,
21 tweets,
7 min read
Read on Twitter
It's the last panel at #HewlettVerify. It's @jamil_n_jaffer moderating a conversation with Lisa Monaco and Matthew Prince of @Cloudflare.
We're talking threat actors. Tweets to follow.
We're talking threat actors. Tweets to follow.
@jamil_n_jaffer @Cloudflare Matthew Prince talks about how @cloudFlare can see mass activity (DDOS attacks for example), but not individual attacks.
Compares threats to the torpedo in Red October. Even if you miss the target, it's still in the water.
Compares threats to the torpedo in Red October. Even if you miss the target, it's still in the water.
@jamil_n_jaffer @Cloudflare Talking about linkages between cyber criminals and nation state actors. Kid in the basement can get them noticed by nation state actors, and recruited in.
We often underestimate how much damage a 15 year old kid in the basement can do.
We often underestimate how much damage a 15 year old kid in the basement can do.
@jamil_n_jaffer @Cloudflare Post Snowden, we've seen disclosure of a bunch of government tools.
Lisa says actors have become more sophisticated, dangerous in their use of tools. Sense is the nation states have set themselves apart from transnational groups. Not just espionage but geopolitical escalation.
Lisa says actors have become more sophisticated, dangerous in their use of tools. Sense is the nation states have set themselves apart from transnational groups. Not just espionage but geopolitical escalation.
@jamil_n_jaffer @Cloudflare Matthew Prince: Can't underestimate how much damage Snowden did by revealing how sophisticated the US was, and now others felt they needed to catch up.
Seeing a commercial industry of private malware.
Seeing a commercial industry of private malware.
@jamil_n_jaffer @Cloudflare Prince: Flipside is that private industry takes security seriously post-Snowden. And even thinks of USG as an adversary.
Commercial products (like gmail) are way more secure now than pre-Snowden.
But the hospital down the street hasn't gotten more sophisticated.
Commercial products (like gmail) are way more secure now than pre-Snowden.
But the hospital down the street hasn't gotten more sophisticated.
@jamil_n_jaffer @Cloudflare Q: What do we do about industries not in the business of cybersecurity but are also under attack. Who's role is it to provide security?
Monaco: Critical is important but also diffuse. Need a multi-stakeholder, multinational effort.
Monaco: Critical is important but also diffuse. Need a multi-stakeholder, multinational effort.
@jamil_n_jaffer @Cloudflare Q: What's the right answer for role of government vs. private sector in cyberdefense?
Prince: Sign up for @cloudflare. flip, but private companies can help. How do we build moats around every system and every device, not just one moat.
Prince: Sign up for @cloudflare. flip, but private companies can help. How do we build moats around every system and every device, not just one moat.
Lisa Monaco: Most sophisticated companies are setting up their own private intelligence centers and understand the threat better than the government.
Should always respond, and impose costs, they don't have to be cyber costs. Could be financial, criminal.
Should always respond, and impose costs, they don't have to be cyber costs. Could be financial, criminal.
Q: What's the cyber threat you're most concerned about?
Prince: Strategic threat from governments' temptation to impose regulation of tech industry. Data Localization, encryption backdoors for example.
Prince: Strategic threat from governments' temptation to impose regulation of tech industry. Data Localization, encryption backdoors for example.
Prince: Can't have it both ways about security of the products that consumers use and simultaneously hand over to law enforcement. Legislation globally are a more meaningful security threat to technology than a Chinese DDOS attack.
Monaco: Concerned that we'll have a fractured internet. Worry about Chinese style firewalls other places. Or security arguments advanced as pretext to be able to crack down on dissidents.
Monaco: Privacy debate should move to a data-security / data governance arguments.
Q: from audience. What do you do about getting asked to kick people off your platform?
A: Difference between platforms which are a modern newspaper with editorial standards vs. infrastructure level of the internet.
A: Difference between platforms which are a modern newspaper with editorial standards vs. infrastructure level of the internet.
A: should every level of the internet make editorial decisions about what's on the internet?
Who decides? In European legislation, they carve out infrastructure companies.
Who decides? In European legislation, they carve out infrastructure companies.
Q: What's your assessment at the highest level of the cybersecurity of the US, including resilience?
Monaco: difference between civilian agencies vs. .mil. worse than yellow in civilians. Problem of legacy systems.
Monaco: difference between civilian agencies vs. .mil. worse than yellow in civilians. Problem of legacy systems.
Monaco: Congress and hte Administration haven't funded upgrades. + lack of a cybersecurity coordinator. But also, elevating NPPD.
Prince: Internet is a trust based system. You want to see the scariest attacks, look at crypto currencies.
Prince: Internet is a trust based system. You want to see the scariest attacks, look at crypto currencies.
Prince: With Crypto currencies now the dynamic is "hack something, get money." Scary b/c DNS system is unencrypted, but resistance to encrypting DNS. next level down, at IP address, you can attract traffic to it.
Prince: seeing IP attacks on shifting on crypto currencies, just for seconds. Right now it's against criminal enterprises, but capability could be sold to nation states. Risk to entire system.
@Sanger Q: After OPM hack, Obama didn't go make the case for IT upgrades for security. Why not?
Monaco: Asked for $300M in a revolving fund to replace legacy systems. Asked agencies to asked for their high value assets - datasets that would be dangerous in hands of an enemy.
Monaco: Asked for $300M in a revolving fund to replace legacy systems. Asked agencies to asked for their high value assets - datasets that would be dangerous in hands of an enemy.
@sanger And that's a wrap on #HewlettVerify for 2019!!
