In a eclectic keynote delivered to the Black Hat conference audience, Dan Geer, CISO at In-Q-Tel, made known his thoughts on and ideas about a number of things: from Internet voting to vulnerability finding, from net neutrality to the right to be forgotten.
In-Q-Tel is a not-for-profit corporation that invests in tech companies with the goal of keeping US intelligence agencies equipped with the latest information technologies, but in this instance, Geer put forward his own views.
He believes that voting over the Internet is a generally very bad idea (“Motivated & expert opponents are very nearly undefendable against.”) and that abandoned code bases should be open sourced as a matter of public interest.
He explained that net neutrality should be a matter of choice for ISPs: choose charging based on the content, but be responsible for it even if its “hurtful”; or enjoy carrier protections, but then forfeit the right to inspect the contents and charge more.
He used the example of the United States Centers for Disease Control to argue the likely benefits of a mandatory reporting regime for cybersecurity failures estimated to have surpassed a specific severity threshold; and said that software developers and vendors should be held legally responsible for “sloppy coding, insufficient testing, cost cutting, incomplete documentation, or just plain incompetence,” and for whatever damage their software causes when it is used as it’s intended to be used.
“Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves. The current situation — users can’t see whether they need to protect themselves and have no recourse to being unprotected — cannot go on,” he noted.
He pointed out why he believes that striking back at cyber attackers is difficult to do right (shared infrastructure, attribution problem), and that the “right to be forgotten” and the right to choose whether you will use your real identity for your digital one or not (and on which occasion) is something that he wants for himself and for others.
He finally proposed that the US Government openly corner the world vulnerability market by paying for the information ten times more that other bidders, and make all of them public.
“This strategy’s usefulness comes from two side effects: one, that by overpaying we enlarge the talent pool of vulnerability finders, and two, that by making public every single vulnerability the US government buys we devalue them,” he pointed out. “We don’t need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world’s vulns and have shared that with all the affected software suppliers.”
His proposals are unconventional, and most of them – if not all – will likely never be realized (and maybe they shouldn’t be), but he definitely managed to stimulate the audience and, hopefully, start discussions that will bring about better solutions to the cyber problems we now face.
The transcript of the keynote is well worth reading, and it can be downloaded here.