For me, cybersecurity can seem small. Beyond my community of friends and colleagues, all I can see is a cyber world that is a mirrored reflection of a reflection of repeated activities. Attack. Defend. Analyze. Adapt. Attack. Defend. Analyze. Adapt. While the attackers are generally conceived as US foreign adversaries(1), the rest of the cycle is decidedly American (or at least western). Without self reflection the daily view can become myopic.

Phone PhreakingThis probably feels familiar to many in the cybersecurity community. After all, since the mid 50s, early phone phreaks (arguable the first hackers) like David Condon were tricking the American-as-apple-pie Ma Bell(2). Indeed, the majority of the infrastructure and software that was to be hacked and secured was US based. But how much of our world is self constructed, mirrored glass, showing our own reflection over and over again, oblivious to the outside world?

On the heels of RSAC (where I got to give not one, but two presentations  [one, two]) I was extended the opportunity to speak at “Tactical Edge 2023, CISOS LATAM SUMMIT”.  This event is the brainchild of Edgar Rojas, and has been running for nearly a decade. Ed saw a need for organizations in Latin America that wasn’t being met by bigger conferences like RSAC and Blackhat/Defcon. Aside from the overwhelming cost of attending those conferences, he saw the riot of information thrown at attendees made it nigh impossible for Latin American CISOs to talk to experts and vendors in a way that allowed them to hear the information they needed to make their own organizations more secure.

His solution is to bring the experts (and vendors) to Colombia. It might sound a bit too effusive, but it was one of the best conferences I’ve attended. A really an incredible experience for everyone involved. For the attendees, they get access to experts who give them relevant information and can answer questions. For vendors, they get intimate access to CISOs, people with purchasing power who are actually interested in the product. No wading through reams of badge scans to figure out which leads might actually be worthwhile to pursue. And finally, for the experts (that’s me!), we get fresh (to me at least) perspectives on cybersecurity and how the rest of the world operates. The conference has been a growing success with hundreds of attendees, 60+ of experts, and multiple events per year.

For my sessions, I did a little bit of extra research on some existing Cyentia research: IRIS 2022, Arete Ransomware reports, and the Cisco Security Outcomes Report. For the first and last I narrowed the focus down to Latin America and tried to pick apart some meaningful differences, for the Arete reports I didn’t have regional information, but of course there are excellent lessons to be learned there. I won’t get into the details of that extra analysis in this blogpost (maybe the next one), but I did find some interesting variations. Here, I’d like to talk more about what I learned from the attendees and other experts.

In particular, I too often forget that the world extends beyond the major cyber players’ national border. The rest of the world is also subject to the whim of US and EU cybersecurity policy and regulation, they face the same APTs from China, Russia, Iran, and North Korea, and they are expected to keep up with the latest attacks and defenses that are conceived and dealt with in cultures and contexts that are vastly different than their own. I construct a cybersecurity world based on my own perceptions of technology, how people use it, and how it can be subverted, believing that no world exists beyond a moat of shining waters of my own ideas. 

This thinking is pretty easily shattered when talking to attendees of the summit. In particular, I learned about Colombian Law 1581 which is a Colombian based privacy law similar to the GDPR. The challenge for Colombians is the need to adhere to the law which is similar to, but not the same as the GDPR. Meaning approaches designed to support data privacy under the GDPR may mostly work, but subtle differences can open them up to fines and other regulatory actions. This is doubly complicated by the fact that many of the attendees worked for EU or US based organizations with presence in Latin America.

In the US, English based cybersecurity world we rapidly create and throw around terms like Zero-Trust and SASE. Even within our own US-based zeitgeist the shape and borders of these terms and how they map onto actual technologies can be murky. That murkiness is magnified when we try to translate those terms and concepts into another language and context. During a panel with the other experts (Mike Kiser, Dr. Andrea Little Limbago(3), and Ryan English) we attempted to stress that “Zero Trust” was not something you could just “buy”, but a process that requires products and coordination. Despite the panel’s considerable expertise, it was still a challenge to articulate to the attendees just what they needed to do to achieve Zero Trust in their organization. 

It’s likely that this blogpost reads (at least partially) like a naive college student’s first trip abroad(4). I aspire to be worldly, and I think many in the cybersecurity community do as well. But the contrast between RSAC and Tactical Edge could not have been more stark. Even in the roiling, fast moving stream of ideas at Moscone, it seemed everyone was speaking more or less the same language. Removed from the context of San Francisco, however, our cyber-speak seems insular and convoluted. This is the point where the similarities to the book referenced in the title of this post start to break down though. Whereas Márquez’s Macondo is degraded by the changing world around it and its own insularity, the US-centered cybersecurity world is the one imposing its will on the rest of the world. We wreak havoc(5) and expect others to keep up, ruining potential partnerships and avenues to better secure our own networks. This kind of “keep up or die” is a counterproductive strategy for the kind of interconnected, mutually-supporting defense that is needed to defend against state-backed attackers who can cause massive damage with relatively minor investment, much less the evolving everyday threats organizations face. Expanding our view beyond our current hall of mirrors will likely do everyone a world of good.
 

(1)  This is as stereotypical a US viewpoint as there ever has been, but also not completely incorrect. Ask Ryan English (who was also an expert at Tactical Edge) about the cyber bad guys he spends his day hunting.

(2) See Phil Lapsley’s very excellent book Exploding the Phone for more info on the history of phreaking.

(3) This deserves more than a footnote, but Andrea’s session did an excellent job of elucidating the many interactions between geopolitics and cyber security that I am just touching on here.

(4) I could go further in that direction. Colombia is a beautiful country and I was lucky to have it shared with me by Ed and locals Carlos and Lina. It is easy to believe that magic realism is not just a literary device in Colombia, but an everyday experience.

(5) Wendy Nather’s concept of a “Security Poverty Line” continues to be one of the most useful framing devices for thinking about how security gets done in the real world.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.