AI and China everywhere • The Register

RSAC Another RSAC has come and gone, with almost 44,000 attendees this year spread across San Francisco’s Moscone Center and the surrounding facilities, according to conference organizers. Hopefully, all of us made it home safely, didn’t get deported to a Venezuelan prison, and didn’t end up bringing home a virus – computer or corona.

You can read all of The Register’s coverage here, and as with previous years’ conferences, some key trends and themes emerged throughout the week. The most obvious? “AI is everywhere,” as everyone from former National Security Agency cyber boss Rob Joyce to Rapid7 senior director of threat analytics Christiaan Beek told us, using those exact words, when asked to share their takeaways from this year’s event.

“I don’t think it’s too much, because I am an AI optimist,” Joyce told The Register. “I really think there’s going to be incredible stuff — we talked about Waymo — but in the near term, we are going to be swamped with a lot of things that are bad security and it’s going to be exploitable.”

Particular buzz was reserved for the subset known as “agentic AI,” as we predicted in the lead up to RSAC.

We called it

Over at one of Amazon’s San Francisco offices, securing AI agents garnered a whole panel discussion among the tech giant’s Chief Security Officer Steve Schmidt, AWS Chief Information Security Officer Chris Betz, and Amazon Chief Information Security Officer for ads and devices Amy Herzog.

But it’s not just the vendors who are keeping a close eye on this emerging technology. 

“As companies deploy agents, they give them the autonomy and authority to do something on their behalf, and criminals are going to flock to those because they have that autonomy,” Joyce said. “I think we’re going to have a lot of AI mishaps over the coming year.”

Naturally, conference goers want to know how cybercriminals and nation-state hackers are using AI in their attacks, and the top use case seems to be fraud and social engineering.

Generative AI makes it much easier to craft phishing emails in any language without those pesky spelling and grammatical mistakes that used to be a dead giveaway. It can also produce phony invoices and documents with company logos that look just like the real thing, and create fictitious business profiles at scale.

“The widest adoption of [AI] use cases we’ve seen is from China and cybercriminals,” FBI Deputy Assistant Director Cynthia Kaiser told The Register.

China’s the biggest threat, but Norks the buzziest

Threat intel analysts across both public and private sector agreed that China has become America’s top cyber threat — and the various Typhoon attacks over the past couple years were frequent topics of discussion — but the phony North Korean IT worker was certainly the buzziest threat topic.

“The North Korean worker situation is mind blowing,” cybersecurity author and investor Nicole Perlroth said during an offsite panel hosted by developer security provider Snyk.

Before the panel, Perlroth met with a group of Fortune 50 CISOs, and one of them told her that last quarter, they submitted their new-hire list to the local FBI field office.

“Six came back positive for North Korean agents,” she said. “Two of them weren’t even North Korean — they were Indian citizens who were being paid by North Korea to take these jobs … that’s one company. I won’t tell you who they are, but you would never think North Koreans would be trying to get inside this company.”

And they’re even gunning for Google jobs

One Fortune 50 company that the Norks are trying to get an inside view of is Google.

“We have seen this in our own pipelines,” said Iain Mulholland, Google Cloud’s senior director of security engineering, during a press-attended threat-intel roundtable. Google “detected” the North Korean IT workers applying for jobs, and in response continued to “evolve and adapt” defenses.

“Almost every CISO of a Fortune 500 company that I’ve spoken to — I’ll just characterize as dozens that I’ve spoken to — have admitted that they had a North Korean IT worker problem,” added Mandiant Consulting CTO Charles Carmakal. 

The Google Cloud-owned incident response firm has “notified countless organizations” that not only have North Koreans applied for jobs at their companies, but in several cases, “have actually been hired,” Carmakal said. “It’s a very significant problem.”

Plus, “the other issue is that they’re not all direct hires. Some of these are contractors,” Google Threat Intelligence VP Sandra Joyce said, noting this adds another “layer of complexity” where enterprises not only need to background check direct hires, but also employees working for contractors.

Luckily, there is one question that companies should ask during job interviews that, we’re told, always roots out North Korean spies and forces them to drop out of the recruitment process. Read all about it here.

Trump loomed large

As we noted earlier in the week, the US government’s top cybersecurity leaders didn’t have as much of a speaking role or presence at RSAC as they have in previous years. Meanwhile, questions about what the White House’s security snafus and budget-slashing efforts will mean for the private sector loomed large, and ran like an undercurrent throughout this year’s conference.

In addition to federal employees being silenced at the biggest cybersecurity event in America, many of the speakers and attendees seemed leery of talking about topics like CISA employee and program cuts, and what US government changes will mean for the industry.

DOGEing the question?

Most seemed to take Homeland Security Secretary Kristi Noem’s lead and “just wait till you see” approach.

During an offsite Amazon threat-intel panel, reporters asked Amazon and CrowdStrike execs if the federal government’s headcount reductions and budget cuts had impacted their ability to do their jobs and collaborate on threat intel with government counterparts. 

“We haven’t seen any change in that regard,” Amazon CISO CJ Moses said. “We’re monitoring the situation just like everybody else, to see if there’s any changes. But as of today, there hasn’t been an impact to our ability to share the information that’s needed.”

“Same,” added CrowdStrike senior VP of counter adversary operations Adam Meyers.

An FBI official was slated to participate in this press-only panel, but was dropped from the lineup as the event neared.

Google execs had a similar response when asked about government changes and if budget cuts have affected its direct threat intel sharing.

“So far, we have been able to continue our mission of supporting all of our customers and sharing intelligence with our partners,” Google’s Sandra Joyce said.

Over at the Snyk panel, the speakers seemed more candid, with Easterly calling the CISA brain drain “a loss for the American people” at a time when threats from China and ransomware criminals alike are skyrocketing. 

“If anything, we’re just going to see a lot more activity right now, and I think we have to be more prepared than ever,” Perlroth said. “So I think the cuts are disturbing on a practical level.”

Snyk CEO Peter McKay, meanwhile, noted that “you judge the culture of a company based off of how they treat people on the way out, because that’s the way you’re going to get treated when it’s your turn.”

When it comes to the federal government slashing employees, “I worry how good of talent you’re going to get in, when they see how you treat people on the way out.” ®
