Las Vegas -- The Black Hat 2016 conference keynote was a call to action in both the public and private sectors to focus on ways to make dealing with cyberthreats faster and more efficient.
Dan Kaminsky, security researcher, co-founder and chief scientist of White Ops, began by saying it is important not to underestimate speed when it comes to making security decisions.
"Speed has totally changed, what was once months has become minutes. Everything has changed," Kaminsky said. "What you can build, what gets broken and how long we have to learn and adapt from our experiences, those cycles have gotten so fast. And our need to make things secure and functional and effective has just exploded."
Kaminsky described a number of different things, from large projects to small moments in development, that can impact security.
"People think that it's a zero sum game, that if you're going to get security everyone else has to suffer. Well, if we want to get security, let's make life better for everybody else. Let's go ahead and give people environments that are easy to work with," Kaminsky said. "Think in terms of milliseconds. Think in terms of the lines that you're impacting, the time that you're taking, the difficulty in making something scale out not just for your own use but for the use of the world. This is the game to play."
Kaminsky dug deep into the history of the internet and the gritty details of code to identify ways to improve speed, but two themes came back time and again in his talk.
First, Kaminsky said information sharing is a critical way to improve security in the short term. He said managers have all had the experience of assigning engineers to fix a security issue "that has probably been fixed a thousand times, so maybe we should start actually releasing the code that we're doing … If you actually want your coworkers to solve a problem not repeatedly, it might be cheaper and [more] cost effective for you to just give it to the world."
"Bugs are not random. Fixes are not random either. We're not taking all of the lessons we have to deal with and actually dealing with them," Kaminsky said. He noted talking to a group of bankers who shared code and fixes with each other. "He said, 'Yeah, we don't compete on security. If one of us gets hit, we're all going down so we should probably share our information.'"
For longer term projects, Kaminsky said we needed to see more work from the public sector.
"I believe in all projects in terms of timelines," Kaminsky said in a press conference following his keynote. "How long is it going to take to do this? Some things are just going to take three years of effort and the longer the timeline, the less it's something that private sector is good at and the more it's something the public sector is good at. How do I get a hundred nerds working on a project for ten years and not getting interrupted and not getting harassed and not getting told to do different things? The way you don't make it happen is how we're doing it in infosec today, which is the spare time of a small number of highly paid consultants. We can do better than that."
Kaminsky said he wants something like the National Institutes of Health (NIH) for cyber -- a public works organization to take on long-term research projects with stable funding.
"I want an organization dedicated to the extended study of infosec, that can fund and implement the hard and sometimes really boring work that fixing all these problems is going to take," Kaminsky said.
One example of such an effort was the work done by the Software Assurance Metrics And Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST), which Kaminsky described as "the greatest scut work" he's ever seen.
"They went ahead and they collected variants of every single vulnerability in C and Java, and there's like thousands, and they went ahead and made it so you can compile them into one program," Kaminsky said, and he described the value of such a body of work for all of the companies working on static analysis tools. "That stuff may exist in the bowels of Microsoft or Oracle or many other companies, but it was NIST that got it out the door."
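To make concrete what a corpus like the one Kaminsky describes looks like, here is an added illustration in C. It is not SAMATE or NIST code: the bad/good pairing, the function names, the result codes and the single-binary registry are this example's own conventions, and only the CWE identifier (CWE-190, integer overflow or wraparound) is taken from the real CWE list. Each case ships a "bad" variant containing the flaw and a "good" variant with the fix, plus ground truth, so a static analysis tool's findings can be scored against what is actually there.

```c
/*
 * Added example (not SAMATE/NIST code): a minimal static-analysis
 * benchmark case in the bad/good style. Layout and names are assumptions
 * made for this illustration; CWE-190 is the real CWE identifier.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Uniform result shape so a harness can score every case the same way. */
struct case_outcome {
    int status;          /* 0 = accepted input, 1 = rejected input, -1 = unknown case */
    unsigned int value;  /* computed result (meaningful when status == 0) */
};

/* CWE-190 bad variant: increments an externally supplied counter with no
 * range check. Unsigned arithmetic wraps (well-defined in C), so UINT_MAX
 * silently becomes 0. An analyzer evaluated on this suite should flag this line. */
static struct case_outcome cwe190_bad(unsigned int data) {
    struct case_outcome r = { 0, data + 1 };   /* FLAW: possible wraparound */
    return r;
}

/* CWE-190 good variant: the same operation guarded by the check the bad
 * variant omits. A tool reporting this line would be producing a false positive. */
static struct case_outcome cwe190_good(unsigned int data) {
    struct case_outcome r = { 1, 0 };
    if (data == UINT_MAX)                       /* FIX: refuse inputs that would wrap */
        return r;
    r.status = 0;
    r.value = data + 1;
    return r;
}

/* Registry: the whole suite compiles into one program and a case is selected
 * by name. The contains_flaw field is the ground truth used for scoring. */
struct test_case {
    const char *name;
    struct case_outcome (*fn)(unsigned int);
    int contains_flaw;
};

static const struct test_case SUITE[] = {
    { "CWE190_bad",  cwe190_bad,  1 },
    { "CWE190_good", cwe190_good, 0 },
};

#define SUITE_LEN (sizeof SUITE / sizeof SUITE[0])

/* Run one case by name with the given input; status -1 if the name is unknown. */
struct case_outcome run_case(const char *name, unsigned int data) {
    for (size_t i = 0; i < SUITE_LEN; i++) {
        if (strcmp(SUITE[i].name, name) == 0)
            return SUITE[i].fn(data);
    }
    struct case_outcome unknown = { -1, 0 };
    return unknown;
}

/* Ground-truth lookup for scoring a tool's report: 1 flawed, 0 clean, -1 unknown. */
int case_has_flaw(const char *name) {
    for (size_t i = 0; i < SUITE_LEN; i++) {
        if (strcmp(SUITE[i].name, name) == 0)
            return SUITE[i].contains_flaw;
    }
    return -1;
}

int main(void) {
    /* Drive every case with the boundary input that triggers the flaw. */
    for (size_t i = 0; i < SUITE_LEN; i++) {
        struct case_outcome r = run_case(SUITE[i].name, UINT_MAX);
        printf("%-12s status=%d value=%u ground_truth_flaw=%d\n",
               SUITE[i].name, r.status, r.value, SUITE[i].contains_flaw);
    }
    return 0;
}
```

The point of the single registry is the one Kaminsky makes: once thousands of such pairs live in one program, every tool vendor can run against the same ground truth and compare true positives and false positives line by line, rather than each rebuilding the corpus in private.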
No matter the aim, short-term or long, Kaminsky stressed the value in sharing information and being open with knowledge.
"Experts and users have different things in mind for their technology. I don't mind if you just want to work on your own stuff," Kaminsky said. "But the real magic comes when you take the expertise that you've got in security and you translate it and you rebuild it and you reform it. Don't be afraid to take the knowledge you have and make it accessible to vastly more people."