LAS VEGAS—A single well-designed cyber weapon could “take down the entire internet,” according to Dan Geer, chief information security officer for In-Q-Tel, the CIA’s venture capital company.
Geer took to the stage at the Black Hat cybersecurity conference on Aug. 6 not simply to highlight growing cyber-vulnerabilities to the 8,000-plus experts in attendance, but also to offer a series of policy solutions that are far-reaching, creative and, as Geer himself acknowledged, likely to antagonize the software industry and its friends in Congress.
Here are his 10 policy proposals for protecting the internet from cyber attacks:
We report big disease outbreaks the moment they happen, and the Centers for Disease Control sends out an advance team to deal with them. Why not mandate, at the federal level, that companies do the same when they suffer a major hack or breach? It’s a proposal that goes well beyond the largely toothless White House Cybersecurity Framework released earlier this year. Companies would likely fight it, arguing that most of the hacks they face don’t constitute the sort of threat the public needs to be informed about. Geer says large companies and the government should have no expectation of privacy in the wake of major cyber attacks, just as individuals with a highly communicable disease lose any expectation of privacy during an Ebola or other major disease outbreak.
“Wouldn’t it make sense to have a regime of mandatory reporting for cyber-security failures?” Geer said. “Should you face criminal charges if you fail to make such a report?” He points out that 46 states require mandatory reporting of some cyber attacks in the form of their cyber-breach laws, but 70 to 80% of data breaches are discovered by unrelated third parties. Geer says every security failure “above some threshold we have yet to negotiate” should be reported to the federal government. In broaching this, he drew from a recent paper by former Navy Secretary Richard Danzig titled Surviving On a Diet of Poisoned Fruit, in which Danzig argues that software hacks should be treated with the same urgency as airplane near-misses.
He recommends not one single proposal, but stresses that what’s most important to understand is that the Federal Communications Commission is not the sort of agency that can effectively manage something as important to the future as internet traffic.
“What I can say is that the varied tastes need to be reflected in constrained choice rather than the idea that… some … agency can assure happiness if and only if it—rather than corporations or individuals—does the choosing.”
It’s a measure that, had it been in place 20 years ago, would have put Microsoft on the hook every time a piece of malware crashed a computer, and Bill Gates would be nowhere near the top of the world’s richest list.
“The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit and lobbyist they can afford will spew their dire predictions that ‘this law will mean the end of computing as we know it!’ To which our considered answer will be: ‘Yes, please! That was exactly the idea.’”
Strike back is the ability to attack those that attack you. “I suspect that a fair number of you have, in fact, struck back at some attacker somewhere or, at least, done targeting research even if you didn’t pull the trigger,” Geer said. “I’d trust many of you to identify targets carefully enough to minimize collateral damage, but what we are talking about here is the cyber equivalent of the smart bomb. As I implied earlier, cyber smart bombs are what the national laboratories of several countries are furiously working on. In that sense, you do know what is happening behind the curtain, and you know how hard that targeting really is because you know how hard attribution—real attribution—really is.” He called it “expensive therapy” not open to most small players.
Software makers should be legally obliged to have fallbacks in place in the event of a major attack or service disruption, and those fallbacks should exist before the software is deployed. Geer calls this resiliency. The best way to assure resiliency is to build systems that can be managed from afar, so-called remotely managed systems. If you can’t build remote management into your system, you should design in an expiration date.
“Resiliency is an area where no one policy can be sufficient, so I’ve suggested a trio of baby steps: Embedded systems cannot be immortal if they have no remote management interface, embedded systems must have a remote management interface if they are to be immortal, and swap-over is preferable to swap-out when it comes to data protection.”
Geer calls this vulnerability finding, and he says the US should corner the market on it, paying people who find vulnerabilities 10 times what anyone else would pay them to keep the vulnerability secret. Once the government learns of a new vulnerability, the next step is to make it public.
“If a couple of Texas brothers could corner the world silver market, there is no doubt that the US government could openly corner the world vulnerability market. That is, we buy them all and we make them all public. Simply announce: ‘Show us a competing bid, and we’ll give you 10 times.’” In a subsequent Q&A session, Geer elaborated further. “Vulnerabilities that you keep to yourself for use as a future weapon is a hostile act. So let’s corner the market … If there are a limited number of them … by making them no longer weaponizable, have we not contributed to world peace?”
The European Union’s Right to Be Forgotten initiative, which mandates that European citizens have a right to have some information kept off the web (or at least out of Google search results), is “appropriate, advantageous [but] doesn’t go far enough,” Geer said. The definition of privacy that he lives by is this: “You have privacy if you have the effective capacity to misrepresent yourself.”
It’s becoming a hugely important issue for individuals, but it’s not a small issue for the military either. Intelligence agents, Geer says, are having an ever more difficult time keeping their identities a secret. “Crafting good cover is getting harder and for the same reasons. Misrepresentations are getting harder.”
In a sense, we are moving toward a post-spy world, according to the guy that runs the CIA’s venture capital arm. And protecting the right to be forgotten is one way around that. But more importantly, “a right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now—observability that changes the very quality of what ‘in public’ means.”
The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace is a “case-in-point; it ‘calls for the development of interoperable technology standards and policies—an Identity Ecosystem’—where individuals, organizations, and underlying infrastructure—such as routers and servers—can be authoritatively authenticated.”
Anonymity is something we give government witnesses and whistleblowers. He says it should be a right for everyone. Moreover, if the US were to follow the European lead on the right to be forgotten, it would help curb the balkanization of the internet and decrease foreign suspicion of US tech companies.
Geer said very little on the question of whether or not the United States or other countries should allow for voting over the internet or become more reliant on internet-connected voting machines. But as soon as he said the words, “internet voting,” the crowd in the ballroom of the Mandalay Hotel erupted in laughter and he quickly moved on to the next subject.
If any company abandons a software codebase, then the same rules that apply to discarded furniture should apply to the software: it becomes public and open-source. That means there would in effect never be any devices out there running software that was proprietary but unsupported. “Apple computers running 10.5 or less get no updates (comprising a significant fraction of the installed base). Any Microsoft computer running XP gets no updates (likewise comprising a significant fraction of the installed base). The end of security updates follows abandonment. It is certainly ironic that freshly pirated copies of Windows get security updates when older versions bought legitimately do not. … Either you support it or you give it to the public.”
“The more we put on the internet, the broader and more unmitigable internet surprises become,” Geer said. He called this “dependence,” and it’s a growing problem.
He cited a recent Bloomberg story pointing out that some of the nation’s largest banks were calling on the government to protect them from the threat of cyber attack. The article was titled “Banks Dreading Computer Hacks Call for Cyber War Council.”
“The biggest financial firms [are] saying that their dependencies are no longer manageable, and that the state’s monopoly on the use of force must be brought to bear. What they are talking about is that they have no way to mitigate the risk of common mode failure.”
Bottom line: every critical infrastructure component must be able to run without the internet, and its makers must be able to prove it. Geer is proposing a massive stress test for every bank, utility, or other company that fulfills a critical public role, to see how well they operate when thrown offline. We stress tested the banks after the 2008 market crash, he points out. “We need stress tests in our field even more.”
In his remarks, Geer acknowledged that cyber attacks would get worse before they get better, that maintaining online anonymity would become ever more difficult and inconvenient, and that in the present political environment, many of the proposals would face enormous, if not insurmountable, resistance. Only the second policy proposal has any real chance of passing. But that could change—if things get worse. “There’s the political will to do a stress test but only after a bad event. Let’s hope it’s not catastrophic,” he said.