Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Black Hat: We need agency focused on fixing internet's problems

Tim Greene | Aug. 5, 2016
The agency needs the funding and bureaucratic bulk to fend off the NSA, says Dan Kaminsky.

The country needs a federal agency akin to the National Institutes of Health in order to fix the problems with the internet, keynoter Dan Kaminsky yesterday told a record crowd of more than 6,400 at Black Hat 2016.

Private companies are dealing with the security problems they face without sharing the solutions or pushing for the underlying engineering changes that are needed to make the internet more secure, says Kaminsky, who famously discovered a serious vulnerability in DNS, which underpins the internet.

The solution is a central agency to address those engineering challenges. He says all the money that is spent piecemeal on battling security needs to be channeled to this agency so it has the resources and bureaucratic bulk to escape being derailed by transient public officeholders whose policies can change dramatically and quickly.

"The policy people are coming for us," he says. "We need institutions and systems. We need something like NIH for cyber with good and stable funding."

He says the National Institute of Standards and Technology tries to play that role, but it has been subverted in the past, notably when the NSA steered it toward an encryption standard that could be backdoored. "NIST couldn't keep NSA out. We need to be able to keep the NSA out," he said after his keynote.

The problem is that private security vendors and corporate security teams must fight the threats of the moment and lack the time and resources and authority to plan structural changes. "I'm supporting Civil Service nerds being left alone to do what they do," he says. They need to be free to work with focus on a project for 10 years without being interrupted and without being harassed, he says.

The internet is a key part of running our economy, and changes - particularly to strengthen security - are needed in order to keep that use viable, he says. The fundamental change he points to is making the cloud secure enough that people trust it to handle data and applications. The cloud, he says, needs a mechanism to return corrupted instances to a known good state such as containers to run virtual machines in that can be reset if corrupted.

On a smaller scale, enterprises need to share the security fixes they now work out for themselves. This would save time, money and effort, and it's a model already followed by financial institutions. It's more important for them to share so they can quickly respond to threats they face as a group. "Banks don't compete on security," he says.

He says security fixes should be shared just as coding is shared on GitHub. "It's cheaper and cost effective to give it to the world," he says.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.