The Swiss Cyber Storm 2019 Program – Part 1 of 2
Swiss Cyber Storm 2019 will run under the motto “Embracing the Hackers”. We have presented and explained this overall theme for our conference in a separate blog post in Spring. Now it is time to present you our lineup for our conference on October 15. This is the first of two blog posts about our speakers.
Dave Lewis aka Gattaca
Dave Lewis founded the Liquidmatrix Security Digest, he writes a column in Forbes and currently acts as a Global Advisory CISO for Duo and Cisco advocating security on a global scale. Dave serves as one of the directors of BSides Las Vegas (This is where the BSides movement started), so he has good ties with the hacker community. I’d say he has seen it all and he’s in a perfect position to introduce us all to the “Embracing the Hackers” motto with his keynote.
When we say Embracing the Hackers, this is because we want to improve the overall security of our services. The bug discovery process is one important aspect of this. It is well known that adopting a hacker mindset or collaborating with hackers can speed up the discovery of lethal bugs, but how can we really adopt these practices? After all, it’s a bit more difficult than changing your glasses. We have looked around to find somebody who examined this as we are convinced it is a core issue with security – and a core competence of hackers. And we found somebody at the University of Maryland who brings this knowledge: Entering Daniel Votipka who presents us his research in his talk “Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes”
Sarah Jamie Lewis
No hacker hit the Swiss news this year like Sarah Jamie Lewis. She and her peers ripped apart the software of the Swiss Post / Scytl E-Voting system when the source code was published in February. Working on a shoestring budget, she destroyed the claims in expensive and shiny reports by renown ETH professors and KPMG. When the Federal Chancellery forced Scytl to publish the source code of its online voting system, that was a novel move in Switzerland. Sarah Jamie Lewis promptly delivered the proof why this detail in the regulation was in fact a key element. If you follow Sarah on Twitter, you know that she is not shy when it comes to expressing her thoughts. We’re looking forward to her presentation “How not to secure your E-Voting system” that promises to go right at the heart of the problem.
Christian Killer / Melchior Limacher
While everybody is talking about E-Voting these days, we are easily forgetting that only 2% of the voters ever used the electronic channel in Switzerland at any given vote. Over 90% of voters vote by post mail. In an international setting, this number is staggering and global voting experts are getting the creeps by the mere thought of 90% of voters sending their votes in a letter. But our trust in Swiss Post is unbroken as is the trust in the local communities and their credibility when it comes to counting votes. After all, they are counting by hand, aren’t they? Christian Killer examined the highly digitized process around voting by mail and Melchior Limacher is looking at the security of some of the electronic systems involved; systems where regulation is almost completely absent.
One week before the national elections, their talk “Digital Exposure of Traditional Swiss Voting Channels” is a welcome description of a process that very few people really know.
When I first talked to Nicole Becher about cyber insurance two years ago, she explained how this market is in full motion and that we can not be quite sure where it is heading. And that the big case was missing; the case that would give guidance to all involved parties. So I decided to give it another year or two before we would look into that topic at Swiss Cyber Storm. But the missing case seems to have materialized now in the form of Zurich vs. Mondelez. This case is about the refusal of the American branch of Zurich Insurance to indemnify Mondelez (speak Toblerone!) when Petya shut down one of their German factories. Mondelez has an infrastructure insurance covering cyber security incidents of this level, but Zurich refuses to pay as the policy does not cover acts of war. Zurich states the malware was set free in the war of Russia against Ukraine and Zurich is not liable. “A Primer on Cyber Insurance and Insight Into Zurich vs. Mondelez” promises to be a very interesting talk.
So if Zurich says, that Petya was an act of war, what is war in cyber space? Who can decide if it is a war? The country that fell victim to an attack? An American court? Interestingly, there is no established norm that defines a war in the virtual world. Yet everybody is using the so called Tallinn Manual as a proxy to such a norm. And we thought who is in a better position to explain this all to us than somebody who worked on said document: Entering Liis Vihul from Cyber Law International, the managing editor of the 2017 edition of the Tallinn Manual. Her presentation “What Is Cyber War in International Law and Why Does It Matter?” will put a few things straight.
[There is a certain chance Liis will have to cancel her appearance at Swiss Cyber Storm on relative short notice.]
Penetration testing is well established in most large Swiss organizations and enterprises. The usual next step when embracing the hackers – a bug bounty program – is rarely taken though. And also Red Teaming, considered a more holistic extension of the pentesting concept, is mostly unknown despite being a ubiquitous topic at international conferences. However, there is an exception in our country: Credit Suisse has an official red team running under the direction of Peter Hladký. He will tell us about Red Teaming, how you can do it in Switzerland, what it means for his company, how it fits into the overall cyber security posture of a bank – and if we are lucky, he is allowed to present some real cases: “A Practical Approach to Red Teaming in Switzerland”.
Jaya Baloo is a charismatic speaker. Seven years the CISO of KPN (Koninklijke PTT Nederland), she sure has the background to give us her very personal view on the theme “Embracing the Hackers”. Even more so as the Netherlands really overhauled the complete cyber security setup after the issuing of fraudulent certificates by Dutch DigiNotar in 2011. This encompassed countless initiatives including a law that creates a legal safe harbor for hackers participating in bug bounty programs (a vital element that is missing in Switzerland). And Jaya picking up a new job as CISO of Avast in October 2019 does not change this a bit. It only makes us more grateful for he coming to present at Swiss Cyber Storm. Join us to listen to Jaya Baloo telling us her “Lessons From the Trenches”.
Christian Folini, Program Chair
[Disclosure: Christian Folini is consulting Swiss Post on its E-Voting system. He almost wet his pants at the thought of inviting Sarah Jamie Lewis. But then she really deserves an audience!]