SAN DIEGO -- Dan Geer recalled listening to a bank presentation on the company's risk calculations, in which an executive expressed full faith in his figures. He knew they were accurate, the man said; there was no ambiguity about who "owned" each risk, and from that ownership the bank's priorities were determined.
"In our field, there's almost nothing but ambiguity about who owns what risk," Geer told an audience at last week's Usenix Security Symposium. Assigning risk ownership and determining risk values are paramount to the industry's future, he cautioned. "If we do not measure it, it simply will be assigned by legislative fiat."
The warning was part of a 90-minute challenge Geer, a luminary in information security, posed to scholars, engineers, students and practitioners as part of his talk, "Metrics, Economics and Shared Risk at the National Scale."
Geer said now is the time for the security community to create process- and goal-based metrics -- based on such variables as replacement costs, black market prices and patent losses -- to create greater awareness and investments in defending networks from intruders.
"The level of interest in what we do has never been stronger and is likely to continue increasing," he said. But such attention will also give rise to more charlatans "so it's important for those that know something to act and speak up."
As enterprises become more digitally interdependent, they're also more vulnerable to attacks because of the current low state of security -- a condition perpetuated by naivety and a lack of information sharing about threats and vulnerabilities. "In the Internet, there are no safe neighborhoods. Every sociopath is your next-door neighbor," said Geer, vice president and chief scientist with Waltham, Mass.-based Verdasys Inc.
Consumers' understanding of risk is dropping at a time when information asset values are increasing, he continued. That's changing the nature of the computing environment. "No one owns the risk -- yet," he said. "The average 'clue' is dropping, while the charlatan faction is rising."
He predicted security would become more about protecting data and less about the perimeter -- a common theme among security conference speakers this summer. The biggest public concerns, he suggested, should be successful attacks to critical entities like the Federal Aviation Administration, Domain Name System, Emergency Broadcast System and a cascade failure from interlocking networks dependent on an "always-on monoculture" rife with flaws.
This led to a familiar thread for Geer: risks associated with enterprises and nations that rely too heavily on one company's product line. Geer lost his job at network security firm @stake after helping pen a widely distributed paper about the dangers of a national dependency on Microsoft solutions.
"I submit a reason the Internet still works is because there's enough heterogeneity in the machine base, but not in the client base," he offered. Later, in discussing the dangers of one major vendor remaining tightly integrated in the vast majority of computer systems, he said, "I cannot talk about this problem without mentioning Microsoft, just as I cannot talk of solar power without mentioning the sun."
Security's greatest strength right now is the field's "hybrid vigor," Geer concluded. He urged people to push for more heterogeneity in computing environments and to remain vigilant in defending networks, even if a threat does not seem imminent.
"Absence of events," he warned, "is not a predictor."