Cybersecurity as Realpolitik: A Reflection on the Future of Cybersecurity

“Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are ‘the least worst thing;’ may they fill the vacuum of wishful thinking.”

At the beginning of the Black Hat conference in 2014, Dan Geer presented a speech on the future of cybersecurity, which is only becoming more relevant in today’s landscape. In his speech, he analyzes the current state and future of the cybersecurity industry and puts forth ten policies for consideration as the industry moves forward.

Mandatory Reporting

Mandatory reporting is the policy that if a cybersecurity incident is discovered, it must be reported to a central entity. Geer suggests that cybersecurity reporting follow a model similar to the CDC’s, with mandatory reporting for a specific tier of threats and anonymous voluntary reporting of other incidents. I think this would be a good solution, because companies may be unwilling to report incidents due to reputational or financial damage, even though accurate data on current threats based on these incidents could be a great tool to mitigate future attacks.

Net Neutrality

Net neutrality means that ISPs cannot charge different rates for the data that they are moving. Because of the varied situations and opinions within the industry, Geer proposes a two-option system: either an ISP may charge different rates for different content, in which case it is liable if the content it inspects is harmful, or it charges a single rate and is not liable for the content it carries. While both of these options are reasonable, implementing them in tandem without conflicts could prove more hassle than a single solution to the net neutrality argument.

Source Code Liability

Given the current digital landscape and the importance of software, Geer states that the designers of code should be liable for damage to users caused by weaknesses or errors, just as builders, manufacturers, and the providers of most products and services are today. To do this, software companies would need to either accept liability for their products or allow the user enough control over the code to remove that liability. While I think this proposal is very reasonable, given that software is a product that should adhere to rational standards, I think it would be incredibly difficult to implement properly given the predictable pushback from large software companies.

Strike Back and Fall Back

Strike back is the practice of retaliating against an attacker, but unfortunately this often backfires. Because of shared infrastructure, Geer recommends against striking back, except in very specific situations, due to the unintended negative consequences. Fall back, on the other hand, refers to mitigating the risk and damage from an eventual attack. In the new realm of embedded systems, Geer highlights one major issue: software expires, but not all embedded devices get updated. Thus, embedded devices must either have a limited lifespan or have a remote-management service to maintain their function and security.

Vulnerability Discovery

With the monetization of vulnerability discovery in recent years, fewer vulnerabilities are being made public, and as a result zero-day attacks have skyrocketed. Geer’s response is simply to lean into it and control the market: he recommends that the United States offer to purchase vulnerabilities and then publish all of them publicly. While this may help prevent vulnerability hoarding, it could also flood the internet with vulnerabilities, making it easier for threat actors to identify and exploit them; if organizations lack the resources to provide patches at a very quick rate, this approach could backfire significantly.

Right to be Forgotten

The right to be forgotten was introduced in the EU’s GDPR as the right of a user to request that their data be wiped from records. Geer emphasizes the importance of this right as a positive first step but proposes that internet privacy should encompass not only protection and control of digital data, but also the right of someone to misrepresent themselves when they choose. As digital identification becomes more advanced, it is increasingly difficult to protect a singular identity, so obfuscation through misrepresentation is a path to privacy. While somewhat fraught with the ethical implications of misrepresentation for the sake of privacy vs. malicious misrepresentation, I agree with Geer here that having control of one’s online presence(s) is important to maintain a modicum of privacy amid increasing levels of surveillance.

Internet Voting

Geer touches on internet voting only briefly, arguing that it would be impossible to secure results beyond a shadow of a doubt, and thus that it should not be implemented in any form. I agree that internet voting would place critical decisions at too much risk, and the convenience of it should not outweigh the significant effects that failure to secure a voting system would have.

Abandonment

Abandonment is what happens when a piece of software becomes deprecated and stops receiving the support and updates needed to keep it current. Not only does abandonment negatively impact any remaining users, but it can also leave security holes in systems that still use the software. Geer recommends that when a piece of software is officially abandoned, its code base should become open source. I find this reasonable, as it would allow users to continue maintaining the software, and if a company is really against open-sourcing it, it would always have the option to continue maintaining it itself.

Convergence

As the digital world continues to expand into the physical, the line between these two worlds is rapidly blurring. As that happens, critical infrastructure has developed a dependence on the internet, and this leaves it vulnerable. Geer defines risk as directly related to dependence, and more dependence on the internet means more risk from cyber-attacks. This critical common dependence can have a huge effect, so Geer proposes that all critical infrastructure should demonstrate a capacity to operate without the internet. I agree that this is rational, even if unlikely: critical infrastructure must be able to function in some capacity without the internet, should that dependence ever be exploited.

Despite being delivered in 2014, Dan Geer’s speech is still a pertinent analysis of the cybersecurity landscape, and the policy suggestions outlined in it provide a solid roadmap on which to develop the policies that are desperately needed to keep up with the evolution of cyberspace.

– Alec Miller

Source: Geer, D. (2014, August 7). Cybersecurity as Realpolitik. geer.tinho.net/geer.blackhat.6viii14.txt