Misinformation, MFA Doubts, and AI: Everything We Saw at RSAC 2023

The last of the livestreams are over and in San Francisco, another RSA Conference has come and gone. This year, we saw sessions about the impact of AI, the continued spread of misinformation, the failures and future of multi-factor authentication, the security of EV charging stations, and much more. Here's a rundown of everything we saw at RSAC 2023.

Among the headline-making attendees at RSAC this week was Yoel Roth, former head of Trust and Safety at Twitter. He joined a few other cybersecurity experts to discuss how the industry could help curb the spread of disinformation and misinformation online. As Kim Key writes, the session, titled Misinformation Is the New Malware, turned into less of a discussion about whether the industry could do it, and pivoted to who should do it.

Catherine Gellis, an attorney and policy advocate, noted that if you look at the issue from a legal perspective, the US Constitution’s First Amendment protects some forms of disinformation or misinformation. "Sometimes people are wrong," explained Gellis. "Wrongness happens, and if you had a law that was speaking to wrongness and forbidding it, you would have some chilling effects on people who are saying things they are right about."

The government shouldn't be the sole arbiter of truth regarding online speech, according to Gellis, who noted that the First Amendment also protects private corporations' rights to limit speech on their platforms.

In his keynote speech, RSA Security CEO Rohit Ghai acknowledged an uncomfortable truth: AI will have a big impact on the security industry. "We must accept that many jobs will disappear, many will change, and some will be created," Ghai said. (The RSA Conference is separate from RSA Security.)

The jobs that might disappear will, according to Ghai, be ones that AI can do faster and better than humans can, such as dealing with a glut of phishing attacks generated by "bad AI." New jobs in cybersecurity could include protecting the data that AI draws on from attack, and ensuring that AI tools function ethically.

Careful preparation, swift and effective communication, and a healthy amount of flexibility are the primary traits of any successful corporate cybersecurity incident response plan, according to a panel of veteran communications and security leaders. The presenters swapped cybersecurity incident response horror stories onstage while imparting advice for fellow industry professionals tasked with handling the aftermath of an online attack.

Brad Maiorino, chief information security officer at Raytheon Technologies, noted that in his experience, consumers are quicker to forgive corporate leaders who respond to cyber incidents by putting out an apologetic, factual, and prompt statement. "I was at the time saying, 'You're crazy, you can't do that!' but in the end it proved to be beneficial," stated Maiorino. "The customers came back and they rewarded the company for it."

Check out PCMag's guide for preparing your business for a ransomware attack or other cyber incident.

One unusual session teetered on the edge between security and jurisprudence. It presented a mock trial that turned on the question of whether putting out trap files to catch hackers could constitute an attractive nuisance, given that an innocent third party might spring the trap. This trial came to a logical conclusion, but we will surely see real-world situations that are harder to parse.

At PCMag we strongly advise you to engage multi-factor authentication (MFA) whenever it’s available. And yet, it’s common to find data breach situations with MFA involved. Has MFA jumped the shark? A talk on MFA dissected several breaches and found they succeeded by attacking MFA configuration, the MFA provider, or the MFA user, not MFA itself. MFA still rules!

Passwords are a problem and the solution, we're told, lies in using Passkeys, or cryptographic credentials that securely authenticate individuals without usernames or passwords and have multi-factor authentication (MFA) built-in. Several sessions at RSAC focused on the benefit of Passkeys, while also taking a look at the challenges still ahead.

The good news is that the creators of Passkeys have already solved many of those challenges. Google Product Manager Christiaan Brand showed how Passkeys are easily created and synced seamlessly between devices within the same ecosystem (Android-to-Android, for instance). Need to get your Passkey from your Pixel phone to your Dell XPS laptop? Just scan a QR code and a Bluetooth connection authorizes the Dell to log you in.

The biggest issue so far is adoption. Apple, Google, and Microsoft have thrown their weight behind Passkeys, integrating them into all their platforms, but very few sites and services are accepting them. There are more thorny challenges, however. For example, because Passkeys only sync within an ecosystem, so most people will probably end up with multiple valid Passkeys for the same site—one for Apple, for Microsoft, and so on. That could get confusing for users. "A lot of this stuff is still early days. This is kind of part of the ugly. We haven’t quite got this figured out as an industry," said Brand.

Fans of hardware security keys don't need to worry, though. In his RSAC session, Yubico VP of Standards and Alliances Derek Hanson explained that Yubikeys and similar devices can create and store Passkeys, but these would live only on the keys and not sync between devices.

People view the NSA as an insular, secretive organization, but the agency actually works in partnership with many other agencies and industries. Its cybersecurity director shared security areas the NSA considers top priority, including Russia, China, and artificial intelligence. He wrapped up with an invitation to join the NSA security team at the NSA hiring booth in the Expo Hall. He managed to resist saying, “Come to the dark side–we have cookies!”

The Cryptographers’ Panel has been part of RSAC from the beginning. Historically, it's comprised Whitfield Diffie and Martin Hellman, famed for the Diffie-Hellman key exchange system that makes public key crypto possible, along with Ron Rivest, Adi Shamir, and Leonard Adleman, the R, S, and A of the essential RSA encryption algorithm.

Diffie and Shamir graced this year’s panel, along with IBM Distinguished Engineer Ann Dames, Dell’s Radia Perlman, and Clifford Cocks—a cryptographer who created an encryption algorithm similar to RSA for the UK's clandestine GCHQ years before RSA was revealed.

The panel’s lively discussion covered many topics, including quantum computing, AI, and blockchain. Pointing out that quantum computing will eventually defeat public key crypto, Shamir stated, “If you’re worried about 50 or 100 years security, don’t use public key cryptography. Use a classical crypto system and go through the hassle of manual exchange of keys.”

Shamir also said he'd changed his mind about AI, which he had thought would be most useful for people defending against cyberattacks. Now, he sees it as a potentially bottomless source of phishing attacks. "The ability of ChatGPT to produce perfect English and interact with people will be misused on a mass scale."

Perlman got a laugh with advice for coders whose clueless managers drank the blockchain Kool-Aid: “If your manager insists on blockchain, build the best solution you can and then tell him you did it with blockchain. He’ll never know the difference.”

US Deputy Attorney General Lisa Monaco outlined a surprising new approach for the Department of Justice in her talk with former Cybersecurity and Infrastructure Security Agency head Chris Krebs. When it comes to cyberattacks, Monaco said, it's more important for DOJ to disrupt existing attacks and prevent new ones than it is to rack up arrests and courtroom wins.

"In days gone by, that might have been heresy," said Monaco, referring to the joint operation that took down the Hive ransomware group, which yielded decryption keys for Hive victims, but no arrests.

In the novel Ender’s Game, the government trains young Andrew (Ender) Wiggin to kill real-world aliens using a video game. Can we train the next generation of fearless malware killers in the same way? Several sessions at RSAC looked at this topic from different viewpoints. One focused on enhancing security training for employees by making it entertaining, going so far as to turn the training into a Cybersecurity Circus. Another presented an actual, fully developed cybersecurity game designed to hone the skills of security teams, along with advice for CISOs and team leaders on incorporating gamification. And a third walked through the reasons for gamifying security, along with a slew of resources for exploring the field.

Hacking connected cars is a common stunt at the Black Hat conference, but Techniche CTO Thomas Caldwell wanted to look at another key piece of automotive infrastructure: the EV charging station.

His review of the available research turned up numerous instances where security experts had found ways to access charging station source code, take advantage of vendor-made backdoors, and potentially start fires. As charging stations become more ubiquitous across the US and the rest of the world, perhaps we'll see more attacks at future conferences.

We know that modern generative AI systems such as ChatGPT and Bard can accomplish tasks like writing a tale about Elon Musk in the style of Edgar Allen Poe, or whip up a working code snippet in no time. But that power can also be used for deception. Looking for love online? An AI-powered bot could catphish you into thinking you’ve found your soulmate.

An RSAC session explained in great detail the kind of unhelpful and malicious tasks that AI can accomplish. Starting from a history of Turing’s Imitation Game and the “therapist” program ELIZA, the talk moved all the way into totally modern possibilities, complete with pages and pages of code. Watch out; spammers and scammers are about to get a lot more convincing.

Most people are familiar with the NSA as a spy agency or privacy boogeyman, but the agency has a second role in helping develop technologies to protect against spying. In their RSAC session, Co-Leads at the NSA's Center for Cybersecurity Standards Mike Boyle and Jessica Fitzgerald-McKay touched on the arcane process for developing technology standards. These often involve numerous meetings with committee organizations, and aren't well understood by even the most seasoned cybersecurity experts. And, as the speakers explained, they can also be battlegrounds where nation-states push their own agendas.

The speakers pointed out that the US and other democracies lag in their involvement in the development of standards and called on companies and individuals to get more involved in the process.

There are clear standards for ownership and inheritance of physical property and even intellectual property, but nothing similar for the massive digital life each of us accumulates. Marcu Preuss and Dan Demeter of Kaspersky's Global Research and Analysis Team (GReAT) explored in detail the pitfalls and challenges of protecting your digital inheritance and presented RSAC attendees with a clear and precise path to ensuring that your digital inheritance doesn't get stuck in digital probate.

RSAC likes to show off by inviting well-known entertainers to speak at the conference, giving attendees a break from the tradeshow floor and the doom-and-gloom so common at security conferences. This year, we were surprised to see Monty Python member Eric Idle as well as Christopher Lloyd of Back to the Future fame.

And although we missed the opening keynotes due to technical difficulties, when we did get the livestream working we were surprised to see comedian Fred Armisen playing a solo version of the Beatles' "All You Need is Love."

In response to the COVID-19 pandemic, RSAC has offered an online component for its conference since 2021. This year, most of us watched the proceedings remotely from our home offices, although intrepid PCMag reporter Michael Kan braved the crowds.

We were sometimes frustrated at the lengthy delay between when a session concluded at the conference and when the video would be available, but overall we're happy to see more security conferences embrace a hybrid experience. It may not be the same as a boots-on-the-ground presence, but it makes RSAC far more accessible than ever. We hope that continues.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

Your subscription has been confirmed. Keep an eye on your inbox!

SecurityWatch