At Black Hat 2014, conference founder Jeff Moss reminded the audience that staying safe today requires us to simplify our approach to information security.
With the changes we've seen in digital information gathering and the number of security lapses that continue to grow, it's no longer enough to just focus on the big picture. Staying safe today requires us to make a plan, ensure that we're following best practices, and worry about the little things.
In this year's Black Hat convention keynote, Dan Geer brought a captivating message and stern reminder about the state of information security today and the role that those working in technology have as data curators and defenders of user privacy.
As Chief Information Security Officer for In-Q-Tel, Geer commands much respect from researchers and security executives alike and, when he speaks, the whole industry takes notice.
Geer outlined ten proposals in his wide-ranging speech, covering currently pressing subjects such as embedded systems security, government surveillance, the right to be forgotten, net neutrality, and the state of vulnerability research and disclosure; just to mention a few.
He warned that while these policy proposals were not yet completely formed what they lacked in detail was made up for in the range covered.
As fundamental requirement for future information security best practices, Geer called for mandatory reporting for all types of vulnerabilities—not only for those with Internet-wide implications (like Heartbleed), but for all organizations, both large and small. Geer wants mandatory reporting to follow the model of the US Centers for Disease Control, where details of outbreaks of diseases beyond a specific threshold must be released to the general public.
The CDC is not always concerned about health information or the individual patient, but the moment a risk is posed by a patient to the general public the hospital is legally bound to report the illness. Victims would be the beneficiaries if a similar approach could be used for security incidents and breaches, because they have been made aware. At the moment, victims end up never knowing because companies keep quiet.
During the press conference after his speech, Geer stated that most people are prepared to do mandatory reporting, providing that everyone else must as well. No one wants to feel that they alone are bearing the costs of increased reporting, or that they have been singled out.
Geer also said that software providers must take responsibility for any bugs in the code and for what occurs to clients while their products are being utilized under normal conditions. Alternatively they should allow users to see the source code and delete the portions they choose to not run.
Geer quoted the Code of Hammurabi: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death." Obviously he’s not supporting the death penalty, but his point is that vendors should be subjected to civil and criminal liabilities for not effectively securing their products.
Geer believes that software companies must deliver quality products and be able to back it up with liability, or they should permit users to help themselves. Basically, do it well, or take responsibility for any problems.
Geer is a strong proponent of adopting the same approach for Internet service providers regarding the question of net neutrality. He feels strongly that if ISPs are charging whatever they want based on content, then they should accept responsibility should that content be hurtful. Otherwise ISPs could get rid of content inspection and be supportive of net neutrality while still having the benefits of normal carrier protections.
Geer says that ISPs shouldn’t get both: they must choose carefully—one or the other.
It was suggested by Geer that the United States government control the zero-day vulnerability market by purchasing all vulnerabilities from the researchers, and then publicly disclosing them.
By doing it this way software makers can fix vulnerabilities when they become aware of them and security companies can work out effective methods to protect systems. By using the public disclosure method, it would remove the abilities for spy agencies, nation-states, and criminal hackers from weaponizing these vulnerabilities and using them against attack targets.
If the government were to become the buyer offering financial payments, then we can assume that searching for flaws would become profitable, without being destructive.
Geer noted that those people discovering vulnerabilities stopped sharing information once vulnerability-finding stopped being a hobby and became a job. It used to be that bug-hunting was great for bragging rights, where the information was quickly shared by the finder to stop someone else taking credit for it.
Regarding the right to be forgotten, as defined recently by the European Union’s legislation which mandated that individuals have the right to have their information deleted from search engine results, Geer believes it was advantageous and appropriate. During his press conference following the keynote, Geer noted that there’s something quite special about having the ability to re-invent ourselves.
Of his proposals discussed at this year's Black Hat Conference, Geer said they are just the first step.
It's expected that these suggestions for the future of information security will result in considerable push back. And as more of them are discussed and evaluated, even the experts may change their mind about the right approach. Geer reminds us that "when a strongly held belief is proven wrong, that the humble person changes their mind." He then followed that with the warning, "those who don’t play the game don’t make the rules."
Black Hat 2014 was a reminder that it's up to all of us to become more involved in the development of our industries, think considerably more about security implications, and take a more activate stance in support of safety, privacy, and the right we have to communicate online.