Government Action, Insurance, Software Product Liability Urged for Cyber Security
Even though some experts are outraged by the extent of U.S. Internet spying exposed by former NSA contractor Edward Snowden, they are even more concerned about technologically sophisticated enemies using malware to sabotage utilities, wipe out data stored on computer drives, and steal defense and trade secrets.
Such fears and proposals on new laws and executive action to counter these threats were core topics this week in Las Vegas at Black Hat and Def Con, two of the world’s largest gatherings for security professionals and hackers.
At Black Hat, the keynote speech by respected researcher Dan Geer went straight for national and global policy issues. He said the U.S. government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention.
Critical industries should be subjected to “stress tests” like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.
Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.
“Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves,” said Geer, who works for In-Q-Tel, a venture capital firm serving U.S. intelligence agencies. Geer said he was speaking on his own behalf.
“The current situation – users can’t see whether they need to protect themselves and have no recourse to being unprotected – cannot go on,” he said.
Several of Geer’s proposals are highly ambitious given the domestic political stalemate and the opposition of major businesses and political donors to new regulation, Black Hat attendees said. In an interview, Geer said he had seen no encouraging signs from the White House or members of Congress.
But he said the alternative would be waiting until a “major event” that he hoped would not be catastrophic.
Chris Inglis, who retired this year as deputy director of the National Security Agency, said disaster could be creeping instead of sudden, as broad swaths of data become unreliable.
In an interview, he said some of Geer’s ideas, including product liability, deserved broader discussion.
“Doing nothing at all is a worse answer,” said Inglis, who now advises security firm Securonix.
Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1 million in yearly protection might cost $25,000, experts say.
High-profile data breaches, such as at Target Corp. and eBay Inc., have spurred demand for cyber insurance, but the insurers say they need more data to determine how common and how severe the intrusions are.
The ideas presented by Geer and other speakers would not give the government more control of the Internet itself. In that area, security professionals said they support technology companies’ efforts to fight surveillance and protect users with better encryption.
Instead, the speakers addressed problems such as the pervasiveness of severe flaws in software, which allow hackers to break in seemingly at will.
Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offense, he said.
Black Hat founder Jeff Moss said he was reminded of the importance of data security while advising a government agency that had no way to tell which of its millions of records were accurate and which had been tampered with.
In the security industry, Moss said, “we’re so day-to-day that we forget we’re a piece of a bigger system, and that system is on the edge of breaking down.”
Dire projections have led some professionals to despair, but others say the fact that their concerns are finally being shared by political leaders gives them hope.
Alex Stamos, who joined Yahoo Inc. earlier this year as chief information security officer, said the Internet could become either a permanent tool of oppression or a democratizing force, depending on policy changes and technology improvements.
“It’s a great time to be in the security industry,” Stamos said. “Now is the time.”
(Reporting by Joseph Menn; Editing by Tiffany Wu)