October 9-10, 2018 | The Hyatt Regency Baltimore Inner Harbor | Baltimore, MD
Maryland is recognized as a cybersecurity leader - nationally and internationally. The state has developed cybersecurity experts, education and training programs, technology, products, systems and infrastructure. With over 10 million cyber hacks a day resulting in an annual worldwide cost of over $100 billion, the United States is at risk.
Last year alone, tens of millions of Americans had their identities and their bank accounts threatened or compromised. Ensuring that our nation has the workforce, technology and resources to protect our citizens, businesses, infrastructure, intellectual property and more is of paramount importance. Maryland continues to be a leader on this front.
Constellation Ballroom A/B
The Honorable C.A. "Dutch" Ruppersberger
As the nation's cyber warriors, US Cyber Command (USCYBERCOM) operates daily in cyberspace against capable adversaries, some of whom are now near-peer competitors in this domain. We have learned we must stop attacks before they penetrate our cyber defenses or impair our military forces; and through persistent, integrated operations, we can influence adversary behavior and introduce uncertainty into their calculations. Our forces must be agile, our partnerships operational, and our operations continuous. Policies, doctrine, and processes should keep pace with the speed of events in cyberspace to maintain decisive advantage. Superior strategic effects depend on the alignment of operations, capabilities, and processes, and the seamless integration of intelligence with operations. Now we must apply this experience by scaling to the magnitude of the threat, removing constraints on our speed and agility, and maneuvering to counter adversaries and enhance our national security.
This session will provide an overview of USCYBERCOM's updated mission and the primary objectives for the agency. We will also cover industry/academia/USG interaction and how the development of partnerships will be a primary objective to develop enhanced operational capabilities.
This panel will highlight, discuss and demonstrate often-overlooked security risks of IoT firmware and software. Diving into how to discover vulnerabilities left behind by China's second largest camera manufacturer, Dahua, the panel will unmask how flawed firmware on IoT devices has resulted in countless cases of privacy invasion and malicious tampering proven detrimental to government organizations.
Fueled by nearly a decade of work defending and securing IoT devices for sensitive applications within NSA, experts on this panel believe many of the breaches and vulnerability discoveries today can be attributed to IoT issues. They also assert that today's network security solutions for IoT devices fail miserably at preventing or detecting the root cause of attacks like insecure coding practices and backdoor accounts.
This is essentially a "tools" discussion - what is needed, what may not yet exist - access tools, polymorphic tools, neural networks, automated courses of action, ways that the industry side of the equation can help support the work now and in the future.
This session will provide a forecast for technology requirements and upcoming needs of USCC.
Addressing Threats: What is significant in your Career and Educational Background that helps you address today's threats: Data Breaches, Human Factors, Forecasting, Risk Management, Disruptive Technologies, Mobile Computing, Internet-of-Things, Data Privacy, Critical Infrastructure, and Artificial Intelligence?
Dr. Omondi Opala
Dr. Lawrence Awauah
The Internet as we know it was created by ARPANET in 1969 as a network of flexible, distributed packet-switching communication nodes. The communication process depends on packet forwarding from source to destination through a next-hop device, also known as routing. The most widely used network transport protocol combination is TCP/IP, which manages sessions between two interconnected network nodes. The Internet of Things (IoT) is poised to revolutionize the IT industry by allowing connectivity to appliances, cameras, and dumb devices on manufacturing machines to gather pertinent data on utilization. The Internet of Things (IoT) is associated with connecting the sensors and actuators to the new Internet. These include remote home monitoring technologies, wearable computing, self-tracking tools, augmented reality, sensor-rich fabric, intelligent energy and power systems, autonomous vehicles, drones, retail tracking, automated inventory management systems, industrial connectivity and much more.
The IoT phenomenon has been widely adopted by the relevant industries to showcase the ubiquitous Internet's value proposition, but it brings along a major security risk to enterprise networks. This is because IoT devices rely on some of the vulnerable wireless technologies such as Bluetooth, Wi-Fi, ZigBee, Cellular, RFID and many other forms of wireless access technologies. The majority of studies done by Gartner and Forrester on the Internet of Things estimate that it could add as much as $15 trillion to the global GDP over the next 20 years. Others argue that the current count of over 10 billion wireless devices will increase to 30 billion by 2020, making it a compelling business decision to consider adopting the solution and planning how to securely use it to transact business. The success of the IoT adoption rate does not lie in smartphones, tablets and laptops, which are the current ecosystem of IoE, but in node or sensor type devices. In this paper we will explore the demand for IoT in different business sectors, highlight inherent risks and recommend security best practices for implementation.
USCC was granted acquisition authority by the US Congress in October 2016. This session will provide an overview of the acquisition and contracting methodologies to be used by USCC for the purchase of products, services and know-how required to support the updated mission.
Academically, were you prepared for the following? How often do you use academic and non-academic skills related to these categories? Risk analysis, Revenue generation, Employee productivity, Ethics, Strategic value of the cyber team, reporting structures, Customer satisfaction and Cyber Innovation. What is life after being a CISO?
Until now, most have assumed encryption is enough to protect stolen data from compromise. Encryption standards have evolved over time as computing capabilities have advanced to crack older generations of code and we have always lived under the assurance that our latest encryption is strong enough to withstand the most formidable foe with almost unlimited resources. However, the newest quantum computers have the capacity to break even the strongest encryption society relies on today. It is time to fight fire with fire and completely upgrade our approach considering quantum networks for encryption key exchange. Battelle, industry researchers and academics are identifying ways quantum networks can be used to protect future generations from having to worry about their encryption again. This panel will center around highlighting new threats that require advances in encryption, automation and machine learning.
DreamPort will provide innovative collaborative solutions to problem sets by attracting and engaging industry, academic and government mission partners. DreamPort will provide a mechanism for collaboration to enable and bolster the creation and sharing of insights to solve unique problems and deliver tools to US Cyber Command to address evolving cyberspace threats and opportunities. Our structure allows freedom of maneuver and, through rapid development cycles, the creation of tools and methods in support of mission requirements. These responsibilities emphasize mission and operational outcomes consistent with Unified Combatant Command Status, providing enhanced readiness, capability, scalability and capacity for action.
One of the biggest misconceptions about GDPR is that companies have to be "compliant" by May 25th or the fines will start rolling on May 26th. Let's talk about the reality of what being compliant with GDPR actually means and how this regulation is an ongoing process, not a "one time" checklist. GDPR is about data protection but also contains guidelines to follow, which affect how the commission will review any data breaches. The panelists have been working with corporate compliance officers - especially those in the utilities, financial services, and healthcare industries - to integrate GDPR preparedness into their organizations. They plan to offer insight into how these executives are adapting to the regulations, and how they are navigating the requirement of having a "reasonable" level of protection for personal data. Given the increasing complexity of the compliance landscape, and the rising importance of privacy, should more large organizations hire a Chief Privacy Officer? What other advice is relevant for those concerned with GDPR compliance?
What do you get if you combine an abandoned row home, an out of service phone number, and the Social Security number of a newborn baby? A perfectly good line of credit.
Even as the annual costs from identity theft continue to grow, this type of fraud is no longer limited to the compromise of real, tangible identities. Instead, a more insidious form of fraud is beginning to take shape: synthetic identities. Synthetic identities are pieced together from different personal data sources, creating new, largely undetectable personas that can be used to open accounts, take out loans, and run up huge debts. In many cases, synthetic identities exploit the fresh, untapped data of children and infants, creating bad credit that will go unnoticed for more than a decade.
How are these synthetic identities created? Where are criminals getting this data? What can the security industry - and everyday consumers - do about it?
This session investigates the development of synthetic identities, going beyond the surface-level introduction offered by other identity presentations. The session will examine how this new form of fraud is taking shape, and why these synthetic identities can so regularly go undetected. The session will include a deep dive into the thriving underground market for personal data on the dark web, including a survey of the criminal tradecraft that makes it easy for fraudsters to create and exploit these synthetic identities.
Attendees will come away from this session with a framework for understanding how data is valued and traded on the dark web, how data breaches open up a lifetime of exposure, how synthetic identities are developed and exploited, and what security professionals - and parents - can do to protect against this new type of fraud.
Cybersecurity was predicted to be an $86.7 billion dollar industry in 2017. That's why no one wants to tell you that cybersecurity really isn't sexy. Who wants to shatter perception on an industry that is worth more than the predicted GDP of Sri Lanka in 2017?
There's a secret out there that no one wants you to know. Why? Because knowing it would cause disruption to an industry that analysts say will hit global spending costs of $86.4 billion dollars in 2017. Think about that. $86 Billion is roughly the 2016 GDP of Egypt. What's this secret that impacts the financial equivalent of the Home of the Nile?
It's that security isn't sexy. Really and truly. Yes, there are more successful security breaches than ever before. And yes, there are more point products to have to keep track of and places for you to spend your security budget. But the truth of the matter is that security is a repeatable business process that, if we can remove the noise around it, is something we can dramatically improve.
The best and fastest way to improve a company's security posture? Ah - that's the sexy part. Let's start talking business. Attendees of this session will learn:
1. Why educating our security leaders and security professionals about how the business operates is critical to the security posture of our businesses;
2. What their role in the long term success of the business looks like;
3. The importance of working in tandem with corporate IT from a business point of view;
4. How to not only elevate the role of security in a corporation, but translate cybersecurity into a Board-level conversation so there is across-the-board understanding.
Public/private collaboration is essential to fill the cyber talent pipeline and improve the safety of information networks that drive national security and economic stability. Collaboration among federal, state, local and private stakeholders, including industry, non-profits, and academia, is the foundation for new cybersecurity education, training and workforce development initiatives. These innovative partnerships are actively addressing the need for skilled and motivated workers to fill the pervasive cybersecurity talent shortage. According to a recent 2018 ISACA survey, 59% of enterprises report unfilled security positions, and 54% stated it takes over three months or longer on average to fill security positions.
In an era marked by rising cyber threats, Maryland's standing as one of the nation's most advanced workforces and a leader in securing critical cyber infrastructure is a testimony to the power of the state's commitment to collaboration among stakeholders. Learn how innovative public/private partnerships are cultivating the skilled workforce needed to compete in today's competitive global environment and equipping industry and government for the challenges that lie ahead.
At the end of this session, participants will be able to:
• Look beyond traditional hiring models to find high-potential talent that can fill vacant positions
• Become familiar with various collaboration models that improve cyber workforce development
• Identify existing partnership opportunities in MD
When patients seek medical care, one of the first actions healthcare providers take is ordering imaging procedures such as X-Rays or MRIs to help diagnose issues and determine next steps. Like much of the healthcare industry, medical imaging has also rapidly moved toward the digital space. These images, stored within an online Picture Archiving and Communication System (PACS), are shared among medical staff and remotely accessible on mobile devices.
While PACS allow for more efficient medical processing, the systems are often not developed with security in mind and expose the broader hospital system to cybersecurity risks. Malicious actors could leverage unsecured PACS to infiltrate hospital systems and access critical information and vital medical services, putting patients at risk.
The National Cybersecurity Center of Excellence (NCCoE), working in partnership with healthcare delivery organizations (HDOs), cybersecurity vendors and academic partners, is developing guidance to help HDOs secure their PACS ecosystem, based on a comprehensive risk assessment.
The Picture Archiving and Communications session will:
• Outline the scope of PACS systems within hospitals and other healthcare delivery organizations
• Detail the cybersecurity risks associated with PACS
• Showcase the reference architecture developed by the NCCoE, using NIST cybersecurity standards, to secure the PACS ecosystem within an HDO.
This advanced-level session focuses on driving aggressive growth and business development in the cyber market. Cybersecurity Ventures predicts global spending on cybersecurity will exceed $1 trillion between 2017 and 2021. Well-positioned contractors view the cyber market as a growth market even amid federal budget uncertainties. Attendees of this session will learn how to fast-track cyber market growth in both defense and civilian agencies. If you are ready to add a zero onto your revenues, this practical, bottom-line, results-oriented session will address:
• Funding trends and using them to your advantage
• Contract vehicles: go or no go
• Positioning to win market share
• The real decision makers and how/when to engage
• Fast-track tools for success
According to a recent Cisco report, there are over 1 million cybersecurity jobs unfilled, which is projected to rise to 6 million by 2019. The problem is two-fold: filling the current gaps while preparing the next workforce generation. The solution requires that the public and private sectors work together to create clear career paths in cybersecurity. In order to recruit and retain skilled personnel, together they must incorporate a variety of employment tools and resources.
In this session you will learn what the public sector is doing at the state and federal levels and how the private sector can become involved while aligning its own efforts. The session also includes an analysis of the latest career education and training programs working to solve this massive problem.
Dr. Balakrishnan Dasarathy
Answering this question rigorously is vital for keeping faith in our democracy!
Our election systems consist of two major types of systems: ballot and registration systems. A close examination of these systems is necessary to get a complete picture of the prospect of a hack and its ramifications.
Voting ballot machines, where votes are cast, are the most important ones from the election integrity perspective. These machines are not typically connected to the Internet, at least during voting, and that prevents them from being hacked. A thumb drive is used to extract data from a voting machine, and this thumb drive with cryptographically-protected data is then securely handed over to a central location for vote-tallying purposes. In some states, many direct-recording electronic voting machines that do not produce any paper record remain in use. This certainly puts such machines at risk for lost votes in case of machine failures.
The voter-registration systems in many states allow eligible voters to register online, and, as such, are not cyber-attack proof. Hacking here could certainly lead to deletion or manipulation of voter rolls - thus disrupting elections and reducing faith in our electoral process. Fortunately, processes can be put in place to detect, on a daily basis, any alteration to the voter database.
Trustworthiness: Before the 2016 general election, about 34% of likely voters believed that year's election would be rigged, according to a New York Times report. The pressing issue is not just one of information security, but about assurance and the trustworthiness of all voting technology and processes. Trustworthiness demands that we maintain a paper trail, that officials and party representatives verify all voting systems are working just prior to voting, and that there is a review of tally results in each precinct - or at least randomly selected precincts - with ballots from the paper trails kept.
The work focuses on identifying the existing challenges and opportunities to make elections secure and reliable, ranging from the voter registration process and the actual voting to counting the results. The solutions require a certain technology mix and the development of standards and policies, along with the political will to fund and deploy a robust election process.
The topic is both timely and relevant given the upcoming elections and will include information and experience related to the securing of the Frederick County Election Board systems and processes during the summer of 2018.
Due to the overwhelming demand for talent in cybersecurity in our region, new and non-traditional pathways to enter the field have emerged. Employers are seeking mission-ready candidates from higher education, and new academic programs in cyber are appearing, but the number of qualified students coming out of these programs pales in comparison to the growing demand. Additionally, these graduates typically require on-the-job experience to be fully productive in their roles.
While there is a negative unemployment rate in cyber, there are too many citizens in our state who are unemployed or underemployed. For the most part, the pool of qualified cyber talent is treated as a zero-sum game, leaving employers to fight over these scarce resources. While companies are drawn to Maryland for our highly educated and well-prepared workforce, they quickly realize that there is a war for that talent, and attracting and retaining it is expensive.
Necessity is driving innovation. Employers are widening their apertures to find candidates from alternative sources with great success. New approaches are developing new talent in cyber, including vocational training programs and apprenticeships. Those who have the aptitude and passion needed to be successful in a career in cyber but have not had the opportunity to obtain a cyber-related degree finally have the opportunity to break into the field. And they are bringing with them new experiences, perspectives and diversity to the cyber workforce.
Our panel will include employers with experience hiring cyber talent from these non-traditional sources as well as the cyber professionals who have traveled alternative pathways to break into the field. Hear from them about their experiences and learn about opportunities to participate in the innovation that is happening in our state.