LAS VEGAS -- Dan Geer, who made his name a decade ago by taking Microsoft's near monopoly on the desktop to task as an inherent security risk, today kicked off Black Hat 2014 in Las Vegas with a keynote address laying out several provocative suggestions for fundamentally changing the infosec approaches of both governments and the security industry.
Noting that computer security is now discussed at high levels of government, Geer, who serves as CISO of In-Q-Tel, a not-for-profit venture capital firm that supports the U.S. intelligence community, said that when those in the industry speak about cybersecurity policy, they are no longer engaging in a parlor game.
"Once a topic area like cybersecurity becomes interlaced with nearly every aspect of life for nearly everybody," Geer said, "the outcome differential between good policies and bad policies broadens and the ease of finding answers falls."
Geer's wide-ranging keynote included speculation on whether the government's ability to mount globally scaled surveillance operations would change the relative balance of power between the legislative and executive branches of the U.S. government. His belief was that advanced surveillance capabilities augment the power of the executive branch because, in his view, legislative control emanates from the ability to control budget allocation. If surveillance efforts are "too cheap to meter," legislators will be unable to control them.
An underlying concern in Geer's talk was the growing complexity of an Internet that is quickly increasing its attack surface -- especially every time some new element of the Internet of Things is added to the mix. The only solution to building systems that are more complex than can be administered, Geer said, is to take a bluntly pragmatic approach, "splattered with Realpolitik," and prepare to patch embedded systems regularly and to place bounds on complexity where possible.
Ultimately, Geer offered a series of proposed measures that would increase the security and privacy of the Web. Some probably didn't strike the audience as particularly controversial: He asked for more aggressive government-mandated requirements for reporting of cybersecurity failures, and he came down against the development of offensive security capabilities that allow organizations to attack their attackers.
Among his more controversial suggestions, Geer proposed that software vendors be forced to choose between making all their source code as well as development environment and library information available or accepting full liability for damages to users incurred "when it is used normally."
"For better or poorer, the only two products not covered by product liability are religion and software," Geer said. "And software should not escape for much longer."
Geer sought to offer an example of normal use in the form of a hypothetical salesperson from an enterprise's vendor delivering new product documentation on a USB key.
"You plug that into your computer and you copy the files. That's what used normally means, and it should never cause your computer to become part of a botnet, transmit your credit card number to Elbonia, or copy all your design documents to the vendor," Geer said. "If it does, your computer's operating system is defective."
Geer came down "after a good bit of waffling on the question" in favor of Europe's new right to be forgotten regulation, suggesting that, as envisioned by the European Union, it wasn't actually broad enough. He furthermore argued that "a unitary, unfakeable digital identity is no bargain and I don't want one. I want to choose whether to misrepresent myself. I may rarely use it, it is my right to do so. If that vanishes into the panopticon, then I have lost something and in my view gained next to nothing."
Perhaps the most provocative suggestion was that the U.S. should "corner the market in newly discovered vulnerabilities," referencing the robust underground market for zero-day vulnerabilities found by security researchers. The government, he said, should pay 10 times what anyone else pays and should make the vulnerabilities public after obtaining them as a way of neutralizing their effectiveness.
"I've long preferred to hire security people who were, more than anything else, sadder but wiser. They and only they know why most of what commercially succeeds, succeeds only so long as attackers don't give it their attention. And what commercially fails is not because it didn't work but because it wasn't easy or sexy or cheap enough."
This real-world experience, though, "comes only from people who have experienced private tragedies. No one has experienced failure at the scale we're talking about now. There are no people who are sadder but wiser about what happens when you connect everything to everything."
Geer made a point of saying that his discussion topics and recommendations weren't based on inside industry knowledge, a nod to his ties to the intelligence community. Rather, he argued, information that is widely available through open sources is increasingly nearly as good as an insider view.
"If the chief benefit of a [security] clearance is to be able to see into the future a little farther than those who don't have them, then it must follow that as the pace of change accelerates, the difference between how far you can see with a clearance versus how far you can see without one will shrink."