“We will never be secure until security is on everybody’s mind,” declared Mårten Mickos, the Finnish-born CEO of HackerOne. “With cybersecurity, we must be open and sharing and collaborative, and then it will work.” Willem Jonker, CEO of EU-backed EIT Digital, heartily agreed. “There is an enormous skills gap when it comes to digital technologies,” he said, “especially cybersecurity.” Welcome to Cybersecurity Awareness Month, led by European-styled collaboration.
The two executives joined 100 guests at the RocketSpace incubator in San Francisco to headline a full slate of European and American experts in information security, from government and law enforcement to hot startups. Sponsored by EIT Digital, the in-depth night covered best practices, the European perspective, educational initiatives, spiced with more than a few cautionary tales of what happens when somebody screws up.
And somebody always does. People are always the weakest link, the experts agreed, no matter how strong the technology or the systems. Better discipline, and an increased attention to behavior monitoring of data streams going in and out. Firewalls, the traditional mainstay of cybersecurity planning, focus on keeping the bad from coming in. More recently experts monitor flows of traffic going in and out: the “exfiltration” of data such as that seen in the recent catastrophic Facebook data breach.
Facebook is facing a massive $1.63 billion fine for its failure to protect sensitive account information, and as Jonker pointed out, cybersecurity is at heart a problem for your entire enterprise. Organizational vulnerability was well understood by the panel of local government experts from San Francisco, Palo Alto, and the county of Santa Clara.
Jay Song of the California Highway Patrol talked of the massive challenge his agency faces as it takes on the digitization of systems and databases of public records. Song oversees 7,500 police officers whose highway-centric jobs are almost fully mobile: “80% of our business is in the vehicle.” From their cars, motorcycles, and mobile devices, they’re sharing and accessing massive amounts of data all day long, so it’s especially critical that they follow best practices in data protection. Digitizing the force is requiring the CHP to be nimbler about security. When they digitized the state’s annual collision report detailing 450,000 collisions, for example, they were very successful in improving operations efficiency and reducing paper. And yet “the cities of California are linked to the entire nation. They are very technology savvy and they expect us to provide the same services as Apple and Google,” Song added. “The price is how do we protect that information?” The answer is education.
The cybersecurity skills gap is a growing challenge worldwide, and driving new initiatives in education. Julie Shapiro of UC Berkeley Executive Education, Cian Mitsunaga of EIT Digital, and Carolyn Shek of the San Francisco Office of Economic and Workforce Development were on hand to talk about new educational and apprentice programs, including the Cybersecurity 360 program for executives. This international collaboration between UC Berkeley and EIT consists of two modules, the first in San Francisco, then in Munich on network security, IoT security, GDPR compliance, data privacy, and other security concerns. The EIT Master Program, a cross-discipline postgraduate degree offered in six locations throughout Europe, said Jonker, is increasing in scale. Graduates have launched multiple startups including a phishing detection service and a drone security app. Responding to growing interest, a new module has been added to focus on cybersecurity.
What’s different in Europe, noted Mickos of HackerOne, is a tendency to value collaboration over secrecy. Policies that emphasize clearance and certification, where “people are hiding in some security room and nobody can talk to them,” he said, “is the biggest mistake ever.” Mickos’s company employs 250,000 freelance white hat hackers paid to find vulnerabilities in commercial and government systems such as the DOD, the Pentagon, and all branches of the US armed forces. “It was very hard to hack the Air Force,” he joked. “It took us 8 minutes to break in.” Joining him on the panel of tech executives were Chris Ahlberg of Recorded Future, and Tom Mullen of OPSWAT, drawing from their experienced corporate perspectives on security. The takeaway? Collaboration is key.
Mickos cited the compelling example of airport security protocols, where universal discipline standards require that everyone goes through a checkpoint to get on the plane, vastly improving security. “And then it doesn’t matter how many black hats there are – and there aren’t that many,” he said. “Because there’s a thousand times more good guys in the world, or, ten thousand times. So, if we just realize this, then we’ll be pretty good.”
Security and its risks are “not limited to a specific country or even to a specific continent,” said Jonker. He shared Mickos’s optimism about Europe’s collaborative efforts, and pointed to this year’s roll-out of GDPR across the EU as an important step toward bringing attention to privacy issues. “European governments,” Jonker added, “are more sensitive about security and protecting the citizens.” Their leadership will have a worldwide impact.
