>> Since Lance mentioned it, I will say that I wasn't trained as a statistician.
Everybody my age in security is trained in something else.
But those of you who are being trained in it per se have a different starting place
than people like me.
And I think you should pay attention to this actually because we come at it from other fields
and will be soon replaced by many of you.
The fact that we come at it from the other fields means that there are viewpoints
that are worth stealing from these other fields and applying to this one.
And while we're still around, you should steal everything you can.
I'm happy that some of you will be the world's leading expert
on one cubic inch of the security manual.
It's nice to have some people who also know, like civil engineers, why the buildings fall down.
Or, in the case of statistics, of making decisions under scant evidence.
Or in the case of an attorney, knowing the difference between--
knowing the detailed operational difference between a policy and an enforcement.
And the fact that there are other things that can contribute to the field,
I encourage you to take advantage of as much as you can just
because of the hybrid vigor that comes from that.
We desperately need it; we do not have time to invent everything from scratch.
Now, of course, when you have a panel you like people to disagree.
To some amount, I will disagree on purpose, if you know what I mean.
But I'd like to say a few things about where the jobs I think will be in the future.
And in some sense, what you have to prepare for.
And the professor was absolutely correct that specialization is a bonus.
It is difficult to imagine someone becoming a generalist from the get go now.
I'm lucky enough to have that.
Professor Hoffman was lucky enough to have that because we started when there was less to know.
And the amount now to know is so great
that serial specialization is all I think I can offer you.
And I think you have to realize that.
And serial specialization is not necessarily a bad thing.
If you look at the way many large corporations work to reach the executive suite,
you have to have worked in sales.
You have to have worked in your Japanese office.
You have to have worked on the manufacturing floor and so forth.
In other words, a series
of specializations is a good preparation for getting to the top.
And even though what I'm now going to say will not sound
like it, there is always room at the top.
And I encourage you, if you are serious about this, and you shouldn't enter it if you're not,
to assume that you have to keep moving upward all the time because of the pressure,
and that's what I'm going to talk about mostly.
The pressure on you to do that, much like academia's up-or-out,
the pressure will be significant.
And the reason I say that is the rise of automation and the spread of our dependence
on computerized gizmos of all sorts.
In the '90s, the commercial world largely caught up with the military world
in the application of cryptography.
At the moment the commercial world is busy catching up in the application of traffic analysis.
It's called marketing, but it is what it is.
Coming next, I'm not altogether sure, but I do know
that the internet of things is going to be real.
The idea that nearly everything will have an address and the implications of that
from a security point of view are exactly as the previous speaker said,
an increasing amount of complexity.
And the increasing amount of complexity will be the chief enemy that you have.
It will not be the Russians that are your chief enemy just to pick on somebody.
It will be complexity in and of itself.
And that complexity is organic.
You can't make it go away.
I hope we don't get to the point where you can vote on the weather every morning
because I can't imagine what that would do to the climate.
So you have to sort of accept that there will be bad days.
You have to accept it in the sense that complexity will be your enemy at all times.
But the degree to which you will be essential in the future has to do
with our dependence on the computer world.
And if I may say so, the more advanced the society, the more that is true.
The United States is especially vulnerable to security flaws because we are dependent
on cyber processes more than other countries, not to,
again, pick on anybody, but there are plenty of countries in the world
for which a cyber security failure is a non-event.
What are you talking about?
We don't have electricity.
That is not the case here.
On the other hand, the ability of other countries to leapfrog progress in various ways
is perhaps best illustrated by the way many countries
who never had a wired television system have decided they don't need one
because wireless is a way to catch up with the modern world and not have to, you know,
have a supply of lodgepole pines in the Pacific Northwest to put
up phone poles to run wires on.
This catapulting, this rate of change, this complexity will be your principal difficulty.
And so to a degree, training you for what the current needs are is not going
to be helpful except as learning a way to think,
because the current needs will not be the needs next year.
I work in an arena of funding small companies.
Cyber security companies in my view have probably the hardest problem of any small firm
because the interval, the narrowness of the window of success is so great
that you have to hit it just exactly.
Imagine walking out and your first baseball pitch
in the major leagues is a strike, you know.
It is so difficult to do that, and yet at the same time, that's where we are.
You have to learn how to think about this.
And I'm sorry to tell you that the demand for people such as yourselves is
so great that it outstrips the supply.
And as such, the fraction of people who are practicing in the cyber security arena
who are charlatans, I fear, is rising.
And I don't mean to insult anyone in that regard, but the demand-supply mismatch is so great
that not everyone can be good enough.
And I encourage you to realize that being good enough will imply learning how to think
about this, being someone who can motivate yourself to self-educate over time,
that it is not going to necessarily be easy.
This brings me to a couple of points that I always like to make
and I feel like I should make them here.
One is that in a globalized world, genius is cheap.
The head of the Gallup Organization just came out with a book.
He says that, looking at the world population, and they do a lot of that
of course 'cause they do public opinion polling, that's what they do,
there are roughly 3 billion people who would like a job
and there are roughly 1.2 billion jobs.
Consequently, the next 50 years, taking the subject
of his book, will be a fight about where those jobs go.
I suggest that cyber security eventually ends up in that category as well.
There are a lot of smart people elsewhere who are desperate for a job.
Your competition is not just in the US, for example.
Another aspect of this is that a large number
of low-end jobs are disappearing into the second economy.
Professor Hoffman spoke about that.
The Lights at the End of the Tunnel by-- I'm trying to think who it was by.
There are several books now.
McKinsey's talked about this, the degree
to which jobs, including white-collar jobs, are disappearing
in the digital economy to be replaced by machinery.
That will also eat at you from behind.
One of the things I think that is so crucial for educators in this field, and crucial
for the development of the workforce, is to figure out how we can deploy the scarce, well-trained,
well-selected cyber workforce in a way where the sentience and, more to the point, the conscience
of the person remains valuable and we don't turn over all of our protection to machines.
We are at some risk of doing that.
Tomorrow, the FCC is going to make an announcement, and yes,
I shouldn't even say that, I suppose, but watch for it.
Because one of the things that they are worrying about, and well they should,
and we all should be worrying about too, is: whose responsibility is cyber security?
You've all seen in our statistics that perhaps 50 percent
of all home machines are to some degree infected.
Whose responsibility is it to fix that?
Do we want the responsibility to be the vendor's?
No, Microsoft is going to auto-update.
Do we want it to be the ISP's? They are in a position to see who is in the botnet.
Or to be the individual's, because after all, if you drive like a madman and you run
over people, you know, it's not as if that's General Motors' fault, and so forth and so forth.
Whose responsibility is this?
And those of you who have or develop or, more to the point,
as I was saying earlier, keep your skills high, you will end up with some
of that responsibility whether you like it or not, because those
who cannot protect themselves will outvote you if nothing else.
For what it's worth, in addition to working in cyber security, I run a farm,
and my next-door neighbor had a wonderful phrase I stole from him. One day
something bad happened with the tractor and he said,
"Always remember that hydraulics don't have a conscience."
And the same would be true here.
Remember that the machinery that we may deploy here doesn't have a conscience.
I think the most critical thing we can worry about is, in so many words, goes back
to what do we actually mean by "cyber security?"
And I would submit that it is this.
The state of security is the absence, the absence of unmitigatable surprise.
Look at SB1386, the first of the data breach laws in the United States.
It says that if I as a bank or merchant or whatever,
lose everybody in this room's credit card information it is my duty
to tell you that I have done so.
And probably to buy your credit watch service for a year and so forth and so forth.
In other words, the law says people will lose things
and we will prescribe what the mitigation is.
That's the state of security by my definition.
It doesn't mean that there is never a failure.
It means that if there is a failure, you can mitigate it.
But this brings me to the second point and for those of you who are actually
in the engineering side of this, security engineering is 100 percent in my view
about ensuring that there is no silent failure.
When you look at the Verizon data breach report, it says that, the most recent number,
86 percent of all the data breaches
that they've investigated have been brought to light, brought to the attention
of the victim, by someone other than the victim.
In other words, people don't know that they have had their data ripped off.
Of course you don't.
I steal your data, you still have it.
I steal your car, you'll notice.
There's a difference.
And the idea that there is a silent failure is from my point of view a demonstration
of the absence of proper engineering in that space.
So those of you who are worrying about this from an engineering point of view, try to think
of security engineering as the choice of what failure modes you will have,
because there will be some, and to ensure that they are not silent in the process.
And again, for those of you who are going into this field,
it's not as if I'm telling you easy things.
Everything I told you in fact is difficult.
If it had-- if it wasn't difficult, it would already be solved.
And the fact that it's still a problem, indicates to you that it hasn't been solved
by the first rank of people, the first wave of people, the people like me who want to retire
and make room for you in the workforce, we haven't solved that.
And the degree to which complexity is part of that is real.
You saw, I am sure, I guess it was two months ago, some researchers figured
out that you can make the more dangerous H5N1 flu virus transmissible amongst people.
They demonstrated it by making it transmissible [sic], which turn
out to have more or less our immune system.
And there was an immediate hue and cry all the way
up to the World Health Organization: don't publish your results.
I ask you, what is the probability that the computers that contain the information involved
in those studies hadn't already been plundered?
Who are we preventing from knowing that?
Now, of course it would be good if it turned out that the way they figured that out,
any fool could do it with stuff you could buy at the grocery store;
I bet it is not, that's my understanding, but nevertheless, that is information
which if it gets out, presumably will be acted upon.
Other information will be acted upon.
You cannot get it back at the end of the day.
Those of you who are going directly into military service or working for the NSA
or the CIA or any other agencies will learn this better than I know, because amongst other things,
by choice, I don't have a clearance.
But I will say that this idea that data once revealed doesn't undo itself,
tells you that this design for what are the tolerable failure modes is important.
And you should learn that.
And in fact, I think all of you, back to this question of specialization, you should all work
on a black team or red team at various times.
If you've never tried to build something that would be attacked by other people of skill,
You don't know what it's like.
If you've never attacked something
without knowing how the other system works, you don't know what it's like.
And I suggest that you need both of them in your resume.
It would be especially useful to you because if nothing else, it teaches you something
that you didn't know you didn't know.
I don't want to sound like Donald Rumsfeld here.
Our field is dominated by things where the important aspects of them are things
that we didn't know we didn't know.
I'll close with one thing and that is I suspect in your work lifetime there will be licensure.
I'm not myself a fan of that honestly, but I think it is coming.
Certainly, there are plenty of jobs now that require
various kinds of certifications.
I'm not strictly speaking making fun of that.
But I am saying that those are floors, not ceilings; don't let them be a ceiling.
If you really take my advice, and remember that automation
of security will be chasing you at all times but that there is always room at the top,
the licensure business won't do you much good.
If licensure came in tomorrow, I would try to resist it personally
because all it can do is embarrass me.
On the other hand, for those of you who are starting out, it will probably be very useful
for certain kinds of job applications.
They will insist on you having, I don't know what, CISSP maybe or, you know, whatever.
But licensure is likely to be an aspect of your life going forward the same way it is
for medicine; whether that will be run, as in medicine, by professional societies
or whether it will be run by governments remains to be seen.
You should plan on that being a fact in your career.
I think that's probably good for now, except for one thing, I suppose,
and that is that all security technology is dual use.
It all can be used for good things and it all can be used for bad things.
That may be true of all technology, but I know that it is true for security technology.
The things that prevent crimes are also the tools
of surveillance et cetera, et cetera, et cetera.
I'm not here to have that discussion.
But as you go forward, the tools you use will have sharp edges.
And so in many ways, your integrity will matter and that's what I said before.
I would like not to replace the human integrity, the human conscience
with automation across the board.
But the demand is so great that the automation has to take up the smaller jobs
so that there is room for the bigger jobs.
And I have plenty of examples there if you'd like but thank you.