled “How to Use the Military to Operationalize Cyber Risk Mgt (OODA Loop concept)”. An interesting takeaway is that cybersecurity is learning from other fields (biology, etc.) in trying to build a holistic approach to security. For example, Homeland Security's Continuous Diagnostics and Mitigation (CDM) program is focusing on being more proactive than reactive to attacks. The thought is that one needs to understand the profile of the attacker and what he is looking for. Another issue is that companies don’t receive data of the right quality fast enough. Technology companies are slow because they are still grappling with efficiently analyzing structured and unstructured data. So the OODA loop is not closed yet.
Securing complex global networks was also discussed. People think that if they purchase more security solutions, they will have more protection. But they never think about the attacker. Who is the adversary? In the OODA loop, the adversary needs to be observed. The focus should be on a threat-focused security posture. The example of the June 2015 U.S. Office of Personnel Management breach demonstrated the importance of asking: what do enemies want? And why?
As Internet of Things (IoT) solutions start to be deployed, IoT cybersecurity is becoming a legitimate concern. The session “IoT Cybersecurity – How Do We Protect the World with Limited Resources” covered some of those concerns. The panelists all agreed that the combination of cyber and physical systems is not new. However, IoT devices operate in a smaller footprint (e.g. limited connectivity, power and memory). These dynamics therefore require a new industry security posture.
One of the biggest security concerns for the U.S. government is industrial controls. Other concerns were healthcare and medical devices, manufacturing and transportation. All of these verticals need better security. The panelists all agreed that this is a collective exercise for the industry. Developers need to build security into stacks and actively monitor and test for vulnerabilities. Smaller, faster devices with programmable filters are also needed. Machine-learning filters are needed to analyze the data and solve problems faster.
With the exponential increase in devices, the government foresees a growing concern around privacy, civil liberties, policy and compliance. To address some of these issues, Underwriters Labs has published a new IoT standards document. This step will help to educate the IoT community. In the private sector, the Continuous Diagnostics and Mitigation (CDM) standard is starting to be deployed.
Of particular importance is how the cyber world impacts the physical world and the physical world impacts cyber. IoT, critical infrastructure and terrorist protection all require that we are able to bring together and understand information from multiple sources and domains – particularly at the nexus of cyber and physical. Facilitating this “connect the dots” imperative is an Object Management Group® (OMG®) standards process underway to federate, integrate and map operational threat and risk information across diverse domains, technologies and organizations regardless of the technology, schema or domain.
There were also insightful discussions concerning “Military & Civilian Government Challenges in Cybersecurity”. Managing control systems, such as automotive and weapons systems, with consistent availability and reliability is a major challenge.
This summary only scratches the surface of the rich content and insights gathered at this year’s SINET event. One major takeaway is that as Cloud and IoT technologies take shape, cybersecurity in both the private and public sectors needs to be enhanced. While addressing the cyber challenge, we don’t want to create a cyber stovepipe; we must consider cyber in the context of our society and physical world. Collaboration and co-innovation are the keys to meeting that need.
Principal IoT Analyst, Solution Specialist