20th New York State Cyber Security Conference

12th Annual Symposium on Information Assurance (ASIA)

June 7 - 8, 2017

Empire State Plaza - Albany, NY

Keynote - Day One

"Asymmetric Cyberwarfare: The Business Case for Insecurity"

The sinking of the Titanic. The 1996 Chicago Bulls. The terror attacks on 9/11.

All of these historic milestones had one thing in common: the opposing elements were unequal, unique and misunderstood. Today, on the front lines of cyberwarfare we are experiencing the same recurring conditions - unequal forces have met to compete in a very new and very miscalculated contest.

History is repeating itself - or is it?

Cybersecurity experts worldwide argue that the time, money and energy we've spent on cybersecurity hasn't paid off, and it never will. They claim that despite skyrocketing budgets, advances in technology and growing cybersecurity investments, private and public entities in America are no more secure than they were decades ago. They argue that the odds are against us and that the best we can hope for is survival.

The truth is, we've just begun to fight.

And we're about to bring the big guns out. Our successes in cybersecurity, fleeting as they may feel at times, are significant and telling. We've got some secret weapons to deploy and this time the machines are on our side. And Mother Nature has a few things up her sleeve that will inevitably result in the demise of our adversaries. The next round is surely ours.

Reg Harnish is an entrepreneur, speaker, author and the CEO for GreyCastle Security, a leading cybersecurity consulting firm headquartered in Troy, NY.

Reg has been practicing security for nearly two decades, specializing in security solutions for healthcare, higher education, critical infrastructure and other industries. Reg's security expertise ranges from risk management and incident response to regulatory compliance and awareness. Reg brings a thought-provoking perspective to the industry and strives to promote awareness, security "thinking" and practical application of security fundamentals.

As the CEO for GreyCastle Security, Reg is responsible for defining and executing the company's vision. Reg has led the organization to four consecutive years of triple-digit growth while establishing GreyCastle Security as a highly-respected thought leader. GreyCastle Security is currently working with organizations in nearly every state in the United States, including Fortune 5000 and Global 100 organizations.

Reg attended Rensselaer Polytechnic Institute, and has achieved numerous security and industry certifications, including CISSP, CISM, CISA and ITIL. Reg has achieved various physical security certifications, including firearms instruction and personal protection. Reg is a graduate of the FBI Citizens Academy.

Reg is a fellow of the National Cybersecurity Institute, a cybersecurity educational institution located in Washington, DC. Reg serves on numerous security association boards and is currently an advisor to several educational institutions focused on cybersecurity.

Reg is a nationally-recognized speaker and has presented at countless industry events, including BSides, ISSA, ISC2, ISACA, ASIS, DHS and InfraGard. In 2017, Reg was named cybersecurity consultant of the year for all of North America by the Cybersecurity Excellence Awards. Reg's successes have been featured in leading industry journals, including Software Magazine, ComputerWorld and InfoWorld. Reg is a contributor to numerous security publications and has co-authored several books on cybersecurity awareness.


Featured Speaker - Day One

"Embedding Security for a Better Tomorrow"

12:15 - 1:00pm

The demographics of the Internet are rapidly changing and soon enough (if it hasn't already happened) there will be more consumer- and SOHO-marketed embedded devices online than traditional computing resources such as desktops and servers. Unfortunately, many vendors targeting consumers and small businesses have largely ignored security concerns throughout the product life-cycle. As a result, mass quantities of exposed, vulnerable embedded devices like network security cameras/recorders, routers, and home automation controllers are online and now pose a serious threat to critical Internet infrastructure.

This presentation will walk through some of the more interesting security flaws that Craig and others have found when analyzing embedded devices and what it has been like working with product teams to get issues resolved. This talk will also review a few real-world security events, including devastating attacks in 2016, that Craig believes will foreshadow the future of the Internet if the current trend of insecurity is left unchecked. After setting the stage of impending doom, Craig will then steer the discussion toward thoughts on what different groups of people such as policy makers, law enforcement agencies, consumers, security professionals, and product vendors can and should be doing to thwart these problems.

Craig Young, Principal Security Researcher, Tripwire VERT

Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways.


Keynote - Day Two

"Explaining Cyber Insecurity as Defense Adaptation"

9:00 - 9:45am

Why do even the most developed nations remain so dreadfully exposed to physically destructive attacks on strategic homeland targets by foreign states? Answering this question is vital to international relations theory, as well as national security practice. Throughout history, national security systems have had to adapt to changes, both in peacetime and during war, to defend each sovereign society from foreign threats and survive. Cybersecurity was literally born decades ago within Western defense and intelligence circles, and has been relentlessly developed ever since. Ministries of Defense and armed forces embrace cyber intelligence, cyber defense and cyber offense to improve their traditional capabilities, but neither defense system performs the core function: protecting the society. Destructive direct cyber-attacks on strategic non-military homeland targets by foreign adversaries render core defense competencies obsolete. Lior will discuss an analytical framework to explain and mitigate cyber insecurity.

Lior Tabansky is the Head of Cyber Projects Research and Development at Tel Aviv University's Blavatnik Interdisciplinary Cyber Research Center (TAU ICRC). Lior's 2017 doctoral dissertation "Explaining National Cyber Insecurity: A New Strategic Defense Adaptation Analytical Framework" explains why even the most developed nations remain so exposed to destructive cyberattacks on strategic homeland targets by foreign states. It includes a comparative analysis of critical infrastructure protection and national strategy in Singapore, Israel and the United States. Lior holds a Master of Arts in Security Studies from Tel Aviv University; his thesis "The Role of Advanced Technology in Israel's Struggle Against Palestinian Terrorism, 2000 to 2005" earned critical acclaim and ignited public debate.

Lior's book Cybersecurity in Israel, co-authored with Professor Isaac Ben-Israel, is the first comprehensive "insider" account of decades of Israeli policy and operations, enabling an original analysis of the roles grand strategy and innovation play in cybersecurity. Lior offers a uniquely strategic cybersecurity grasp, facilitated by his Political Science & Security Studies expertise (PhD 2017), cyber strategy formulation for corporations and governments, and IT-pro career spanning 15 years.

Plenary - Day Two

"International and Cross-National Threats and Legal Responses in Cybersecurity"

9:45 - 10:30am

Cyber attacks have become an all too frequent threat to economic well-being. In the recent past, political and foreign policy motivations and consequences have been ascribed to a number of what are now infamous incidents. There are a number of examples, but this talk will highlight three:

  • Russia's hacking of the U.S. 2016 Presidential elections, according to US intelligence, was a long-term effort to gather and reveal information so compromising or embarrassing as to impact the U.S. elections, as well as those in Europe.

  • North Korea's cyber attacks on its neighbor to the south as well as the U.S., designed, it appears, to extract information in some cases, exert pressure in others, and simply achieve financial gain in some.

  • The theft of NSA's Eternal Blue exploit of a Microsoft is yet a different case - a cyber tool developed for foreign policy reasons, but rendering many computers, including those of our allies, vulnerable once stolen.

The question raised by this variety of examples is what have nations done to address these threats, and what legal, policy or political measures are effective short of a cyber attack back.

The talk will review a series of national legal responses by Russia, China and the U.S., analyzing them to understand if these responses are truly cyber defenses, or rather protectionist or repressive measures. Finally, the talk reviews the 2001 Convention on Cybercrime of the Council of Europe, known as the Budapest Convention. This treaty lists a set of crimes that signatory states must transpose into their own law, criminalizes activities such as hacking, and establishes rules for international law enforcement intervention. The Convention, signed by many, does not include key countries such as Russia, China and India due to claims of extraterritoriality. Russia has for years attempted to induce other countries to support it in drafting a new treaty. The talk explores the impact of the current policy responses, the likelihood of future responses, and the need for more action given our ever-growing reliance on the Internet.

Elana Broitman is the director of New America NYC. She has served as the deputy assistant secretary in the Office of Manufacturing & Industrial Base Policy in the Department of Defense and as a senior advisor to Sen. Kirsten Gillibrand (D-N.Y.), having spent time in a technology company, with prior service as counsel to the House International Relations Committee. Broitman brings philanthropic experience, having worked as senior vice president at UJA-Federation. Broitman's work has focused on cybersecurity, national security, human rights, and refugee issues. She is a graduate of Trinity University and the University of Texas School of Law and speaks both Russian and German.