In the Eye of the Storm

New America Cybersecurity Fellow Greg Michaelidis is just back from Kiev and asks ‘Does the world need another cybersecurity conference’?

With all the cybersecurity conferences around the world, one could argue the marketplace for such events is mature, even saturated. As we work to build greater international cybersecurity capacity it is difficult not to be slightly conflicted by the idea that better cybersecurity awareness brings with it the desire to host more cybersecurity conferences. 

But while these gatherings represent a kind of progress in cybersecurity capacity building globally, starting a new one with international ambitions is no small matter. Future success shouldn’t be assumed. Yet that is what the Ukrainians have done, and I was excited to be asked to be a part of the inaugural Global Cybersecurity Summit (GCS) held in Kiev, Ukraine—a country much in need of support right now.

Perhaps the biggest takeaway was the universality of the cyber problems we all face. For example, my panel focused on ways to improve the knowledge and security of users—the 95% of us that will never work directly in the cybersecurity field, but depend on it just the same. 

However, little focuses the mind about the importance of strong national cybersecurity as much as sitting in a country that is on the literal and figurative front lines of multiple overlapping, hybrid wars. Along its eastern border, the Ukrainian military has been fighting Russia-backed fighters since 2014. Simultaneously, the Kremlin continues efforts to destabilize the country through cyber attacks and disinformation campaigns, including two large-scale digital assaults on Ukraine’s civilian electric grid. The first, in December 2015 in western Ukraine, knocked out power to a quarter million people, and is considered to be the first kinetic cyber attack on civilian infrastructure during a conflict. 

So, to use the public health analogy, holding the GCS in Kiev is a bit like hosting a medical convention at the epicenter of an influenza pandemic. As a result, unlike many cybersecurity conferences on the circuit, this one carries a true sense of urgency that was evident in the remarks of several Ukrainian experts and officials. The urgency was also on display in the security measures taken by those of us who were outside participants.

Indeed, it is not unusual for traveling cybersecurity professionals to use temporary devices or a virtual private network (VPN) when traveling abroad. But rarely do attendees at equivalent conferences face aggressive attempts to hack their online email, cloud accounts, and devices, including via targeted spear phishing and, possibly, a cellular-spoofing stingray device. That made the first GCS a Russian masterclass in the case for two-factor identification—though an audience poll revealed that even in this community that message has not been widely heard.

The real test of whether a new cybersecurity conference will survive and prosper is whether it stands out from the crowd. On that front there were encouraging signs, none more so than former U.S. Deputy Secretary of State Tony Blinken’s direct criticism of not only Kremlin actions, but of the Trump Administration’s reticence to address Russian interference in Western elections in his opening keynote address (his full remarks are here). 

Our Ukrainian hosts and speakers conversed clearly and openly about the assault on their nation. When so many countries and corporations remain mum about breaches they suffer—feeding a sense of secrecy and shame about victimhood—Ukrainian officials have been refreshingly open about the ongoing situation. And it was clear from the two days of panels that few disagree with the need for shared knowledge, ethical disclosures, and an all-hands-on-deck approach to the problem in Ukraine. In truth, no country is close to having this covered, certainly not the U.S.

There remains some way to go, of course. Shortly after I returned from Kiev, WIRED ran another excellent piece on Russian hacking and cyber war, this time detailing the ongoing assault on almost every aspect of Ukraine’s public and private sectors. Just as troubling is the article’s contention that Ukraine may serve as a sandbox for the Kremlin to try out digital tools to threaten, deter, or even attack the United States. 

Clearly the stakes are high—for all of us. But as a weary attendee of countless security conferences, although an eager supporter of international capacity building, it was at least reassuring to have one’s faith restored in the value of such events. Let’s hope next year the organizers will have the luxury of a narrower, less urgent theme. I look forward to finding out.