The RSA 2020 conference kicks off next week in San Francisco, this year with a theme looking at the “human element” of cybersecurity. As they prepare to cover the show, Threatpost editors Lindsey O’Donnell-Welch, Tom Spring and Tara Seals break down the biggest news, stories and trends that they expect to hear about at RSA 2020 this year:
- Top sessions and keynotes to pay attention to
- Threatpost’s planned set of exclusive video interviews
- Ethics and AI
- 5G security
- Trends in the industrial cybersecurity landscape and IT – OT convergence
- Connected medical device security issues
- Automotive IoT
Below find a lightly edited transcript of the podcast.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost Podcast. This is our big RSA preview podcast. We’ve got the RSA conference coming up next week in San Francisco. And today Friday the Threatpost team is preparing, so we’ve got Lindsey O’Donnell-Welch, myself and Tom Spring and Tara Seals with Threatpost here to talk about some of the biggest themes that we’re going to be looking out for at RSA. Tom and Tara, how’s it going?
Tom: How’s it going, Lindsey?
Tara: Hey, Lindsey. Thanks for having us.
Lindsey: Good. Good. How are you guys feeling before the big RSA conference on Monday?
Tom: I’m feeling like I’ve got about a week more preparation to do and about 24 hours before I have to finish lining up all my ducks for RSA, which is about par for the course, honestly.
Lindsey: Exactly. Yeah, I always feel as though the Friday before is just when everything is starting to get a little bit crazy and things are starting to ramp up. But, you know, when I was starting to look at the conference for this year, I went back to last year and looked at some of the biggest themes that we saw there. And I have to say, just looking at what was covered at the conference last year, I don’t know if we’re going to see the same types of stories coming out of this RSA 2020. I remember last year there was a lot of chit-chat around AI as well as privacy for Facebook and data privacy. I feel like the themes that we’re seeing in the sessions and the keynotes are kind of different this year.
Tara: I think looking at the sessions and trying to figure out what we’re covering is interesting because I do kind of feel that those themes of AI and privacy are still there, but they’ve matured a bit now. So they’re not as broad, and I think that a lot of the sessions are trying to drill down into certain areas within that. Like there is a session on automotive exploits and IoT, which I think will obviously touch a lot on the privacy aspects of things, but it will be tailored to that specific segment. So, you know, I think conversations are maturing.
Tom: I know that the 2020 official RSA conference theme is “the human element.” And they have their little rap on how the human element plays so much into the cybersecurity landscape, whether or not you’re a researcher, or whether you’re on the other side of the equation in terms of being a victim of a cybersecurity breach, or you’re being exploited in terms of social media, public opinion manipulation. And I think we are seeing a lot of the sessions maturing beyond artificial intelligence and machine learning and talking a little bit, perhaps, you know, how those things are impacted by the human element, and what their motives are, and how they’re impacting humans. And that’s just a riff on the RSA “theme,” I’m not too sure how much people would hear or pay attention to whatever the official theme is, but it does make sense. And it’s reflected in some of the sessions.
Lindsey: Yeah, that’s a really good point. And I know one of the keynotes by Wendy Nather with Cisco is called “We the People: Democratizing Security.” And it just made me think about everything that’s been happening over the past year in terms of spyware and what we’ve seen with stalkerware, and really how a lot of these high-profile hacks are impacting human-rights activists. If you guys remember the whole WhatsApp flaw that was being exploited allegedly by NSO Group, those kinds of stories I think are really leading into this conference. So I think that is a theme that’s really applicable to what we’re seeing. Tom, you mentioned that this is something that applies to defense teams as well as cybercriminals, because if you look at the cyber gangs and BEC groups, there is kind of the human element that you need to really look at when you’re looking at various hacks — and so I think it’s a really good theme.
Tom: Yeah. Well, I’m looking through some of the sessions that we’re all going to be covering. One of the things that is coming up is, “combating cyber-sexual predators,” “safety implications of medical device cybersecurity,” “how fraudsters steal voices and make billions” — if you look at it from the lens of how this impacts us as people it’s less about, perhaps APT hacking governments or how SWIFT transactions are being diverted. I think it’s a good theme. And it’s real, cybersecurity is hitting people where they live, and it’s impacting people in a very personal way. Perhaps it’s unavoidable with all of the digital equipment, and how plugged in we are as a society.
Tara: I definitely think that there are some sessions that are the traditional, more sort of legacy-focused, on malware analysis and things like that. But I think you’re absolutely right, Tom, that there are other tendrils that are coming into the discussion now, that makes it a lot more human. Maybe inadvertently feeding into that overall theme of the show. Things like “am I allowed to subvert machine learning for fun and profit?” That’s one of the sessions that Lindsey, I think you were planning on going to. But these have to do with ethics and what the broader implications are going to be when you start fooling around with machine learning and AI, and things like deep fakes and whether or not AI is something that as a broader society, we need to be concerned about.
Tom: I’m actually jealous, Tara, one of the sessions that you’re gonna be covering “5G Trust Model: recommendations and best practices.” We’re hearing a lot about 5G and we’re going to be – I mean, help me out here – 5G’s coming down the pike and the cybersecurity implications are real.
Tara: Yeah, 100 percent, it’s very true. And there are a couple different sides of that. You’ve got the carrier side of things because the network itself is just so software-based and different than previous generations, which has a certain set of ramifications to it. And then you’ve got the enterprise side of things, the applications and use cases that 5G will enable. And that has a whole other set of security implications. And so there’s going to be a lot of chatter at the conference judging just by you know, what the agenda has planned out, and also from my private conversations with people about what they’d like to talk about in the show. So yeah, I think that’s going to be a big dimension too going forward. There’s another session too that I thought was really interesting about genomics, as a new frontier for privacy and security. So basically, you know, taking your DNA I’m presuming and discussing how that can be used for ill, or be monetized on the Dark Web or what have you. Kind of a scary one.
Tom: It’s definitely creepy, worried about people stealing your fingerprints.
Tara: Or your retinal scan.
Lindsey: Yeah, well, I think that makes a lot of sense given that we have seen a lot of concerns around the toolsets that collect your DNA and tell you about where you’re from. So I think that will be a really interesting session to hear more about. And I know speaking in the same kind of sphere, which is the healthcare sphere, I know that there are going to be a lot of sessions talking about medical IoT and medical device cybersecurity. I know there’s one that I’m going to that will discuss safety implications of medical-device security and then there’s another one that is talking about the internet of medical things, which is going to be hosted by Fortinet. So I remember at RSA last year, Tara, you had a really interesting story about a proof of concept hack that was launched on an ultrasound so I think that those types of stories are obviously really scary, but also kind of cool to learn more about how one could go through that. And I feel like RSA always does a really good job with the medical landscape and really demonstrating the safety issues and the privacy issues in that atmosphere. So I’m really curious to see what’s going to come out of this year’s show.
Tara: Yeah, and on that same wavelength in terms of physical realities and the fear that surrounds a lot of conversations when it comes to cybercrime: The SANS Institute is having a panel discussion on the last day talking about the top new, most dangerous attack techniques and how to counter them. And so hopefully, they’ll have some interesting things that maybe people don’t think about every single day when it comes to infection vectors and some of the things that cybercriminals can carry out going forward. I’m looking forward to that one as well.
Tom: So one of the themes, that’s part of every RSA is encryption and the cryptographer’s panel. I’m really interested, they have a fresh take every year on what’s going on with cryptography and encryption. And it’s really getting interesting. I mean, you hear about our attorney general wanting to have backdoors to Apple and a lot of governments around the world are now trying to subvert encryption, and it’s such a sensitive topic. And it really feels like we hit a boiling point in terms of the battle between what government wants and what the cybersecurity community knows is best in terms of the use of encryption. So I know that there are a lot of panels that are going to reflect that theme. And I’m really interested in getting the state of the art you know, where some of the government officials who are actually hosting panels or leading sessions, what their take is. It’s a particular area of interest for myself.
Lindsey: Yeah, Tom, that one looks really good. Do you guys have any other interesting ones? I know that there are going to be a bunch of well-known speakers and experts within the security community, like Bruce Schneier, Katie Moussouris, Patrick Wardle, I think even beyond the sessions, hearing from these experts and their updates on what they’ve been looking at and anything new there will also as always be really interesting.
Tom: What I always find most interesting is, you get these big corporate cybersecurity conferences and I don’t think anybody’s allowed to drop any zero days. I mean, it’s super interesting, deep dives, without a shadow of a doubt worth going to and covering a lot of the sessions. But the most interesting, right, is when you were able to pull some of these researchers aside and get the interesting story, the ones that they’re not giving the sessions on, and that’s always a lot of fun and something I’m looking forward to trying to dig out some of the juicy stories that are always floating around at these conferences.
Lindsey: Yeah, definitely. I think that’s always good. You know, it’s always good to hear the sessions but really being able to touch base that way is always helpful, especially from Threatpost’s perspective. So I’m looking at some of the other interesting sessions. There’s one about automotive and IoT network exploits. And I’m always really interested in the connected auto/any sort of car type of exploit or vulnerability. So I’m curious to see if there’s anything that will be good from coming from that one.
Tom: I don’t know about good. Probably bad. Tara, you’ve written a lot about operational technology and information technology, but I think that’s probably going to be a big theme this year, too. I mean, Lindsey, you touched on it with some of your device [coverage], and automation is really coming into our lives, not just our factory floors and smart cities. There needs to be a real, different approach to security that isn’t just IT. And it’s a merging of OT and IT and well, I just did a webinar on it, IT and OT are on the mind, but I do think it’s going to be reflected in this year’s RSA in more than a few sessions.
Tara: And I feel this ties together a whole bunch of different themes. I mean, just in the course of us talking, some things have emerged, right. So we’ve talked about ethics and emerging technologies like AI, we’ve talked about 5G, we’ve talked about medical devices, smart cities, OT-IT convergence, and how IoT kind of brings together all of these different things, right?
Tara: So it coalesces and you can find some common ground here amongst all of these themes, and it all has to do with going back to this convergence, IoT, smart-everything idea.
Lindsey: Yeah, and especially, I mean, that it’s pretty applicable to everything that’s happening. I mean, even just this week we were writing about the U.S. pipeline that was disrupted by a ransomware attack. So I think we’ll be getting expert advice on things that are happening here and now in real time too. So hopefully that can lend some insight into the conversation that’s happening.
Tara: Yeah, for sure. What about the keynotes, guys, have you taken a look at who’s kicking off the conference? Anything interesting there?
Lindsey: So I know the very first thing that’s happening after opening remarks is, there’s a keynote session called “Reality Check: The Story of Cybersecurity,” and that’s by Rohit Ghai, who is the president with RSA. So I’m curious kind of how that’s going to go, because usually the keynotes kind of set the theme for the rest of the conference too. So I’ll be interested to hear more about what he has to say.
Tom: Yeah, I’ll be honest with you, sometimes I get a little jaded at the keynotes. I mean, there’s always something I would say that I enjoy, like 30 percent of the keynotes. And believe you me, that 30 percent of the keynotes that I enjoy is pure. I really feel like I’m learning stuff. There’s a lot there. But sometimes, and I’m not gonna name names, a lot of the keynotes feel a little commercial to put it lightly.
Lindsey: Well, we’ll see what happens. I mean, there is another keynote that does sound kind of interesting, which is by Jessica Parker with Cygenta and that’s called “Fear and Loathing in Cybersecurity, an Analysis of the Psychology of Fear.” That does actually sound like it would be a good one and fitting into the human element of things.
Tom: Yeah, I’m scared. I’m scared just the title alone.
Lindsey: Anything else that you guys are looking forward to? I feel like we touched on a lot of the bigger sessions and keynotes that will be discussed.
Tom: We would be remiss if we didn’t mention the underlying story in terms of some of the big names that are dropping out of the RSA conference. I don’t want to go into a deep dive, but it’ll be interesting to see how clean things are and how many people are standing at every corner with a Purell bottle. And I don’t know — it’s going to be interesting. That’s all I can say.
Tara: I wonder if they’re gonna have decontamination chambers in between the halls.
Tom: I don’t even want to say the “C word,” but I do think that that’s going to put a zap on things at this conference.
Tara: I did notice that there weren’t nearly as many networking events and parties scheduled this year.
Tom: We should definitely talk a little bit about all of the video that we’re doing, Threatpost is stepping up and I’m really psyched. Lindsey, you’re going to be doing the lion’s share of the videos out there. I know you’ve got some A-listers that we’re going to be talking with and all of our content obviously is going to be on Threatpost, and we’ll be updating in real time on the news stories. I feel like we’re just getting better and better with the videos and finding really interesting people to talk to, and getting them to maybe break a little news for us on camera and push the discussion outside of the sessions that were cooked up six months ago and the keynotes that were figured out two months ago. We’ll have some really good, lively real-time news to report on and talk with experts about.
Lindsey: I feel like we’ll have a ton of different experts, but I know personally, I’ll be talking to Cisco Talos. And as you guys know, they always have really good threat research throughout the year, specifically around new RATs and trojans. And they’ll have a lot of really good insight into the new malware campaigns that they’re seeing, as well as some of the behaviors of nation-states and how those behaviors and tactics and tricks are changing. And then I’ll also be talking to Checkmarx about IoT security and the biggest issues that they’re seeing there, as well as some other companies too, so it should be really good. And Tara and Tom, I know you guys have a bunch of speakers lined up for who you’ll be interviewing as well.
Tom: Well, yeah, so I’m going to talk to Veracode about the NSA’s adoption of open-source software. And I got some time to speak with the researcher over at Akamai regarding attacks in actually some pretty startling numbers, in terms of attacks against APIs. And hopefully we’ll have a better understanding of what these attacks are like and how they’re shaping up. I’m looking forward to it. It’s going to be good.
Tara: I’m excited for my people too — I’ve got Merritt Maxim, who is a research director at Forrester, and he’s going to talk to me about smart cities, so that’ll be timely, I think. And then there’s this guy, Terry Dunlap, who is with ReFirm Labs, but he was formerly an NSA security analyst. So we’re going to talk about aviation security. And I think that’ll be interesting.
Tom: I like Merritt, he’s a good dude.
Tara: Yeah. And then Patrick Wardle. I’ll be talking to him after his presentation, which is going to be on repurposing Mac malware, the dark side of recycling. He should have some additional info for me, so that should be pretty good, I think.
Tom: Yeah, Patrick’s really good. He’s always breaking news. I mean, he’s always got something up his sleeve in terms of news and his research. He’s a pretty sharp cookie.
Lindsey: Yeah, definitely. Well, for all our listeners, be sure to continue to come on to Threatpost and check out our new stories that will be breaking and the different research that we’ll be covering and our video interviews too. So lots to be excited about there. And Tom and Tara, anything else you wanted to mention before we wrap it up?
Tom: Just looking forward to a good show.
Lindsey: Great. Well, we will be out there and covering on the show floor all the different sessions and keynotes and I’m very excited to be getting to San Francisco and getting started and should be a really fun time. So Tom and Tara, thanks for coming on to Threatpost podcast.
Tom: Thank you, Lindsey.
Tara: Thanks so much.
Lindsey: All right. And stay tuned for more RSA news coming next week.
For all Threatpost’s RSA Conference 2020 coverage, please visit our special coverage section, available here.