The country needs a federal agency akin to the National Institutes of Health in order to fix the problems with the internet, keynoter Dan Kaminsky yesterday told a record crowd of more than 6,400 at Black Hat 2016.
Private companies are dealing with the security problems they face without sharing the solutions or pushing for the underlying engineering changes that are needed to make the internet more secure, says Kaminsky, who famously discovered a serious vulnerability in DNS, which underpins the internet.
The solution is a central agency to address those engineering challenges. He says all the money that is spent piecemeal on battling security needs to be channeled to this agency so it has the resources and bureaucratic bulk to escape being derailed by transient public officeholders whose policies can change dramatically and quickly.
“The policy people are coming for us,” he says. “We need institutions and systems. We need something like NIH for cyber with good and stable funding.”
He says the National Institute of Standards and Technology tries to play that role, but it has been subverted in the past, notably when the NSA steered it toward an encryption standard that could be backdoored. “NIST couldn’t keep NSA out. We need to be able to keep the NSA out,” he said after his keynote.
The problem is that private security vendors and corporate security teams must fight the threats of the moment and lack the time and resources and authority to plan structural changes. “I’m supporting Civil Service nerds being left alone to do what they do,” he says. They need to be free to work with focus on a project for 10 years without being interrupted and without being harassed, he says.
The internet is a key part of running our economy, and changes – particularly to strengthen security – are needed in order to keep that use viable, he says. The fundamental change he points to is making the cloud secure enough that people trust it to handle data and applications. The cloud, he says, needs a mechanism to return corrupted instances to a known good state such as containers to run virtual machines in that can be reset if corrupted.
On a smaller scale, enterprises need to share the security fixes they now work out for themselves. This would save time, money and effort, and it’s a model already followed by financial institutions. It’s more important for them to share so they can quickly respond to threats they face as a group. “Banks don’t compete on security,” he says.
He says security fixes should be shared just as coding is shared on GitHub. “It’s cheaper and cost effective to give it to the world,” he says.
Kaminsky calls for an end to the current battle over encryption and the push by law enforcement to have backdoors so they can decrypt communications. He says it’s necessary in order for businesses and individuals to continue using the internet. Without encryption, he says, there would be no cloud because no one would trust it.
He cited a statistic from the National Telecommunications and Information Administration that about half of Americans backing away from using the internet because of concerns about security and privacy. “The encryption debate is shutting down trust,” he says.
He says he set up a website that acts as a browser for PCs and found that it was used without people worrying about security or whether the sites they went to were being logged.
Improving trust and actual security are important, he says, because the internet is helping drive commerce. “We need to help the thing that’s running our economy right now.”