Transcript
Anna Delaney: Hello, welcome to the ISMG Editors' Panel, live at RSA Conference 2023. This is day three, and I'm joined by my colleagues, Mathew Schwartz and Michael Novinson. How's it going so far, gentlemen?
Mathew Schwartz: It's excellent. Great to be here.
Michael Novinson: Enjoying the show, lots of great conversations.
Delaney: So let's recap day two, first of all. What were highlights for you, Michael?
Novinson: Some of the highlights for me were interacting with Jay Chaudhry. He is the CEO of Zscaler. We talked a lot about zero trust, not just theoretically, but how to put it into action, what CIOs are doing, what board members are doing, what the federal government is doing, and how organizations can get started on that zero trust journey. But really the topic du jour of day two, as well as the conference as a whole, is generative AI. From the standpoint of venture capitalists, well, how can they make money off of it? What does it look like to secure AI data, AI algorithms, AI models? Where can they get started with that? As well as what are some of the cyber risks and some of the cyber opportunities around generative AI? So for me, those are the two big themes from day two.
Delaney: Do you think there's some concrete conversations from what you've heard? How much of it is buzzy buzzy?
Novinson: Definitely some buzzy, buzziness. I think certainly. And this actually was a day one conversation with Nikesh Arora, the CEO of Palo Alto Networks, that there is this pressure to be first. And everybody wants to say, "Oh, we've embedded ChatGPT into our product." Really, what does that mean? If you've done it in four weeks. Is that just you really just put an interface on the front of your product, where you can ask questions in natural language that connects you and sure that's nice and requires less coding. But is that really adding value? Is that really taking that quantum leap forward? And I think some of the folks certainly - Palo Alto Networks and Zscaler - are biding their time. They're really trying to figure out how can we use generative AI to really increase the efficacy or detection, not just to interact with a bot, but really to make our technology better at doing what it does? And what are some of the new things that we have to think about protecting as a result of what adversaries are able to do with generative AI.
Schwartz: Yeah, that was one of the big topics with Cisco, when I spoke to them today, or yesterday, I should say. They were looking at how you can use AI, how attackers can use AI and also how you need to use AI to secure AI, or some flavor thereof in the evolving AI sphere, I guess.
Delaney: What were highlights for you, Mathew?
Schwartz: So day two, fascinating stuff. I got to speak with Hugh Thompson. A lot of people know him because he shows up on stage every year. He has for a long time. He has for 15 years been the programming director for RSA. So helping lead the charge when it comes to sifting through all of the applications they get to speak. And he highlighted three things - generative AI. Thank you, Michael. Software composition; so getting into things like the software bill of materials, what does that even mean? And then when you have that, how do you begin to try to apply it. Huge issues there. And then also, just all of the dynamic changes, as he said, in cyber. Everything is so dynamic. And that was a big theme I heard around AI, around how it is being used, how it could be used. I mentioned the Cisco discussion I had. That was excellent. That was with Jeetu Patel and Tom Gillis. They had done a keynote, excellent keynote, where they were talking about trying to find new ways of thinking, identifying the flaws with the old and seeing where you go forward. There's a great line from Tom in his keynote. He's talking about trying to find a synchronized symphony of security defenses, i.e., trying to get everything talking to each other in a good way. So Cisco obviously has some thoughts about how they think you should do that. So do some other people, but wonderful, fascinating discussions. And then I'm just going to pivot into the cryptographers panel. Because ChatGPT was a big theme there as well as you would expect it to be because they rigorously chase down whatever the hype is, whatever the buzzwords are, I think with an eye toward can we puncture this, you know, thin concept if it is a thin concept, so I always really appreciate the deep thoughts that they bring to some of the big issues of the day. What are those big issues of the day, Matt? Well, I'm glad you asked. Chatbots were a big one, as we've been discussing, I love Adi Shamir.
He is the "S" in the RSA cryptosystem. Small claims to fame there, especially with a cryptography audience. But he said that a year ago, when it came to AI, he thought there was going to be more, well, lots of potential good application on the defensive side and minimal offensive application. And I don't think I've ever heard him say this before. He said, I've completely changed my thinking over the past year, and he is extremely concerned about a tool that can sound human and what you can do with that at scale, given the gullibility of humans when it comes to things like I don't know, our election or a Nigerian prince, you know, telling me that my million dollars has finally arrived. So that was one of the big fascinating things. And the other one was, I'd say the decline and fall of blockchain. It wasn't declared dead. And certainly blockchain and cryptocurrencies are two different things. But where people have been bullish on blockchain in the past, they are a lot less bullish. Now, some of the people on the cryptographers panel have never been bullish on it. Just to be clear, they've said, you all look at all the options. And if blockchain is the one and it won't be then do blockchain. So there's a bit of nuance there. Maybe not when it comes to blockchain. But just great discussion.
Delaney: Fantastic. So Michael, were there any surprises?
Novinson: I think so, in terms of some of the conversations I had around critical infrastructure, really the evolution in that space that I think historically has been really a larger organization focus, and now trying to figure out both how to bring it down to the municipal level, municipal water, municipal electric, as well as the simultaneous challenge. If you're a critical infrastructure organization, you still have to balance that with securing your classic IT systems. And how can you do that in concert, in collaboration with one another? So certainly some dialogue there. And I think as well, there were some conversations about I think, really just a sense that we don't really know what we're doing with ChatGPT yet. It's fun to play with, and whatever. It can sing us songs and write us poems. And that's fine. And that's consumer. But what does it actually mean in the context of cyber, just, we've had the privilege of getting dragged with some very smart people, and they really don't know yet. So I think there's a lot that remains to be learned.
Schwartz: Anna, how about you? Highlights?
Delaney: Talking with you. Well, it was great to speak with Joe Carson, of course, about gamification. It's interesting with security, how do you get through to people and make it fun, and he gave some really cool thoughts about how to apply gamification into organizations. So more on that later. So were there any surprises for you?
Schwartz: Surprises for me, I think the decline and fall of blockchain maybe was one of them. But the nuance around quantum computers was a surprise, just in terms of do people need to be worried. One of the takeaways from the Cryptographers' Panel was, if you've got secrets that need to be secret still in 30 years, in 50 years, then you should be looking really closely into what you do with that. And maybe encrypting it is not the answer. You know, I don't know about locking it up in a safe or something. But again, Adi Shamir was saying 99.99% of things, and he said, probably add some more nines on there, that we have stored in data format. I was like, do you want to have lunch tomorrow, and where, or we have this secret new product we're developing, but it's going to be out in a year. And all of a sudden, that's not secret anymore. So he was bringing a lot of nuances to the concerns that people rightly have about will we have crypto systems that are quantum resistant? That is a concern. The NSA is saying it is. NIST is saying that is a concern. So we need to listen to those voices. But he said, is it a concern for you? And what do you do about it? And I think that for the moment, most people are not going to need to do something about it. So it's fascinating and fun to follow. But the sky is not falling.
Delaney: Well, let's look at today. And what are the highlights for you? What are you looking forward to? Who you're speaking with? Are there any sessions you're attending? So, Michael, take it away?
Novinson: Absolutely. Well, so I'm really excited. I'm going to be speaking with Michael Sentonas, second in command at CrowdStrike, about some of the plays they're making with Google. And some of the plays they are making to broaden that XDR, and identity and cloud ecosystem. As well as getting to speak with Rob Lee at Dragos, about what they're doing around critical infrastructure, and really looking at some of the risks that organizations have, and then how companies can get started on their critical infrastructure journey. Two conversations I'm very excited for today.
Schwartz: So my, if I have to limit myself to two conversations, I'm going to pick Brian Honan. He's a great resource for us here, at ISMG. I'm speaking with him, and we're going to be, I think, rounding up the last five years of GDPR.
Novinson: Two-three minutes.
Schwartz: Just a couple of minutes. And then also, I'm looking forward to speaking with Jon DiMaggio. He's a ransomware researcher. He's promised me some insights into, I think, some identities and some groups perhaps that haven't come to light before, or we'll see. So check back with me in 24 hours' time and hopefully we will know a little bit more about ransomware than we did before.
Novinson: Yeah. Great. What are you most excited for today?
Delaney: Speaking again with you tomorrow and today, no there's plenty going on, with day by day here, so that's a wrap for us. Thank you so much for watching. Stay tuned for our updates tomorrow. I'm Anna Delaney for ISMG.