The Tech Herald

Security On Assignment: Security Blogger Summit

by Steve Ragan - Feb 9 2009, 18:25

Here is a breakdown of the conference in Spain, with more to follow. (IMG: J.Anderson/S.Ragan)

Madrid – Last week, I had the honor to travel to Spain and take part in a roundtable discussion hosted by PandaLabs and moderated by Panda’s Josu Franco. By the end of the session there were two trains of thought: the first is that there is a strong need to educate end users; the second deals with the economy of security – the market rewards innovation and advancement, not security as a concept.

The panel I sat on included some serious heavyweights from the security industry.

Security experts from Spain included:

Antonio Ortiz (co-founder of Weblogs SL, editor of ERROR500)

Javier Villacañas (COPE journalist and author of the blog “A todo Chip”)

Ero Carrera (from Hispasec)

Sebastián Muriel (General Manager of Red.es)

Francisco A. Lago (National Institute of Communication Technologies or INTECO)

César Lorenzana (from the Technology Crime Division of the Spanish Civil Guard)

Security experts from the United States included:

Andy Willingham (Andy ITGuy and Senior Security Engineer for MARTA)

Byron Acohido (USA Today, The Last Watchdog, and author of Zero Day Threat)

Bruce Schneier (You know who he is...)

In all, the 10 of us talked about various topics including the state of security, what role the government should play when dealing with Internet security, end-user training and what value it holds in security, and software flaws. We also fielded various questions from the audience of almost 200 people.

Bruce Schneier opened the discussion with a lesson in the economics of security. By far the best quote he offered was that the Internet is “one of the most important revolutions after Rock and Roll.”

While the evening followed his ideas on the economics of security loosely, there was never a solid return to the subject.

His outline, the topic of a later article, is essentially that security is governed by strong economic factors: “We could have better technology, but we are not prepared to pay for it. The market rewards the cool and the fast, but not the good.”

The discussion was split into two segments. The first was a roundtable where we gave our opinions on three topics (assessment of security today, predictions for the future of security, and a recommendation), which led to us debating one another for a bit. The second segment was a Q&A with the audience.

(At this point it should be noted that Panda went all out here, and offered up a translation service similar to those used at the U.N.)

One of the things that made the discussion panel great was the wide-ranging opinion. We all agreed on many levels of security comprehension, training, development, policy, and implementation. At the same time, however, none of us agreed on a single level of approach. This is the foundation of security; no single policy, practice, tool, or resource can act as a 'silver bullet'. So it was impressive to see this on a live front.

It was both a learning experience and a normal discussion of security from my end of things. A normal discussion, because the questions posed to us from the audience addressed many of the common concerns from the public as a whole and IT. I say learning experience, because some of the experts from Spain opened me up to a new way of seeing things. For instance, the government approach for tackling the issue of security is more involved there than it is in the U.S.

From what I gathered, the government in Spain wants more regulation and accountability. I learned about a national ID system in place in Spain and how this could be used to secure the infrastructure. While I am not a fan of government regulation on the Internet as a means to security, I will concede that just because this method might not work in the U.S. does not mean it wouldn’t work in Spain.

It is my opinion, based on what I learned by listening to the others on the panel, that by the time the security industry fully matures from the infancy it is in today, we will see an assorted mix of technologies, law, policy, and skill from across the globe to deal with problems. We have some of that today, but there are still too many boundaries to deal with -- as well as red tape. In the future, once this is cleaned up, there will be a stronger security industry for it.

The one thing that all of us agreed on was that over the past few years cyber crime has grown up. We are way past the time of exploitation of flaws and software for fun and bragging rights. Now the cyber crime arena is a full-scale business. Criminals have developed techniques, technology, and actual business models and are making a full-time living from their 'art'. There are even job postings and positions within the organized groups, provided you have the proof to back up your claim of skills.

With this emergence of organized cyber crime, one audience member asked why there isn’t more enforcement from government or police authorities when it comes to tracking down the criminals and halting their operations.

This lends itself to the train of thought that security is still an infant. Local police and governments do try to tackle the issue, but there is no real cooperation outside their own boundaries. When cooperation is attempted, ego, politics, and red tape prevent this. An example of politics and ego can be seen in the Gary McKinnon case. He used remote software to access U.S. government computers. At the end of the day, his trial and extradition were pure ego and politics on the part of U.S. prosecutors.

César Lorenzana explained things from a law enforcement point of view and offered a rare look inside that avenue of operation. Once the video of the discussion is live, it will provide a far better translation than I could based off my notes and recording.

Most of the local press coverage of the event, and the comments from those who attended, expressed hope that there would be a repeat of the event in the future. While I would gladly attend again (I can’t stress enough how cool this was or how amazing Spain is), I just hope Panda does see fit to hold another one. Events like these need to happen all over the world, and should take place regularly.

On some levels they do, but instead of talking to other experts and members of the press, the events should include more end users and the public at large. This is because, as security practitioners, our livelihoods are spent protecting these people in one way or another. It would be wise to learn what they are worried about and what they expect from us, even if we sometimes hear their thoughts and wonder what planet they might come from.
