By Joseph Menn
LAS VEGAS, Aug 9 - Alarmed by mounting cyber
threats around the world and across industries, a growing number
of security experts see aggressive government action as the best
hope for averting disaster.
Even though some experts are outraged by the extent of U.S.
Internet spying exposed by former NSA contractor Edward Snowden,
they are even more concerned about technologically sophisticated
enemies using malware to sabotage utilities, wipe out data
stored on computer drives, and steal defense and trade secrets.
Such fears and proposals on new laws and executive action to
counter these threats were core topics this week in Las Vegas at
Black Hat and Def Con, two of the world's largest gatherings for
security professionals and hackers.
At Black Hat, the keynote speech by respected researcher Dan
Geer went straight for national and global policy issues. He
said the U.S. government should require detailed reporting on
major cyber breaches, in the same way that deadly diseases must
be reported to the Centers for Disease Control and Prevention.
Critical industries should be subjected to "stress tests"
like the banks, Geer said, so regulators can see if they can
survive without the Internet or with compromised equipment.
Geer also called for exposing software vendors to product
liability suits if they do not share their source code with
customers and bugs in their programs lead to significant losses
from intrusion or sabotage.
"Either software houses deliver quality and back it up with
product liability, or they will have to let their users protect
themselves," said Geer, who works for In-Q-Tel, a venture
capital firm serving U.S. intelligence agencies. Geer said he
was speaking on his own behalf.
"The current situation - users can't see whether they need
to protect themselves and have no recourse to being unprotected
- cannot go on," he said.
Several of Geer's proposals are highly ambitious given the
domestic political stalemate and the opposition of major
businesses and political donors to new regulation, Black Hat
attendees said. In an interview, Geer said he had seen no
encouraging signs from the White House or members of Congress.
But he said the alternative would be waiting until a "major
event" that he hoped would not be catastrophic.
Chris Inglis, who retired this year as deputy director of
the National Security Agency, said disaster could be creeping
instead of sudden, as broad swaths of data become unreliable.
In an interview, he said some of Geer's ideas, including
product liability, deserved broader discussion.
"Doing nothing at all is a worse answer," said Inglis, who
now advises security firm Securonix.
SOFTWARE FLAWS
Some said more disclosures about cyber attacks could allow
insurance companies to set reasonable prices. The cost of cyber
insurance varies, but $1 million in yearly protection might
cost $25,000, experts say.
High-profile data breaches, such as at Target Corp
and eBay Inc, have spurred demand for cyber insurance,
but the insurers say they need more data to determine how common
and how severe the intrusions are.
The ideas presented by Geer and other speakers would not
give the government more control of the Internet itself. In that
area, security professionals said they support technology
companies' efforts to fight surveillance and protect users with
better encryption.
Instead, the speakers addressed problems such as the
pervasive number of severe flaws in software, which allow
hackers to break in, seemingly at will.
Geer said the United States should try to corner the market
for software flaws and outspend other countries to stop the
cyber arms race. The government should then work to fix the
flaws instead of hoarding them for offense, he said.
Black Hat founder Jeff Moss said he was reminded of the
importance of data security while advising a government agency
that had no way to tell which of its millions of records were
accurate and which had been tampered with.
In the security industry, Moss said, "we're so day-to-day
that we forget we're a piece of a bigger system, and that system
is on the edge of breaking down."
Dire projections have led some professionals to despair, but
others say the fact that their concerns are finally being shared
by political leaders gives them hope.
Alex Stamos, who joined Yahoo Inc earlier this year
as chief information security officer, said the Internet could
become either a permanent tool of oppression or a democratizing
force, depending on policy changes and technology improvements.
"It's a great time to be in the security industry," Stamos
said. "Now is the time."
