An increasingly complex and Internet-enabled network of systems creates dependencies on remote resources that are the root cause of most security risks, according to a security industry luminary, who warned that "connecting everything with everything" creates a house of cards weakening the integrity of critical systems.
"The more we put on the Internet, the broader and more immitigable security surprises can become," said In-Q-Tel Chief Information Security Officer Dan Geer in front of a group of nearly 5,000 penetration testers, incident handlers and other security professionals Wednesday in Las Vegas at the 2014 Black Hat Briefings. "Bounding dependence is the only way out. If you don't bound dependence, we invite common mode failure."
Dependencies are rapidly reducing system integrity and resiliency, said Geer. As a matter of policy, everything that is officially categorized as critical infrastructure must conclusively show how it can operate in the absence of the Internet, Geer said.
In-Q-Tel is a non-profit technology investment firm that aims to get the private sector to develop capabilities that support the intelligence community.
The biggest financial firms say their dependencies are not manageable, Geer said, referring to Wall Street's biggest trade group, the Securities Industry and Financial Markets Association, which proposed a public-private cyberwar council last month to thwart terrorist attacks and ensure the resiliency of the U.S. financial markets. The financial industry says it can no longer protect itself from nation-states, global terrorist actors and others intent on bringing it down, he said.
"There are no people who are sad but wiser about what happens when you connect everything with everything," Geer said. "Until such people are available I will busy myself with reducing my dependence on and thus my risk exposure to the digital world even though that will be mistaken for being curmudgeonly nostalgic. Call that a misrepresentation if you like."
Geer said the security industry can no longer advocate for more layers of costly security controls to address cybercrime. Organizations protecting critical resources must reduce dependencies and maintain manual processes and system redundancy to lower the risk of catastrophic failure, he said. New security platforms are not necessarily the answer, he said.
"Most of what commercially succeeds, succeeds only so long as attackers don't give it their attention and what commercially fails is not because it didn't work. It's because it wasn't easy or sexy or cheap enough," Geer said.