Dan Geer, the chief information security officer for In-Q-Tel and the keynote speaker at this year’s Black Hat conference, is undoubtedly one of the smartest people in any room he walks in to. His presence at Black Hat was somewhat precarious given his position at a firm responsible for providing the C.I.A. and other U.S. intelligence agencies with information technology, but the opinions he shared in his speech were his own, something he was diligent to repeat.
The topic of the keynote speech was the abstract concept of national cybersecurity policy. Geer dismisses “cyber safety” and “cyber order” as unattainable goals, and advocates cybersecurity policy as the “the least worst thing.”
Geer’s speech was very much an exercise in critical thinking. What would cybersecurity policy look like, what should it address, and how might it affect the freedom and functionality of the Internet. Geer discussed 10 areas for potential cybersecurity policy.
- Mandatory reporting of security failures
Geer compares this concept to the way the CDC handles dangerous infectious diseases. If you go to the hospital and say your feeling ill you have the right to be treated privately, the moment the doctors suspect a serious disease such as Ebola things change, quarantine, the incident is reported to a central authority, information about the incident is shared, an investigation ensues, and there is probably media coverage.
Security failures should be reported in the same way. Geer suggests breaches beyond a certain threshold should be mandatorily reported, reporting breaches below the threshold are voluntary. In his speech he did not speculate on what the threshold for security failures should be. What he was clear about was there should be no silent failures.
This concept breeds new questions. Should failure to report a security failure then become a crime? Hacking a computer system is a felony, and failure to report a felony, which you have knowledge of, is a crime. By way of this logic failure to report an above threshold security failure should be a crime. But then again, in real life governance is not deeply based in logic, so…
- Net Neutrality
A hot button topic in the media, and in Geer’s s eyes the most important piece of potential cyber legislation. He purposes two types of net neutrality, internet providers must chose one or the other, they cannot pick and choose.
Either, ISPs should be allowed to charge different rates depending on traffic content but with a caveat. ISPs then become legally responsible for that traffic, making them culpable for harmful content.
OR, ISPs have no responsibility for the content they transmit but they cannot snoop on that content nor charge different amounts, all bytes are created equal.
I suspect the latter to be the more popular opinion among DDW readers. I myself find this to be the more appealing of the two (then again it would be fun to watch ISPs squirm in court, but I digress).
- Source code liability
Geer purposes we adopt an ancient principle for software developers; If a builder builds a house for someone, and through his shoddy craftsmanship the building collapses in on itself killing the inhabitants, the builder shall be put to death.
I suspect Geer is not purposing the death penalty for shoddy software developers, but the concept is to hold developers accountable for their products. If software you purchase is used correctly but unintentionally causes a system failure there should be penalties. The developer is responsible for any damage their software does if it is used “normally.”
Obviously software is not always used as it is intended, there are many of us who tinker and fiddle with things we purchase. As such Geer purposes a software license which allows users to disable parts of the software. By disabling any part of the software the user reduces the developer’s liability for any failure to, at most, a refund.
- Strike back
Many companies, and potentially individuals, who have been hacked have desired revenge. Some have acted, others have done the research to attribute the attack but failed to pull the trigger on an attack of their own. The vast majority of people are not capable of response, and revenge in concept only breeds further reaction.
Geer dismisses strike back and discourages recourse, though on a personal level he wishes he could retaliate.
Nothing lives forever, software should be no exception. Embedded systems should be required to have a remote management interface to be updated, or they should have a finite lifetime to prevent becoming outdated.
Swap over is preferable to swap out.
- Vulnerability finding
This I believe to be one of Geer’s most far-fetched ideas. Its a fantastic idea, but a fantasy. The U.S. government should corner the market on purchasing vulnerabilities, offer 10x whatever the highest bid for any vulnerability. Then, and here’s where it becomes fantasy, make the vulnerabilities public.
Truly, this would be the most appropriate way from a cybersecurity standpoint to handle vulnerabilities. Making all vulnerabilities public allows developers to patch holes they were previously unaware of.
Seeing as the U.S. government and its intelligence agencies are actively involved in cyber warfare this idea is likely to fall upon deaf wars with any one that matters regarding policy decisions.
- The right to be forgotten
“It should be possible to reinvent yourself, but this idea disappears with enough data,” Geer says.
Everything we do online is identifiable. Geer believes the only privacy in cyber space is through misrepresentation, and that is becoming increasingly difficult to do successfully. Geer states if he were to create a cover identity, at this point it would be far easier to “borrow” an identity of someone who fits his profile than create one from scratch.
People make mistakes, especially at a young age. In late 2013 California passed a bill to allow teenagers to “reset” their digital identity. Perhaps we adults should be afforded this same “erase button.”
- Internet voting
Speaking to a room full of security professionals and world-class hackers fully aware of the risks involved in all facets of the Internet, Geer skips chose to skip this topic.
In short, lol.
Abandon cars frequently find new owners, abandon bank accounts get taken over by the government. Software developers often abandon software after several years, users with this software no longer receive updates, but abandon software stays abandon.
Software developers should either continue to update their products indefinitely (unlikely), or once they abandon a product they should make the source code open source for others to maintain.
Meat-space (real life) and cyberspace are converging. Geer sees two possible futures, either the web becomes more like real life and develops borders, jurisdiction, and boundaries, or meat-space becomes less and less relevant and “akin to one-world technocratic government more or less follows.”
In Geer’s mind a “one-world technocratic government” threatens freedom and is the undesirable outcome. He worries meat-space becoming more like cyberspace will lead to the “balkanization and commercial efforts to artificially create information monopolies, while if the physical world goes toward digital space, then we have greater surveillance, the erosion of trust, much information leakage, and the reaction to that leakage.”
If Geer is correct and the best option for convergence would be to have cyberspace become more like meat-space, then “the net must be broken up into governable chunks.”
As the cyber world continues to grow in complexity Geer’s national cybersecurity policy concepts set out to introduce a level of logic and reason into cyberspace.
Many will protest regulating any thing surrounding the Internet in fear of a slippery slope. Developers would likely cry bloody murder if policy were to command Geer’s purposed level of software accountability.
Link to the full keynote transcript: http://geer.tinho.net/geer.
Whether any of these concepts are preferable to the state of the Internet as it is now is for you to decide for yourself.