Going, Gone: I attended the 10th annual Billington Cybersecurity Summit last week. This 2-day, sold-out event with over 1100 attendees at the Washington Convention Center had more than 70 world-class speakers and 60+ sponsors and exhibitors. There were also three “Innovation Zones” highlighting cyber products from the UK, Canada, and Israel. You can see the sessions covered by C-SPAN here at https://www.c-span.org/search/?searchtype=Videos&sort=Newest&sponsorid[]=113750.
After cutting through the cliches and buzzwords, here are the 15 major themes that I took away from the 2-day conference and its stand-out list of panelists.
- Everyone is really operating in a perimeterless security world. Zero trust concepts are in and should be used for everything from modernizing your IT architecture to protecting your supply chain, but now you must add resiliency to your architecture as well. NIST is building a lab for zero trust experimentation.
- Binding orders are a somewhat new [2015] and effective authority for DHS to help ensure swift action to combat emerging security threats.
- 5G, IoT/ICS, AR, and quantum computing will drive new offerings (and new threats) in security tools and services.
- Cyber is back at NSA as it launches new Cyber Directorate in October.
- DoD is changing its culture – cybersecurity trumps cost, schedule, and performance as DoD acquisition rewrites DoDI 5000.
- Everyone is working cyber workforce issues but these issues seem to affect government agencies relatively more severely. The DoD and IC seem to have started innovative workforce programs that should help attract and keep good talent but you can’t scale the cyber workforce fast or large enough to solve the cyber challenges.
- AI/ML is your friend and promises to be a real help for the workforce issues. AI/ML will be ubiquitous in cyber defense and cyber offense. AI/ML needs work to show how results are “explainable” – how to determine what is normal?
- Agile still needs better ways to bake security into the development pipeline, and you must be cutthroat in your IT modernization approach to “annihilate” your outdated and vulnerable legacy systems.
- DoD is going to grade your cyber maturity level and hold you accountable as a supply chain member of the DIB.
- The government is still studying supply chain risk. Getting asset visibility down to 3rd and 4th order supplier tiers is becoming important.
- There are different opinions on compliance, ranging from “Getting to compliance is important as every major breach was through a known and fixable vulnerability,” to “Compliance really doesn’t work, it adds unneeded tools, costs, and complexity to the cyber defense problem,” to “We can solve some of these complexity and compliance problems by moving to the big cloud providers who have already figured this out.”
- DoD is going into information operations in a big way – more deep fakes?
- DHS CDM is redoing the dashboard and looking for ROI. Need “proportionate defenses.”
- Managing risk is identifying and protecting your “crown jewels,” aka high value assets.
- China is our biggest concern – to DoD and to CIKR [Critical Infrastructure and Key Resources]. ICS exposure is still a big concern. IoT is going to become a big problem.
Coming Up: Next week are the MAVRIC conference and the CISA Summit. You can find all you want to learn about mixed reality, AR and VR at the 2-day [September 17-18, 2019 at Booz Allen Hamilton DC Innovation Center] MAVRIC conference, which features government and industry speakers, poster sessions, investors, and more. You can find out more at this link – https://mavricconference.umd.edu/. You can also contact Lucien Parsons, Director of MAVRIC, at lucienp@umd.edu / +1.301.405.2924 to get tickets to the event.
Also next week, the CISA Cybersecurity Summit is from September 18-20, 2019 at the Gaylord National Resort & Convention Center, National Harbor, MD. This no-cost event is organized by the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). The event will bring together critical infrastructure stakeholders from around the world to a forum with presentations focused on emerging technologies, vulnerability management, incident response, risk mitigation, and other current cybersecurity topics. You can find the agenda here: https://www.us-cert.gov/sites/default/files/2019-09/2019_Cybersecurity_Summit_Agenda_S508C.pdf
So if you are in the DC area next week, I would definitely try to make one or both of these events!
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.