The 32nd annual RSA Conference — one of the biggest cybersecurity shows in North America — was held at San Francisco's Moscone Center last week. The event was jam-packed with hundreds of vendors, scores of speaking sessions, and lots of swag.
More important than the swag were key updates on government policies, guidelines, and frameworks, as well as new discoveries concerning threat actors and advice for security leaders as they lay their plans for 2024 and beyond. Here are the major updates that matter, on topics ranging from artificial intelligence (AI) to software supply chain security (SSCS).
Join RL for a live discussion with two top cybersecurity experts (and RSAC 2024 speakers) on Wednesday, May 22 at 12pm ET. Speakers include Devici's Chris Romeo and BlackGirlsHack's Tennisha Martin, who will share their top takeaways from this year’s big show — and answer your questions.
Cybersecurity obsesses over AI
It's no surprise that AI and the impact that generative AI tooling has on various areas within cybersecurity were major topics at this year's RSAC. To date, talk about GenAI has been balanced between worries and potential benefits. Practitioners are concerned that threat actors could abuse this technology effectively, but they also have high hopes for how AI can assist threat hunters and security teams in their efforts. This dichotomy held true at RSAC 2024.
For example, IBM and Amazon Web Services (AWS) found in a poll they conducted on the current state of GenAI security that 82% of C-suite respondents said that “secure and trustworthy AI is essential to the success of their business" but that only 24% are actually securing their GenAI initiatives. Equally concerning: IBM found that nearly 70% of respondents believe that, when it comes to AI, innovation takes precedence over security.
The IBM/AWS survey paints an alarming picture: While the use of GenAI for business goals is generally popular, securing these programs is just an afterthought for senior executives.
U.S. Homeland Security Secretary Alejandro Mayorkas expressed concern about the current state of AI in his keynote at the show. Mayorkas said that DHS is particularly focused on how AI can be deployed in ways that protect not only the privacy and safety of Americans, but also the country's critical infrastructure. He said he is hopeful about DHS's newly established Artificial Intelligence Safety and Security Board, which aims to balance AI's benefits against the risks it poses to critical infrastructure.
In another keynote, Tom Gillis, senior vice president and general manager at Cisco, agreed about the need to protect critical infrastructure and said cybersecurity leaders should harness the power of AI to bolster defenses while avoiding getting caught up in the hype around the technology.
“As AI gets weaponized by adversaries, the only way to stop those attacks is by making sure that you can use AI natively in your defenses.”
—Tom Gillis
RSAC speaker Elie Bursztein, an AI cybersecurity technical and research lead at Google DeepMind, was more optimistic about AI. His talk highlighted ways in which defenders can put GenAI to work, such as identifying and fixing security risks in open-source repositories or remediating software vulnerabilities.
“AI is eventually going to give us back the advantage [over AI-empowered adversaries] because the upside of using it is really, really large.”
—Elie Bursztein
While AI looks promising for SSCS, more research and innovation needs to happen before the technology can reach its full potential in outpacing adversaries, he said.
The state of U.S. software supply chain security policy
RSAC has long been a venue for government officials to share key updates on cybersecurity policies and initiatives. This year's show was no exception, and SSCS was in the spotlight.
In his keynote speech, U.S. Secretary of State Antony J. Blinken laid out his department’s goals in securing the digital systems that power the nation’s critical infrastructure.
“The distinction between the digital and physical realms is eroding.”
—Antony J. Blinken
To account for this concern, Blinken unveiled the new U.S. International Cyberspace and Digital Strategy, which he said treats digital solidarity "as our North Star." Blinken defined digital solidarity as the shared understanding among the tech world that it is necessary to be responsible and safe with emerging technologies.
The strategy also supports SSCS efforts by affirming the need to ensure that new software products and version releases are protected against threats such as malicious tampering with code and the exposure of software secrets and credentials. Blinken said the U.S. government is using its discretion to advance SSCS and other cybersecurity goals.
“The United States is forging tech partnerships that will make critical technology supply chains more resilient, more diverse, [and] more secure. It is crucial that we work with trustworthy vendors and exclude untrustworthy ones from the ecosystem.”
—Antony J. Blinken
Secure by Design aims to bolster the software ecosystem
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), unveiled new efforts from the agency that align with Blinken's call for digital solidarity. CISA's Secure by Design initiative, launched over a year ago, has now expanded to include the Secure by Design Pledge, described as a "voluntary pledge focused on enterprise software products and services."
Software producers that sign the pledge commit to making a good-faith effort over the following year to meet seven goals, which include eliminating entire classes of vulnerabilities and giving customers greater visibility into intrusions affecting the products they use. Several notable companies have already signed, including Microsoft, CrowdStrike, Google, and SentinelOne. CISA encourages software firms interested in taking the Secure by Design Pledge to email the agency at SecureByDesign@cisa.dhs.gov.