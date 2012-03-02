* Experts discouraged by year's big breaches
* New technologies bringing more risks than answers
* Industry debates best roles for DHS, NSA
By Joseph Menn
SAN FRANCISCO, March 2 - Technology security
professionals seeking wisdom from industry leaders in San
Francisco this week saw more of the dark side than they had
expected: a procession of CEO speakers whose companies have been
hacked.
"It's pretty discouraging," said Gregory Roll, who came for
advice and to consider buying security software for his
employer, a large bank which he declined to name because he was
not authorized to speak on its behalf. "It's a constant battle,
and we're losing."
The annual RSA Conference, which draws to a close on Friday,
brought a record crowd of more than 20,000 as Congress weighs
new legislation aimed at better protecting U.S. companies from
cyber attacks by spies, criminals and activists.
If the bills suggest that hackers are so far having their
way with all manner of companies, the procession of speakers
brought it home in a personal way.
The opening presentation by Art Coviello, executive chairman
of conference sponsor and recent hacking victim RSA, set the
tone with the Rolling Stones song "You Can't Always Get What You
Want."
RSA, owned by data storage maker EMC Corp, is the largest
provider of password-generating tokens used by government
agencies, banks and others to authenticate employees or
customers who log on away from the office. Not long after last
year's RSA conference, the company said an email with a poisoned
attachment had been opened by an employee.
That gave hackers access to the corporate network and they
emerged with information about how RSA calculates the numbers
displayed on SecurID tokens, which was in turn used in an attack
on Lockheed Martin that the defense contractor said it foiled.
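The passage above turns on a single point: a hardware token only proves possession if the secret it was seeded with is known to nobody but the token and the authentication server. SecurID's own algorithm is proprietary and is not described on this page, so the following added example (not RSA's code) uses the public RFC 4226/6238 HOTP/TOTP construction, which has the same trust structure, to show that anyone holding a copy of the seed computes exactly the codes the legitimate token does. The seed is the RFC 6238 test vector, embedded here as a constructed input; `attacker_forges_code` and `verify` are illustrative names, not from any product.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 SHA-1 test seed, "12345678901234567890").
# In a real deployment this per-token secret is provisioned by the vendor and
# stored on the authentication server; it is the value a seed-database breach exposes.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check, accepting codes from +/- `window` time steps to absorb clock drift.

    The server needs the same seed the token holds; that symmetry is exactly why a
    stolen seed database lets an attacker pass this check without the token.
    """
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def attacker_forges_code(stolen_seed: bytes, unix_time: int) -> str:
    """Illustrative: with the seed in hand, the attacker runs the same arithmetic as the token."""
    return totp(stolen_seed, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the legitimate token shows "287082" here
    print("token code   :", totp(DEMO_SEED, now))
    print("forged code  :", attacker_forges_code(DEMO_SEED, now))
    print("server accepts forged code:", verify(DEMO_SEED, attacker_forges_code(DEMO_SEED, now), now))
```

Note that nothing in `verify` can distinguish the genuine token from the attacker's copy; the only remedies after a seed compromise are replacing the tokens (re-seeding) or adding a second factor the seed does not cover, such as the PIN that SecurID deployments combine with the displayed number.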
Coviello said he hoped his company's misfortune would help
foster a sense of urgency in the face of formidable opponents,
especially foreign governments, who are being aided by the
blurring of personal and professional online activities. Some 70
percent of employees in one survey he cited admitted to
subverting corporate rules in order to use social networks or
smartphones or get access to other resources, making security
that much harder.
"Our networks will be penetrated. People will still make
mistakes," Coviello said. He argued that with better monitoring
and analysis of traffic inside company networks, "we can manage
risk to acceptable levels."
If that didn't inspire enough enthusiasm after the worst
year for corporate security in history - including the rise of
activist hacks by Anonymous, numerous breaches at Sony Corp,
and attacks on Nasdaq software used by corporate boards -
there was more to come.
Next onstage was James Bidzos, CEO of core Internet
infrastructure company VeriSign, which disclosed in an October
securities filing that it had lost unknown data to hackers in
2010. He was followed by Enrique Salem, CEO of
the largest security company, Symantec, which recently admitted
that source code from a 2006 version of its program for gaining
remote access to desktop computers had been stolen and
published.
FBI Director Robert Mueller spoke on Thursday, warning that
he expected cyber threats to surpass terrorism as the country's
top threat.
Though all sounded an upbeat call to arms, some watching
grumbled that vendors with little credibility were trying to use
their own shortcomings to peddle more expensive and unproven
technology.
"There's some panic" among the buyers, said a security
official with ING Groep NV who asked not to be named because he
was not authorized to speak to the press. Banks are very
sensitive to questions about security breaches and often deny
they have any significant problems in this area.
That panic contributed to vigorous panel discussions and
hallway debates about who should be in charge of safeguarding
defense companies, banks and utilities - private industry
itself, the U.S. Department of Homeland Security or the National
Security Agency, which has the greatest capability but a legacy
of civil liberties issues.
A pending bill backed by Senate Majority Leader Harry Reid
would put DHS in the lead, with assistance from NSA. Former NSA
chief Michael Hayden said in an interview at the conference that
should suffice.
"The Net is inherently insecure," Hayden said. "We need to
quit admiring the problem and move out. No position could be
worse than the one we're in now."
Coviello said one of the few pieces of good news was that
the country as a whole is now realizing the gravity of the loss
of its trade and government secrets, along with the difficulty
of reversing the trend.
"People have definitely talked more seriously after our
breach," he said in an interview. "Maybe a sense of realism has
settled in."