Dan Geer at SFI
/"Optimality and Fragility on the Internet"
- There are 3 professions that “beat practitioners into a state of humility—farming, weather, cyber security.”
- Cybersecurity—there is a dual use inherent to all internet tools.
- Offensive protection is where expensive innovation is happening today.
- There is an outcome differential between good
- “The most appealing ideas are not important, the most important ideas are not appealing.”
- 10% of all internet traffic is unidentifiable by protocol, and more identification is simply not accurate.
- Between security, convenience and freedom we can choose two, maybe, but not all three.
- Some suggestions to help:
- 1 Mandatory reporting—CDC has it with regard to disease appearances and they store data with skillful analysis. It would make sense to have mandatory reporting for cybersecurity problems. With real problems, hacks, require them to be reported. With attempted hacks/near misses we can build a reporting system like the FAA has for near misses. Let people report this anonymously and get voluntary entrants into the program.
- 2 Network neutrality—is Internet access an information or a communication service? So far we have not named it a communication service, but in reality, which is it? This has consequences for whether there will be common carrier protection or a duty to monitor. Right now, ISPs have it both ways. They should get one or the other, not both.
- 3 Source code liability—“Security will be exactly as bad as it can be and still function.” There should be software liability regulation. “Intent or willfulness.” Build only liability for intent, not unintentional.
- 4 Strike back—research the attacker, build cyber smartbombs to learn about them. The issue here is the shared infrastructure.
- 5 Fall back on resilience. The code base on low-end routers today is 4-5 years old. Many networked components use old technology. Embedded systems should not be immortal.
- 6 Vulnerability finding has been a good job for 8/9 years. We as a society should buy out (overpay) for finding vulnerabilities. This can expand the talent pool of vulnerability finding. Are “vulns” scarce or dense? “Exploitable areas are scarce enough.”
- 7 Right to be forgotten. “We are all intelligence agents now…all our digital exhaust is identifiable.” Misrepresentation of identity online is getting harder and harder. The CIA wouldn’t have to fabricate an identity anymore, they can borrow one close to what they need. The new EU rule on this is appropriate, but doesn’t go far enough. “In public” means something very different today, than in the recent past.
- 8 Internet voting. Most experts think it’s a bad idea.
- 9 Abandonment. If a company abandons a code base (like Microsoft or Apple pulling support of an old OS), then it should become open source.
- 10 Convergence. Are the physical and digital one world or 2? They are converging rapidly today. Need to ask “on whose terms will convergence occur?” The cause of risk today is dependence. We will be secure if there can be no unmitigable surprises.
- Security breaches/viruses follow power law distribution. Target and Home Depot both fit on the curve.