Cybersecurity: How to Use What We Already Know


Slide 0

Cybersecurity: How to Use What We Already Know
Jean Yang (@jeanqasaur)
Privacy. Security. Risk.
October 1, 2015

Slide 1

Our Future Runs on Software
Smart homes
Driverless cars
Automatic dating
But first we need to "solve" security!

Slide 2

State of the Art
Research: undo mechanisms, encrypted databases, program analyses, provably secure software
Industry: firewalls
The big question: how can we take advantage of research ideas in practice?

Slide 3

This Talk
Companies, venture capital, startups, academia, policy makers, consumers
How can we connect researchers to everyone else?

Slide 4

Part I: What Do Researchers Know?

Slide 5

The Programming Perspective: We Still Live in the 1970s
State of the art: permission checks are required throughout the code, at every point that touches sensitive data.

Slide 6

Policy-Agnostic Programming
My PhD work.
Programs attach policies to data. The rest of the code may be policy-agnostic.
The programming model provides mathematical guarantees.
The implementation strategy scales to real-world programs.
jeeveslang.org

Slide 7

Policy-Agnostic Programming for Our 21st Century Security Concerns
Model, View, Controller
Without automatic policy enforcement
With Jacqueline, a policy-agnostic web framework that extends Python's Django
jeeveslang.org
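To make the contrast between the 1970s style (slide 5) and the policy-agnostic style (slides 6 and 7) concrete, here is an added illustration in plain Python. It is not the Jeeves or Jacqueline code, only a toy model of the same idea: a value carries two facets (sensitive and public) plus a policy over viewers; application code computes on such values without ever mentioning a policy; and one concretize() call at the output boundary (the "view" in MVC terms) picks the facet each viewer may see. Users, friendships and coordinates are constructed for the example, and the rounding-to-city-level policy is an assumption chosen to keep the public facet computable.

```python
"""Constructed illustration of policy-agnostic programming (not the Jeeves
or Jacqueline code). Faceted values carry a sensitive facet, a public facet
and a policy; application code never consults the policy; concretize() at
the output boundary does. All users and data below are made up."""

import math
from dataclasses import dataclass
from typing import Any, Callable

Viewer = str  # assumption: a viewer is identified by username


@dataclass(frozen=True)
class Faceted:
    """A value with two facets; policy(viewer) decides which one is shown."""
    high: Any
    low: Any
    policy: Callable[[Viewer], bool]


@dataclass(frozen=True)
class Derived:
    """fn applied to (possibly faceted) args, resolved lazily per viewer so
    mixed inputs resolve independently (one arg high, another low)."""
    fn: Callable[..., Any]
    args: tuple


def fmap(fn: Callable[..., Any], *args: Any) -> Derived:
    """Policy-agnostic computation: never inspects a policy."""
    return Derived(fn, args)


def concretize(x: Any, viewer: Viewer) -> Any:
    """The one place policies are enforced: resolve every facet for viewer."""
    if isinstance(x, Faceted):
        return x.high if x.policy(viewer) else x.low
    if isinstance(x, Derived):
        return x.fn(*(concretize(a, viewer) for a in x.args))
    return x  # plain values pass through unchanged


# --- constructed data: friendships and locations ---------------------------
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}


def location_of(owner: Viewer, exact: tuple) -> Faceted:
    """Exact coordinates for the owner and their friends; everyone else gets
    the coordinates rounded to one decimal place (roughly city level)."""
    coarse = (round(exact[0], 1), round(exact[1], 1))
    return Faceted(
        high=exact,
        low=coarse,
        policy=lambda viewer: viewer == owner or viewer in FRIENDS[owner],
    )


PROFILES = {
    "alice": location_of("alice", (42.3601, -71.0589)),
    "bob": location_of("bob", (42.3736, -71.1097)),
    "carol": location_of("carol", (40.7128, -74.0060)),
}


# --- application code: no permission checks anywhere -----------------------
def distance_km(a: tuple, b: tuple) -> float:
    """Equirectangular approximation; fine for short distances."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    return 6371.0 * math.hypot(x, lat2 - lat1)


def nearby_report(user: Viewer, other: Viewer) -> Derived:
    """Builds the report as a faceted value; it does not know who reads it."""
    dist = fmap(distance_km, PROFILES[user], PROFILES[other])
    return fmap(lambda loc, d: f"{other} is at {loc}, {d:.1f} km away",
                PROFILES[other], dist)


def render(user: Viewer, other: Viewer, viewer: Viewer) -> str:
    """The view boundary: the only call site that mentions the viewer."""
    return concretize(nearby_report(user, other), viewer)


# --- the 1970s version for contrast: the check lives in every code path ----
def legacy_render(user: Viewer, other: Viewer, viewer: Viewer) -> str:
    def visible(owner: Viewer) -> tuple:
        loc = PROFILES[owner]
        # Omit this check in any one of the functions that touch locations
        # and exact coordinates leak; nothing ties the check to the data.
        return loc.high if viewer == owner or viewer in FRIENDS[owner] else loc.low
    d = distance_km(visible(user), visible(other))
    return f"{other} is at {visible(other)}, {d:.1f} km away"


if __name__ == "__main__":
    for viewer in ("alice", "bob", "carol"):
        print(f"{viewer} sees: {render('alice', 'bob', viewer)}")
```

The point of the toy: nearby_report() and distance_km() are written once and never change when the location policy changes, and a new page that reuses them cannot forget the check, because the check is attached to the data rather than to the code path. The legacy_render() version produces the same strings today, but every new function that reads a location has to repeat the same conditional.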

Slide 8

Part II: How Can We Use Research to Build Secure Software?

Slide 9

Barriers to Industry Adoption
Managers need to fight the status quo.
Programmers need to manage legacy code.
What about the startup route to tech transfer?

Slide 10

Security is no Tindog
The hot new Silicon Valley startup: fun concept, slick design, toddler nephew can use it, integrates with your life.
A startup that helps us build secure software: technical concept, verifiable by experts, requires infrastructure change.

Slide 11

Unique Challenges for Security Startups
(Justin Somaini, Chief Trust Officer)
Concept is highly technical.
No flashy demos.
Adoption requires client expertise and/or trust.
Solving a technical problem != building a product.

Slide 12

Cybersecurity Factory
An 8-week accelerator I started that gives teams:
$20,000
Office space
Focused mentorship
A network
Legal support
Raj Shah, David Ting, Maxwell Krohn
cybersecurityfactory.com

Slide 13

Part III: How to Motivate Customers to Pay for Security?

Slide 14

Insecurity is Expensive
"A report released this month by the Atlantic Council and Zurich Insurance Group estimated that by 2030, an insecure Internet would reduce global economic net benefit by $90 trillion. In contrast, a completely secure Internet would result in a global net gain of $190 trillion."
- Jeff Kosseff, cybersecurity law professor

Slide 15

The Security "Prisoner's Dilemma"
Lack of individual incentive:
Requires more employee training.
Requires more programmer effort.
Doesn't currently provide a competitive advantage.

Slide 16

Creating a Culture Around Caring
Consumer example: Snapchat. Numerous privacy violations, but valued at $16 billion with 100 million users.
Policy example: Dentists. It is common to email records in violation of HIPAA, but HHS does not audit.

Slide 17

Summary: How to Secure Software
Ask smart people to come up with technical solutions. Put solutions into practice. Iterate.
Connect research with industry.
Change incentives for security.
Communicate and educate!
jeanyang.com