Cybersecurity Today: Insights from BSides and RSAC
Release Date: May 3, 2025
Host: Jim Love
Guest: David Shipley
Introduction
In the May 3, 2025 episode of Cybersecurity Today, host Jim Love engages in an in-depth conversation with David Shipley, a seasoned cybersecurity correspondent. Shipley shares his firsthand experiences from two significant cybersecurity conferences: BSides and RSAC (formerly known as RSA). The discussion delves into the latest trends, threats, and strategies in cybersecurity, with a particular focus on the evolving role of Artificial Intelligence (AI) and its implications for both defenders and adversaries.
BSides Conference Highlights
Expanding the Cybersecurity Community
David Shipley begins by shedding light on BSides, a community-driven series of cybersecurity conferences that have been proliferating across various cities, including Fredericton, Halifax, and Regina. Unlike the more commercial and expansive RSAC, BSides offers a more grassroots approach, fostering skill development and providing a platform for emerging speakers.
"The volunteer sort of community-driven organization helps the industry really create these events in a box and for many speakers it's their first time..."
— David Shipley [04:21]
Notable Sessions and Emerging Threats
Among the many sessions at BSides, two talks stood out for their quality and content. The first was by the CEO and founder of the company behind TruffleHog, who presented on the "AI Apocalypse." Shipley commends the clarity of the presentation, especially its explanation of how large language models (LLMs) work by mapping words into a vector space, illustrated in three dimensions.
"He really did one of the clearest, cleanest explanations. And I've tried my best to follow some of this conversation on how large language models work..."
— David Shipley [04:21]
Shipley also references a pivotal research paper (detailed in the show notes) that uncovers vulnerabilities in AI guardrails within these models. The discussion highlights the ease with which adversaries can bypass these safeguards to create sophisticated malware, emphasizing that the "AI apocalypse" is a looming threat.
RSAC Conference Insights
Scale and Commercialism
Contrasting with BSides, RSAC is a massive commercial enterprise, attracting between 42,000 and 48,000 attendees. The conference's scale is evident in the extensive vendor presence, with nearly 400 exhibitors showcasing their cybersecurity products.
"Between 42 and 48,000 people descend on San Francisco for this conference... the trade show floor is incredibly loud."
— David Shipley [22:57]
Prevalence of AI Buzzwords
A pervasive theme at RSAC is the ubiquitous mention of "Agentic AI," a term that appears in nearly every vendor presentation (matched only by the ubiquity of Patagonia vests on the show floor). Shipley criticizes this trend, noting that many vendors are overselling AI capabilities that may not yet be fully realized.
"Agentic AI is the new independently operating AI... your Python script is not agentic AI."
— Jim Love [25:07]
"Everybody and their dog... Agentic AI in particular is built, in many cases, on large language models and generative AI again. They have the same hallucination problems."
— David Shipley [25:51]
Navigating the Vendor Landscape
Shipley shares his frustration with the vendor experience at RSAC, particularly the challenge of obtaining clear pricing information. This highlights a broader issue within the cybersecurity industry: the overwhelming number of solutions versus the finite budget available to organizations.
"The most frustrating experience of my entire life trying to get a straight answer of how much will this thing cost me?"
— David Shipley [25:55]
The Dual-Edged Sword of AI in Cybersecurity
AI as a Threat Enhancer
AI's integration into cybersecurity tools is a double-edged sword. While it offers enhanced capabilities for defenders, adversaries can also leverage AI to amplify their attacks. Shipley discusses how AI can streamline the creation of malware and the exploitation of vulnerabilities, noting that attacks are becoming both more scalable and more sophisticated.
"AI in general is the synthetic identity management... criminals are able to build really clever chains."
— David Shipley [35:39]
AI in Defensive Measures
On the defensive side, AI is being employed to develop countermeasures against deepfakes and other advanced threats. Shipley recounts a BSides demonstration where AI was used for live deepfake karaoke, illustrating both the creativity and the technical challenges involved.
"There are counter deepfake technologies emerging. So the arms race is fully on on deepfake video detection."
— David Shipley [18:55]
Security Implications of AI-Generated Code
The discussion also touches upon the security vulnerabilities inherent in AI-generated code. Shipley emphasizes the risks that follow from AI's probabilistic nature, such as generated code that pulls in insecure libraries or that is structured inefficiently.
"I'm more worried about the security of AI-generated code than I am about the accuracy of AI-generated code."
— Jim Love [38:26]
Human Aspects of Cybersecurity
Security Culture and Champions
A standout panel at RSAC featured Dr. Jessica Barker and Tanya Janca, who discussed the importance of fostering a positive security culture through security champions. By empowering developers to take proactive roles in security, organizations can move from constantly reacting to vulnerabilities and incidents toward building security in from the start, improving their overall security posture.
"By changing the culture of software coding from constantly reacting to vulnerabilities and incidents to proactively caring about security..."
— David Shipley [46:09]
Chris Krebs and Community Trust
Shipley also highlights a poignant session involving Chris Krebs, former director of CISA, who addressed issues of trust and integrity within the cybersecurity community. Krebs shared his experiences dealing with political vendettas and underscored the critical need for truth and transparency in maintaining public trust.
"What's happening to him isn't just about him. It's about trust. And that's a fundamental part of the cybersecurity community."
— David Shipley [42:46]
Alarming Trends in Cybercrime
Pig Butchering Scams
One of the most distressing topics covered is Operation Shamrock, spearheaded by Erin West, which targets "pig butchering" scams, elaborate romance and investment fraud schemes in which victims are groomed over time before being drained of their savings. Shipley recounts the harrowing details of the compounds behind these operations, including the trafficking of the people forced to run the scams and the extreme violence used against them.
"These complexes... have a group of trafficked individuals who were then in sexual enslavement... the depravity and the scale of this..."
— David Shipley [49:47]
Rising Financial Fraud
Recent reports indicate that cyber-enabled fraud accounts for a staggering $16.6 billion in losses, with pig butchering scams alone responsible for $5 to $6 billion. That figure is roughly six times the reported losses from ransomware, highlighting a shift in where cybercriminals are making their money.
"Of that, this pig butchering, romance fraud, financial grooming was 5 to 6 billion. This is six times larger than ransomware."
— David Shipley [49:47]
Gradual Erosion of Security
Jen Easterly, former director of CISA, warns of a "cyber boiled frog" scenario, where the steady rise of fraud and cyber threats goes unnoticed until it becomes overwhelming. This metaphor underscores the insidious and escalating nature of cybercrime in the digital age.
"What worries me more is the cyber boiled frog that we're seeing in this explosion of fraud and that we're being boiled alive and we don't realize it."
— David Shipley [49:47]
The Future of Cybersecurity
Consolidation and Market Saturation
With over 4,000 vendors listed in the latest security yearbook, the industry shows little sign of consolidation. The proliferation of solutions contributes to market saturation, making it challenging for organizations to navigate the market and invest effectively in cybersecurity measures.
"There are 4,000 vendors still listed in there and there were 400 of the most well-off vendors at this conference. This industry is nowhere close to consolidating."
— David Shipley [54:27]
Cost of Security
Shipley emphasizes the urgent need to quantify the cost of security, proposing the development of a "cybersecurity basket" analogous to the consumer price index. Understanding the financial implications is crucial for organizations to allocate resources effectively and prioritize security measures.
"We desperately need to build a sense for the cost of security... it's going to be an astounding number."
— David Shipley [54:42]
Conclusion
Jim Love and David Shipley's comprehensive discussion offers a window into the current state and future trajectory of cybersecurity. From the grassroots efforts of BSides to the sprawling vendor landscapes of RSAC, the conversation underscores the multifaceted challenges faced by the industry. The pervasive influence of AI, the rise of sophisticated cybercrimes, and the critical importance of fostering a robust security culture are central themes that resonate throughout the episode. As organizations navigate these complexities, the insights shared provide valuable guidance on securing their firms in an increasingly perilous digital landscape.
"Just because you can't do everything doesn't mean you shouldn't do anything. Clean up your active directory."
— Jim Love [54:40]
Stay tuned for upcoming episodes where Jim and David will delve deeper into these topics, featuring interviews with experts and further analysis of emerging cybersecurity trends.
