Cybersecurity as Realpolitik by Dan Geer
At a time when cybersecurity has become a top concern for the senior leadership of companies, Dan Geer delivered a thought-provoking keynote at the Black Hat 2014 conference in which he argued that “policy matters are now the most important matters”. He also spoke about the role of government in internet technology and offered suggestions for the future.
Geer advocated for improving the industry's efforts through policy, in a series of concrete steps. In particular, he argued for mandatory reporting, pointing to the CDC (Centers for Disease Control and Prevention), where the practice is an effective and fundamental strategy. Geer claimed that mandatory reporting and disclosure of security threats could significantly change the industry's detection and response efforts, much as the CDC contains public health risks: the CDC does not care about an individual patient or his associated health information, but if an illness poses a risk to a large subset of the population, the hospital is legally required to report it so that everyone is made aware of it. Geer suggested mandatory reporting not just for vulnerabilities like Heartbleed, which had internet-wide implications, but for all sorts of security incidents and breaches.
Although several states have now enacted data breach notification laws, Geer proposed that policy should demand the disclosure of security incidents above a severity threshold, going beyond what those laws currently require. He also advocated for a policy that would make companies liable for the integrity of their software. Geer noted that organizations making widely used software often “do it well”, but where they are guilty of bad coding or other poor development practices adopted to cut costs, the organization should be held responsible for the damage the software causes. As the alternative to accepting that liability, Geer described vendors shipping their products with the source code and a licence that lets software users “chop out” the pieces of commercial software they don't trust.
Geer also said he would like to see a similar approach applied to ISPs in order to settle the question of net neutrality. For instance, if ISPs can charge what they want according to the content, then they must also accept responsibility for the damage that content brings; otherwise an ISP would forgo content inspection, support net neutrality and enjoy common carrier protections.
Geer proposed that the US government buy all the zero-day vulnerabilities on the market and make them publicly available. This would make software developers aware of all the vulnerabilities so they can fix them, let security companies work on defences, and prevent nation-states from weaponizing them. “Once vulnerability finding became a job and not a hobby, those finding vulnerabilities stopped sharing”; if the government bought the vulnerabilities, as Geer suggested, then vulnerability hunting would remain profitable without being destructive.
Geer also advised people entering the field of cybersecurity to focus on a specialization within security. Longstanding security practitioners have gained an overarching comprehension of the threat landscape over the years, but as threats and issues have expanded and grown so significantly, “no person starting from scratch can do that now”.
Geer also meditated on the role of government in a world where the internet has become a critical instrument of power rather than a hobby. He also questioned whether we are heading towards a future where cyberspace mimics “meatspace” or the other way around.
Geer kept some of his proposals short (internet voting is a bad idea) and made some of them broad-reaching (issues of liability). I also agree with him that we should make abandoned software like Windows XP open source. He also made some statements that surprised me, including his belief that the European Union's right-to-be-forgotten law is a good thing and doesn't go far enough.
The most striking statement was his conclusion: in summing up, Geer concluded that the only way to protect his rights and himself is by limiting his exposure to the internet. It's a remarkable yet challenging statement considering the venue and the source.
In a nutshell, Dan Geer laid out a challenging and ambitious plan to make the internet secure and to define privacy in the digital age. Although I believe the ideas he proposed would make the digital world much safer, I find some of the proposals practically challenging to implement. For instance, take the statement that the US government should buy all the zero-day vulnerabilities: I don't personally think the government would be willing to fund buying out zero-day vulnerabilities from people all over the world. I personally think software liability is very challenging to implement, since some software is produced by governments and I don't think they will take responsibility for damage that occurs through misuse by a third party. On the other hand, I think some of his ideas, like open-sourcing abandoned software and mandatory reporting, are great and can be implemented with effort, and will factor into making the digital world secure. Lastly, as a cybersecurity student I was surprised by his statement about going offline. In an era where technology has reached every nook and corner of society, how could a person possibly live without the influence of technology or the internet? Although I agree that going offline can protect him and his rights, I personally believe that it's easier said than done.
Reference: “Black Hat 2014 Keynote: What Infosec Needs To Do”. Infosecurity Magazine, 2019, https://www.infosecurity-magazine.com/news/black-hat-2014-keynote-what/.