CSFI Participates in the 2014 Cybersecurity Innovation Forum at the Baltimore Convention Center.
The 2014 Cybersecurity Innovation Forum was a three-day event sponsored by the National Cybersecurity Center of Excellence (NCCoE) with the Department of Homeland Security, the National Institute of Standards and Technology, and the National Security Agency. Approximately 700 Cyber Security professionals attended the event in spite of sub-zero temperatures and snow in Baltimore.
Phil Venable, the Chief Information Risk Officer at Goldman Sachs, kicked off the event with a superb presentation discussing innovation and insights at Goldman Sachs over the last decade and reminded all of the participants that the fundamental lessons from the 1970s forward still apply to trusted computing today. He also stressed the importance of understanding the difference in “being secure” versus “providing security.” All cyber professionals should also be heartened by Phil’s recommendations to improve not only the quantity of cyber security professionals across the various sectors, but their productivity through sound practices as well. Please contact Phil for a copy of his briefing; I think you would find it very insightful.
Major themes throughout the forum included emphasis on the POTUS-directed Voluntary Cyber Security Framework (NIST), implementation of STIX & TAXII as new standards for information sharing, and changing the economics of cyber protection. STIX is a data exchange format, and TAXII is the transport mechanism. Michael Daniel, Special Assistant to the President & Cybersecurity Coordinator, White House, shared the NSS key perspectives on current cyber issues: 1) the threat is real, but it is not a movie script; 2) the threat is becoming broad and diverse; 3) it is more sophisticated; and 4) cyber threats have reached a point where they are now capable of being destructive. Michael also stressed the need to “flip the economics of cyber defense in favor of the defender.” Several of the speakers and panels followed up on this idea, and presented ideas for making attackers devote more resources to their operations, hopefully making it less lucrative for them. Yes, this should remind us of the US strategy for bringing down the Iron Curtain, though I hope we can do it for less!
TAXII and STIX received consistent and repeated calls for support from NIST, DHS and Industry representatives as the “format of the future” with several of the Industry vendors openly stating they were actively investing significant internal funds to adopt these standards, and to make STIX the baseline format for their products. Many of the participants and panel members supported the move to STIX as a substantive and effective way to improve Information Sharing needed for overall increased security.
Participants supported the cyber ecosystem theme and added their particular twists to it, including pushes to consider health care analogies. In this case, we should think of STIX and TAXII as the first coordinated method to improve the “immune system” of shared cyberspace.
The NIST Voluntary Framework is slated to be released on 14 February 2014 and we should all become familiar with it as soon as possible. You can expect to see gaps and seams in the Framework, but each one should be viewed not as a shortcoming, but as an opportunity for innovation and solutions. We also need to understand the language of the Framework, and be ready to assist our agencies, clients and teammates in putting requirements and needs into the same language. Doing this will enhance communication during operations, and ensure that proposals, bids and work plans are understood and meet Government and Industry expectations.
The 2014 Cybersecurity Innovation Forum was a great venue. The hosts, sponsors and Baltimore Convention Center staff did a superb job putting it together and executing the event. The Forum was set up along four tracks: Trusted Computing, Security Automation, Information Sharing, and Research, with several Plenary sessions and Panels each day. Thanks very much to Paul De Souza for arranging the pass to ensure a member of CSFI was able to attend and report back to our members. I recommend everyone view the full agenda and presentation list at https://www.fbcinc.com/e/cif/default.aspx and contact the presenters with questions.
Robert A. Morris, Colonel (ret), USAF
CSFI Advisory Director