About
I have a bedrock passion for security, privacy — and technology that betters society. Experienced six-time cybersecurity head, incl. two public offerings and a concurrent CISO/TechOps/Platform Head-reporting-to-CEO for private $100M+ company. For Fortune 1, ramped & led +2/3 of Infosec team for $13.5B eCommerce.
Proficient with UNIX, shell scripting, cfengine/puppet, perf tuning; OSS roots. Accomplished w/ PCI, IPO-readiness, SOX, GLB, CIS/CCPA, forensics. Config, change & incident mgmt; DR/BC; due diligence. 15+ yrs (Sec)DevOps; 15+ yrs hands-on; 13 yrs sys admin; 9 yrs primary 24/7; 2 yrs dev. Developed intuition for "what's going to break next."
Building Towards the New Security & Privacy Landscape: Where Do We Go From Here?
1. BUILDING TOWARDS THE NEW SECURITY & PRIVACY LANDSCAPE: WHERE DO WE GO FROM HERE?
JULIE TSAI, CYBERSECURITY LEADER
STANFORD CYBERSECURITY & PRIVACY FESTIVAL
STANFORD UNIVERSITY — OCT. 20, 2021
2. WHAT'S HARDER NOW
• Virtual + physical attack surface expansion
• Human-made
• The digital active surface is everywhere now
• Active threat networks
• Overarching reliance on, and exposure through, technology
• Many of the hardest vulnerabilities are where technology and humans intersect
• Social engineering: phishes, impersonation
• Tailgating
• Exception processes
• Where resourcing can't cover enforcement
3. WHAT'S HARDER NOW II
• People's health information disclosure is becoming normalized as society's price of entry
• Will CDC/public health indicators become like financial indicators (the prime interest rate), which dictate the climate of restrictions and disclosure requirements to participate in professional, social, and public life?
• Requires new expectations on privacy, or new ways of accommodating public needs while preserving private civil liberties
4. NATURALIZING DIGITAL TRUST
• The intuitive things that we do to determine
  • Who we trust
  • What context we trust
  • The extent we trust
… How does this get abstracted into the digital realm?
… We have so much data, but all we can do is convert concepts of trust and relationships into probabilities, and decision-making into quantified risk thresholds.
… Is this sufficient? Do we lose or gain in the process?
5. IF YOU ONLY KNOW ME ONLINE, WILL YOU EVER REALLY KNOW ME?
1. Coves and commons, and real caves
2. Circles of trust in real life become more like arenas and graffiti walls in the digital world
3. The imperfections and forgiveness (inference) of human memory: natural coarse-graining*
4. Adjustments to current state: intuitive adaptation/expectation to real-time change (or its lack thereof)
5. Synthesis of all the human information: physical presence (or energy), subjective tone, expression, focus and aversion, character and potential
7. PHYSICAL AND EPHEMERAL: EACH HAVE THEIR PLACE

Physical                          | Digital
Realtime Efficiency               | Asynchronous Efficiency
Persistent Artifacts              | Ephemeral Artifacts
Linear Scale                      | Exponential Scale
Data Is an Attribute              | Data Has Its Own Value
Point-in-Time Data Value Drifts   | Point-in-Time Data Value Persists
Large Amounts of Integrated Data  | Discrete Atomic Data
8. "STRONG AUTHENTICATION": MFA/2FA
[Figure: the three authentication factors placed on a spectrum from More Ephemeral to More Immutable: Something You Know, Something You Have, Something You Are]
9. CALL TO ACTION QUESTIONS I
• How can we use technology in a private & secure way?
  • Networked technology is pervasive in every arena
  • Increasing reliance during pandemic times
• How do we encourage meaningful innovation in this area?
• Does secure and private use of technology require that consumers also transform into stewards of their data?
10. CALL TO ACTION QUESTIONS II
• How could we design technology in a way that tailoring for the consumer doesn't require giving away a permanent ID?
• Something I Am: temporary ID/attributes
• Something that loses value/meaning in the long term
• Biometrics that vary and aren't highly specific
• Does the integrity of identity require that it be specific to the human?
11. CALL TO ACTION QUESTIONS III
Can we value, measure, and design for attribution fade (or decay) for better privacy?
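As an added illustration that is not part of the deck, one way to model the "attribution fade" asked about here (and the temporary attributes of slide 10, and the ageing photo and changeable secret question in the speaker notes): each identity attribute carries an observation time and a half-life, its evidential confidence decays exponentially, a faded match is no longer accepted, and faded attributes are purged rather than retained. The attribute names, half-lives, threshold and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

THRESHOLD = 0.25  # below this, an attribute no longer counts as evidence of identity (assumed)

@dataclass
class DecayingAttribute:
    """An identity attribute whose evidential value fades with age."""
    name: str
    value: str
    observed_at: datetime
    half_life: Optional[timedelta]  # None = never decays (e.g. a fixed biometric)

    def confidence(self, now: datetime) -> float:
        """1.0 when fresh, 0.5 after one half-life, 0.25 after two, and so on."""
        if self.half_life is None:
            return 1.0
        age = (now - self.observed_at).total_seconds()
        return 1.0 if age <= 0 else 0.5 ** (age / self.half_life.total_seconds())

def verify(store: dict, name: str, claimed: str, now: datetime) -> tuple[bool, float]:
    """Returns (match accepted, current confidence); a correct but faded match is rejected."""
    attr = store.get(name)
    if attr is None:
        return (False, 0.0)
    conf = attr.confidence(now)
    return (attr.value == claimed and conf >= THRESHOLD, conf)

def purge(store: dict, now: datetime) -> list[str]:
    """Delete faded attributes so stale identity data is not retained; returns what was removed."""
    gone = sorted(n for n, a in store.items() if a.confidence(now) < THRESHOLD)
    for n in gone:
        del store[n]
    return gone

# Constructed sample: attributes captured on the talk date, with hypothetical half-lives.
T0 = datetime(2021, 10, 20, tzinfo=timezone.utc)

def at(days: int) -> datetime:
    return T0 + timedelta(days=days)

def build_store() -> dict:
    attrs = [
        DecayingAttribute("photo", "photo-hash-v1", T0, timedelta(days=730)),
        DecayingAttribute("favorite_color", "blue", T0, timedelta(days=90)),
        DecayingAttribute("fingerprint", "fp-template-1", T0, None),
    ]
    return {a.name: a for a in attrs}
```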
12. SIMPLE ENOUGH TO LIVE WITH
Technology is hard enough to manage by its makers.
Can it be understood by its consumers?
Can it be managed if it's not understood?
13. REFERENCES & IMAGE CREDITS
• "Coarse-graining": see http://markburgess.org/blog_reactive.html
• Tattoo fader: see https://twitter.com/avid/status/1354263865773723649?lang=de
Editor's Notes
We have attributes - so much data
3. “Coarse-graining” - see http://markburgess.org/blog_reactive.html
4. Adjustments to current state - i.e. a photo depicts who we are at a point in time. If I don't update this picture, I can use it for whatever period of time. But at a certain point it no longer serves as a digital confirmation, but as an artifact like a watermark or other pattern of life, whereas a human would rapidly confirm or not confirm that the match is correct, accounting for age. Or a secret question, "what is my favorite color?": what if it's different tomorrow?
5.
Point-in-Time Data Value
My password: in real life its value is only there if it works
In a point-in-time password dump it may have persistent value