Notes From Crazytown, Day Two: How To Fix Everything

Did you know the CIA has a venture fund? Of course the CIA has a venture fund. It’s called In-Q-Tel, and yesterday its Chief Information Security Officer, Dan Geer, a world-weary man with white Wolverine sideburns, stepped forth from the shadows to give the keynote address at Black Hat. It was a remarkable speech and I want to signal-boost it.

He made it clear that he was speaking in a private capacity, not officially, which explains how he could muse: “Is the ever-wider deployment of sensors in the name of cybersecurity actually contributing to our safety? Or is it destroying our safety in order to save it?” at a time when the CIA is under angry investigation for spying on the Senate. He stressed that he had no insider knowledge.[1]

And he made a number of interesting policy proposals, three of which in particular I thought worthy of serious consideration:

1. Net neutrality. Let ISPs opt out of it — as long as they then accept legal responsibility for all the data they carry. If they inspect and shape their traffic, then they become responsible for it. They shouldn’t get to have it both ways.

2. Product liability for software. “The only two products not covered by product liability today are religion and software,” Geer observed sardonically, “and software should not escape for much longer.” He suggested that software should become subject to product liability law if, and only if, its source code is not made available to its users under a license that lets them disable the features they don’t want.

3. Mandatory reporting of security breaches. Just as the CDC is empowered by mandatory reporting of outbreaks of communicable diseases, businesses which suffer cybersecurity breaches beyond some severity threshold should be legally required to report the breach and how it happened. This echoes yesterday’s BSides keynote: the best way to improve everyone’s online security is through transparency and data-sharing when attacks happen.

I talked with him afterwards and asked him if he thought mandatory reporting was pie in the sky or could actually be implemented. He suggested that the impetus might come from the insurance and reinsurance industries, rather than from legislators.

Geer’s an interesting guy, with a history of standing up for his principles: in 2003 he published a paper arguing that the then-near-monopoly enjoyed by Microsoft amplified online threats to the extent that it was a national security issue, and was promptly fired by his employer, for whom Microsoft was a major client.

His entire address, the text of which is here, is worth reading, though you can safely skim past the opening platitudes to get to his actual proposals. I certainly don’t agree with everything he suggests; in particular, I’m skeptical of his argument that the new “right to be forgotten” which is being forced on Google et al by the European Court of Justice is necessary in the face of the “ubiquitous sensor fabric” amid which we will all soon live.

But if you’re at all interested in computer security (and I fear we’re approaching a time in which few people can afford not to be interested), then take some time and read it. Incisive and interesting thoughts are hard to come by these days.

[1] Well, almost none; he did mention that “in the intelligence trade, crafting good cover is getting harder and harder” thanks to the need for digital/online identities, backgrounds, Facebook friends, a plausible data shadow when Googled, etc.