[AUTHENTICITY CERTIFIED: Text version below transcribed directly from audio]
Good morning, everyone! Welcome to RSA Conference 2014.
I don't even know what to say about these acts anymore, but when I first heard that someone from the cast of T.J. Hooker -- that wasn't even the joke -- when I heard someone from the cast of T.J. Hooker was going to open the show, I was actually hoping it was going to be Heather Locklear. I guess I should have known better when priceline.com tried to become a sponsor. All the same, it was appropriate to have William Shatner open the show, because I think it's safe to say that this year's conference will boldly go where no conference has gone before.
It promises to be the biggest ever, with more than 25,000 attendees, more than 400 sponsors and exhibitors, more than 550 speakers, and the press in record numbers. For more than 20 years, the RSA Conference has been the place where the world talks security.
But this year seems different.
Well, maybe it isn't that different. Shortly after its birth, this conference was the focal point for the battles over key escrow, the Clipper chip, and R-Crypto itself, at that time, classified as ammunition with an export embargo. We had discussions over the nature of privacy and how government and industry could engage in productive collaboration rather than paralyzing conflict.
Sounds familiar, doesn't it?
Almost 20 years later, we seem to be back at that crossroads again. And while I try to do this keynote to highlight the macro issues facing us, and I will including guiding principles and best practices to take us forward, this year I need to start with the discussion of RSA itself. Because unlike nearly 20 years ago when we were seen as leading the charge against the government to secure the privacy of digital infrastructures, we've been accused of being on the other side of that battle.
We spoke to this issue when the claims surfaced in December, but what's hard to do in the fast-moving swirl of today's 140-character based media dialogue is provide any broader context for the state of the industry at the time or for that matter, the state and evolution of RSA's business. And that's what I hope -- that's what I hope to do here this morning.
Ironically, the situation RSA finds itself in today traces its roots to the same battle that RSA and its founder, Jim Bidzos, led against the NSA in the '90s. Just as we were prevailing in those fights, the age of one vendor, RSA, controlling much of the direction of encryption was ending. Because our encryption tools were under export controls until 1999 and were without international patent protection, most of the rest of the world had already implemented the RSA algorithm using open source tool kits. With the expiration of the U.S. patents in 2000, the entire world headed that way, and that is why encryption in use today has been overwhelmingly implemented with open source tool kits, not RSA's technology.
Recognizing that reality and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standard setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and our trust behind a number of standards bodies, ANSI, X9, and yes, the National Institute of Standards and Technology, NIST. We saw our new role not as the driver but as a contributor to and a beneficiary of open standards that would be stronger due to the input of the larger community.
In the early 2000s that transition took place.
So, when the industry began discussions on using an elliptic curve derived algorithm for random number generation rather than hash derived, we were happy to support what had already coalesced in the community as a strong method, a method that was adopted by NIST as a standard in 2006 with little opposition. Given that RSA's market for encryption tools was increasingly limited to the U.S. Federal Government and organizations selling applications to the Federal Government, use of this algorithm as a default in many of our tool kits allowed us to meet Government Certification requirements.
And that brings us to today.
When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST, as the relevant standards body, issued new guidance to stop the use of the algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use.
So, now I turn to the NSA itself.
Has RSA done work with the NSA? Yes. But that fact has been a matter of public record for nearly a decade. You see, many people forget that the NSA is not a monolithic intelligence gathering organization. The NSA also has a defensive arm, the Information Assurance Directorate, the IAD, whose stated mission is to defend information systems and U.S. critical digital infrastructure. In practice, NIST, RSA, and indeed most if not all security and technology companies work primarily with this defensive unit within the NSA. In addition, we all receive valuable intelligence critical to our missions from the IAD on threats and vulnerabilities. They help us.
But regardless of these facts, when or if the NSA blurs the line between its defensive and intelligence gathering roles and exploits a position of trust within the security community, then that's a problem. Because if, in matters of standards, in reviews of technology, or in areas where we all open ourselves up, we can't be sure which part of the NSA we're actually working with and what their motivations might be, then we should not work with the NSA at all.
To eliminate that possibility, we endorsed NIST's new proposal for the creation of cryptographic standards, and perhaps more important, we support the recommendation of the President's Review Group on Intelligence and Communication Technologies to simplify the role of the NSA, that it should be solely a foreign intelligence organization, and that the IAD should be spun out and managed by a different organization. Sadly, much of the great work of the IAD and all of those people is getting lost in the feeding frenzy -- frenzy around this controversy. It's not only sad, it's dangerous for the country. But however it's done, creating greater separation between the offensive and defensive roles of the NSA would go far to repair relations and rebuild trust.
But I don't want to limit this critique to the NSA, as it has become clear that they are not alone. All nations spy on one another, so I would repeat what I just said to all governments and their intelligence agencies. In short, all intelligence agencies around the world need to adopt a governance model that enables them to do more to defend us and less to offend us.
Stepping back, the tension between and among competing interests of governments, businesses, and individuals in the digital world should not be surprising. Information has become more easily accessible and more valuable. We're in the midst of a fundamental and historic shift in the use of information technology -- a shift that is already having monumental implications for the future of our society and culture. The rapid expansion and democratization of technology has brought the agendas of different groups crashing together with unpredictable consequences. The collision of these agendas highlights the lack of societal norms to guide our digital world.
We need to elevate the conversation to talk about the lack of norms. We've had centuries -- centuries to figure out the norms of behavior and rules of engagement in the physical world. Even after all that time, we're still figuring it out. We had a scant decade or two to figure out the rules for the digital world. The resulting chaos and confusion that reigns online, in the media, and in legislatures and courtrooms around the world reflect a lack of digital norms. A famous, or should I say infamous, humorist once said, "Mankind is facing a crossroads. One road leads to despair and utter hopelessness, and the other to total extinction."1 Not much of a choice.
As funny as that sounds, it accurately portrays people's views of the current situation. We're in the midst of chaos and confusion, but if we don't figure out digital norms and do so quickly, the alternative may be extinction -- extinction of the internet as a trusted environment to do business, extinction as a trusted environment to coordinate research and development, extinction as a trusted environment to communicate with each other.
Digital technology, Big Data, and the Internet of Things are becoming a potential path out of just about every societal ill. On Thursday, for example, Scott Harrison will be sharing the inspiring story of his organization, Charity: Water. Without the internet though, this story wouldn't be a success story and thousands of communities would still be without fresh and safe water to drink. Yet, these same digital capabilities are also becoming a path to a destructive power that rivals anything since the coming of the digital age. Clearly, we are at a crossroads. How we in the industry and governments around the world choose to lead on these issues will have profound implications for good or ill for generations to come. We cannot shrink from this responsibility, we must embrace it.
Therefore, I'm using this keynote and we must use this conference to call upon all nations to adopt and implement the following principles:
- First, to renounce the use of cyber weapons and the use of the internet for waging war;
- Second, to cooperate internationally in the investigation, apprehension, and prosecution of cyber criminals;
- Third, to ensure that economic activity on the internet can proceed unfettered and that intellectual property rights are respected around the world;
- And fourth, to respect and ensure the privacy of all individuals.
Why now? Why these four?
First, the genie is out of the bottle on the use of cyber weaponry, and unlike nuclear weapons, cyber weapons are easily propagated and could be turned on the developer. Paraphrasing a famous quote, "Those who seek military advantage riding the back of this tiger will end up inside."2 Many of you would have seen the New York Times article yesterday on this very topic. We must have the same abhorrence to cyber war as we do nuclear and chemical war.
Second, the only ones deriving advantage from governments trying to gain advantage over one another on the internet are the criminals, criminals who grow bolder by the day. Our lack of immediate consistent and sustained cooperation globally gives them the equivalent of safe havens.
Third, the benefits to all of us from productivity improvements in commerce, research, and communication are too valuable to not achieve agreement on the rule of law. Rule of law must rule.
And fourth, our personal information has become the true currency of the digital age, and while it's important that we are not exploited, it is even more important that our fundamental freedoms are protected. But with our personal freedom comes responsibility. Governments have a duty to create and enforce a balance -- a balance that embraces individual rights and collective security, a balance based on a fair governance model and transparency.
As to governments themselves, let me quote one of the U.S. founding fathers, James Madison, "The great difficulty lies in this: you must first enable the government to control the governed; and then in the next place oblige it to control itself."3 Openness and transparency will be paramount.
Now many of you will be skeptical or worse, cynical, that these principles could ever be adopted. Many will think I'm naïve. Yet, there is precedent. We already live in a dangerous world, but it's a world that has been made less dangerous by accords on nuclear nonproliferation, the outlawing of chemical weapons, and the outlawing of war in space. Why not cyberspace?
When I recently spoke to a noted activist and self-styled anarchist about these concepts, he said that he didn't want to hear anything about cold war analogies. I'm sure his lack of faith in any government would lead him to believe that these principles are unrealistic and impossible to attain, but that is a dangerous belief and leads to the conclusion that chaos and worse are inevitable. We must reject that notion.
I am inspired by perspective from the cold war and in particular, a speech given by President Kennedy at American University in 1963, a speech about peace in an age of nuclear confrontation. I believe his words are relevant to us today. This is what he said, "Our problems are manmade; therefore, they can be solved by man. And man can be as big as he wants. No problem of human destiny is beyond human beings."
Man's reason and spirit have often solved the seemingly unsolvable and we believe they can do it again. I'm not talking about these principles as some form of utopian vision for the future. No nation will or should act unilaterally on these principles. The lack of trust and the genuine conflicting ambitions of so many will make adoption a difficult task, a task made even more difficult by the lack of constructs for proving attribution of actions online. It will take inspired leadership and a more enlightened world. Nations act out of self-interest but whatever our differences, there should be no doubt that these principles are in the interest of all nations and all of humanity.
So, let us devote ourselves to a series of concrete achievable actions on a path toward these principles. Governments in a technology age can't do it alone. They need our help as well. So, what can we -- we in this industry and as individual organizations do?
Well, we can bring together vested interests so that an environment of positive dialogue commences and is built. This week, the RSA Conference has brought together the cyber czars of 12 nations to discuss security and privacy. Last summer, RSA Conference Asia Pacific similarly brought together the leaders of the ASEAN countries. Last year, at this very conference at RSA 2013, we brought together the leadership of the U.S. Financial Services Information Sharing and Analysis Center, FS-ISAC, and the leadership of 50 international banks. The result has been the expansion of the FS-ISAC internationally, aligning the interest of the world's financial services industry and strengthening the security and reliability of financial systems.
We need more of these collective efforts and I'm proud of the role RSA is taking in creating these opportunities for discussion as well as our voice in the debate. And many other organizations and conferences are engaged in similar efforts. But the entire industry must take a more active role than ever before. We, all of us, understand both the risk and the threats facing us better than anyone.
Who but us?
We can even move more quickly knowing that governments often cannot.
Therefore, we must as an industry strongly advocate for the principles I laid out. We must in a thoughtful, factual, and persistent way raise the level of understanding and the consequences of inaction. Instead of headline grabbing hyperbole, we must lay out a series of coherent, compelling arguments for why inaction to a lesser -- leads to a lesser and more dangerous world for generations to come. We must shine a light on these issues and inspire our political leaders as never before. And we must do our job, continuing to develop process and technology frameworks to implement the intelligence driven security model that I've spoken to you so often about in the past. We are already underway and making progress on these frameworks with NIST under President Obama's Executive Order. Finally, we must do what we do best, develop and implement the technologies that will protect us now and into the future.
In all of my years in security, I've never seen the scale of investment and innovation that we're seeing today. You'll see much of it over the course of this week at the conference and this all happening none too soon.
As we all know, the expansion of the attack surface and increasingly sophisticated methods of malware and other viruses have outpaced conventional controls. Never before has the need for intelligence driven security been greater. We urgently need antimalware that is intelligent enough to spot zero-day threats and block them. We urgently need security systems that are intelligent enough to see patterns of attack and by correlating and analyzing data from numerous diverse sources across an organization give us the actionable information we need to respond.
That's why RSA is partnering with our sister company, Pivotal, to provide a new model for deploying and leveraging big data across all parts of an organization. We urgently need these systems to be intelligent enough and integrated to automate responses and prevent harm. Not only in today's hardware defined infrastructures but also in the new generation of software defined networks and infrastructures. We urgently need a more intelligence based approach to identity systems. We need to recognize and adapt to the age of user defined IT reflected in trends like shadow IT and BYOD. It is essential that these systems enable security teams to accept the changing balance of power between users and IT departments while still being able to exert policy and control over their user devices and sessions as they relate to their organizations. These systems must operate in mobile and cloud environments, so identity management and governance can be applied consistently.
Also, we urgently need tools to improve our ability to articulate and manage digital and operational risks which are converging in today's technology dependent environment. And finally, we need to make it easier for organizations to take advantage of these tools even if they don't have the resources or expertise themselves. That's why RSA is expanding our managed service partnerships, working with companies like Verizon who can provide security management services for their customers leveraging technology from RSA and others. This is a very important but not an exhaustive list of what we need to be doing as an industry.
What I want to convey is that while we urgently need to help governments of the world develop the digital norms, we as an industry need to do our part by developing and implementing the capabilities that secure those norms and our future. Neither of us can do it alone. It will take industry and government working in concert to create the digital world we want. That's why I'm calling on the nations of the world and all of you to work together for the benefit of all us -- all humanity. I know this will not be easy to achieve.
We all have our own interests and we clearly have differences, but let me once again refer to President Kennedy's American University speech. He delivered it about six months after the Cuban missile crisis, six months after the U.S. and Soviets almost blundered into thermonuclear war, six months before he was assassinated. I was 10 years old at the time. Most of you weren't even born. This is what President Kennedy said,
Let us not be blind to our differences -- but let us also direct attention to our common interest and to means by which those differences can be resolved. And if we cannot end now our differences, at least we can help make the world safe for diversity. For, in the final analysis, our most basic common link is that we all inhabit this small planet. We all breathe the same air. We all cherish our children's future. And we are all mortal.
Premier Khrushchev was said to have been deeply moved and impressed by President Kennedy's speech and two months after, the nuclear test ban treaty was signed.
So, let's make President Kennedy's words breathe again and spur us to action.
Let governments adopt the four principles I outlined, and let industry create the secure frameworks and technology we need.
Let us all put aside our differences and move forward this week and in the weeks, months, and years to come with confidence and resolve to make our digital world safer for all.
1 Woody Allen, Mere Anarchy
2 John F. Kennedy, Presidential Inaugural Address
3 James Madison, The Federalist No. 51