Realpolitik (rāˈälˌpōliˌtēk): a system of politics or principles based on practical rather than moral or ideological considerations.
Vegas in July. The only attraction to that proposition is the fact that I got to see old friends, meet new acquaintances and put my brain to work early in the morning during the keynote at Black Hat. I had never met Dan Geer before, although of course I was familiar with his work and his reputation of being one of the most renowned industry pioneers. He kicked off the conference by giving a thought-provoking presentation, bringing to light the use of power in security and politics.
Geer offered the audience a variety of recommendations with regard to today’s evolving cyber security landscape. “Cybersecurity has reached a level of attention necessary,” said Geer. “Whether somebody does anything useful with it is another thing.” My view is that once cybersecurity receives the attention it deserves, it is up to the professionals to respond in an equally deserving manner: taking security seriously and, as Jeff Moss, founder of Black Hat, would say, “Don’t F it up.”
The talk had ten points to consider and it was impossible for me to grasp them all so early in the morning–especially since they were profound ideas that need dedicated time to comprehend and assimilate. However, I would like to point out a few that stood out for me.
The Need for Mandatory Policy
With cybersecurity becoming increasingly entrenched in nearly everybody’s life, Geer strongly advocated for policy to be implemented in the industry, including mandatory reporting. Geer argued that cybersecurity failures could be reduced by required reporting. “All security tools are dual use, offense and defense. Innovation is in the offense.”
Another idea reasoned by Geer revolved around source code. He asked us to imagine how our world would be if software makers were liable for how their products are used. He said, “If you make something, you should be liable for it” and, “you’d better do it well.” However, I’m sure the thought could scare away many vendors and their accompanying counsel.
Additionally, Geer discussed the problem with “abandonment,” stating that if software is abandoned, it should become open source. “Either you support it, or it becomes public,” stated Geer. This issue in particular became a popular debate after the recent end-of-life of Windows XP, affecting numerous enterprises that still used the old software.
Geer argued for the criticality of searching for vulnerabilities, as hackers continue to exploit zero-day flaws and the number of organizations affected grows on a daily basis. Geer said this task for security researchers is no longer a hobby, and should not be a part-time job. He did not talk much about responsible disclosure, and that is a concept that I believe more people should engage with.
The Right to be Forgotten
He made a very strong case for our right to be forgotten. He mentioned that everything we do is identifiable and that misrepresentation is getting harder and harder. “I do not support having one digital identity,” he said, claiming the option of misrepresenting himself as his right.
All in all, I thoroughly enjoyed Geer’s presentation and listening to his way of rationalizing the issues beginning to plague our industry today. If you missed Black Hat this year, here’s a video of the presentation: