Las Vegas gets front-row seats to watch cybersecurity debate play out

By Karoun Demirjian

Wednesday, May 2, 2012 | 2 a.m.

Every summer, the hacker community’s best and brightest convene in Las Vegas to discuss the latest in security technology — and the best ways to circumvent it.

What keeps them in business year after year is a credo firmly rooted in reality: that it’s impossible to achieve full cybersecurity.

This year, Congress is determined to at least start proving that wrong.

The government’s motivation is fraught with urgency: The nation’s top defense officials and senior lawmakers believe that, in this day and age, there is no bigger national security threat to the United States than the cybervulnerabilities that come with the country’s data dependence.

The problem demands a solution, they argue — but at this juncture, it’s not clear their efforts will have the intended effect.

As wired as the world has become in 2012, this is the first time Congress has produced comprehensive legislation to address the practical considerations of protecting and policing systems.

Lawmakers know that with the sheer volume and flow of information, there’s no way government alone can implement a new era of nationwide security. But discussing what it can do has led to bitter political standoffs.

Republicans maintain that encouraging cooperative information-sharing between businesses and government agencies is the best way to close security gaps. Democrats say that approach is ineffective and they would rather tap the Homeland Security Department to establish national cybersecurity standards and insist firms disclose when they’ve been compromised.

Somewhere in the middle, legions of laypersons are complaining that there’s already too much information being mined to warrant increased government authority to police the web-waves.

But whatever lawmakers decide, there may be no better test for whether it will work than Las Vegas — and not just because of an annual convention.

• • •

Las Vegas is known to most of the world as the global capital of casino culture. But computer geeks say it’s also a mecca for hackers.

“We sit here in Las Vegas not because it’s a beautiful place. I’d rather be in Santa Cruz. I’d really like to see green sometime,” said Al Melquist, a bank hacker during the 1990s who said he worked for various federal government agencies under the terms of his prison release for nearly two decades before starting his own file-sharing company. “You’ve got the ex-agents who want to be James Bond. You’ve got the ones who are agents that are James Bonds. We sit here because everything that goes into the country and out of the country goes through Vegas.”

Melquist heads up the Las Vegas area’s regional Def Con outfit, which estimates that as many as three-quarters of the world’s top-class hackers call Las Vegas home.

The concentration of hackers doesn’t mean the Las Vegas Valley poses a greater threat to the nation’s cybersecurity like China — the No. 1 antagonist to the United States when it comes to fishing data and spying on systems. It’s simply a by-product of the region’s position on the grid that government agencies rely on to cull and circulate clandestine information.

In short, Las Vegas is a data crossroads — a place where secure information can be stored and rerouted to be processed.

“When you get a convergence point, that gives you access,” said William Binney, a National Security Agency whistleblower who has been sounding warnings about the methods and scope of the government’s data-collection practices. “If you have access, then you can put all the devices you want to collect it.”

Las Vegas’ position as a data crossroads is in some ways strategic. The region is less prone to the type of natural disasters that could upset or compromise the flow of secure information through cyberoptic cables than other ports.

The city also hosts two industries hugely dependent on encrypted data: casinos that use technology to regulate gaming operations and transfer the massive amounts of money that flow through them, and military and intelligence facilities in the Nevada desert that have to keep test drone flights and other operations secret from spying eyes.

Las Vegas has something else industry players deem more crucial: Switch.

Switch is a large, multicampus data storage facility housing thousands of servers belonging to companies such as Google, eBay and Zappos. Switch keeps their servers cooled, secured and connected to an intricate web of fiber-optic cables that provide swift and secure means of transmitting encrypted data.

But walk into the building and it’s clear this is no average data vault. Guards armed with military-grade assault rifles man the front desk; television screens piping in live-feeds of everything from global terrorist activity to regional weather patterns stand in for artwork on the wall. Those who dare enter the storage facility are frisked and sent through a holding chamber before they’re allowed in.

Switch’s most important clients are the agencies of the federal government that are now deep into the business of data collection and storage.

After Sept. 11, a battery of new laws changed the culture of surveillance in the United States.

The revelation of some of the newly sanctioned activities — wiretapping, the president’s surveillance program and the surveillance-related provisions of the Patriot Act — have sparked national privacy debates. Those programs have also produced a large treasure trove of information that needs to be stored.

And it’s a pile that keeps growing.

According to various reports, the government is planning a million-square-foot data collection center in Utah and another comparably sized one in San Antonio, Texas, to handle the projected need for data storage in coming years.

Switch is undergoing a similar expansion.

For several months now, the company has been expanding its storage capacities with a third, 300,000-square foot secure data facility in North Las Vegas. Switch officials did not respond to requests for an interview or divulge the details of how they intend to use the new facility.

But company officials have confirmed in the past that government agencies are among their most important clients.

The $400 million expansion, which ranks as the state’s largest construction project, has been a particular favorite of Nevada officials. Gov. Brian Sandoval never misses an opportunity to trumpet the company’s potential to create jobs in the short term and serve as the backbone for a new technology economy in the future.

The governor also seems aware that if more data comes to Las Vegas, there’s more reason for potential data miners to follow.

In March, Nevada became one of only a handful of states to receive federally sponsored cybersecurity training as part of a yearlong course conducted out of Reno and Las Vegas.

The program, which is run by the team from the University of Texas at San Antonio’s Center for Infrastructure Assurance and Security, trains state and local government leaders, business leaders and community organizations how to safeguard their own data and avoid becoming a weak link that would-be hackers or even terrorists could exploit to work their way into bigger government targets.

It’s a program CIAS staff hope to export to the whole country. But so far, Nevada is only the fifth state to be chosen for such training.

“We have never had this kind of high-level attention before,” CIAS associate director Larry Thompson said, explaining that Sandoval had made it mandatory that his cabinet attend the sessions and had dispatched the state’s chief information officer to coordinate training meetings with city councils and county commissioners.

“It’s undeniable, the significance Nevada has to the nation when it comes to the transmission and storage of information,” Thompson said. “The governor is rightfully focused on the fact that if there’s some big things happening in Nevada, Nevadans and leadership have to concentrate on maintaining the security of that infrastructure — for the quality of life of the citizens, too.”

But that doesn’t mean Nevada is actually ready to combat the problems in its midst. The state is only on the bottom rung of the five-step program to become cyber-secure: recognition of the potential problem.

“You’ve got to start somewhere,” Thompson said, adding that of all the states that have gone through CIAS’s DHS-sponsored training, only one — Delaware — has made it past the primary level of training exercises in the first year. “You’ve gotta start with the basics first.”

• • •

Members of Nevada’s delegation are saying the same thing about the bills they’re backing in D.C. to address cybersecurity.

“Our approach has been to take it in small step-like fashion,” said Rep. Joe Heck, who sits on the House intelligence committee and is backing the Cyber Intelligence Sharing and Protection Act (CISPA) the House Republicans’ favored legislation.

Heck said Southern Nevada “could be a potential target from an economic standpoint or a political one” thanks to the mix of government facilities and financial interests in the region — which, he acknowledges, the House bill does nothing to protect.

“Eventually, we will have to start investing and protecting the infrastructure with hardware, software, but first we’ve got to know we have real-time access on a two-way basis as to what the threats are,” Heck said. “Before you can be truly secure, you have to know what the threat is.”

Sen. Harry Reid thinks the bill he’s backing in the Senate can do more off the bat.

“Cyberattacks ... could cripple anything from our military defense to critical infrastructure such as power grids and emergency response systems,” Reid said in February. “This bill will give our national security community the tools they need to protect us from such threats.”

But those in the industry are far less bullish about their expectations — for any piece of legislation.

"It's a farce. All they're doing is saying 'we have to figure out who might attack us from anywhere,'" Binney said. "They're not focusing on solving the problem."

"What I hope will come out of (the debate) is more attention," Thompson said. "The unfortunate thing is that a lot of people chasing money will see this happening too."

But even as the nation's cyberindustry proliferates — and its cybersecurity systems improve — the cyberscene in Las Vegas may remain much the same.

"What does a hacker want to do? A hacker wants to get a couple million bucks and then he wants to be a playboy," Melquist said. "So Vegas is perfect."

Conor Shine contributed to this report.