As in my previous post (Sharing Our Way to Information Security), I’d like to describe a speech I heard at a recent InfoSec conference. This one, CyberSecurity as Realpolitik, was Dan Geer’s keynote address at the 2014 Black Hat USA on August 6 in Las Vegas.
Geer began his speech with some wistful thinking, noting that “every speaker, every writer, every practitioner in the field of cyber security who has wished that [this] topic, and us with it, were taken seriously has gotten their wish. Cybersecurity *is* being taken seriously, which, as you well know, is not the same as being taken usefully, coherently, or lastingly.”
In his own attempt at something useful, coherent, and lasting, he puts forward ten policy proposals on “pressing” cybersecurity topics:
- Enforce mandatory reporting of cybersecurity failures
- Dig deeper on net neutrality: It alone is not a panacea
- Enforce source code liability
- Allow limited strike back for attacks
- Create solutions for fallback and resiliency
- Revive the lost art of vulnerability finding
- Give people the right to be forgotten
- Vote no on internet voting
- Abandoned code should become open source code
- Take care with how the physical and digital worlds intersect
Geer is a brilliant thinker, and a discussion about any one of his proposals could fill a book. But in keeping with my current theme of data breach information sharing, I’d like to focus on Proposal #1, with a few words about #6.
As I mentioned in a previous post, “those of us involved in network security could take a lesson from the CDC.” In Proposal #1, Geer picks up this theme and proposes the CDC communicable disease reporting model as one for the InfoSec community to follow—at least for serious breaches.
“When you really get down to it,” Geer says, “three capabilities describe the CDC and why they are as effective as they are: (1) mandatory reporting of communicable diseases, (2) stored data and the data analytic skill to distinguish a statistical anomaly from an outbreak, and (3) a way [for] teams to take charge of, say, the appearance of Ebola in Miami.”
He then asks: would everyone support having to report cyber penetrations of your company, or of your house (remember, we live in an Internet of Things)? Who would you report them to? A branch of the government? A non- or quasi-governmental entity? Should you face criminal charges if you fail to make such a report?
These are all valid questions. But they may be a bit off the mark since, as Geer then says: “… the Verizon Data Breach Investigations Report found, and the Index of Cyber Security confirmed, that 70-80% of data breaches are discovered by unrelated third parties, not by the victim, meaning that the victim might never know if those who do the discovering were to keep quiet.”
On to Policy Proposal #6, where Geer observes that “For a good long while, you could do vulnerability finding as a hobby and get paid in bragging rights, but finding vulnerabilities got to be too hard to do as a hobby in your spare time—you needed to work it like a job and get paid like a job… the side effect is that once vulnerability finding became a job and stopped being a bragging-rights hobby, those finding the vulnerabilities stopped sharing.”
So where does that leave us if most breaches are discovered by “unrelated third parties”—many of whom may no longer have an incentive to share?
As Geer notes, every solution has a side effect, and “once coin-operated vulnerability finders won't share, the percentage of all attacks that are zero-day attacks must rise, and it has.” (A zero-day attack, as Wikipedia explains, “exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch.”)
Adam Shostack concluded in his BSidesLV opening remarks that it was up to security professionals to convince their companies to release details of a breach. If Geer is to be believed, we security professionals may also need to find ways to convince our own vulnerability hunters to share the goods as well.
NOTE: Geer’s speech makes for some fascinating reading. The full text of it can be found here.