McCaul tells cyber security conference of Russian role in US election

‘These were Americans in the crosshairs of the Kremlin,’ US congressman tells RSA


"Imagine a hacked planet. Imagine how the earth would be without security. The privacy we take for granted falls away. We can keep no secrets. No exchanges are secure. The very idea of trust is gone. All of our digital interactions are out in the open, subject to exploitation. Our computers, networks and cameras are subject to blackmail and ransom and being taken over any day at any time." With this dystopian vision, actor John Lithgow warmed up the crowd of some 40,000 security professionals – "digital hunters" he termed them – at the RSA Conference in San Francisco on Tuesday morning.

Ultimately, the monologue was designed to be a crowd pleaser at a trade conference: the professionals present did not need to be told the world is a better place with them in it. But hacked power plants and transport systems are no longer the stuff of films, as this audience also knew very well.

Cyber-attack scenarios invoked by speakers included the possibility of autonomous cars being hacked and directed at a single target, or attacks on medical devices that might ultimately cost lives. It's science fiction, as renowned cryptographer and author Bruce Schneier put it in his talk later in the day, "But not stupid science fiction".

The event, according to RSA, the security division of Dell/EMC, is the largest such cyber security event in the world, attended by a hall of fame of security and cryptography people. Speakers this week will include Stella Rimington, former director general of the UK's security service MI5.


The line-up, and indeed the composition of delegates, is largely male and perhaps reflects the make-up of the industry. Sessions on diversity and problems attracting and retaining women gladly feature on this week’s agenda.

Tuesday's speakers, including Dr Zulfikar Ramzan, chief technology officer of RSA, Michael Dell, Brad Smith of Microsoft, Christopher D Young of Intel Security, and Michael McCaul of the US House Committee on Homeland Security, spoke of the pervasive cyber security threat posed by nation states, threats capable of subverting democracy.

Russia

As McCaul stated baldly: “Last year, there’s no doubt in my mind that the Russian government tried to undermine and influence our elections. They broke into political institutions, invaded the privacy of private citizens, spread false propaganda. They created discord in the lead up to an historic vote.

“Frankly it didn’t matter to me whether it was Democrats or Republicans being targeted; these were Americans first in the crosshairs of the Kremlin and to me that was unacceptable.”

He said he had pushed both the Obama administration and then-presidential candidate Donald Trump to take "public and forceful stands" on the issue but he had been disappointed in their responses.

“The crisis was the biggest wake-up call yet that cyber-intrusions have the potential to jeopardise the very fabric of our republic.”

Terrorists were abusing encryption and social media to “crowd source the murder of innocent people”, McCaul said. But creating backdoors in products as a knee-jerk response would be a “huge mistake” and would put personal data at risk and leave companies open to intrusion, he said, to applause from a packed auditorium.

Closer co-operation was needed between industry and governments to tackle this threat from nation states, he said. While there was no direct reference to President Donald Trump’s so-called Muslim ban, a number of the speakers referred to the need for diversity and the reliance by the industry on talent from all over the world. McCaul acknowledged “in light of recent events in Washington”, that there was “deep concern” in the room about whether US policies would continue to welcome that international talent.

"This is a nation where the oppressed have long sought refuge and our country is a magnet for creators and entrepreneurs who are willing to take risk and pursue their dreams. The United States must maintain that tradition, not only for our country's credibility, but for the survival of liberty itself," he said.

Hacked

Brad Smith, president and chief legal officer of Microsoft, noted 74 per cent of businesses in the world expected to be hacked in the coming year and that the estimated economic loss to cybercrime would reach $3 trillion by 2020.

"Let's face it, cyberspace is the new battlefield. The world of potential war has migrated from land to sea to air and now cyberspace," he said. He called for a "digital Geneva Convention" under which the world's governments would pledge not to engage in cyber attacks on the private sector or to target civilian infrastructure. The world needed a new, independent organisation similar to the International Atomic Energy Agency, to bring together the best and the brightest from the private sector, academia and the public sector, he said.

“We need an agency that has the international credibility not only to observe what’s happening but to call into question and even identify the attackers when nation state attacks happen. That is the only way that governments will come to recognise that this is not a programme that will continue to pay off.”

Chris D Young of Intel Security said that no matter what anyone’s politics, everyone had to agree that the role of data security had been on display as never before during the election. “While I’m not questioning the outcome of the election, I am calling out the role of data security in that election,” he said.

The next threat vector would be the “weaponisation of information, with us as the targets”.

Erode privacy

In a similar reference in his own talk on Tuesday afternoon, Schneier spoke of the “weaponisation of data” as a threat to all. Drawing on some of the evidence he gave to the US House Committee on Energy and Commerce last November, Schneier spoke of “a proliferation of sensors” that eroded privacy and allowed ubiquitous surveillance on a global scale. We were creating “a world-sized robot” through connected devices and we did not even realise it, he said.

There was a real problem of “security versus safety” and he believed we should start making moral, ethical and political decisions about how technology should work.

“There’s a fundamental difference between crashing your computer and you lose your data and crashing your pacemaker and you lose your life,” he said.

A new government agency was required to deal with the problem, he said, and he further acknowledged in a question and answer session afterwards that this was not just a US problem but an international one. The market tended not to fix safety or security issues without government intervention. And nothing motivated the US government like fear, Schneier said.

“The strong impulse we have towards leaving the market alone tends to disappear when people start dying.”

The irony of such an event is that thousands of delegates are tracked and scanned and barcoded to within an inch of their lives. There are warnings that filming is taking place and that traffic over the free wifi connection will be used in demonstrations. Patrons are urged to ensure they secure their devices using virtual private networks. They are also urged to don a white plastic armband which sits on their chairs when they file into the huge conference room at the Moscone Center for the morning keynotes.

The purpose of the device does not become clear until shortly before the end of Lithgow’s speech. Raise your hand, he says, if you’re managing risk for your organisation. Raise your hand if you’ve pioneered a theory or a strategy or a product that makes the world safer. Raise your hand if you’re proud of what you do. Cheers fill the room and the air lights up with thousands of glowing wrists.

The conference continues at the Moscone Center in San Francisco until Friday.