Hello, my name is Bruce Schneier. Yes, the Bruce Schneier. Via a Google Hangout. Here are my notes from Mr. Schneier's keynote this morning:
Recap of the Sony hack: it's not a cyber war, but war-like tactics in broader cyber conflicts. If a tank drove down your street, you would know a government was involved, because only governments can afford tanks. In cyber conflicts, the weapons are democratized. We can't tell if the attacker is a government or a small group of motivated people.
Cyber attacks are harder to attribute. It's possible, even likely, that Western attacks are routed through China because everyone knows that a lot of attacks come from Chinese networks. Attribution leads to deterrence. It's in the US's best interest to signal that they can attribute. Attribution based on secret evidence isn't trusted. This problem only becomes worse when our attribution relies on secret evidence.
Whose job is it to defend Sony? If the attackers are a couple guys in the basement, it would be the police. If it were North Korea, then maybe the military. We need good defense without attribution. As a law enforcement officer, you ask "Who did it?" so you know who should respond. As a defender, you ask "How was it done?" so you can defend. Who is doing it doesn't matter to you. Attribution becomes a forensics problem, not an incident response problem.
In the NSA, there are two acronyms worth knowing: CNE (computer network exploitation) and CNA (computer network attack). These are separate things for the purposes of government, but technically these are identical until the last step:
rm *.* or
Nation-state actors (North Korea, China, USA), consumers of cyber weapons arms manufacturers (Hacking Team), cyber militias (Libya). How can we build resilience in our infrastructure?
What concerns me is that we'll all be in the blast radius. A lot of non-nation states are becoming victims of nation-state attacks.