10 Ways to Make the Internet Safe from Cyber Attacks

Dan Geer, In-Q-Tel's chief information security officer, delivers the keynote at Black Hat 2014, on August 6, 2014.

Black Hat USA 2014

The guy who invests in startups for the CIA lays out how to avert a massive cyber attack. By Patrick Tucker

LAS VEGAS: A single well-designed cyber weapon could “take down the entire Internet,” according to Dan Geer, chief information security officer of In-Q-Tel, the CIA’s venture capital company.

Geer took to the stage at the Black Hat cybersecurity conference on Wednesday not simply to highlight growing cyber-vulnerabilities to the 8,000-plus experts in attendance, but also to offer a series of policy solutions that are far-reaching, creative and, as Geer himself acknowledged, likely to antagonize the software industry and its friends in Congress.

Here are his 10 policy proposals for protecting the Internet from cyber attacks:

1. Companies Should Be Mandated To Report Big Hacks

We report major disease outbreaks the moment they happen, and the Centers for Disease Control sends an advance team to deal with them. Why not mandate, at the federal level, that companies do the same when they suffer a major hack or breach? The proposal goes well beyond the largely toothless White House Cybersecurity Framework released earlier this year, and companies would likely fight it, arguing that most of the attacks they face do not rise to the level of something the public needs to know about. Geer says large companies and the government should have no expectation of privacy after a major cyber attack, just as an individual with a highly communicable disease such as Ebola loses any expectation of privacy during an outbreak.

“Wouldn’t it make sense to have a regime of mandatory reporting for cyber-security failures?” Geer said. “Should you face criminal charges if you fail to make such a report?” He points out that 46 states already require reporting of some cyber attacks through their data-breach notification laws, yet 70 to 80 percent of data breaches are discovered by unrelated third parties. Geer says every security failure “above some threshold we have yet to negotiate” should be reported to the federal government. In broaching this, he drew on a recent paper by former Navy Secretary Richard Danzig titled Surviving On a Diet of Poisoned Fruit, in which Danzig argues that software hacks should be treated with the same urgency as airplane near-misses.

2. Net-Neutrality Shouldn’t Be Left to the FCC

He offers no single proposal here, but stresses that the Federal Communications Commission is not the sort of agency that can effectively manage something as important to the future as Internet traffic.

“What I can say is that the varied tastes need to be reflected in constrained choice rather than the idea that… some … agency can assure happiness if and only if it — rather than corporations or individuals — does the choosing.”

3. Companies Should Be Held Liable for Making Hackable Software

Had such a measure been in place 20 years ago, Microsoft would have been on the hook every time a piece of malware crashed a computer, and Bill Gates would be nowhere near the top of the world’s-richest list.

“The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit and lobbyist they can afford will spew their dire predictions that ‘this law will mean the end of computing as we know it!’ To which our considered answer will be: ‘Yes, please!  That was exactly the idea.’”

4. Striking Back Should Be Legal But There Should Perhaps Be Oversight

Strike back is the ability to attack those that attack you. “I suspect that a fair number of you have, in fact, struck back at some attacker somewhere or, at least, done targeting research even if you didn’t pull the trigger,” Geer said. “I’d trust many of you to identify targets carefully enough to minimize collateral damage, but what we are talking about here is the cyber equivalent of the smart bomb. As I implied earlier, cyber smart bombs are what the national laboratories of several countries are furiously working on. In that sense, you do know what is happening behind the curtain, and you know how hard that targeting really is because you know how hard attribution — real attribution — really is.” He called it “expensive therapy” not open to most small players.

5. Software Needs Resilient Fallbacks

Software makers should be legally obliged to have fallbacks in place in the event of a major attack or service disruption, and those fallbacks should exist before the software is deployed. Geer calls this resiliency. His preferred route is to build systems that can be managed from afar, so-called remotely managed systems; a device that cannot be remotely managed should instead be designed with an expiration date, so that it cannot run unpatched forever.

“Resiliency is an area where no one policy can be sufficient, so I’ve suggested a trio of baby steps: Embedded systems cannot be immortal if they have no remote management interface, embedded systems must have a remote management interface if they are to be immortal, and swap-over is preferable to swap-out when it comes to data protection.”

6. The Government Should Pay Top Dollar to Hackers To Find Vulnerabilities

Geer calls this vulnerability finding, and says the U.S. should corner the market on it: pay people who find vulnerabilities 10 times whatever anyone else would pay them to keep the vulnerability secret. Once the government learns of a vulnerability, the next step is to make it public.

“If a couple of Texas brothers could corner the world silver market, there is no doubt that the U.S. government could openly corner the world vulnerability market. That is, we buy them all and we make them all public. Simply announce: ‘Show us a competing bid, and we’ll give you 10 times.’” In a subsequent Q&A session, Geer elaborated further. “Vulnerabilities that you keep to yourself for use as a future weapon is a hostile act. So let’s corner the market…If there are a limited number of them…by making them no longer weaponizable, have we not contributed to world peace?”

7. The Right To Be Forgotten Should Be Put in Place in the United States

The European Union’s Right to Be Forgotten, which gives European citizens a right to have certain search results about themselves delisted (the underlying pages stay online), is “appropriate, advantageous [but] doesn’t go far enough,” Geer said. The definition of privacy he lives by is this: “You have privacy if you have the effective capacity to misrepresent yourself.”

It is becoming a hugely important issue for individuals, but it is no small issue for the intelligence community either. Intelligence officers, Geer says, are finding it ever harder to keep their identities secret. “Crafting good cover is getting harder and for the same reasons. Misrepresentations are getting harder.”

In a sense, we are moving toward a post-spy world, according to the security chief of the CIA’s venture capital arm. Protecting the right to be forgotten is one way around that. More importantly, “a right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now — observability that changes the very quality of what ‘in public’ means.”

The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace is a “case-in-point; it ‘calls for the development of interoperable technology standards and policies — an Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.”

Anonymity is something we grant government witnesses and whistleblowers; Geer says it should be a right for everyone. Moreover, if the U.S. were to follow the European lead on the right to be forgotten, it would help curb the balkanization of the Internet and decrease foreign suspicion of U.S. tech companies.

8. Internet Voting? No

Geer said very little on whether the United States or other countries should allow voting over the Internet or rely more heavily on Internet-connected voting machines. As soon as he said the words “internet voting,” the crowd in the Mandalay Bay ballroom erupted in laughter, and he moved on to the next subject.

9. Abandoned Software Should Be Treated Like Abandoned Stuff

If a company abandons a software codebase, the same rules that apply to discarded furniture should apply to the software: it becomes public and open-source. In effect, no device would be left running software that was proprietary but unsupported. “Apple computers running 10.5 or less get no updates (comprising a significant fraction of the installed base). Any Microsoft computer running XP gets no updates (likewise comprising a significant fraction of the installed base). The end of security updates follows abandonment. It is certainly ironic that freshly pirated copies of Windows get security updates when older versions bought legitimately do not….Either you support it or you give it to the public.”

10. Make Sure There’s an Offline Backup

“The more we put on the Internet, the broader and more unmitigable Internet surprises become,” Geer said. He called this “dependence,” and it’s a growing problem.

He cited a recent Bloomberg story reporting that some of the nation’s largest banks were calling on the government to protect them from the threat of cyber attack. The article was titled “Banks Dreading Computer Hacks Call for Cyber War Council.”

“The biggest financial firms [are] saying that their dependencies are no longer manageable, and that the state’s monopoly on the use of force must be brought to bear. What they are talking about is that they have no way to mitigate the risk of common mode failure.”

Bottom line: every critical infrastructure component must be shown to run without the Internet, and its makers must be able to prove it. Geer is proposing a massive stress test for every bank, utility, or other company that fulfills a critical public role, to see how well it operates when thrown offline. We stress-tested the banks after the 2008 market crash, he points out. “We need stress tests in our field even more.”

In his remarks, Geer acknowledged that cyber attacks will get worse before they get better, that maintaining online anonymity will become ever more difficult and inconvenient, and that in the present political environment many of the proposals would face enormous, if not insurmountable, resistance. Only the second policy proposal has any real chance of passing. But that could change if things get worse. “There’s the political will to do a stress test but only after a bad event. Let’s hope it’s not catastrophic,” he said.
