20 Highlights From the Annual Cybersecurity Event in San Francisco
Eye on cybersecurity: This year’s RSA ran from Feb. 24 to 28 at San Francisco’s Moscone Center (Photo: Mathew J. Schwartz/ISMG)
Once again this year, the annual RSA cybersecurity conference in San Francisco brought together tens of thousands of individuals, including CSOs, CISOs, IT professionals, regulators, senior government officials and other experts and industry watchers.
While this year’s theme was the “human element,” keynote presentations, panel discussions and briefings touched on the gamut of top cybersecurity topics, including election security, genomics, privacy, cybercrime and much more (see: 7 RSA Takeaways: ‘Human Element’ Meets COVID-19 Concerns).
Here are 20 visual highlights from this year’s conference.
Over the five days of this year’s conference, which ran from Feb. 24 to 28, organizers counted more than 36,000 attendees, 18 percent of whom – myself included – journeyed from outside the U.S. to attend. Attendance was down this year due to COVID-19 concerns (more on that later).
‘Live Long and Prosper’
George “Oh Myyy” Takei delivers the opening monologue at RSA 2020.
Kicking off the Tuesday morning keynotes on Feb. 25, actor George Takei, who played “Sulu” in the classic Star Trek series, invited everyone at RSA to pick a badge from a panel located outside the Moscone West keynote hall to express who they are.
“Thank you for being extraordinary humans – live long and prosper,” Takei said, delivering the well-loved – if admittedly non-human – Vulcan saying from Star Trek.
The Human Element
RSA President Rohit Ghai touches on the human element in his Feb. 25 keynote address at RSA 2020.
Following Takei was RSA President Rohit Ghai, whose keynote speech touched on multiple “human element” topics, including the all-too-present threat of burnout across the industry. “We have ignored the psychology of the defender to focus on the technology of the attacker,” he said (see: RSA President Rohit Ghai on ‘The Human Element’).
In addition, he said it was time for the industry to acknowledge that humans play an integral part in security systems, which must be designed accordingly. “In our world of cybersecurity, it is unreasonable to call end users the first line of defense and hold them solely responsible,” he said.
The human element became an unexpected variable for this year’s conference, owing to concerns over the coronavirus SARS-CoV-2, which causes the severe acute respiratory syndrome COVID-19, that kept some attendees away. Chinese participation was also out: On Jan. 31, the U.S. government blocked entry into the country to any non-U.S. residents who had been in China within the past 14 days.
Before the start of RSA, 1.2 percent of attendees canceled their attendance. Overall, this year’s attendance was down by about 20 percent from last year, no doubt mostly – if not all – due to the novel coronavirus outbreak.
Hand Sanitizer Galore
RSA exhibition hall
In advance of the conference, RSA organizers previewed measures they used throughout the event to help manage any transmission of viral infections, including regularly wiping down surfaces, stationing hand sanitizer dispensers across sites and promoting non-contact greeting methods, including elbow bumps over handshakes.
What’s Your Appetite … for Risk?
Fourth Street advertisement facing Moscone West
For an industry that focuses so heavily on risk management – of the IT variety – COVID-19 posed a novel concern: How risky might a large gathering be from a health standpoint, and was that risk tolerable? The many attendees, obviously, speak to those individuals’ risk appetite.
But on Tuesday – 15 days after the start of RSA – security firm Exabeam warned that two of its employees had tested positive for COVID-19, adding that it wasn’t possible to tell if they’d been infected before, during or after the event (see: 2 RSA Conference Attendees Test Positive for Coronavirus).
On Wednesday, with the scale of the outbreak having surpassed 118,000 cases in 114 countries, and leading to more than 4,200 people losing their lives, the World Health Organization classified COVID-19 as being a pandemic, warning that too many countries were failing to put sufficient measures in place.
“We cannot say this loudly enough, or clearly enough, or often enough: All countries can still change the course of this pandemic,” said Tedros Adhanom Ghebreyesus, director general of the World Health Organization, in a Wednesday press conference.
Exhibition Hall Goes Strong
RSA 2020 exhibition hall
This year’s conference counted 658 exhibitors. Due to COVID-19 concerns, in advance of the event, 14 exhibitors withdrew their sponsorship – and thus booths from the exhibition hall. Those included IBM and Verizon (see: IBM Exits RSA Conference 2020 Over Coronavirus Worries).
Sword of Cyber
The Plixer booth at RSA 2020
Nevertheless, footfall in the Moscone North and South exhibition halls looked strong – if not as mobbed as in previous years – no doubt animated at least in part by the eternal conferencegoer quest for swag. Especially popular this year: Plastic light-up swords being distributed by network management software vendor Plixer, with the pommels popping out of many an RSA backpack.
RSA guide at the corner of Fourth Street and Howard Street
Kudos to the many conference guides who stood outside in all weather – thankfully RSA 2020 featured sunshine and comfortable temperatures, and avoided the repeat downpours of RSA 2019 – to cheerfully guide conferencegoers on their way, with the offer of a free lollipop.
Women in Cybersecurity
Wendy Nather’s keynote speech focused on democratizing security, with the occasional puppy photograph.
The week’s keynotes featured a who’s-who of cybersecurity, with the roster including a much better cross-section of women in the industry than was seen – across all such conferences – even just a few years ago (see: Preview: 12 Top Keynote Sessions at RSA Conference 2020).
Again and again, many speakers focused on the human element in cybersecurity, as well as the need to put users first, rather than blaming them for the failure of technology, processes or systems. “We are trying to secure with an unsustainable model and it’s time to break it and put it back together,” said Duo Security’s Wendy Nather in her Feb. 25 keynote speech on democratizing security.
“Find Yourself” badge board at RSA 2020
Outside the Moscone West keynote hall, attendees could select from a variety of badges – sensei (worn by Takei), cryptographer, mother and many more.
Cybersecurity Experts Share Insights
ISMG’s Tom Field talks hack-attack “indicators of behavior” in a video interview with Cybereason’s CSO Sam Curry.
Once again this year, Information Security Media Group hosted two video interview studios, where we conducted dozens of videos with today’s top cybersecurity experts and practitioners on topics that included privacy, zero trust, hack attacks and the cybersecurity market.
See our RSA Conference 2020 overview to view these and more of the interviews we conducted at this year’s event.
Interviews I conducted touched on numerous topics and technologies, including discussing regulations with consultant David Ogbolumani, the former CISO of Kellogg, as well as the California Consumer Privacy Act and EU’s General Data Protection Regulation with the IAPP’s Caitlin Fennessy and Perkins Coie LLP’s Dominique Shelton Leipzig.
I also heard two sides of the Huawei debate via interviews with the company’s U.S. CSO, Andy Purdy, as well as with Michael Chertoff, the second U.S. Homeland Security secretary. Another hot subject was cybercrime, which I discussed with McAfee’s John Fokker, Sophos’ Chet Wisniewski and Blueliv’s Liv Rowley, among others.
‘The Oscars of Mathematics’
Vincent Rijmen, the co-creator of AES, said his message for students is that “doing mathematics can be as rewarding as being an actor.”
Every year at RSA, an annual award for “Excellence in the Field of Mathematics” gets bestowed, with the award winner – or winners – getting picked by a judging committee. This year’s award was given to cryptographers Joan Daemen and Vincent Rijmen.
“Daemen and Rijmen were selected for their major contributions to symmetric key cryptography, including the development of the Advanced Encryption Standard (AES), also known as Rijndael, which is the standard encryption scheme to encrypt bulk data around the world, including for the U.S. government,” RSA conference organizers say in a statement. Daemen is a professor at Radboud University in the Netherlands, and Rijmen is a professor at KU Leuven in Belgium. They “co-designed AES in the late 1990s and it was chosen as a standard cipher by the National Institute of Standards and Technology in 2000,” the RSA statement adds.
Accepting the award on behalf of himself and Daemen, Rijmen told the Moscone West audience that he would use this “Oscar of mathematics” to show students that “doing mathematics can be as rewarding as being an actor.”
Love for Blockchain
Three of the Cryptographer’s Panel 2020 panelists (from left): Whitfield Diffie, Tal Rabin and Arvind Narayanan
What were the major cryptographic innovations of the past 20 years, and what will be the ones of the next 20 years? That was a question posed to this year’s Cryptographer’s Panel by moderator Zulfikar Ramzan, CTO of RSA. Panelist Tal Rabin, an expert in cryptography and network security – including digital signatures and secure online communications – told Ramzan that for her, the blockchain was one of the standout innovations (see: 8 Takeaways: The Cryptographer’s Panel at RSA 2020).
“What amazes me about that thing … is that it went back and it took things that we have known since the ’80s – byzantine agreements, hash functions, proof of work – and combined all of these things. That’s another thing that I love about this field, that it can … go into the past, and make them into magnificent and wonderful things in the future,” Rabin said.
“Maybe … we’re still lacking the killer [blockchain] app, maybe everything can be done better using some other technology, but even if it was, just for the introduction, for the fact that almost every person in the world knows the word ‘crypto,’ which it did not know 10 years ago.”
“But it changed the meaning a little,” said co-panelist Whitfield Diffie, who helped create the pioneering Diffie-Hellman key exchange protocol.
“Completely,” Rabin replied. She then relayed a story about how a cryptocurrency conference attendee had chastised her for using “crypto” to refer to cryptography, and her setting the young man straight by telling him that the crypto to which she was referring had been around since long before he was born.
But she harbored no grudges, saying that overall, the increased attention that blockchain has brought to all things crypto has been a wonderful, unexpected outcome. “But this is the power of this field, and it really brings beauty to all the things,” she said.
Hot Topic: Election Security
The two other Cryptographer’s Panel participants this year: Ron Rivest (left) and Adi Shamir, respectively the “R” and “S” behind the RSA algorithm
Ahead of the 2020 U.S. elections this November, election security was also a hot topic at this year’s RSA conference. During the event, Elvis Chan, who manages an FBI squad responsible for investigating national cybersecurity matters, stopped by ISMG’s studios to describe how the bureau is helping to safeguard the nation and keeping a laser focus on election security (see: FBI’s Elvis Chan on Election Cybersecurity).
The topic was also the focus of briefings and keynotes, including the opening day’s Cryptographer’s Panel, during which Ron Rivest – the “R” in the RSA cryptosystem – warned that technology was not the solution to securing voting systems.
“One of the things we have learned is the importance of paper ballots – we see that putting a foundation of trust on electronic components that are hackable is just not the way to go, and having a paper ballot for every voter – a voter-verified ballot – is the way to go,” he told attendees.
Menace to Society: Ransomware
Chris Krebs, director of the U.S. Cybersecurity Infrastructure and Security Agency, in a keynote discussion with Heather Dahl
Ransomware was also a much-discussed topic at this year’s RSA event. “My deputy calls it a menace to society; I call it the scourge of the internet,” Chris Krebs, director of the U.S. Cybersecurity Infrastructure and Security Agency, said in a Feb. 25 keynote discussion with Heather Dahl, executive director and CEO of the Sovrin Foundation (see: CISA’s Krebs: 2016 US Elections Were Cyber ‘Sputnik’ Moment).
RSA President Ghai, meanwhile, urged organizations to never pay ransom to attackers. “We don’t have to win for the attacker to lose,” he said.
McAfee’s Fokker, in his interview with me at ISMG’s “Broadcast Alley” studio in Moscone West, charted the alarming trend in ransomware gangs not only holding victims’ systems to ransom, but also stealing data and leaking it, to try to force organizations to pay. “We saw it with Maze, REvil, BitPayer: A lot of these bigger ransomware groups are using this as a leverage method and to put pressure on the victim,” he told me (see: Ransomware Gangs Hit Larger Targets, Seeking Bigger Paydays).
Huawei Debate Rages On
Participants on the Feb. 26 “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei” panel, from left: Craig Spiezle, Katie Arrington, Andy Purdy, Bruce Schneier and Kathryn Waldron
RSA counts on a number of experts to set the tone and focus of its discussions every year, including Ron Rivest, Adi Shamir, Whitfield Diffie and Tal Rabin as part of the annual Cryptographer’s Panel. Another regular is Bruce Schneier, who again repeatedly appeared on stage, often discussing cybersecurity and public policy. One of these appearances was at an expert panel devoted to debating the question over whether Huawei gear could be trusted, or whether the risk that it would be subverted for China’s espionage efforts made it too risky to trust.
The “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei” panel was replete with well-honed Schneier pronouncements – aka “Brucebombs” – which helped highlight some of the bigger challenges the Huawei situation exposes, such as governments’ love of backdoors and equipment with exploitable flaws, when it suits them.
For example, during the panel discussion, Schneier accused the White House of sending mixed messages about Huawei. “It’s probably a national security issue, but we talk about it as if it’s a trade issue,” he said.
Multiple panelists, including Kathryn Waldron, a Fellow at R Street Institute, highlighted that really, it’s likely both.
Forget 5G; Put Your Hope in 6G?
Bruce Schneier and Kathryn Waldron
R Street Institute’s Waldron also highlighted that when it comes to Chinese-built gear potentially being used to support Beijing’s espionage aims, it’s impossible to fully quantify all of the risks that might pose. Same again, she noted, for the impact of all of the massive data breaches of personal information that have been attributed to China, such as the U.S. Office of Personnel Management, Equifax and Marriott breaches.
“China is taking my data; they’re building a database,” she said. “We don’t know how that data is going to be used in the future.”
Another wrinkle in the 5G debate: Even U.S.-government-approved equipment largely gets built and assembled in China. “Supply chain security is an insurmountably hard problem. It’s not just the country [of origin], it is the equipment, it is the software, it is the assembly,” Schneier said.
“We should have a discussion about what does supply chain risk look like, what does risk mitigation look like; understanding the risk does not commute … my risk,” said Katie Arrington, the cyber information security officer of acquisitions for the U.S. Department of Defense, who said her agency has been attempting to “buy down risk” with its approach to procuring non-Huawei gear.
Schneier, while lauding the Defense Department’s efforts to keep Americans safe, returned the focus to the Trump administration’s ban on Huawei, and what it hoped to achieve. “The point is that this won’t solve the problem, but it will solve a piece of the problem,” Schneier said. “I’m curious about what you’re buying instead [for the Pentagon], because my feeling is that 5G is lost, and our only hope is 6G.”
A Picture Versus 1,000 Words
Visual representation of the “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei” panel discussion
Returning to RSA was “Let’s Summarize,” which creates visual representations – live – of some briefings, this year including the “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei” Feb. 26 panel discussion.
Together with real-time closed captions – displayed on monitors, including screens at the front in areas with seats reserved for anyone needing to read what was being said – these offered a wonderful way to amplify and dive into the many insights being shared by panelists.
RSA 2021: Save the Date
RSA 2021 is set to run Feb. 8 to 10.
How will the 5G debate evolve? What will be the result of attempts to safeguard the U.S. elections in November, as well as to keep secure – and successfully conduct – the country’s census? What will our level of new coronavirus concern be by next year, and what will have been its impact not just on public health but the cybersecurity marketplace? (See: Cybersecurity Sector Faces Reckoning After Coronavirus Hits.)
No doubt those are just some of the topics that will feature at next year’s RSA conference, which is scheduled to run a bit earlier in the year – from Feb. 8 to 10, 2021 – once again at San Francisco’s Moscone Center.
Also, if Dell’s pending acquisition of RSA – not just the security firm, but also the conference – proceeds as planned, then 2021 will also see the conference being under new management (see: Dell to Sell RSA to Private Equity Firm for $2 Billion).
Here’s hoping the world has moved well and as safely as possible past the COVID-19 outbreak by then.
Photographs: Mathew J. Schwartz