Improving Technical Security Privacy

Dan Geer Revisits 2014 BlackHat Recommendations: More Industry Recognition of the Problem, Much Left To Do

Computer security analyst and risk management specialist Dan Geer used his keynote at the Black Hat conference in 2014 to make 10 policy recommendations for increasing the state of cybersecurity. Among his suggestions: mandatory reporting of cybersecurity failures, product liability for Internet service providers and software companies, and off-the-grid alternative control mechanisms for increasingly Internet-reliant networks like utility grids and government databases.

I caught up with Geer for an update on his proposals, and his views on the current state of cybersecurity.

First, let’s talk about your policy recommendations for making the digital world safer. Have you seen any progress on any of these fronts?

Not in the concrete sense of here’s a law, or here’s a dollar or here’s a new organization, but in the sense there is broader recognition that we actually have to do something. This isn’t just a bunch of ninnies complaining. We have to do something.

The sensitivity to all of this is getting higher. I hope that doesn’t result in panic or doing something silly, which could happen. I hope instead that the reaction is more, “you’re right, we really have to do something substantial.”

Can you point to some examples of this broader recognition?

If you look at the topics that are discussed at meetings that are not academic meetings, more and more of them have a policy flavor, and only a small number still that “here’s a technological nicety that’s really cool.” Again, I take that as a marker in time, as a change in opinion, as to whether the threats are real or not.

Also, just as we thought that some banks were too big to fail, I think we have to think about things on the Internet that are too connected to fail. That idea is beginning to get a little play. For instance, there is a bill in the U.S. Senate, The Securing Energy Infrastructure Act (S.B. 3018), that argues that electric systems need to have, at least in part, analog not digital controls. Like a fire line or firebreak, where a failure can’t jump from this point to that. I think the very idea that a sitting senator would introduce something talking about the need for non-digital controls on the grounds of resilience is indicative of minds coming around.

You also call for mandatory reporting of security breaches. Is there any progress being made on that front and why do you think that is important?

It’s going to happen and I think it’s going to happen for public companies first. The Securities and Exchange Commission has been ramping up its rule-making in this area for a couple of years now. The issue goes to materiality and what do I have to tell my stockholders. Cyber failure has clearly become material. And things related to it that are secondary, like loss of trade secrets and customer data, have become material.

Most of your recommendations focus on organizations and companies. Where do consumers fit into this and the liability issues of cyber failures?

It’s getting harder for consumers to avoid being recruited into problems. There was a recent example of closed-circuit televisions that were recruited for a giant distributed denial of service attack. Consumers are not in a position to prevent what they own being used as a weapon against someone else. If my car is stolen and is used in a bank robbery, I probably won’t face and repercussions. If my handgun is stolen and used in a bank robbery, I might, especially if I left it on the front porch. Where is the line for computers? Probably closer to the automobile. But on the other hand, Internet service providers have to take some responsibility. If they want dumb clients then it’s their problem.

We have seen some big companies report massive breaches recently, albeit quite a while after the fact. Do you think more are stepping up on their own to announce security breaches, or are they only coming out when they are forced to?

According to Data Breach Investigations Report from Verizon, 80 percent of data breaches are discovered not by the victims but by someone else. That is important, and it hasn’t changed. If people don’t report cyber failures then you are encouraging silent failure – silent in the sense that you discover there has been a cyber invasion and you repair it but don’t tell anyone. I am sympathetic, but I’m afraid you’re going to have to tell. It’s like driving off the end of a bridge and not telling anyone. And silent failure is the problem we have more of than anything else. Silent failures often are gateways or stair steps to other failures.

So it is essential that we get a handle on this kind of thing. In the medical world, you have medial privacy unless you have a disease that is too important. If you show up with the plague, that’s a big deal. Sorry about your medical privacy, but we have to notify all sorts of people.

Some people may object to that, and they may have an argument of principle, but they don’t have an argument of logic.

That same logic should apply in cyber space. As the definition of a material event changes, like you lost all your client data or accidentally shipped something that had malware in it, those things all have to be reported.

I am not sure how to make that pleasing for all concerned. It’s one of those things that it’s a bad solution but I don’t have a better one.

You run the Index of Cyber Security which regularly polls those on the front line about the state of cybersecurity. What are some of the trends you are seeing?

A steady increase in risk more than anything else, but other things as well. Three years ago, we asked what fraction of the security tools that the respondents are using now would they install again if starting from scratch. Three years ago, they expressed buyer’s remorse for about a third. This year buyer’s remorse had grown to half. So, my reading between the lines is “I am buying one of everything and my unhappiness is growing.”

Another thing that I think is quite fascinating is that the size of data breaches seems to be on a curve known as power law, an interesting kind of curve that says in effect the biggest one you’ve ever seen to date will be eclipsed by a bigger one but bigger in a certain substantial kind of way. That is what is happening and while we are talking, just such a report (from Yahoo) has appeared.

To quote Nassim Taleb, “We are undergoing a switch between continuous low grade volatility to the process moving by jumps, with less and less variations outside of jumps.” Using a forest fire analogy, if there are no little forest fires, then eventually you will get a whopper. In the woods, that is due to a buildup of combustible timber. On the Internet, that is due to a buildup of unwarranted trust and dependence.

Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.