Disturbance: on the Sorry State of Cybersecurity and Potential Cures
2019-10-23, 09:45–10:05, Europe

Infosec research, good and bad, abounds, like almost everything else in this ‘infobese’ era. Cybersecurity conferences are filled with presentations exposing new vulnerabilities, as if we didn’t have enough of those already, describing best practices or showcasing tools and techniques. That is fine, as long as we keep the end goal in plain sight: protecting the digital realm.

In this blockchain-free talk, we’ll compare past, current and possible future trends of the threat landscape and attempt to demonstrate why, with all our goodwill and altruism, educational and mentoring programs, the sorry state of cybersecurity is here to stay unless we take a step back. It’s hard and yet necessary to question ourselves, to reframe and rephrase the messages that we have kept conveying for the last twenty years, and to stop the long tradition of patting ourselves on the back. If we really care about cybersecurity, it’s time we addressed the core problems from a different perspective, one that requires hardship, courage and patience, one that places the audience at the centre, armed with a profit carrot in one hand and a liability stick in the other.

In a seminal talk titled ‘You and your research’, given at Brucon in 2011, Haroon Meer, a well-known and respected security researcher, found out that there were more cybersecurity conferences than days in a year. During the same conference, Alex Hutton delivered a wonderful keynote about why information risk management is failing and offered solutions to address this significant problem. And these are just two examples of cybersecurity folks talking to other cybersecurity folks, on and on and on, in an honest attempt to protect the digital realm, if not to cure its ailments once and for all.

Since then, APTs have emerged and kept refining their craftsmanship, and some run-of-the-mill cybercriminal groups have reached a chilling level of proficiency. Cybersecurity conferences and trainings have multiplied and the demand for skilled infosec professionals has exploded. And the complexity of IT has grown, and with it the attack surface.

Yet, for somebody who has worked long enough in this field, it feels like cleaning an ever-expanding mess, armed with a teaspoon, while burnout is lurking in the shadows. So what are our core problems, besides a substantial part of an industry that keeps pushing semi-magical solutions, lured by the promise of easy money? Why does it seem that we aren’t making any true progress? Is it the lack of regulations and policies? Lack of sharing? Or is it an issue of liability and an economic system that is running amok?