One of the most respected security officers in the world called today for a series of changes in the cybersecurity field that, if implemented, would dramatically reshape how the Internet is safeguarded and managed.
Appearing as the opening keynote speaker for the 18th annual Black Hat cybersecurity conference in Las Vegas, Dan Geer drew on his decades of computer security experience to outline a series of key changes he feels are necessary to protect the health of the Internet and the burgeoning global industry around it. “Cybersecurity is now a riveting concern,” said Geer. “Policy matters are now the most important matters.”
For Geer, who is currently the CISO for In-Q-Tel (the not-for-profit investment firm that supports the CIA), there is a lengthy list of policy issues in the world of the Internet that need urgent attention. Leading the list for Geer is mandatory reporting of cybersecurity breaches, an area of growing concern for which there is currently no uniform requirement.
Geer used the mandatory reporting of communicable diseases to the Centers for Disease Control and Prevention (CDC) as a prime example that should be emulated in the computer world as well. With malware attacks now global in scale, Geer asked the obvious question: “Shouldn’t cybersecurity event data be subject to mandatory reporting?”
Source code flaws and the lack of liability for their creators was another key concern for Geer. “The only two products not covered by liability are religion and software,” said Geer to much laughter and applause.
He acknowledged that software houses will not welcome any imposition of liability for their products, but he felt that the urgency of the problem outweighed their objections. “We’re trying to solve a dire security problem and unlimited time is not in our interest,” Geer warned.
Geer also weighed in on the recent controversy surrounding privacy on the Internet and the “right to be forgotten.” He supported the European Union court ruling that obliges search firms such as Google to honor removal requests, and felt that even that “doesn’t go far enough.”
He also dropped an interesting side remark that even the government intelligence community is struggling to protect the tools of their tradecraft against the tide of digital monitoring. “Crafting good cover is getting harder and harder,” admitted the chief security officer for the CIA's not-for-profit investment group.
Geer touched on several other areas of concern during his 45 minute address before the large annual gathering of computer hackers. These included Internet voting (“which I will dismiss for this audience”), not striking back against cyber criminals (“as much as I would like to do it myself”), and companies who abandon updates for older operating systems (“either you support it or you give it over to the public”).
He also expressed his opinion on the boiling issue of net neutrality and the “free pass” the FCC seems inclined to give Internet Service Providers (ISPs). “The value of the Internet is the bits it carries, not the carriers of those bits,” said Geer.
The longtime security analyst brought a historical perspective on the industry to a much younger audience, many of whom were half his age. Geer created the first information security consulting firm on Wall Street in 1992 and, in his concluding remarks, seemed to grow weary of the battle. “There is a lot of traffic we do not have a handle on,” said Geer, before declaring a growing interest in actually separating himself from the digital world. It is a choice few seem able to embrace for now, and he gave everyone plenty of weighty issues to ponder during this six-day event.