By Gregory Hale
Security is often a reactionary business where professionals react to the latest attack or vulnerability, so it is rare when someone comes out with ideas to create an overarching secure environment.
Dan Geer did just that Wednesday at the Black Hat security conference in Las Vegas, NV.
“I am not keeping up with all that is going on. It is impossible,” Geer said. “Cyber security has spread into every aspect of our lives. Cyber security is a riveting concern. Every speaker, writer and practitioner in cyber security wants to be taken seriously. We have never been more at the forefront of policy – and we haven’t seen anything yet.”
Geer is a computer security analyst and risk management specialist, who raised awareness of critical computer and network security issues before everyone knew the risks. He also talks about the economics of security. He is also chief information security officer of the Central Intelligence Agency’s quasi-independent venture capital arm In-Q-Tel.
He also talked about when he started years ago when security professionals could be generalists. Not today.
There are three careers that beat users into the ground, he said, “farming, weather forecasting and cyber security. When younger people come up to me and ask about a career in cyber security I recommend specialization. Serial specialization is the only thing to do to get and stay ahead.”
He also talked about not taking things at face value. “Skepticism is what being a good security person is all about,” Geer said.
Geer offered ideas for security policies:
• Mandatory reporting. Would it make sense to have mandatory reporting for cyber security incidents? Forty-six states require reporting for one type of incident. If you discover a cyber security act do you ethically have to report the incident? Geer talked about the Center for Disease Control (CDC) when it comes to mandatory reporting. Under most medical rules, there is a right to privacy, but when a major potential disease breaks out, like Ebola, all bets are off. Above a threshold you should report, below the threshold, it should be voluntary reporting, much like the airlines report near misses.
• Net Neutrality. The question remains about if the Internet is an information service or a telecommunication service. Internet service providers can have one or the other: They can act as a common carrier or they can be a multi-carrier with responsibilities.
• Source code and reliability. There is no technical escape. Today the legal concept is product liability. “There are only two products not covered by product liability: Religion and software. Software will soon change. Today’s way of users not being protected cannot go on,” Geer said.
• Strike back. “I assume some of you have struck back at some point,” Geer said. There are ways to strike back; Microsoft and the FBI are working together to take down various entities, but that is expensive and for big companies and not feasible for most, he said.
• Resiliency. This area, Geer talked about the growth of embedded systems. “Embedded systems either need a remote management interface or they need a finite lifespan.”
• Vulnerability reporting. It used to be a side job to find vulnerabilities, Geer said. But technology has gotten to the point, where “finding vulnerabilities is a fulltime job.” Knowing that, when someone works to find a vulnerability, they are not volunteering to hand them over. They want to earn as much as they can. Geer suggested one way to solve that issue is for the government to get in the vulnerability purchasing business. “If the government pays 10x the best offer, we will corner the vulnerability market. Exploitable vulnerabilities are rare enough where we can corner the vulnerability market.”
• The right to be forgotten. “Everything we do is identifiable,” Geer said. “Your digital exhaust is identifiable. Crafting good cover is getting harder and harder. It is my right to misrepresent myself. Being forgotten is consistent to moving to a new town to start over, or to change your name.”
• Abandonment. Freshly abandoned software does not get any security updates. “Either you support it or it goes over to open source,” he said.
• Convergence. Yes, there is convergence of the physical world with the cyber world.
Technology is getting more complex, so with that, so is security. With that increased degree of complexity, Geer just said, “I will reduce my dependence on the digital world.”