A few quick notes to share on the keynote yesterday at Black Hat 2014 in Las Vegas:
The keynote speaker was Dan Geer. Dan Geer is currently Chief Information Security Officer for In-Q-Tel. In-Q-Tel is the venture funding arm associated with the CIA.
The keynote was largely a policy speech: roughly a dozen proposals touching security across a variety of technology domains.
His first proposal was a set of mandatory reporting guidelines for exploits and infections, on par with how the CDC mandates reporting of infectious diseases. He drew several parallels between meatspace and cyberspace in handling disease, and this proposal is the most direct application of that analogy to the current state of affairs.
Of note to software companies (such as the one that currently employs me and those that have employed me in the past), he proposed that software be subject to product liability law as a means to improve software and service security. This is a provocative proposal, given that it was delivered during the keynote at the premier annual security conference by someone who leads information security for intelligence-related investments. He also noted, to great laughter, that “The only two products in America not covered by product liability law are religion and software, and software should not escape for much longer.” Ha.
There was also an interesting proposal for Net neutrality that suggests an approach I have not heard of before. He suggested that ISPs should be able to opt out of net neutrality, but by doing so they would be inspecting their packets and thus would no longer enjoy Common Carrier liability protections that they enjoy because they claim no knowledge of the packets they carry.
He also proposed that Internet-of-Things devices carry an expiration date after which they stop operating, so that old devices with unpatched vulnerabilities do not leave the IoT space wide open. This is a common theme in device security generally: older, no-longer-supported devices, whose known vulnerabilities will never be fixed, tend to be the primary targets of attack.
One of the more interesting ideas he presented (in my opinion) was that the US should attempt to corner the market in offensive exploit technologies, in much the same way the US has used its wealth as foreign aid to influence events on the ground. He cited the surge in Iraq as an example: the distribution of money to enemy combatants had more of an effect on the ground than did the arrival of more troops.
The full text of the keynote, including all of his proposals, is available here:
And TechCrunch has a decent writeup here: