LAS VEGAS – There is no guarantee that the internet will succeed. And if we aren’t careful we can really screw it up. It has happened before and we can do it again.
The warning comes from technologist Dan Kaminsky who says there is a need to treat the internet similarly to the way the National Institutes of Health is devoted to medical research. Kaminsky, who was delivering the keynote to over 6,000 Black Hat USA 2016 attendees, said problems that need to be addressed within the security community are political, technical and how the security community collaborates.
“The internet is important. It is the greatest driver of economic energy since the industrial revolution and we could lose it,” Kaminsky said. He cited statistics from the National Telecommunications and Information Administration showing that over 50 percent of Americans are backing away from the internet because of security and privacy issues.
“The internet doesn’t have the equivalent of ‘the guy’ that’s working on cancer. We need institutions and systems. We need to have something like NIH for cyber. It needs to have good and stable funding,” Kaminsky said. Research, problem solving and solutions, he said, are too often conducted in fiefdoms that seldom share the collective results needed to fix the big security issues of the day. “I’m worried. I’m worried about our ability to innovate and our ability to create, and I’m worried that we are not building the sort of infrastructure to make the internet a safe place.”
By taking an NIH-type approach, Kaminsky argued, the internet would gain a large number of deeply committed security experts working independently, away from the commercial interests that push the security sector toward quick fixes for big security problems. “We need to make changes and we need to have studies about the way we program and the method that people use to build secure things,” he said.
“So what I’m looking to answer is – forget the layers of abstraction and the politics – how do we get 100 nerds working on a project for 10 years without interrupting them or harassing them and telling them to do different things. How do you make that happen? How you don’t make that happen is how we are doing that in InfoSec today – and that’s with the spare time of a small number of highly paid consultants. We can do better than that,” he said.
Kaminsky doesn’t see the NIH approach as a panacea for all that ails the security world. In fact, in his talk he described a delicate balancing act in which the security community derives the benefits of broader administration without being hamstrung by potential politics. Control, greed and companies driven by profits, he argued, killed the internet of the 1990s. AOL, he said, tried to create a walled garden, control everything and make billions. But that internet failed, he told attendees.
“There are two models of an internet. There is the walled garden and freedom. The walled garden is, ‘okay, here is your environment and go ahead and try to use it.’ The other model is that people can put stuff up and other people can use and abuse it. People don’t need to ask for permission; they don’t need to beg. Maybe it works and maybe it doesn’t.”
He warned that, just as AOL’s walled garden threatened a free internet in the 1990s, government control over encryption could have the same stifling effect on innovation and cyber liberties. “Let’s stop the encryption debate. This is actually useless. It’s driving all the energy away from what we need to fix,” he said.
Topping Kaminsky’s fix-it list was devising better ways for the security community to collectively move the security ball forward rather than treating security solutions as individual races to win. “Let’s take our obscure knowledge and real expertise and make it available to the rest of the security community,” he said. “By sharing knowledge and solutions, it allows us to find flaws quicker and fix them even faster.”