About I have a bedrock passion for security, privacy — and technology that betters society. Experienced six-time cybersecurity head, incl. two public offerings and a concurrent CISO/TechOps/Platform Head-reporting-to-CEO for private $100M+ company. For Fortune 1, ramped & led +2/3 of Infosec team for $13.5B eCommerce. Proficient with UNIX, shell scripting, cfengine/puppet, perf tuning; OSS roots. Accomplished w/ PCI, IPO-readiness, SOX, GLB, CIS/CCPA, forensics. Config, change & incident mgmt; DR/BC; due diligence. 15+ yrs (Sec)DevOps; 15+ yrs hands-on; 13 yrs sys admin; 9 yrs primary 24/7; 2 yrs dev. Developed intuition for "what's going to break next."

1. B U I L D I N G T O W A R D S T H E N E W
S E C U R I T Y & P R I V A C Y
L A N D S C A P E
W H E R E D O W E G O F R O M H E R E ?
JULIE TSAI, CYBERSECURITY LEADER
STANFORD CYBERSECURITY & PRIVACY FESTIVAL
STANFORD UNIVERSITY — OCT. 20, 2021

2. W H A T ’ S H A R D E R N O W
• Virtual+Physical Attack Surface Expansion
• Human-made
• Digital active surface Is Everywhere Now
• Active threat networks
• Overarching reliance & exposure on technology
• Many of the hardest vulnerabilities are where the
technology and humans intersect
• Social engineering - phishes, impersonation
• Tailgating
• Exception processes
• Where resourcing can’t cover enforcement

3. W H A T ’ S H A R D E R N O W I I
• People’s Health Information Disclosure is
Becoming Normalized as Society’s Price of Entry
• Will CDC/Public Health indicators become like
financial indicators (prime interest rate) which
dictate the climate of restrictions and disclosure
requirements to participate in professional,
social, and public life?
• Requires new expectations on privacy, or new
ways of accommodating public needs with
preserving private civil liberties

4. N A T U R A L I Z I N G D I G I T A L T R U S T
• The intuitive things that we do to determine
• Who We Trust
• What Context We Trust
• The Extent We Trust
…. How does this get abstracted into the digital
realm?
… We have so much data but all we can do is convert
concepts of trust and relationships into probabilities,
decision-making into quantified risk thresholds.
… Is this sufficient? Do we lose or gain in the
process?

5. I F Y O U O N L Y K N O W M E O N L I N E ,
W I L L Y O U E V E R R E A L L Y K N O W M E ?
1. Coves and Commons - and Real Caves
2. Circles of trust in real life become more like arenas
and graffiti walls in the digital world
3. The imperfections and forgiveness - inference - of
human memory. Natural coarse-graining*
4. Adjustments to current state - intuitive
adaptation/expectation to real-time change (or its
lack thereof)
5. Synthesis of all the human information - physical
presence (or energy), subjective tone, expression,
focus and aversion, character and potential

6. I T ’ S A L L A B O U T
IDENTITY

7. P H Y S I C A L A N D E P H E M E R A L -
E A C H H A V E T H E I R P L A C E
Physical Digital
Realtime Efficiency Asynchronous Efficiency
Persistent Artifacts Ephemeral Artifacts
Linear Scale Exponential Scale
Data Is an Attribute Data Has Its Own Value
Point-in-Time Data Value Drifts Point-in-Time Data Value Persists
Large Amounts of Integrated Data Discrete Atomic Data

8. “ S T R O N G A U T H E N T I C A T I O N ” M F A / 2 F A
More
Ephemeral
More
Immutable
Something
You Know
Something
You Have
Something
You Are

9. C A L L T O A C T I O N Q U E S T I O N S I
•How can we use technology in a private & secure way?
• Networked technology is pervasive in every arena
• Increasing reliance during pandemic times
•How do we encourage meaningful innovation in this
area?
•Does secure and private use of technology require that
consumers also transform into stewards of their data?

10. C A L L T O A C T I O N Q U E S T I O N S I I
• How could we design technology in a way that
tailoring for the consumer doesn’t require giving
away permanent ID
• Something I Am - Temporary ID/Attributes
• Something that loses value/meaning in the long
term
• Biometrics that vary and aren’t highly specific
• Does the integrity of identity require it be specific
to the human

11. C A L L T O A C T I O N Q U E S T I O N S I I I
Can We Value, Measure, and Design for
Attribution Fade (or Decay) for better privacy?

12. S I M P L E E N O U G H T O L I V E W I T H
Technology hard enough to manage by its makers
Can it be understood be its consumers?
Can it be managed if it’s not understood?

13. R E F E R E N C E S & I M A G E C R E D I T S
• “Coarse-graining” - see http://markburgess.org/blog_reactive.html
• Tatto fader - see https://twitter.com/avid/status/1354263865773723649?lang=de