Black Hat 2014: The Ten Commandments of Modern Cybersecurity

At the Black Hat USA 2014 conference at Las Vegas' Mandalay Bay Resort and Casino, security is the main event. And in that vein, Dan Geer, the chief information security officer of non-profit investment firm In-Q-Tel, shared 10 cyber security policy recommendations during his keynote speech on Wednesday, Aug. 6.

Geer, the conference's first and only keynote speaker, framed his recommendations within the context of today's confusing, precarious cybersecurity landscape amid diminishing personal privacy and increased government spying and surveillance. 

He read an hour-long essay to thousands in attendance, addressing a crowd who represented, in his opinion, an industry that's becoming more and more prominent in public policy because of software's ubiquitous presence in every facet of modern life. The security of the technology that supports society is something no one can ignore, but cyber threats are so constant and pervasive that accomplishing total privacy and security seems futile

Geer opened his talk by reading aloud the abstract for his speech, which summed up the importance of cybersecurity policy, even as strong cybersecurity itself seems almost impossible to achieve.

"Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get," Geer said. "Some have the eye to discern cyber policies that are, 'The least worst thing.' May they fill the vacuum of wishful thinking."

Geer's cybersecurity advice was comprehensive and called for more accountability — and less legal leeway — for the software vendors and their technology's source code.

Geer said that the following 10 policy proposals were his and his alone, based on his experience in the industry. He also gave a verbal disclaimer that listeners were free to disagree and attempt to prove him wrong on these ideas, in the interest of greater legal and personal agency in the never-ending cybersecurity effort. 

1. Create a mandatory reporting system for severe breaches, similar to how the United States Centers for Disease Control has a mandatory reporting system for medical diseases. If the breaches are less severe, then reporting should be voluntary.
2. Offer Internet service providers one of two net neutrality options. Providers can charge customers for service, but that also makes the providers responsible for the harmful content within that service. Providers can alternatively choose a "common carrier" option that frees them from liability for damaging content, but they're unable to inspect or act on the contents of what they carry.
3. Make software developers legally liable for their source code. Under the regulation procedures, developers should give buyers the ability to disable pieces of code they don't want to use, and the developers are held liable for any damage their software causes under normal usage.
4. Strike back at attackers when necessary with cyber counter attacks or targeting campaigns to truly identify the attackers. The ability to do this, however, will require entities to share infrastructure and resources because not every organization has the power of Microsoft or the federal government.
5. If people have no way to remotely shut down computer systems when necessary because those systems are too deeply embedded, then those embedded systems should be designed with the ability to self-terminate after a fixed amount of time has passed, and computer systems that can be remotely controlled should be designed with the ability to refuse certain remote commands for security purposes.
6. The government should pay people competitively for finding vulnerability exploits, and then make those exploits public.
7. Uphold people's right to be forgotten and operate autonomously, even as a connected society makes this increasingly more difficult, and give people the ability to misrepresent themselves online under certain circumstances to confound those who would "watch" them digitally.
8. Voting online is a bad idea because it opens the process and results up to cyber manipulation.
9. Software code should be open sourced after companies discontinue it and stop releasing updates for it. The open source community can patch and update software code for the greater good if companies decide that the code is no longer useful.
10. Critical infrastructure systems' dependence on the Internet and electrical grid leaves them open to cyber attack, so their managers and network administrators should find ways to operate them off the grid, if necessary.

Geer concluded his speech by espousing political realism. The international world is anarchic when cyberspace is involved, and governments are the most important players in the digital world.

"States' investment in offensive cyber is entirely about survival in such a world," he said. "States are driven to this by the dual, simultaneous expansion of what is possible and what their citizens choose to depend on."