Wednesday, May 9, 2018

ICMC18: Plenary Keynote Sessions

Yi Mao, atsec, welcome

This year's conference has more than 400 attendees from 26 countries and 9 tracks! The conference focus is Security First! We started with a very cute video.

Plenary Keynote Address: Digital Disruption and the Implications for Cybersecurity and Cryptography (P10a) Jason Hart, CTO Data Protection, Gemalto, United Kingdom

It took radio 38 years to reach an audience of 50 million people. Television only took 13 years to reach an audience of 50 million.

It only took 4 years for the world wide web to reach 50 million. We all started with modems - remember Hayes modems? US Robotics overtook them with their easier-to-use modems.

Facebook took only 2 years to reach 50 million subscribers. 1 in 7 divorces are blamed on Facebook - a new sales channel for divorce attorneys!

Pokémon GO took 19 days to reach 50 million users. 19 days!

Nobody goes to the library to search for information anymore; even search websites are getting pushed out by higher order services like Alexa.

Digital Disruption - 10x innovation, 1/10th the cost and 100x the power.

In this time, you need to look for problems to solve. For example, look at Tipsy Robot - a drink-making robot that makes the experience easier and simpler for users (and consistent, and eliminates standing in long lines).

Is our industry easier and simpler to use?

Amazon Web Services (S3) was easier to use than others and completely disrupted the market.

Look at some market leaders - Uber, Facebook, Alibaba and Airbnb - they don't have inventory or cars, and they don't create content. They are changing the market by being simple, filling a need, and being habit forming.

What are we doing to make cryptography easy? There is an opportunity here.

Data is being created at an astronomical rate - 90% of the data was created in the last 2 years.

All businesses have secrets, it is our job to help them keep their secrets safe.

Out of all of the breaches last year, he believes only 1% had the proper cryptographic controls in place. Why? Everyone knows the importance of using cryptography - but it's too hard to use. We have a huge opportunity as a community here - everything needs what we're doing.

Traditional approaches have to change. What does the user need? Will we evolve or not?

We have the tools to solve the problems for trust and data privacy. We need to reset our expectations of users that use our security solutions. We need to make it exciting and fresh. Adoption will happen.

Users are worried about data integrity - they don't connect it to what we do. We need to be working at that level and worry about the implementation details ourselves.

IoT will be driving cryptography adoption in 2018 - we need to be ready as an industry to provide the right algorithms and options the industry needs.

We are moving away from Platforms as a Service, etc. and moving into functions as a service.

We know quantum is coming - are we crypto agile? Are we enabling our customers to be crypto agile?

The future will be decentralized - can we meet that need? Can we do it simply?


Plenary Keynote Address: What’s Next for Cryptography? How CSE Balances Privacy and Innovation in the Public and Private Sectors (P10b) Scott Jones, Assistant Deputy Minister, Information Technology Security, Communications Security Establishment, Canada

CSE is Canada's cryptography leader, and needs to protect the most important information, watch for threats and stay ahead of the industry.

CSE had in recent times been very focused on cyber threats and lost their focus on cryptography, which is the backbone of security. There will be a renewed focus on cryptography.

Cryptography is more widely deployed than the average user is aware - and that's okay, it should just work.

There are proposed changes to authorities and capabilities for CSE, including increased accountability measures.

People say that privacy is dead, but he believes that cryptography needs to play here to give people the option of privacy. In fact, it's our only option to maintain our privacy.

Breaches will happen - you can't protect against them all, so you need cryptography.

Unfortunately there is a lot of misinformation out there - that little lock on your browser is marketed as 'protecting your data' - true for in transit, but what happens on the other end?

Good cryptography implemented poorly is worse than none - it creates a false sense of security.

CSE will become (again) a proactive agent for research and standards, validation programs, secure tailored solutions program and cloud computing.

Government can't match the pace of innovation and speed of delivery of what is happening in industry, and needs to leverage that work for all except the most specific needs. It needs to partner with industry here - share our knowledge and learnings.

Sitting in a building and being locked to a desk is no longer a method of securing data.

We need a variety of validated commercial products to choose from to meet different needs. We need to keep pace with new security vulnerabilities in commercial products. We need to evolve quickly.

Take the aircraft industry - they have to use only validated modules. But when a security vulnerability comes out and is patched, applying the patch invalidates their validation. We should not be making the industry make these choices.

Our technology is too hard to use - too many breaches are related to misconfigurations. If a misconfiguration allows a cloud deployment to be breached, we need the data to be securely encrypted.

We must avoid the arrogance problem - we don't have all the answers. We need to work together to solve the tough problems. We need to make our technology accessible - people don't even know what to ask for.

We want to start publishing our research questions - get your input and hopefully you can share your problems as well, and hopefully create partnerships to solve them. Looking to partner both inside and outside of the government - we all have pieces of the solution. We can't solve these big problems without industry.

We are creating the Canadian Center of Cybersecurity - the Cybercenter will bring together many different research fields, and cryptography and cryptology will remain the central focus, as they tie everything together.

This conference will strengthen the world's Internet, it will strengthen commerce, it will make the world a better place.

We should not be content with the status quo or ever believe we've solved all of the problems.

CSE is creating a quarterly cyber journal to try to bring security topics to the general masses, and is looking for submissions on cryptography.

Consumers are looking for features, we're looking 10-20 years ahead on how to keep the Internet secure.