Internet Security Luminary Calls For Reducing Digital Dependence
An increasingly complex and Internet-enabled network of systems creates dependencies on remote resources that are the root cause of most security risks, according to a security industry luminary, who warned that "connecting everything with everything" creates a house of cards weakening the integrity of critical systems.
"The more we put on the Internet, the broader and more immitigable security surprises can become," said In-Q-Tel Chief Information Security Officer Dan Geer in front of a group of nearly 5,000 penetration testers, incident handlers and other security professionals Wednesday in Las Vegas at the 2014 Black Hat Briefings. "Bounding dependence is the only way out. If you don't bound dependence, we invite common mode failure."
Dependencies are rapidly reducing system integrity and resiliency, said Geer. As a matter of policy, everything that is officially categorized as critical infrastructure must conclusively show how it can operate in the absence of the Internet, Geer said.
In-Q-Tel is a non-profit technology investment arm that aims at getting the private sector to develop capabilities that support the intelligence community.
The biggest financial firms say their dependencies are not manageable, Geer said, referring to Wall Street's biggest trade group, the Securities Industry and Financial Markets Association, which proposed a public-private cyberwar council last month to thwart terrorist attacks and ensure the resiliency of the U.S. financial markets. The financial industry says it can no longer protect itself from states, global terrorist actors and others aiming to bring it down, he said.
"There are no people who are sad but wiser about what happens when you connect everything with everything," Geer said. "Until such people are available I will busy myself with reducing my dependence on and thus my risk exposure to the digital world even though that will be mistaken for being curmudgeonly nostalgic. Call that a misrepresentation if you like."
Geer said the security industry can no longer advocate for more layers of costly security controls to address cybercrime. Organizations protecting critical resources must reduce dependencies, maintain manual processes and system redundancy to reduce the risk of catastrophic failure, he said. New security platforms are not necessarily the answer, he said.
"Most of what commercially succeeds, succeeds only so long as attackers don't give it their attention and what commercially fails is not because it didn't work. It's because it wasn't easy or sexy or cheap enough," Geer said.
Cybersecurity has become interlaced with nearly every aspect of technological society, impacting nearly everybody and capturing the attention of government policymakers, who will attempt to address the complex issues with legislation that may result in uncertain and potentially negative outcomes, Geer said. Nonetheless, Geer called for measures that could address software security vulnerabilities, bolster critical infrastructure protection and hold businesses accountable for data security and system integrity. Policymakers are watching, he said.
"Cybersecurity is being taken seriously, which as you know is not the same as being taken usefully, coherently or lastingly," Geer told attendees. "We and the cybersecurity issue have never been more at the forefront of policy and you ain't seen nothing yet."
Creating a set of mandatory reporting requirements forcing the private sector to provide information about security incidents could illuminate the character of cyberattacks and help develop a common methodology and metrics for cybersecurity effectiveness, Geer said. Geer also advocated new rules governing source code liability, comparing software to the construction of a house, an industry that has long required builders to certify the structural integrity of their work and hold themselves liable for incomplete or shoddy construction.
"There will be more nasty surprises as badly constructed source code gets a wider airing," Geer said. "Either software houses deliver quality and back it up with liability, or they have to let their users protect the source code themselves."
Geer also addressed the issue of embedded system security, calling on software makers to release the source code of products they no longer support to the open source community. "Embedded systems also need a remote management interface or a finite lifetime," Geer said. "They cannot be immortal and unfixable. To do so guarantees that if they live long enough something bad will happen."
Information security professionals are becoming increasingly relevant, taking the public stage during high-profile data breaches, system outages and other security incidents, said Jeff Moss, founder and director of Black Hat. The increased focus on cybersecurity has captured the attention of policymakers and prompted medical device manufacturers, automobile makers, and other industry groups to begin taking positive measures to ensure security and safety in their products, Moss told attendees just prior to Geer’s opening keynote on Wednesday.
Complexity often introduces security weaknesses, misconfigured networking devices and other system vulnerabilities that attackers can target. Increasingly powerful and interconnected embedded systems in home appliances, medical devices and everyday items will only add to the rapidly increasing complexity that security professionals are dealing with, Moss said.
"We're going to need radical simplicity around key systems we care about, and everything else we are going to have to live with," Moss said.
PUBLISHED AUG. 6, 2014