LAS VEGAS – Dan Geer carried his version of computer security’s Ten Commandments to a rapt Black Hat 2014 audience today, offering up 10 personal recommendations and observations related to the current state of security in the context of government surveillance and eroding privacy.
Adorned in bifocals, Geer read his 60-minute essay to thousands in the audience, which was representative of an industry, he said, that has never been more at the forefront of policy decisions made at the highest level. Geer also stated the painfully obvious in pointing out the growing realization that offensive capabilities, whether in the form of the NSA’s cadre of surveillance tools or governments amassing zero-days at the expense of those unknown vulnerabilities ever being patched, are something that only the most well-resourced nations can afford to pursue.
“When we speak of cybersecurity policy, we are no longer engaging in a parlor game,” Geer said.
With regard to surveillance, Geer cautioned that the day may come when surveillance becomes too cheap to limit through budgetary processes, making it even more challenging to legislate.
“Ever cheapening surveillance changes the balance of power in favor of the executive and away from the legislature,” Geer said. “Things that need no appropriations exist outside the system of checks and balances.”
Geer’s 10 proposals, none of which he said were fully formed, turned the tables on software makers and Internet service providers, putting liability in their laps for faulty products or for allowing bad traffic to reach its destination. Geer also addressed the security of embedded systems, vulnerability hunters and brokers, and the right to be forgotten online, calling the European Union’s legislation mandating that this option be made available to citizens “appropriate and advantageous.”
Geer hit hardest at software vulnerabilities, calling for mandatory reporting of vulnerabilities, and not only for Internet-wide bugs such as Heartbleed. He advocates following a model developed by the U.S. Centers for Disease Control, where outbreaks above a certain threshold must be reported to the public at large.
“The Verizon Data Breach Investigations Report says that between 70 percent and 80 percent of breaches were discovered by unrelated third parties, not by the victim. The victim might never know if those who do the discovering were to keep quiet,” Geer said. He also pushed for a comparable reporting structure for less severe bugs, modeled on the aviation industry’s processes for reporting near-misses.
Geer also talked about the side effects of vulnerability finding, a practice he said was once a hobby but has now become a specialized job, rewarded by vendor bug bounties and by private and government exploit brokers who compete with the underground in paying for bugs.
“Once we made it too hard for [bug-hunters] to do as a hobby, we almost guarantee that those finding them won’t share them,” Geer said. “The percentage of attacks using zero-days has risen. And that is not surprising.”
Geer lobbied for the U.S. government to “corner the world market” on vulnerabilities and pay 10 times for any competing bid, and then make the vulnerabilities public.
“In effect, zero the inventory of cyberweapons,” Geer said.
Geer did not let vendors off the hook either, calling for a shift in product development that puts vendors in the liability crosshairs. “You’d better do it well, or be responsible if it goes poorly,” Geer said.
Geer proposed several options for vendors, including one in which products are delivered with buildable source code, leaving vendors liable only for a refund should things go poorly.
“Make it possible for users to inspect code and chop out bits of software they choose not to run,” Geer said. “Disable the parts the licensee does not want to trust, and the copyrights remain yours to control.”
Otherwise, he said, vendors should be liable for damages caused by vulnerabilities in software when it is used normally. The majority of today’s software, he said, would fall under this type of legislation.
“Either software houses deliver quality and back it up with liability, or allow users to help themselves,” Geer said. “Would this work? In the long run, yes. In the short run, I’m pretty certain there would be a lot of nasty surprises as open source code hits a wider area. Software houses will yell bloody murder when this type of legislation is introduced and will shout that this law means the end of computing as we know it. Well, yes please, that is exactly the idea.”
Geer hopes to apply a similar approach to ISPs, who he says can be allowed to charge what they want based on content, but would then be responsible for that content if it is hurtful. Otherwise, ISPs could abandon content inspection, support Net Neutrality, and enjoy common carrier protections at all times.
“Choose wisely,” Geer said. “ISPs should get one or the other, not both.”