By Joseph Menn
SAN FRANCISCO (Reuters) - Technology security professionals seeking wisdom from industry leaders in San Francisco this week saw more of the dark side than they had expected: a procession of CEO speakers whose companies have been hacked.
"It's pretty discouraging," said Gregory Roll, who came for advice and to consider buying security software for his employer, a large bank which he declined to name because he was not authorized to speak on its behalf. "It's a constant battle, and we're losing."
The annual RSA Conference, which draws to a close on Friday, brought a record crowd of more than 20,000 as Congress weighs new legislation aimed at better protecting U.S. companies from cyber attacks by spies, criminals and activists.
If the bills suggest that hackers are so far having their way with all manner of companies, the procession of speakers brought it home in a personal way.
The opening presentation by Art Coviello, executive chairman of conference sponsor and recent hacking victim RSA, set the tone with the Rolling Stones song "You Can't Always Get What You Want."
RSA, owned by data storage maker EMC Corp, is the largest provider of password-generating tokens used by government agencies, banks and others to authenticate employees or customers who log on away from the office. Not long after last year's RSA conference, the company said an email with a poisoned attachment had been opened by an employee.
That gave hackers access to the corporate network and they emerged with information about how RSA calculates the numbers displayed on SecurID tokens, which was in turn used in an attack on Lockheed Martin that the defense contractor said it foiled.
Coviello said he hoped his company's misfortune would help foster a sense of urgency in the face of formidable opponents, especially foreign governments, who are being aided by the blurring of personal and professional online activities. Some 70 percent of employees in one survey he cited admitted to subverting corporate rules in order to use social networks or smartphones or get access to other resources, making security that much harder.
"Our networks will be penetrated. People will still make mistakes," Coviello said. He argued that with better monitoring and analysis of traffic inside company networks, "we can manage risk to acceptable levels."
If that didn't inspire enough enthusiasm after the worst year for corporate security in history - including the rise of activist hacks by Anonymous, numerous breaches at Sony Corp, and attacks on Nasdaq software used by corporate boards - there was more to come.
Next onstage was James Bidzos, CEO of core Internet infrastructure company VeriSign, which disclosed in an October securities filing that it had lost unknown data to hackers in 2010. [ID:nL2E8D1DFB] He was followed by Enrique Salem, CEO of the largest security company, Symantec, which recently admitted that source code from 2006 version of its program for gaining remote access to desktop computers had been stolen and published. [ID:nL4E8D77TN]
FBI Director Robert Mueller spoke on Thursday, warning that he expected cyber threats to pass terrorism as the country's top threat.
Though all sounded an upbeat call to arms, some watching grumbled that vendors with little credibility were trying to use their own shortcomings to peddle more expensive and unproven technology.
"There's some panic" among the buyers, said a security official with ING Groep NV who asked not to be named because he was not authorized to speak to the press. Banks are very sensitive to questions about security breaches and often deny they have any significant problems in this area.
That panic contributed to vigorous panel discussions and hallway debates about who should be in charge of safeguarding defense companies, banks and utilities - private industry itself, the U.S. Department of Homeland Security or the National Security Agency, which has the greatest capability but a legacy of civil liberties issues.
A pending bill backed by Senate Majority Leader Harry Reid would put DHS in the lead, with assistance from NSA. Former NSA chief Michael Hayden said in an interview at the conference that should suffice.
"The Net is inherently insecure," Hayden said. "We need to quit admiring the problem and move out. No position could be worse than the one we're in now."
Coviello said one of the few pieces of good news was that the country as a whole is now realizing the gravity of the loss of its trade and government secrets, along with the difficulty of reversing the trend.
"People have definitely talked more seriously after our breach," he said in an interview. "Maybe a sense of realism has settled in."
(Reporting By Joseph Menn; Editing by Richard Chang)