EDWARD AMOROSO: I see a lot of techies here, so we
can kind of talk technical here without apologizing.
So, you tell me if you want me to go deeper.
But let's start with physics.
If you go back to 1890, it was a good time to do
physics, would you agree?
There was about a 40-year period where physics was
an amazing thing in terms of work, the innovation,
Einstein publishing all of this stuff.
Then kind of around 1930, 1890-1930 after 40 years
of incredible innovation in physics, everybody got
all socially conscious, right?
We realized that we'd invented technology,
invented nuclear physics that potentially could
have a pretty significant impact on the world.
I think I see something similar in computing.
In 1968, there was a NATO conference where the term
"software engineering" was invented.
My dad was there at that conference.
And about 40 years later, we had the iPhone and
Facebook and Twitter and so on and so forth.
That 40-year period, I would argue, was about as
creative, and about as productive as we saw in
physics from 1890 to 1930.
Now, since 2008, we've gotten a little socially
conscious, haven't we?
We have a similar problem now, where we realize that
some of the technology that we built, while it
makes our lives better, it also potentially could
make our lives a lot worse, which is what a lot
of the people in this room do research and
development to try to prevent.
So, I went back and I looked and I saw that
Einstein had written this very cool letter to
President Roosevelt -- took a long time to get it
to him, and he laid out his concerns for the
nuclear era and what should be done.
I sat down and wrote a letter to President Trump,
and all my friends joked, they were like, Ed, you
are no Einstein and you know what my joke back had
to be?
Well, you could argue that President Trump is no
Roosevelt.
But nevertheless, I'll get to that later.
Share with you the kind of discussions.
Rob Joyce has been amazing, so I have had
some really good discussions with them.
And we will get to that.
Now, this presentation is kind of crazy.
I bet it's like nothing you've ever seen.
It's different every time I do it, and what I do is
I have a running Turing tape of little zots of
things that are interesting.
Where I ask the most provocative question I can
think about, and then try to give an answer.
And I go and I just snip out some pieces from the
tape and I put it together.
Sometimes I do it without looking in advance, but I
cheated upstairs and I looked to see what was
pulled here.
But, it's all these crazy, kooky things.
They ask big questions.
For example, the first big question will be that one.
So, we will talk about this.
It strikes me that across the media, we talk about
this all the time, and nobody is proposing a
solution -- the kind of solution that computer
scientists would think about.
Right?
What are you taught day one -- you know, Doug
would teach you this day one in Computer Security
101.
It would be: You don't stop cyber-attacks by
asking the hackers to please cut it out.
Right?
You would get an F on a quiz from me if you did
that.
And yet, what's our solution to stopping
election meddling?
Well, we have to ask nation-states to stop.
And we should all go, what?
That's not the way it works.
So, first thing I think, is you do an exploitable
asset threat model.
There are nine things that you can attack, and they
are arranged in rows.
So, the first thing is social messaging, website
messaging, and email.
That's like, messaging.
All of that nonsense garbage that gets pushed
out to affect the way Americans think.
The middle row, the campaign staff.
I have some interesting stories and anecdotes
about that.
Then the bottom is the election infrastructure.
Somebody voting, the databases, and so on.
Keeping track of votes.
And there is the people supporting it.
So, I think for each row, there is a solution.
Let's start with the first one.
If you have ever heard of digital risk monitoring,
then you are reading -- there is a Forrester wave
on it.
There is a bunch of companies that troll
around for evidence of fraudulent mishandling,
misuse, and just blatant theft of identity, and
brand and reputation.
And they go troll around, looking for evidence of
this.
They have Turing test type capabilities, where they
are looking for automation.
And there is that many of them all doing pretty
well, at least according to Forrester.
So, I believe we need that for our nation.
Why don't we just set up a national version of this
and troll around protecting our national
brand?
Why isn't anybody proposing that?
I'm not sure why.
There are probably a lot of people in the room here
who could do that.
Would you please?
Second thing is, we give Secret Service protection
to keep our candidates from getting shot.
Well, when somebody is a viable candidate, they
apply for Secret Service protection, they should
have to turn in all of their iPhones, all their
computers and everything and we should take over
the campaign infrastructure for every
viable candidate.
And by the way, if they say, well, you know, it
might get leaked, then what does every CISO in the
room, that you have ever met, tell every executive
that they support?
What is the one sentence everyone says?
Don't type anything into email or do something you
wouldn't want to see in the New York Times, right?
Everybody says that.
Are we not allowed to say that to people running for
President?
Like, they -- how about they grow up a little bit,
and in their campaigns, be careful about what you
type.
So, we should immediately have like an NSA Secret
Service group take over the whole campaign IT
infrastructure, whip it into a SCIF-like
protective enclave, and that's it.
I think that will be better.
Then for the third thing for the election meddling,
you know those two guys.
I had the opportunity to speak in detail -- I
interviewed both of them for my blog and my podcast
and both Whit and Ron Rivest said -- when I
said: What do you think about using PKI based
capabilities to build the national election, these
guys freaking invented PKI.
They both said: I think paper would be better.
And I thought, well, if they think that, I think
that.
All I mean here is, do not build national anything.
Keep them segregated, keep them separate.
You notice there wasn't -- or, apparently wasn't a
lot of success cascading attacks across states,
because our mutual dysfunction and
non-interoperability and paper -- that plays to our
advantage, so let's not upgrade our elections too
much.
Does that make sense?
So, that's my proposal.
Oh, this is an old joke.
I saw this at CMU a few years ago, I thought it
was funny.
What if the Intelligence Community hired Gartner,
you would get something like that.
Those are all the adversaries that are
hacking.
Apparently, Russia has the most completeness of
vision for -- this is not Gartner.
My apologies if you work at Gartner, I'm just
ripping you off here a little bit.
But notice I put Russia up here at the top.
But whatever.
Why those five on the top?
Because all five of them are on record as saying
they have 100% success rate on offense to any
target.
And you guys all know that's true.
Doesn't that make it weird to do what we do, if
there's like a group of people who at any time can
just go around anything we do, it makes us feel
stupid, doesn't it?
Like, our goal should be to move those five
countries, including our own, down and to the left.
Okay?
We all agree that's kind of a mission.
As you do your R&D, tape that up on your wall and
think, you know what?
This is not really reasonable, you know?
Trying to build defense, we are scientists, this
should work.
It shouldn't be, it works comma unless it's one of
them, then it doesn't work.
What is that?
That doesn't make sense.
Anybody disagree with this?
So, we should be deeply ashamed of that.
Oh, this is a good one.
Why couldn't the Russians find Hillary Clinton's
email?
I thought we would stay away from anything
controversial here, I hope you don't mind.
Okay, now, wipe your mind of that question and now I
want you to think as if we were in Enterprise
Architecture 200, at Stevens, where I teach,
and we start with something like that.
And I say, now look -- you all agree that if this is
some big bank or company, that's a global perimeter.
Like, the red dots are SOCs, NOCs, control
centers.
The blue dots are data centers, servers,
something like that.
And if down here in the bottom right, I have a
break-in to that blue dot, well lateral traversal and
enterprise perimeter protected trust, allows
cascade across all the other dots, right?
Duh!
That's 101 perimeter networking that you have
mutual trust there, right?
That's true.
Nobody would disagree with that, and you would go,
that's a terrible thing, because the attack surface
is enormous and everybody is vulnerable to everybody
else's weakness.
That is the problem.
That's why we don't like perimeters.
That's why you have initiatives in government
on cloud, and that's why Doug and others are
funding a lot of virtualization work,
because we want to get away from this, right?
So, tell me if you hate this.
Look up in -- I think it's a little north of Toronto,
see the blue dot there?
It's not superimposed perfectly, that might be
somewhere else in Canada.
But watch that one.
Watch what I'm going to do.
Let's say I'm worried about something there, and
I know I've got weaknesses across this whole
perimeter; if I went like this, do you hate that?
If I pull that out and take it out of the
perimeter, I drop it into like a microsegment on
Google's cloud with beautiful kind of, dynamic
virtual protection service chained in, using the
underlying cloud architecture, all kind of
dynamic -- do you hate that?
It's separate.
You have to do something to get to that isolated
server, right?
I mean, Enterprise 200, you better agree, because
I will give you a wrong on the quiz if you don't
agree with that.
Now, there is some State Department here.
Okay, you all know what that is, that's the State
Department.
Now, here's what's terrible if you do
security for the State Department: A: you have
300 embassies and consulates scattered
around the world, run by pretty aggressive, capable
people.
If you are an Ambassador, that's capital "A"
Ambassador.
I think if you are Ambassador for like, five
minutes, don't you get to be Ambassador forever?
Like, you are Madam Ambassador for life.
So, it's a big deal.
Then you have all of these wonky people at State
Department telling them, you know, you pick good
passwords and protected network and all of these
policy things that DS and others would be providing.
And maybe they found -- they probably do more, and
I have a lot of respect for DS, I'm just saying,
that's not an easy mission, right?
Furthermore, these embassies and consulates
are in the scariest places, right?
From a physical -- just sort of a logistic
perspective.
It's not easy to protect or keep track of.
So, how is the State Department and everybody
else run?
Their unclassified network looks like that: A big
blob of stuff.
And you could argue that their classified network
is probably about the same thing.
Look, I'm going to tell you something here, so the
State Department people are going to want to
strangle me.
But, I'm pretty sure that in some of the more remote
outposts, the SCIFs may not be policed the same
way you police a SCIF here in Washington in an
agency.
Maybe I'm wrong.
I think there may be quite a few violations.
I heard one where there is a door propped open,
keeping party equipment or party supplies in the
SCIF.
I have heard of other cases where dignitaries
have come in and the network not working, but
they have to get that YouTube video up for the
dignitary, so they snap into Wi-Fi from the local
deli.
And you think that local deli providing Wi-Fi and
baiting our consulate isn't waiting for that?
You get the point.
So, that's what the network looks like.
And let's just say that Hillary Clinton had put her
email -- you guys are on the West Coast, let's put
it over in Los Angeles.
There is Hillary Clinton's email on the West Coast.
Suppose she had done that.
Well, we already know that the Russians owned the
State Department network, you saw all that stuff in
the news.
Hearings and so on.
So, when they did that, I think they were looking
around for her email, but it was there.
Now, I give them negative infinity credit for this.
Because they didn't do this because they were
interested in micro segmented cybersecurity,
none of that.
It was all this kooky, crazy reason, but by
accident, they put it in a place that I'm pretty sure
nobody could find.
Now, maybe they found it.
I saw some news reports.
But you know damn well, if that stuff had been
sitting inside the State perimeter, we would have
seen it three or four months ago for sure.
That's my belief.
The reason I bring this up, is there are a lot of
people who concluded from all of that, that we
shouldn't have separate, isolated servers.
Whether you are Democrat, Republican, forget that we
are computer scientists here, I think we are an
apolitical group.
I was cringing and screaming at the
television going: NO!
It's not get back in the perimeter where you
belong!
I'm going: I don't like all of that nonsense
Podesta did and they went to an isolated server for
all the wrong reasons, but like, by accident, that's
right.
Break the networks up into pieces.
Distribute and virtualize.
So, that's what I think.
You can strangle me later.
Oh, this is a good one.
My first hack ever at age ten.
That is a gun shop near where I grew up.
It's called Sportsman's Shop.
It's not there anymore, in Neptune City, New Jersey,
two blocks from the beach in Avon/Belmar.
They used to have a soda machine that looked like
that.
Do you ever see a Vintage Vendo?
If you share a generation with me, you will remember
that was a soda machine, you would grab the top of
the bottle and you try to pull it out, but it
wouldn't come out.
You would put your quarter in, and it would open up.
Well, I figured out, when I was a little kid, that
you could take a bottle opener and a straw, pop
the top, and drink all the soda out of that thing.
And that hacked the Vintage Vendo machine.
Oh, this is a good one.
So, I approached about a dozen machine learning
type companies doing cyber.
And I made them all the same offer.
I said, if you will please help me understand the
underlying machine learning in your tool, I
promise I will write a big article, I will explain it
to all of us.
Like, people asked me what TAG Cyber is, I feel like
I'm a proxy to go out across the industry, try
to understand it through my brain, and then I spit
it out in articles that hopefully you can
understand.
That's what I do every day.
Interview ten or so companies.
I did a couple today.
So, I went through to try to understand machine
learning.
I'm a computer scientist, right?
I mean, I think I can understand complex stuff.
But when I boil all of it down, and I went through
algorithms where you have dots and you draw lines
through it, and you are computing distances
between stuff.
And you are doing Bayesian, all of this
really complicated stuff.
But I was melting it all down on my Sterno --
melting it down, melting it down, melting it down,
taking like a polynomial time transformation of
every algorithm, the base, and I kept coming up with
the same thing that I think you are going to be
disappointed about.
Now, let me show you what the base is, and then I'm
going to make a comment about it here, that is
gonna just tick off half of the people in this
room.
But, I offer it because I love all of you, and I
just think it's important for us to have a
discussion.
Let me show you.
So, if wind is less than gust, then open the
umbrella.
Right?
And if you are a programmer, I've got to
put a "fi" there just to end it up.
Okay?
Everybody get that?
So, wind, less than gust, open the umbrella.
Now, let's set the gust to 100 whatever -- 100 miles
an hour?
Everybody good with that code?
And I'm going to do it over and over and over and
over and over again.
Okay?
Now, if you are into optimization, program
optimization -- if you are an old guy like me, to
worry about CPU cycles, you look at that and you
go, I don't like that setting gust every single
time, over and over.
Let's do this: There, optimize it.
Everybody good with that code?
So, here is the fun line.
If the umbrella breaks, set the gust to wind.
And every company I talk to told me, that is their
machine learning.
Now, it was couched in advanced mathematics.
Like, it took me a lot of time to do this.
Here is where I'm going to get you mad, but I will
tell you anyway, and I will do it by telling you
something someone else said.
Here's what Dijkstra taught us.
I wish he had never passed away, we need him now.
But here is what he told all of us: He said:
Science, when it's created, goes a little
nuts every time there is a new scientific discipline
created.
He goes, when chemistry was first conceived, you
had a lot of nonsense in there, and it took
hundreds of years for alchemy to be pulled out
of chemistry and you are left with something not as
good, right?
What did Newton spend half of his life on?
He's an alchemist.
Everybody really wanted that bad, but sorry, it's
just periodic table and boring equations and all
of that fun stuff like making life -- that isn't
going to work.
Then mathematics has all of this stuff, and then
numerology gets pulled out, and what are you left
with?
Geometry and trigonometry and like, predicting
things based on numbers, that's not gonna work,
sorry.
Again, we had these crazy concepts.
Astronomy, looking up into the stars.
Astrology gets pulled off -- oh, you mean that I
can't predict my personality type by the
month I was born?
No, sorry, it's going to be just mapping out a
bunch of dots.
Sorry.
Which brings us to computing.
Our alchemy, according to Dijkstra, and I will let
you decide if this is right or wrong, has been
creation of life.
Like, go back and look at an old movie or something
from 1950 where they had computers, and it was
always -- I am the robot!
Right?
That came from von Neumann's book, right?
His book, The Computer and the Brain, which by the
way, you should buy.
What a poignant book!
It's a little, beautiful book where he writes these
essays about computing and artificial intelligence,
and then he dies at the end of the book.
You see him die.
And in the preface, it's his wife saying, I'm
really sorry, Johnny was writing this book and he
died.
I'm like, come on, it's so sad.
But it's the beginning of artificial intelligence,
and it's 70 years ago.
The fact that we haven't been able to do artificial
intelligence tells me that there is some alchemy in
there, that has to be pushed out, and there is
something real and that's what I melted it all down
to in my mind.
If you can tell me otherwise, tell me, and I
will look at your algorithm and they are
much more complex than this, but it's syntactic
sugaring on a condition causes a change in the way
some computing path is followed.
That's what I see.
So, we will move on.
Are you guys still with me?
I didn't see five or ten of you run out, so maybe I
didn't tick you off too much.
Oh, this is a good one.
Can botnets take out the internet?
Well, yes, but let's look.
Here is what a botnet looks like: A bunch of
dots and arrows.
There is bots, there is bot controllers, there is
command and control, there is communication and so on
and so forth.
When you look at all the traffic, it's that one to
many, many to one concept.
Right?
Like my voice to your ears is one to many.
It hits your ears -- and works great, because one
to many is awesome, but many to one is terrible.
Like, if your ears could bounce what I'm saying, at
Doug, then I go ehh!
And it sounds like you all went, ehhh, to him, and he
goes, ahhh!
And if you could amplify and have a whole botnet of
people doing that at like, DNS servers, the guy is in
big trouble, right?
And when you graph that -- like, here is an old Norse
screen, that everyone looks like that.
There is always this weird fan out.
You could squint at a million screens from 300
yards away, and you would go, that one is the botnet
DDoS attack.
It's always a broom going out, right?
So, it looks like that.
If you do the math on this stuff, here is what you
get: So, my mother's computer is -- I'm 100%
sure it's always infected with the worst malware you
could ever get.
She has a Windows PC, she does -- she does these
Excel Spreadsheets, which is why she can't go to
just like, an iPad, but she emails my kids, she
goes on MarthaStewart.com and plays some games.
And she's got a computer attacking China all day
long.
Right?
When I walk in the house, it sounds like this:
Hmmmmmmmm.... I go, Mom, what is that?
Oh, Eddie, don't touch my computer.
Every time you touch it, it breaks and I can't
email the kids.
I'm like, oh my gosh.
But you look and it's doing all this stuff.
So, if her computer, it's on a Verizon Fios
connection -- if it's just stealing -- like, the
malware is only stealing one meg, then I only need
1200 computers like my mom's to hit a 1.2 gig
pipe.
And I only need 100,000 of my mother, to fill up a
100-gig backbone pipe.
Dude, that is a big pipe.
We are talking tier 1 carrier sized networks
there.
And 100,000 is so pedestrian, you don't even
name 'em, right?
You guys have all seen 100,000 botnets, that's
nothing.
Talk to me when you get to a million at one meg, you
can fill up 1,000 gig, which is starting to look
like peering capacity in the United States.
So, I used to freak out about this.
I would go have these encounter sessions with
Howard Schmidt, who we all lost recently, but Howard
would listen and I would be like, dude, you know --
I'm pacing back and forth.
You know how calm he was, he was very relaxed.
And he invites me to give this talk to a group of
people.
He said, come out to the White House and give a
talk.
It was a year after he'd become the Cyber Czar.
I said, okay, I will come, I will come.
So, I get there and it's in that White House
conference room.
I'm sitting down and Howard says: Ed is going
to give a talk about blah, blah, and I get up and
people clap and I'm up there, and I'm talking and
I had that -- I'm talking about that.
Okay?
This was in 2010.
So, I'm talking and, my mother's PC, everybody
laughs when I go: Hmmmmm...
I made that joke then.
And I'm looking, and there is all these fancy people
here.
Like, the ones you see on Meet the Press.
I didn't know all of their names -- maybe you guys
would.
Would you like, I didn't know the Department of
Labor person who was sitting there, they told
me later.
Whatever.
So, all of a sudden, Secret Service comes in
and Obama walks in and I'm going -- like, he walked
in and they went like this, which means, sit
down.
So, he comes over.
I shook his hand, I sit right here and President
Obama gets up and starts talking.
And while he's talking, there was only one thing I
would think of, I need proof.
Right?
Because I'm going to get home and my wife is gonna
go, eh, how was your trip?
Oh, it was good.
The train was crowded, hot day, met Obama, had a
little indigestion today.
She would be like, what?
So, while he's talking about this -- and he was
talking about denial of service, I had my iPhone
in my pocket, so I'm thinking, whatever.
So, I reach in my pocket like this -- I pull out my
iPhone and I shot and there is his butt.
And look, there is Vint Cerf.
I sent Vint that note, and he goes, yay!
Look at that!
There I am!
Isn't that cool?
I got Obama's butt.
Okay, good one.
So, what were the original Clinton campaign fears
about email security?
Twenty years and eight or nine months ago, one score
and nine months ago, I got a call from some people I
knew at the DNC.
I think one of them had been in one of my Stevens
classes.
I got a call and here is the sentence I hear: We,
the Clinton campaign -- they didn't say it like
that -- but, we the Clinton campaign, are
worried that email security will lose us the
election.
I will let you stew on that, that was 1996.
Now, here is what they were worried about: That
was the election.
If you know the DNC building and the Fairchild
Building, they are separated by a couple of
roads, right?
I don't know if you've ever been there, but you
probably see it on like -- if you watch CNN or MSNBC
or Fox or whatever you watch, you've seen those
buildings a million times the last few months.
So, they were worried -- here's how they described
it to me.
They said: Our headquarters and Fairchild
buildings are connected by a T1 and we are worried
that the wire between the buildings that goes under
the road, from one building to the next could
be dug up by the Republicans -- because
look, there is the -- I drew the line in there,
again, that is one of the buildings.
See that dirt patch looks like an infield?
They said, we are worried the Republicans could come
dig up the T1 and tap our email.
I had to go like this.
But here's the reason they had no understanding of
telecom: The people that work at the DNC, RNC and
every other campaign, are our children.
These are wonderful kids.
Half of them went to Georgetown, studied
political science, they graduated in N minus 1
election year.
You graduate in an N minus 1 election year, you
studied Poli Sci at Georgetown, there is a law
somewhere that says you must work on a political
campaign.
Right?
So, these are kids there.
They are not neglectful.
It's our kids that are working there.
So, I show up there and I went in the Fairchild
Building, as I recall, and it's an office building,
there are other tenants there.
You go in, it's a slate floor with a thing on the
wall that says: Suite 101, Obstetrician, Suite 203,
you know, whatever doctor.
Suite 106, Democratic National Committee.
So, I go over to suite whatever it was, and you
wouldn't knock -- do you knock on the
obstetrician's door?
No.
I open it and it opens.
I open it, it's a dark room.
I flip on the light, and I'm the only one in their
place.
Some guy came in a weird biking outfit an hour
later and said: hey dude, on the way in, and hey
dude, on the way out.
Didn't ask who I was.
And it's that whole biorhythm thing, you know,
young people don't wake up until 10:00 a.m. and they hit
us parents -- I have three millennials at home.
So, I get up, I'm bored, I wander around, what do I
find -- tah dah!
Cisco router.
Everybody knows how to break a Cisco router.
Turn it off, turn it on, hit CTL B, it breaks, it
stops it, flip the manual to password recovery, type
that crap in, and you own their whole network.
Why was I there?
Because they were worried about somebody digging up
the T1 line and I got their router in an open,
unlocked room.
Twenty years ago.
So, a big group of people, I was part of it, made a
bunch of recommendations and had they followed
those recommendations, we would be in a different
place right now.
Whether you like that or not, I don't know.
We are scientists here.
Bad cyber security decisions have
consequences.
They might have consequences tomorrow,
they might have consequences one score and
nine months later, but they will have
consequences.
You make bad decisions, they are going to come
back.
I was telling my wife this and she goes, are you sure
you didn't dream it?
And I went no.
And I looked it up.
I actually wrote about it in a book.
This really, really, really happened.
Oh, this is a good one.
This just jumps around.
That's why I call this a random walk.
There are all these little speed dating type topics.
The CISO position that we all look at, is going
through the same evolution that the personnel
department went through.
Let me show you.
I found this on the internet.
The National Park Service in 1930 something, had no
personnel group.
I don't know why.
Maybe somebody with a typewriter typing badges.
By 1950s, they had a branch of personnel.
By the 1970s, it is reporting directly to the
director.
Now, can you find a single company in America that
doesn't have an HR direct report to the CEO?
Now, if you go on their website, you will find the
CEO and the HR lead with their smiling faces next
to the Chief Counsel, next to Head of Operations and
so on.
There is usually about eight or ten people
running a company.
Every single company you want to go find has an HR
person in that list.
Where are we today?
I spent four or five hours trying to find a publicly
available org chart that shows the CISO.
Now, I know people have CISOs, but the org charts
don't show them, they are buried still.
Like, 2017 Department of Energy.
The Department of Energy guy right back there.
It doesn't show the CISO there.
Nowhere to be found.
Couldn't find it on the website.
State Department, similar thing.
You can go on and on, go on every company in the
Fortune 500 and they don't list the CISO anywhere.
I feel like that tells me, that's where we are with
respect to the position today.
That you will see pretty soon that -- like, 2020 or
something -- it will be faster, you know,
everything speeds up like S curves and stuff.
And then in some number of years there will be a
Chief Risk Officer position at every company.
That's my prediction.
Oh, okay.
Telling the truth to auditors about your
primary controls.
This is what you lie to your auditor about on
every report.
You say: Electrons bounce off our perimeter.
And we put all of this stuff in there.
And it's good, it's inside the perimeter and you can
sign off on all of your audits because that is
your primary control.
Right?
But that's not what you really have.
That's what you really have.
And that enables APT.
So, APT happens.
Email through -- somebody in Marketing clicks on a
phish, you use Active Directory to laterally
traverse, you find stuff, you exfiltrate out.
Duh, that's how every attack works.
So, that is what I think you should put on the
cover of your next audit report.
The reason this is profound, is because
people ask all of you, they say, why do we have
all of these attacks?
And you know what you do, you go like this, like we
all do.
You go: Oh, well, you know, we're working on it.
But that's a bunch of bung.
That's the reason.
If that is your perimeter, then how do we not have
more attacks?
That's your perimeter.
Anybody disagree with that?
You can't put that on the cover, because you can't
sign off on the control.
So, I've been off -- you are not going to like me
for this -- but every time audit groups like ISACA
and others ask me to train, I do.
And I go talk to big groups of auditors and I
show them this -- sorry, but -- the control
community needs to understand that this is a
bunch of bung, okay?
Last topic here: Should private citizens advise
presidents?
We don't have enough of that.
You know, does anybody know who that is?
Shout it out, come on.
If this was 1937, everybody would have
shouted out in unison.
You don't know who that is?
Bernard Baruch.
That is him sitting out in Lafayette Park, gazing
across at the White House.
The press loved it.
The guy was one of the most fantastic financiers
of his time.
If you get a chance, reading his biography is
thrilling.
He wrote one, he wrote a second book about his
years in the War Department, advising.
Then somebody wrote a biography about him and I
walked past Baruch College on my way to work in New
York every day.
But that is him gazing off at the President and we
mentioned earlier, this is the letter that Einstein
wrote to Roosevelt.
I just don't think we have enough private citizens
who are providing guidance to our government, because
we are too polarized.
Like, we are too polarized as a country.
Look, can we make a pledge as a tech community, that
we are not going to be polarized?
It's kind of silly for us.
This is probably the largest, most unified
group that I know of, that's not really
politically connected.
We have to be above that.
So, here is the letter that I wrote to Trump.
I asked him to do three things, and I shared this
with Rob, and I will keep sharing it, because I
think these are the right things.
We should only have one framework, NIST.
We don't need FedRAMP.
You don't.
You don't need FISMA.
How has that been working out for you?
What's the point?
Just do NIST.
Everybody should do it once, do it properly, and
that's it.
Would you go get your home inspected 37 times?
If you are going to buy a house, you take an
inspector, you go around with a clipboard -- ah,
the gutter looks a little weak, you mark it down,
you go around.
You have a competent person you trust, you have
a pretty good punch list, you fix it.
Would you do that 37 times?
You would be out of your mind if you did that.
And yet, we do that every minute with compliance.
I figured, Trump, that would be so Trump, right?
One framework, get rid of the others.
The second one, just, everybody needs to
understand their progression to cloud.
I don't mean writing big reports, I just mean each
of the big 16 civilian agencies should be laying
out a plan to accelerate the move to cloud, because
the perimeter, as I showed you, is porous, so what do
you want to stay there for?
Why are you slowing down?
If the entire house is being shot at, and there
are bullets and cannonballs coming through
and you go, let's get the hell out of here!
And somebody goes, wait, we can't go out there,
it's dangerous.
You would go -- you lean back as a cannonball just
misses your head.
That's what we have right now with every civilian
agency, every company.
When you slow down the progression to cloud, you
slow down in improvement and security.
You are cloud to all of us.
So, do you do a better job than Amazon?
If you don't, why don't you move there?
You are cloud to your users and partners.
The last thing is Cyber Corps and then I will
finish up here.
There are a lot of Cyber Corps programs.
A nice thing we were talking about in San
Antonio.
They are scattered all over the place.
I'm asking President Trump, why don't we do
what Sargent Shriver did in 1962 or something,
where instead of a Peace Corps, let's create a real
Cyber Corps.
I mean, a real one.
Get the Fortune 500 to each put up a million
dollars to sponsor 10,000 per kid, per semester, the
universities can help.
A million dollars gets you what?
A hundred kids times Fortune 500.
Add that up, carry it out over four years, and make
them all work in our civilian agencies.
DOD's got enough.
Just the civilian agencies.
That would change the whole nature of
everything.
You don't have to pass any legislation, just dump a
bunch of kids in there.
They are going to show up with their iPhones, they
are going to want to use cloud, they are going to
show up at 10:00am to work, but they are going to be
creative, and they're going to be different, and
they are going to be demanding and they are
going to be angry, and it will change government.
Why don't we do that?
What am I missing?
All these little scattered cyber programs.
You have 'em work for four years after you pay for
their college.
I know a lot of you are going, oh, I have that, I
have that.
How many do you have?
A hundred, fifty, a thousand?
I'm talking about changing the face of civilian
agencies where you walk in and you can't help but hit
20 millennials walking past you.
That's what we need.
So, I wrote that.
Rob has been amazing.
You know, I spent a lot of time going through this.
He's got a lot of pressure from people asking him to
do too many big things.
I would say, a lot of people here are his
friends, he was here speaking.
I think the best support we can do for him is, A,
be good at what you do.
We need all of you to be, I think R&D in particular,
had been under attended to.
I give a lot of credit to Doug and the team for
keeping the spirit of research and development
alive in government and in academia.
But to be good at what you do.
But also, as you interact with government, keep it
simple.
Pick a few simple things and don't get off on -- we
are going to solve industrial control and
solve -- I didn't even put election security here.
I think those are all too big.
I think it's better if you pick a few things and
really focus.
That's been my advice.
Again, I said a minute ago, should private
citizens like myself be advising Presidents?
I think we should, and I think you should as well.
I think it's our right as Americans.
I'm happy to take -- we still have a couple
minutes here, potentially.
Doug, I will turn over the balance if you want to get
going?
[applause]
DOUG MAUGHAN: Thanks Ed.
That was fantastic.
Questions for Ed?
AUDIENCE MEMBER: Charles Harvey, International
Trade and Technology.
I have a question.
After the 2008 campaign, it was widely publicized
that both campaigns were hacked by both the
Russians and the Chinese.
Do we never learn or --?
EDWARD AMOROSO: Yes and no.
I think we do learn.
I mean, everybody is hacked.
I think that's what you learn very quickly when
you become a CISO.
You learn very quickly that Leon Panetta was
right.
He said on 60 Minutes, you either have been hacked
and you know it, or you have been hacked and you
don't know it.
That's what you have.
And he didn't make that as a glib statement.
He's saying that if everyone has these
perimeters that are porous, and in the case of
the 2008 election, you've got campaign
infrastructure that is run by youngsters who are not
career IT security pros.
Of course, it's going to be hacked.
But I do think we learn.
I think as Americans, the problem we have is we
usually learn after we have been punched in the
jaw and we are lying on the ground.
That's when we seem to be best at getting up and
uniting.
Think about the tenor of our outrage after 9/11, we
felt like, we are not gonna take it.
This is enough.
We are angry.
Now, whether we did the right thing, I don't know.
I'm just saying that that mood was something that I
miss.
Now, I feel like everybody is all sort of
all over the place.
But I think as a tech community, we need to
unite on one theme, and that's that everybody has
been hacked, get over it, and now let's do something
different.
I think distributed systems, virtualized
systems, cloud based infrastructure, and then
reloading your security is where -- in my reports I
have three themes.
I call it explode, offload, reload.
Explode your infrastructure into pieces
-- so here is an image for you -- it's a terrible
image, I apologize.
A truck bomber drives up, radios back: Yes, I see
the building in sight.
Drives and hits the building and it explodes.
That's option A.
Option B: Truck bomber drives up, sees the
building, but then slams on the brakes, radios
back: There is no building.
They broke it up into a bunch of bricks, what do I
do?
There are bricks scattered all over the place.
So, that's exploding your infrastructure into
workloads.
Offloading means you are not gonna be able to do it
as others do it.
Like, I'm a big proponent of software defined
anything.
I think if you are not looking at AT&T's software
defined network, duh, I still bleed AT&T if you
cut me, but I'm just saying that that software
enables so much for what you should be doing.
And cloud infrastructure.
The cloud providers are getting better, and they
are probably better at doing it than you.
So, that is offload.
And then reload means, all of that old cybersecurity
stuff you were doing 20 years ago, forget all
that.
There are beautiful capabilities, so many
vibrant vendors out there.
You have your pick.
Like, you could set your watch every hour a new
cybersecurity company pops out of Tel Aviv, right?
So, whatever.
Use them.
These are great.
So, explode, offload, reload, that's what I've
been preaching.
So, I hope we learned that.
Good question.
Anything else Doug?
AUDIENCE MEMBER: To stay apolitical, are you with
the three ISPs, or everyone else on net
neutrality?
EDWARD AMOROSO: Well, I don't think net neutrality
is a security issue necessarily, so I never
had much of an opinion there, because I try and
stay very focused on malicious attack,
malicious threat.
You are probably going to want to throw an egg at
me, but I don't really have an opinion about
that.
Here is the reason I say that: I think that it's
important for a cybersecurity practitioner
to be focused and not have opinion creep, you know
what I mean?
Like, a lot of people ask me, what about acceptable
use policies?
I go: That's up to you.
They go: But you are a security guy, aren't you?
I say, no, I don't have an opinion.
If you want to restrict sites, that's up to you.
That's not a security issue.
So, I have tried through my career to be very
focused on what I think I know something about.
Here is what I like about all of you, the technical
community.
When you go to a tech conference -- and then I
will contrast this to a political organization.
A tech conference -- if an expert comes up -- Doug
brings an expert up here who is really good at
automated advanced biometric analytics.
And there is like, a PhD from MIT in that.
And this would be like a young lady standing here,
knows everything about that.
You ask her a question, and she will go: Well,
there is probably somebody in the room here who knows
more about this than me, but I will just offer...
right?
Isn't that what scientists say?
They say, this is what I think I know, and I know
what it is to not know something.
But then you go to a political group and
somebody knows one percent, and they are the
expert forever on that.
And you look at them and you go, you don't know
that!
What are you talking about?
So, for things like that, I don't know.
I sit like you and I go, I don't know, and I focus on
things that I think I know more about.
I bet if you ask anybody in the room, they will
probably give you a better answer than that.
But, thanks for asking.
AUDIENCE MEMBER: Pastor Ed.
You said you were preaching, I'm going to
call you Pastor Ed.
Quick question for you.
So, a lot of talks obviously deal with things
other than software.
A lot of folks have been talking about
architecture, networks, so forth and so on.
I think software is probably the most critical
part to anything we do in terms of a cyber
perspective.
What are your thoughts of software security, and the
role that it's going to play in terms of improving
and advancing our cyber capabilities?
EDWARD AMOROSO: That's a great point.
So, software security is still pretty nagging,
isn't it?
Like, software engineering should be in a less sorry
state than it is.
If there is one area where I'm maybe not as
optimistic as I wish I could be, it would be in
software engineering.
I feel like Agile development, it's like a
direct descendant of Barry Boehm's spiral model,
right?
Like, if you share a generation with me, you
know waterfall became spiral and then all of a
sudden became Agile.
I felt like Agile was just looking at all the bad
habits that we had and then codifying it in a
diagram.
[laughter]
So, the fact that we still don't have the ability to
write error-free code, and we acknowledge that and
almost celebrate that, worries me.
That worries me.
And notice the machine learning thing?
Here's what I've learned: I'm so embedded in
academia and software engineering and so on,
here is what I think is right: When you look at a
little piece of code like what I put up on the
board, I think that's what correctness is all about.
It means writing something small and simple and
compact, that you really feel like you understand
and you are sincerely surprised if there is a
problem.
I grew up in and around Brian Kernighan and Dennis
Ritchie and all of these beautiful Bell Labs
scientists.
One of my great times in my life was having the
opportunity to work with Bob Mars who invented half
of the stuff that you see in security today.
And every one of them would equate correctness
in security and software with elegance, simplicity,
economy of design, and being able to understand
everything you wrote.
Similar to my comment a minute ago about something
I don't know, don't do it.
When it's code, if you are dragging a library in you
don't understand, what are you doing dragging that
library in?
Like, really.
I get "reuse" but if you don't understand it, are
you comfortable dragging all of that code in that
you have no clue anything about?
That's what the Unix masters taught us.
So, great point.
Software defined everything is awesome, but
at the root of it, we still have -- let me say
one more thing and then I will turn it back to Doug.
On software engineering as an education, I really do
think this community needs to be a little tougher
about standards for how we train software engineers.
You've all had the experience of going --
it's always out on the West Coast, you go out
there, you visit the development team, and
there is the ponytail guy and the young lady, and
you meet them all.
And, oh, we want you to meet our developers.
So, I'm shaking hands.
Hi, where did you learn development?
Oh, I'm not a software engineer, I was a musician
and I just sort of fell into coding.
And you go, would you like, go to a civil
engineering company and look at all the bridge
designers and go, oh where did you learn civil
engineering?
Oh, I never took an engineering course, I was
a ballet dancer.
I just fell into civil engineering.
You go, so -- I think we should be a little bit
tougher about who does the coding and who doesn't.
Good question.
DOUGLAS MAUGHAN: Join me again in thanking Ed.
[applause]