With less than two months to go until AppSec DC is here, AppSec organizer and OWASP chapter lead and international committee member Rex Booth was nice enough to do an interview with us about all things AppSec.

In this interview, Rex tells us who should attend AppSec this year, why he got involved with AppSec in the first place, and why application security is one of the most important areas of the security field.

Why did you originally get involved in AppSec, and how have you seen AppSec grow since you first got involved?

Following undergrad, I immediately started working as a web application developer.  In college, I had a professor who had the foresight to emphasize the importance of security within applications, and I took it to heart – first as a developer and later as a consultant.  In the years since I started professionally, AppSec has matured and grown significantly to the point where the field is almost becoming crowded – which is a great thing – but we still haven’t fully penetrated the most important market: developers.

In your own words, what is the theme of AppSec this year, and which part of AppSec are you looking forward to the most?

From an OWASP perspective, I think the theme could easily be maturity; meaning that as an organization, we’re growing numerically, we’re growing in terms of recognition, and our products – our tools, documentation, and methodologies – have truly come into their own.  Personally, I’m looking forward to November 14th, the day after the conference, when I can look back and admire the completion of a successful event that brought together so many talented people under one roof.

For those that aren’t already familiar with AppSec, who should attend, and which tracks would you recommend for those that don’t have a technical background?

In an ideal world, everybody would attend, since application security is the responsibility of everybody from the end user, to the developer, to executive leadership. I think the ultimately unsatisfying answer is that it depends on your background and your role in your organization.  As a manager, I’d personally probably gravitate to the SDLC and Compliance tracks, but we’ve received so many quality presentations, I think each individual will have to make some tough decisions on what to attend.

On that note, this year’s AppSec will hold hands-on training before the conference; what kind of training will be offered, and how does it tie into the conference as a whole?

We’re fortunate to offer a wide variety of training from very qualified firms and individuals.  Our training selection will cover topics ranging from hands-on testing to threat modeling to secure development.  These trainings also include various technologies, so if you focus on Java or .Net or PHP, we have classes that focus on those technologies.  We made a concerted effort to provide training that reflects the diverse audience we expect at the conference; security professionals, developers, managers and everyone in-between – there’s truly something for everyone.

The goal of OWASP is to make application security more visible; why do you feel that application security is one of the most important areas of the security field?

Other facets of security have become something of a science over time.  Application security very much remains an art.  Accordingly, we as a community and as individual users aren’t able to apply a patch or deploy a device and call it a day.  We have to remain vigilant and continue to actively seek and develop advances in our field.  It’s not that application security is inherently more important than other aspects of security – it’s that application security is currently the weakest link in the chain and needs the most attention.

AppSec is still looking for volunteers; what kind of people are you looking for, and what kind of time commitment should they be able to give?

The most important characteristic we’re looking for in our volunteers is dedication and the ability to follow-through.  Even if you only have 10 hours to give, we likely have an opportunity for you to participate.

Lastly, if people walk away with only one thing from AppSec this year, what do you hope it is?

I hope that everyone who attends walks away feeling that they, as individuals, as professionals, and as members of our community, can make a difference in application security.

Rex’s Bio: Rex Booth is a Senior Manager with Grant Thornton’s Global Public Sector practice in Alexandria, VA.  He has over nine years of professional experience in application development and information security services for government agencies, private industry, and financial institutions.  During his tenure at previous employers, he designed and developed complex distributed web-based applications.  As a member of a managed security services team, he co-architected and implemented a scalable information detection and prevention information aggregation solution for use in a real-time 24/7 information security monitoring system, correlating and reporting on hundreds of devices.  Since joining Grant Thornton, Rex has managed and assisted with multiple information security and risk management engagements auditing IT system controls including FISMA, IV&V, SOX, and OMB A-123 engagements as well as identity management and system certification and accreditation efforts.  Rex has presented on the topic of information security and assessment methodologies to various institutions and is currently a chapter lead and international committee member for the Open Web Application Security Project (OWASP).

o o o o o

A special thanks to Rex, Doug Wilson, and Mark Bristow for agreeing to interview with us. Doug’s interview is already available, and Mark’s interview will be published soon, so keep an eye out!

With AppSec DC right around the corner, we were lucky enough to secure an interview with OWASP co-chair Doug Wilson. In addition to co-chairing OWASP (a formidable feat in itself) Dough is also an integral part of this year’s AppSec DC.

In this interview, Doug sheds light on what AppSec DC is all about, and why you should attend if you aren’t planning to already. Also be sure to check out the official AppSec DC wiki page to find out more about how you can attend or get involved in this year’s AppSec DC.

What can people expect from this year’s AppSec compared to previous years?

AppSec, like a lot of OWASP and Web App Sec in general, is still growing into full maturity. This year’s AppSec will be the biggest conference that OWASP has done to date, and probably the biggest Web Application Security conference in the world. Bigger is not always better, but I think that the size and scope this year have allowed us to get a real wealth of speakers and talent to take part in this event. The conference itself hasn’t been influenced by events in Washington, so much as current events influenced the choice by OWASP to have the event IN Washington itself. The OWASP board charged us with creating a quality conference, which they would have done regardless of location, but they especially targeted the DC Metropolitan area because of the many things that OWASP has to offer to the federal government, combined with the rapidly emerging importance of Web AppSec to the federal space at the same time.

Cyber Security is a big concern across the boards inside the beltway, but let’s face it — network security is a more mature field. There are more solutions and people ready to provide those solutions on that front, whereas the Web App Sec field is still somewhat immature in the federal space. Thus an organization such as OWASP that is developing practical tools and guides that can be used to build solutions for little or no cost in that space is invaluable to the government . . . if the government is aware that it is there, and how it can be utilized. We really hope that a lot of federal decision makers, at high and low levels, take advantage of the opportunity of having OWASP’s national gathering right in the middle of DC, so they can become acquainted with what we have to offer.

Is AppSec still looking for volunteers? If so, what do you need the most help with, and how should people go about getting involved?

AppSec is always looking for volunteers. OWASP is a non-profit, and aside from specific vendors hired to come in and fulfill some contracts (such as catering), almost none of the people working the conference from the OWASP side will be paid. We are doing it because we are passionate about what OWASP stands for, and because we want to pull off an excellent conference. We’ll need help to do that, and are looking for equally passionate people to help out.

What we mainly need is people to staff the days of the show: Obviously, this is a trade off, because if you are working the show, you will miss out on part or all of the content that attendees get to appreciate, but you will be helping the event happen, and without that, no one would get to see the content. All of the organizers and our “Arch Minions” as we have taken to calling them (lead volunteers) are willing to make that sacrifice. However, we will have many positions that need filling that can be staffed for part of the conference, and we invite people who want to help out, or who want to see only part of the conference on the cheap to sign up and help make this event happen. You’ll get the opportunity to see some of the talks, and work the rest of the event. We’ll need folks for registration, badge checking, speaker and trainer assistance, facilities liaisons, and much more. If you are interested, you can contact myself or one of the other organizers via our OWASP emails (fairly easy to dig up), or by emailing infoATappsecdcDOTorg.

Another thing we will always need more of are sponsors. Sponsorships are important to the depth of our conference. Without sponsors, we can still provide the fundamental conference, but sponsorship dollars help OWASP and help us put on a better conference, with more perks and benefits for the attendees, which make for a more enjoyable overall experience. So every additional sponsor we sign up will add to the quality of the experience for everyone attending. If you are interested in sponsoring, or know an organization that would be a good fit, please contact us.

While AppSec places a heavy focus on people who are already in the field, you also make AppSec open to students. What do you hope college students in particular will get out of AppSec, and how do you think it will influence them when they graduate and enter the field?

The biggest thing I think that anyone wants to get out of a conference like AppSec is to learn new things, and interact with other people who are knowledgeable in their field. I think that that is also a lot of what drives students in any discipline, and AppSec will provide an excellent learning environment to properly motivated individuals. My hope is that we will attract people who are developers and are curious about security, or people who are studying a standard IS/IT/IA track and want to learn more about application security. One of the most powerful people for making effective change in application security in any organization is a security conscious developer. Right now, that’s a rare animal, but someone who has development skills and security knowledge has the best of both worlds, and is in a very good position to look for great career opportunities, even in a “down market.” My hope is that we can take people who are aware of the concept of security, but haven’t really prioritized it, and make them re-evaluate how important it is, and eventually just include it in how they go about creating applications in the future. That’s the ultimate goal of Web App Sec, really — having a world where all developers are security conscious, and security is considered from the first inkling of putting a project together.

Recently, Mark Bristow (another organizer) and I gave a talk at the DC PHP Users Group on Web Application Security 101, and how the OWASP Top Ten applied to it. We got a fairly warm reception, and I felt good about it. But a week or so later, I was at a store near the University of Maryland College Park campus, and someone stopped me coming out the door. It was a person who had seen the talk at the DC PHP group — but was also a CS student at Maryland. He was really excited about the talk, and really wanted to know more, and to attend the conference. That made me feel much better than just “good” — that one bit of outreach had possibly taken someone who was going into the field of application development, and made them aware of something that could reshape their entire career for the better. We had made them start to prioritize security in what they did, and having them be excited about it on top of it. That’s awesome! I think that’s why we want to encourage students, and that’s what they can get out of it above and beyond what they learn at the training or talks.

In the press release for this year’s AppSec, you say “AppSec DC is a unique opportunity for federal decision makers and key technologists to become familiar with OWASP and the resources it has to offer.” AppSec has a heavy mix of both private and public sector speakers this year. Why do you feel it is especially timely for the private and public sectors to learn where each other is coming from?

One of the things about Web Application Security is that it’s a really big problem to try and solve. It affects everyone who uses the internet, and potentially even those who don’t. At a time where the government is trying to tackle the gigantic issues of protecting National Critical Infrastructure and securing IT resources across the government, the main access method to both control of infrastructure and information (i.e. the “Web”) is the most important thing to focus on. Only by working together and collaborating will we be able to make inroads on this massive problem, and both sides have resources that the other do not.

If we wait for the government to figure out all the expertise that has been developed in the private sector, or if we wait for the private sector to have the reach and impact of the government, we’re doomed. However, if the government reaches out to  the public and private companies and groups (such as OWASP) who are already focused in this area, it can be a winning situation all round. The government (and the citizens!) of many countries, not just the United States, can have more confidence in the stability of their infrastructure and their government resources, while the governments provide growth opportunities for companies and organizations that provide the expertise. I think that every day we do NOT have this sort of collaboration in place is one where we get further and further away from the constantly moving target of creating more secure web applications for all walks of life.

You also go on to say that, “OWASP’s mission and community align closely with the goals set forth by the US Chief Information Officer: transparency, engagement of staff, reduction of cost, and innovation in technology. OWASP can enable the government to attain these goals in the pursuit of securing critical technologies that depend on the web.” Which tracks at this year’s AppSec would you recommend for government employees who want to reach the goals you outlined?

It really depends on the employees role within the government. I like to feel that we have something for everyone. For those who are new to OWASP, and/or those who focus on high level decision making, we have several tracks that talk about some of our core ideas, as well as steps to apply security at a process or management level. Tracks such as the OWASP and the SDLC track on the first day, and the Process, Metrics, and Compliance track on the second day all have a wide variety of talks that will provide value to decision makers, managers, and development team leaders, or anyone who wants to get an overview of how you can apply good web application security practices to your organization’s current efforts. Conversely, we’re not letting our technical specialists down. The Tools track, the Web 2.0 track, the OWASP track, The Attack and Defend track, and pieces of all the other tracks will appeal to engineers who are developing or attacking applications and want to know what’s new and on the cutting edge. A large number of our speakers are experienced presenters, with previous talks at AppSec, Black Hat, Defcon, Shmoocon, and others under their belts.

Do you feel that some of the training courses offered on the 10th and 11th would be good for government employees who want to learn about application security more deeply, but might not have a technical background?

Again, it will depend on their role. We have good courses for technical and non-technical people who are interested in Web App Sec. For leaders and managers, we have the Threat Modeling Express course from Security Compass, and Leading the Development of Secure Applications from Aspect Security. Both of those courses are designed for non-technical decision makers, and both are being taught by experts from top companies in the field. If an attendee is interested in learning a bit more about the technical process, we have a variety of courses deal with “how to learn to test” in various arenas, such as the Samurai Web Testing Framework class from Inguardians, and the Applying the OWASP Testing Guide with the OWASP Live CD course taught by Matt Tesauro (creator and project lead on the Live CD). These courses will probably require a little more technical knowledge, but will teach some of the fundamentals of how to test a web application and walk users through some of the steps involved in the process.

And lastly, what would you say to those who are still sitting on the fence about attending AppSec?

I’d say that this is a great opportunity for everyone interested or affected by Web Application Security, but especially those located near Washington DC. DC has a huge population of people who are interested in security, and an even bigger population who should be and are affected daily by decisions that are made (or not made) regarding security. AppSecDC offers a very inexpensive, extremely valuable learning and networking opportunity which is unlike anything else ever offered in the District. If you are not from DC, it’s a chance to come and see the infosec climate in the Nation’s Capital, and interact with government employees and those who work with them, at the same time listening to and learning from some of the top minds in Web Application Security from around the world. This is the biggest OWASP event, and likely the biggest Web Application Security Event ever held. Considering the price tag (especially with OWASP membership discount and early bird registration discounts), it should be a very simple decision when you see the value that you will get for your investment.

As an additional incentive to out of towners, our location is right in the middle of downtown at the Walter E. Washington Convention Center, and our host hotel, the Grand Hyatt Washington has been nice enough to extend our convention rate through the weekend, so if you are coming in from out of town, you can stay the weekend and see the sites of the nation’s capital as well.

Doug’s Bio: Doug Wilson is a Senior Application Engineer with SAIC, where he supports government and private sector customers. He specializes in Information Security and Highly Available Web Architectures. Doug has been working in a variety of IT positions for the past ten years, and has always been “the security guy” regardless of what he’s been doing. Prior to joining SAIC, Doug worked as a contractor at the National Institutes of Health for almost six years. While at NIH, his main duties were developing progressive security and application hosting programs for a group that supports infrastructure at NIH for over 40,000 users. Prior to NIH, Doug had worked for several local web hosting companies.

When Doug is not working feverishly trying to get everything in order for AppSecDC, he is also a co-chair of the Washington DC Open Web Application Security Project (OWASP) chapter, and founder/organizer of the monthly CapSec DC happy hour. He also participates in the DC web design and development community, having presented on Web Application Security at Refresh DC, Barcamp DC, the DC PHP Users Group, George Washington University, and other events in the DC metro area.

o o o o o

A special thanks to Doug, Rex Booth, and Mark Bristow for agreeing to interview with us. Mark and Rex’s interviews will be published in the upcoming weeks, so keep an eye out for them!

You’ve all all seen our Conferencespage, right? After all, it’s one of the most comprehensive lists of infosec conferences in and around the NoVA, MD, and DC area, so it’s safe to assume that you’ve already referenced it and used it to attend a ton conferences.

We kid, we kid. The truth is, many people don’t know that in addition to a detailed list of infosec meetups, we also have a listing of infosec conferences that we update on a regular basis. We do this so you can plan ahead for conferences that you’d like to attend.

Like our NoVA Meetups page, we list the name of the conference and provide a link to its website or registration page. Unlike the NoVA Meetups page, we organize the conferences by the month they are estimated to take place in.

And we don’t just stop at conferences taking place in the NoVA, MD, or DC area; we also have a listing of what we call “Drivable from NoVA Infosec Conference Events”—conferences that aren’t in the immediate area, but can be driven to within a days time.

We also have a listing of national and international conferences for those of you who like to get out of the area every once in a while. These include favorites such as BlackHat (the one in Europe) and the RSA conference in San Francisco.

So if you’re looking for a good conference to attend, you now know where to look. Why not tell a friend about our Conferences page and plan to attend one together?

Don’t forget—you can also search @grecs #con during the week for any new or updated conference new.

There’s been quite a bit of buzz surrounding this year’s PrivacyCampDC, and it’s easy to see why. Described as “an unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy,” the goal of PrivacyCampDC is to “connect researchers, developers, practitioners, citizens and other enthusiasts for a day of intense collaboration and knowledge sharing.”

And lets be honest: the world ‘camp’ just sounds so much more interesting than ‘conference,’ doesn’t it?

We’re really excited to see how this event plays out, so if you end up attending, please drop us a line about how it went. Also be sure to check out the helpful information below.

• Who: PrivacyCampDC
• What: “[A]n unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy.”
• When: 06-20 – 06-20-2009
• Where: Center for American Progress Action Fund (1333 H Street, NW – Washington, DC 20005)

For more information on PrivacyCampDC, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the PrivacyCampDC registration page for more information.

o o o o o

If you attend this event, why not write about it for NovaInfosecPortal? Contact us if you’re interested.

Just a quick reminder that the Secure Americas Conference starts on June 4th—a week from today. See our original post for more information. View our Calendar for a complete list of infosec events in and around the NoVA area.

o o o o o

SANSFIRE 2009 is coming: Can you handle the heat?

Starting June 4th, the International Information Systems Security Certification Consortium, Inc., (ISC)² will be having its fifth annual Secure Americas information security conference in Arlington, Virginia. Bringing together notable speakers from both public and private sectors, the Secure Americas conference is known for addressing timely (and often controversial) topics relating to information security.

Featuring two tracks—one on government-related security issues and the other on the public/private partnership around security—Secure Americas conference attendees will have the opportunity to hear from respected speakers Shawn Henry, Tom Kellerman, Elizabeth Nichols, Marc Pearl, Tony Sager, Winn Schwartau, and Bob West.

According to the (ISC)² website, the government track will focus on “on security issues from the Federal level down to State and Local. It will also address topics “ranging from what web 2.0 means to govt. security professionals, to how a change of administration is affecting securing federal government agencies while we also focus on the importance of how government and law enforcement work internationally in the ongoing battles against terrorism, organized crime and corruption.”

The Professional Development/Management track will address “the continued struggle to protect the Nations critical infrastructure from finance to SCADA systems,” and will discuss “some of the realities in working with the ever increasing pool of defense contractors and what that means for security as well as discuss the ever increasing security compliance and regulatory environment.”

To learn more about this conference, continue reading below.

• Who: International Information Systems Security Certification Consortium, Inc., (ISC)²
• What: Secure Americas
  • Features two tracks: One on government security and the other of professional development/management.
• When: 06-04 – 06-05-2009
• Where: Embassy Suites Crystal City – National Airport (1300 Jefferson Davis Highway Arlington, VA 22202)

For more information on Secure Americas, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the (ISC)² website for more information.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

What beats a week of security training with your peers? Not much. That’s why SANSFIRE 2009 is an event that you should add to your calendar right now, before you get distracted by any other pesky summer plans.

Taking place in Baltimore this year, SANSFIRE will be held between June 13th and 22nd at the Hilton Baltimore. There are special rates available before slots fill up, so register now if you haven’t already.

And speaking of special rates… if you register by the end of today, May 6th, you get $350 off the regular price of the event. If you can’t quite swing registering today, the good news is that you’re also eligible to receive a $250 discount if you register before May 20th.

According to the SANSFIRE website, “[a]t SANSFIRE 2009 you will be provided with new information about new threats, and you can acquire the solid foundation in InfoSec that you need to stay on top of them.” There will be over 30 courses to choose from this year, with new courses alongside tried-and-true classics. You can check out the list below to get an idea of what’s being offered.

• Security 401: SANS Security Essentials Bootcamp Style
• Security 504: Hacker Techniques, Exploits & Incident Handling
• Security 560: Network Penetration Testing and Ethical Hacking
• Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam
• Security 503: Intrusion Detection In-Depth
• Security 508: Computer Forensics, Investigation, and Response
• Security 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
• Security 301: Intro to Information Security
• Audit 507: Auditing Networks, Perimeters & Systems
• Management 512: SANS Security Leadership Essentials for Managers with Knowledge Compression™
• Security 501: Advanced Security Essentials – Enterprise Defender – NEW

The courses also come with distinguished faculty, including: Stephen Northcutt, Johannes Ullrich, Dr. Eric Cole, Rob Lee, Lenny Zeltzer, Joshua Wright, John Strand, Chris Brenton, Kevin Johnson, Scott Moulton, Frank Kim, Jason Fossen, Eric Conrad, David Hoelzer, Stephen Sims, Michael Murr, Jonathan Ham, Bryce Galbraith, Fred Kerby, Mike Poor, and Jeff Frisk.

SANSFIRE even has options for those of us who learn better at night, with evening events focusing on the SANS web application honeynet. According to the SANS website, “[e]vening talks at SANSFIRE 2009 will provide extraordinary insights into actual attacks that have taken place over the past year. […] You’ll learn about current threats and how the SANS Internet Storm Center can help you in your fight against these threats.” Free to registered attendees, volunteer incident handlers will be present at these evening events.

• Who: SANS
• What: SANSFIRE 2009
• When: 06-13 -06-22-09
• Where: Hilton Baltimore (401 West Pratt Street, Baltimore, MD 21201)

For more information on SANSFIRE 2009, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. Register for SANSFIRE here.

###

In addition to registering for SANS events through NovaInfosecPortal, you can also help keep the site going by becoming a subscriber.

Have you registered for the SANS AppSec event yet?

If not, there’s still time left to purchase your registration. While the event starts tomorrow, April 29th, registration is still open. You can purchase your registration through our SANS section (just click on the SANS image to be taken to the official website), which won’t cost you anything extra, but will help us keep this site running strong.

Entitled “Application Security Workshop — What Works? What Products, Services and Configurations Work Best to Protect Applications From Common Atttacks?” this SANS training workshop gives attendees real information from real professionals in the field. The primary speakers for this event are Jeremiah Grossman of WhiteHat and Konrad Vessey of NSA, meaning that they’ll have information that you won’t be able to get anywhere else.

So if you’d like to learn about solutions that are more than just nice sounding theories, this is definitely a workshop you should attend.

• Who: SANS, with Jeremiah Grossman of WhiteHat and Konrad Vessey of NSA
• What: ”Application Security Workshop — What Works? What Products, Services and Configurations Work Best to Protect Applications From Common Atttacks?”
  • According to the SANS website, workshop attendees will “hear from actual users of multiple products – senior people from the federal government and from major financial organizations. They will tell you which products and services they implemented, what worked, what didn’t and the lessons they learned along the way. It is real-world, from-the-trenches information that you really cannot get any other way.”  
• When: 04-29, 8:30 AM - 6:30 PM EST
• Where: The Marriott Wardman Park (2660 Woodley Rd. NW Washington, D.C. 20008)

For more information on SANS, see its description in our Conferences section. View our Calendar for a complete list of infosec events in and around the NoVA area. To purchase registration for an upcoming SANS event, click here.

###

Speaking of SANS, Do you have your pass to SANSFIRE yet? If not, why not purchase it through NovaInfosecPortal? It doesn’t cost you anything extra, and it helps us keep the site going.

Just a quick reminder that the GovSec infosec conference event starts tomorrow. For more information about the GovSec conference, see its description in our Infosec Meetups section. You can view our Calendar for a list of similar infosec events in and around the NoVA area.

See our original post for more information about this conference. You can also view our interview with Paul Joyal to get insider details about GovSec and Paul’s security predictions for 2009.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

With GovSec right around the corner, we were lucky enough to secure an interview session with Paul Joyal—one of the key security moderators at GovSec, and one of the most respected professionals in the security field.

In our interview with Paul, he tells us why he chose to be involved with GovSec, and why 2009 could be one of the most notable years for security yet.

What is your role in GovSec this year?

This year I am organizing a luncheon presentation* with the National Security Advisor for the Government of Georgia to discuss the Cyber Warfare attack which occurred during the military invasion of Georgia by Russia in August last year.

I will moderate the session and provide an overview of Soviet and Russian doctrine on information warfare. This allows us to better understand how Information Warfare or Cyber Warfare fits into a military combined arms strategy. Also participating is Stephen Spoonamore, who will describe the nature of the cyber attack on the banking structure and how it produced a number of unintended consequences internationally.

*The Brave New World of the 5 Day War: Where Cyber and Military Combined. Guest Speaker is Eka Tkeshelashvili, the Secretary of the National Security Council of Georgia
 
What made you want to be involved with GovSec?

I have been involved in GovSec for a number of years. It has provided an excellent forum for bringing Federal, State, local Law Enforcement, and the security community together for relevant Homeland Security educational exchanges. It is also a terrific networking opportunity for those who attend the full conference.

In fact, 3 years ago I contacted a friend—Alexander Litvinenko—in London, inviting him to visit the United States for the first time and address the GovSec convention on his book, Blowing Up Russia. Shortly after committing to attend [GovSec], he was poisoned with Polonium and died. Unfortunately for me, my attempts to find a substitute speaker were thwarted by my being shot after appearing on NBC’s “DateLine” program on the Litvinenko poisoning and blaming the Russian government.

Last year […] I was able to invite and moderate Marina Litvinenko’s presentation at GovSec, which allowed her to present the talk her husband was thwarted from giving.

Along those lines, DC has many security conferences related to government security featuring high profile speakers. How do feel GovSec stands out from other conferences?

As I stated before, the fact that Alexander Litvinenko had committed to address Govsec, matched with the fact his wife did address GovSec, is an indication that this convention can hold its own with any convention of this nature. This year’s GovSec— with Louis Freeh and the National Security Advisor of the government of Georgia—simply underlines this point.
 
What does GovSec offer cyber security professionals specifically?

The luncheon I have organized is one example of a timely and unique window into the most dramatic cyber warfare case study available to the profession today. There will be new and dramatic information covered in this session. (To see an example of other sessions, click here).

What are your predictions for cyber security trends in the upcoming year?

We will find out that the government and the private sector have been “had” more than we ever realized. This will lead to more attention and commitment of resources.

Additionally, this year the United States is led by our first Web 2.0 President. He [Obama] has made it clear that technological improvements are needed for government to become more responsive and effective. Keeping with this imperative is his pledge to elevate Cyber Security as never before.

In her first week as Homeland Security Director, Janet Napolitano has ordered a review of the Cyber Security program. President Barack Obama wants $355 million for the Homeland Security Department’s cybersecurity efforts in fiscal 2010. The document states that the funds will be used to support DHS’ National Cybersecurity Division and the department’s role in the Comprehensive National Cybersecurity Initiative (CNCI). The money would be “targeted to make private- and public-sector cyber infrastructure more resilient and secure.” This is an important development because vulnerabilities in either sector can harm the other.

The Russian-Georgian war illustrates how governments can utilize private individuals and groups as deniable cut outs in cyber attacks. Determining “who is who” has become a much more difficult problem. In the case of the Cyber attack on Georgia, the role of the Russian Business Network (RBN) has been mentioned. RBN is an organized crime group with very sophisticated capabilities in hacking into banks and financial institutions. This should remind us that the connection of crime, intelligence, and foreign operations are at times indistinguishable. This complicates the threat environment.

And finally, why do you feel that cyber security is an important topic for security and non-security professionals to learn more about?

Cyber security will experience a greater growth in jobs and requirements in the next 2 years than any other sector of the security profession.

Paul’s Bio: A graduate of Catholic University with a Masters in International Relations, Paul M. Joyal is the managing director for NSI’s public safety practice and directs the law enforcement and public safety practice. Currently, Paul serves on the Prince Georges County Law Enforcement Task Force and Governor Martin O’Malley transition team for Public Safety. Paul also serves as the president of the State of Maryland Chapter of the FBI InfraGard and was recently selected as delegate for the State of Maryland at the annual national InfraGard conference. Paul has been recognized as one of the principal leadership awardees by the Respect for Law Alliance, having received the Golden Eagle Award, “Defender of Counterintelligence and Homeland Security” along with Attorney General Michael B. Mulkasey and NYPD Police Commissioner Raymond W. Kelly.

###

Special thanks to Paul and the GovSec Team for making this interview possible. For more information on GovSec, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the GovSec website for more information.