Buy All the Cybersecurity Vulnerabilities: Black Hat Keynote
Black Hat keynote speaker Dan Geer has some radical ideas to reshape modern security, including a suggestion that the United States purchase security vulnerabilities and make them public.
LAS VEGAS: Dan Geer, a well known and respected digital security expert and the CISO of In-Q-Tel, had a unique opportunity this year, as he was the only keynote speaker at the Black Hat USA conference. In his address, Geer outlined a number of disparate steps and initiatives he sees as necessary to help improve cybersecurity, pointing out that cybersecurity "is now a riveting concern."
Cybersecurity has become incredibly complex, he said. "If area is the product of height and width, then the footprint of cybersecurity has exceeded the grasp of any one of us."
That said, he offered up some tangible ideas on how cybersecurity can be improved, taken from lessons and operations used in the non-virtual world.
Buy All Vulnerabilities. Geer offered the audacious suggestion that the U.S. should corner the world's vulnerability market by buying all security vulnerabilities and paying 10 times more than anyone else would.
"Then we make them public and reduce to zero the inventory of cyber weapons that others have," Geer said. "I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference."
Mandatory Reporting. Geer noted that the U.S. Center for Disease Control (CDC) is effective because it has mandatory reporting of communicable diseases. While hospitals have privacy rules for handling data, if you check in with a communicable disease like the bubonic plague, there is no privacy. In that case, reporting falls under CDC rules and public health law.
"Would it make sense for the Internet to have a mandatory regime for cybersecurity failures?" Geer asked.
Source Code and Liability. Geer said that in the physical world there is liability for products that fail. He suggested that software should have some form of liability, as there is for other products. "The only two products not covered by liability are software and religion," he said.
Resiliency. Geer noted that resiliency steps need to be in place, particularly for embedded devices. He suggested that embedded devices need to have remote interfaces for updates, or they need to have a finite lifetime. "If software lives long enough, it will be taken over," he said.
Right to be Forgotten. Geer noted that everything we do is identifiable, and the right to be forgotten is consistent with the idea of a person moving to a new town to start over.
Opening up Abandonware. If an individual abandons a car on the road, it is impounded. If a bank account is abandoned, the bank assumes control.
"If I abandon a storage locker, it ends up on reality TV," Geer said. "Windows XP, however, gets no updates and it has been abandoned."
He suggested that if a product is abandoned it should be made open source, so others can pick it up -- just as abandoned physical items are repossessed in the physical world. "So either you support or you give it over to the public," he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.