Black Hat 2016: We Need To Step Up Our Security Or Risk Losing The Internet As We Know It
There’s something wrong, big time, with privacy and security around the Internet, and the security industry needs to step up or risk losing it altogether, Dan Kaminsky, chief scientist and founder of White Ops, said in a keynote speech Wednesday at Black Hat 2016 in Las Vegas.
“We have work to do. We’re going to go ahead and get the Internet fixed because we’re risking losing this engine of beauty altogether,” Kaminsky said.
The problem centers on trust: users are backing away from the Internet due to security and privacy concerns, Kaminsky said, citing a Pew Research study. However, he said the security industry is failing to remedy this problem because it does not learn from the past and simply patches vulnerabilities one by one, rather than fixing the underlying issues.
If the security industry fails to do this, the Internet of today, which Kaminsky called “this Internet,” could become irrelevant, as it did under AOL and AT&T in the past.
Kaminsky said the security industry needs a “germ theory of cyber,” which enforces a focus on how data is moved, is stored and persists, similar to how a doctor would trace an infection. The question, he said, is whether the security industry has a way of disinfecting the Internet.
That doesn’t necessarily mean increased regulation or software vulnerability mandates, Kaminsky said, noting that we “didn’t heal illness by making sickness a crime.” Instead, Kaminsky said the medical industry learned to heal illness by learning to deliver medicine and safety.
To solve the problem, Kaminsky suggested the security industry needs to launch a National Institute of Health for cybersecurity, an organization with funding and stability to help build standards and objectively study the industry.
“I want an organization dedicated to the extensive study of our field, that can fund and implement the hard and really boring work that fixing all these problems will take,” Kaminsky said.
Beyond policy, Kaminsky said engineers need to step up and create better software and approach security problems in a better way, because today’s host of solutions “just aren’t good enough.” Kaminsky proposed an emphasis on technology approaches such as isolation as one way to do that.
Kaminsky also urged managers to step up and release their code, so they can focus on solving overarching issues, rather than repeating the same fixes over and over again across an architecture. There’s no reason not to do this, he said, as companies are not competing based on the security of their code. He compared it to how banks share information on threats because they recognize it isn’t their competitive differentiator.
These steps need to happen sooner, rather than later, Kaminsky said, as emerging technology areas such as the Internet of Things, the cloud and voice-activated technologies like Cortana and Alexa create added challenges and demands for security faster than ever before.
“Usually an industry gets some time to get its act together. Those days are over and people are realizing what’s happening,” Kaminsky said.