CPS 2019: NSA Security Expert Points to People as the Main Problem

UNIVERSAL CITY, Calif. — Dr. Eric Haseltine, chairman of the board for the U.S. Technology Leadership Council, was once head of research and development for Walt Disney Imagineering, before leaving to become director of research at the National Security Agency (NSA).

At both he got lessons about cybersecurity, but, boy, not the same ones.

“Imagine all you know about baseball is the Little League World Series, and then you go to a Major League Baseball game,” he laughed Dec. 4, during his keynote presentation “How to Achieve World Class Security (Hint: It Isn’t Technology)” at the Content Protection Summit.

Having lived in both the content and government worlds of digital security, he said Hollywood could learn a lot not only from how the U.S. government tackles cyber threats, but also from how competing nations like Russia go about protecting their assets and attacking others’.

“If I haven’t hurt your brain this morning, I’ll have failed,” he warned the audience. He said most content companies go about developing their security techniques completely wrong, relying far too much on technology, and largely ignoring the human dimension of security. No data system, no matter how new, will ever be perfect, and human behavior presents by far the biggest security risk, he said.

Haseltine pointed to how Russia defends against cyberattacks — and is successful more often than not, despite spending $1 for every $13 spent by the U.S. government on cybersecurity — because it doesn’t focus on technology, instead looking at human faults and the risks that come with the blind spots in human perception of threats and risks.

“They are an extremely hard target,” he said. “They reward risk-taking.” He noted that the Russian military appoints majors to immediately shut down government operations and agencies the moment a potential cyberthreat is discovered. “Their priority is to protect the motherland, not somebody’s ego. That’s courage,” Haseltine said.

That’s an attitude content companies should adopt. “You have to have the courage to push back against the lawyers, push back against the suits,” he said. “The single biggest vulnerability you have is the executive who says things like ‘Make do with what you have.’”

And everyone in the Hollywood ecosystem needs to have a better focus on the human problem with security, he added. “You don’t need to have a malicious employee, you just need one who’s unmotivated or lazy,” he said. “You have to constantly make people realize they are at war, all of the time.”

The Content Protection Summit was produced by MESA and CDSA, and was presented by SHIFT, with sponsorship by IBM Security, NAGRA, Convergent Risks, LiveTiles, Richey May Technology Solutions, EIDR, the Trusted Partner Network (TPN) and Darktrace.