At Black Hat Conference, good guy hackers have a bleak view of US cybersecurity

An attendee checks the conference schedule on his phone as he waits for a keynote address during the Black Hat information security conference in Las Vegas, Nevada, July 26, 2017.
Steve Marcus | Reuters

In a dark conference room lit up by large electronic screens scattered across the walls, dozens of engineers are huddled over computers, trying to safeguard their network from hackers. The room is the Black Hat Network Operations Center at the Mandalay Bay Hotel in Las Vegas, where 15,000 cybersecurity professionals from companies like FireEye and RSA are gathered for the Black Hat Conference. The room is not for show; for most of the attendees, the threat of getting hacked is real.

"In security, there's a general belief we all have – it's not whether or not you will be breached or attacked, it's a matter of when," says Haiyan Song, senior vice president and general manager at Splunk, a cybersecurity company.

According to the Identity Theft Resource Center, the number of U.S. data breaches so far this year hit a half-year record of 791, which is 29 percent higher than at this time last year.

Amid those figures, experts seem to have a bleak view of the state of information security. A survey of the top leaders at the Black Hat conference found 60 percent believe a successful cyberattack on U.S. critical infrastructure will likely occur in the next two years. Examples of critical infrastructure include power grids, traffic signals, dams, or nuclear power plants.

Industry watchers say applying digital technology to operate critical infrastructure like utilities, energy, or telecom can be a cyber hazard.

"When you combine old tech with new tech, it almost always creates vulnerabilities," says Carson Sweet, co-founder and chief technology officer at cybersecurity startup CloudPassage.

The experts behind the study say part of the reason for the pessimism in the industry is that hackers are getting more potent.

"Cyberattacks are definitely increasing because they're becoming more effective," says Steve Wylie, general manager of Black Hat. "And I don't think that enterprises have the tools necessary to handle them."

Security pros are worried about governments getting involved in hacks. Seventy percent of those surveyed in the Black Hat poll also said recent examples of state-sponsored cyberattacks – from allegations of Russian election hacking to North Korea's possible involvement in the WannaCry attack – have eroded their confidence in the security of critical infrastructure. Only 26 percent believe the White House will have a positive impact on cybersecurity policy.

Michael Chertoff, the former Secretary of the Department of Homeland Security, says while the risks are great, he doesn't necessarily believe a significant hack on U.S. critical infrastructure is imminent. One way companies are fighting back, he says, is by elevating the top IT leaders to the C-suite, in the Chief Information Security Officer (CISO) position.

"I think as we've seen an elevation of some of these attacks, and serious impacts on businesses, there's an understandable desire from the board of directors and CEOs to have somebody who owns the responsibility of security," he says.

Still, some say companies need to go further, by doing more "hygiene" checks of their networks, and arming those CISOs with large enough teams to battle those digital predators.