Are Cyber Stress Tests the Way of the Future?
Regulators forced banks to test themselves against a powerful financial hurricane in the wake of the worst financial crisis since the Great Depression, in the hopes the frightening events won’t repeat themselves.
Dan Geer, the information-security chief at In-Q-Tel, made the case Wednesday for stress testing a wide range of firms against cyber invasions in a bid to prevent a crisis in the first place.
“The 2008 financial crisis proved we can build systems more complex than we can operate,” he said in his keynote address to about 8,000 computer-security experts attending the Black Hat conference in Las Vegas. “We need stress tests in our field.”
Geer’s pitch revolved around the need for transparency. He envisions “mandatory reporting,” in which firms small and large would be legally required to disclose any breach whose severity exceeds a pre-determined threshold.
He likened it to how the medical world operates: Generally patient privacy is tightly guarded. The government isn’t too interested in knowing the details of an individual’s health. But the second a patient presents with an illness that can put society at large at risk – think Ebola, SARS or avian flu – hospitals are obligated to inform the Centers for Disease Control and Prevention.
And don’t think cyber afflictions are any less troubling than infectious diseases. Geer, whose employer acts as the venture capital arm of the U.S. Intelligence Community, said many state labs are “furiously working” to develop the “cyber equivalent of a smart bomb.”
He warned that attackers with only a moderate level of sophistication could launch an attack that could seriously damage the Internet at large by focusing on the low-level hardware that connects computers together.
Geer also said the current system, in which software vendors generally bear no direct liability for attacks that exploit their software, needs to come to an end.
“For better or poorer, the only two products not held up to liability are religion and computer software,” he remarked, inciting laughter among the tech-focused audience.
Geer said, as he sees it, software companies should either have to accept liability for what happens to customers while using their software under normal conditions, or make the source code available for peer review. He added that when a company stops supporting a product, as Microsoft (NASDAQ:MSFT) has done with Windows XP, the firm should be required to release the code so users can support themselves.
The talk from Geer comes at a time when companies are facing a massive increase in cyber breaches. Just one day ago, security researcher Alex Holden revealed research suggesting a Russian cyber gang managed to steal 1.2 billion unique emails and passwords – perhaps the largest cache in history. Earlier this week, Target (NYSE:TGT) also said the Black Friday 2013 data breach will generate gross expenses of $148 million.