RSA Conference 2016
25 Years of RSA
The RSA Conference just wrapped up at Moscone Center in San Francisco. A record number of attendees (around 35,000) flocked to the halls where hundreds of vendors pitched their new (and some not so new) Cyber Security products and solutions. The keynote addresses were thoughtful and helped provide a few themes for the 2016 conference:
- The cost of enterprise security as a percentage of overall enterprise IT spend (the increase has been dramatic).
- The scarcity of Security Skills and competition for talent.
- Cyber Education – not just in the enterprise but through society.
- The flood of security data within the enterprise has reached the point where analytics will be a key enabler of the future.
Much has been written (and will be written) about the speeches, product announcements and idea exchanges at the conference. There certainly was a lot of discussion and debate about the pending United States vs. Apple case(s), where law enforcement is attempting to force Apple to assist in hacking into iPhones that were used in criminal activity, most notably the one device in the case of the San Bernardino terrorist. For those of us who have been in Information Technology since the initial RSA conference twenty-five years ago, this discussion and debate is not really a new or novel topic.
The first RSA Conference was held in 1991 in Redwood Shores, where 100 attendees gathered to listen and discuss technology security. Two years later, in 1993, the NSA unveiled an encryption model that was pushed to technology vendors to adopt. That encryption model was known as the “Clipper Chip.” (Does that ring a bell?) If you are not yet in your forties you may never have heard of the Clipper Chip, because by 1996 it had died a lonely and miserable death. The NSA encryption technique adopted the “Skipjack Encryption Algorithm” (developed by the NSA). Skipjack used an 80-bit key and a symmetric cipher algorithm, much like DES. The fundamental part of the model for the NSA was that the private keys would be put into a “Key Escrow” where governmental agencies, with proper court approval, could access the private key in the Key Escrow and use it to decrypt the target device or communications. This was the first attempt by the United States Government to force technology vendors to create a back door for decryption.
Of course, private industry had the same reaction to this type of governmental approach in 1993 that it does today. Backdoors, key escrows, or forced hacking from the manufacturer are all weaknesses in encryption and security that can be leveraged by bad guys as well as good guys. This wonderful taxpayer-funded invention was never adopted. Perhaps most surprising in that story is that there actually were people in the NSA who believed that technology vendors would embrace the idea. That sentiment quickly changed after the initial announcement and turned into an attempt to force adoption on the technology vendors. The short life of the experiment tells the story that the NSA shot an air ball with that one.
The RSA Conference 2016 showcased amazing new advances in technology and innovative approaches to deal with Cyber Security. However, the basic discussions in the hallways and lounges of RSA Conference 2016 centered on the nexus of privacy, technology, private industry and government. These conversations have not advanced much since the RSA Conference of 1994, when the Clipper Chip was being pushed.
Chief Technology Officer