Security experts call for government action against cyber threats

Published 09/08/2014, 20:31
Updated 09/08/2014, 20:40
By Joseph Menn

LAS VEGAS (Reuters) - Alarmed by mounting cyber threats around the world and across industries, a growing number of security experts see aggressive government action as the best hope for averting disaster.

Even though some experts are outraged by the extent of U.S. Internet spying exposed by former NSA contractor Edward Snowden, they are even more concerned about technologically sophisticated enemies using malware to sabotage utilities, wipe out data stored on computer drives, and steal defence and trade secrets.

Such fears and proposals on new laws and executive action to counter these threats were core topics this week in Las Vegas at Black Hat and Def Con, two of the world's largest gatherings for security professionals and hackers.

At Black Hat, the keynote speech by respected researcher Dan Geer went straight for national and global policy issues. He said the U.S. government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention.

Critical industries should be subjected to "stress tests" like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.

Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.

"Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves," said Geer, who works for In-Q-Tel, a venture capital firm serving U.S. intelligence agencies. Geer said he was speaking on his own behalf.

"The current situation - users can't see whether they need to protect themselves and have no recourse to being unprotected - cannot go on," he said.

Several of Geer's proposals are highly ambitious given the domestic political stalemate and the opposition of major businesses and political donors to new regulation, Black Hat attendees said. In an interview, Geer said he had seen no encouraging signs from the White House or members of Congress.

But he said the alternative would be waiting until a "major event" that he hoped would not be catastrophic.

Chris Inglis, who retired this year as deputy director of the National Security Agency, said disaster could be creeping instead of sudden, as broad swaths of data become unreliable.

In an interview, he said some of Geer's ideas, including product liability, deserved broader discussion.

"Doing nothing at all is a worse answer," said Inglis, who now advises security firm Securonix.

SOFTWARE FLAWS

Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1 million in yearly protection might cost $25,000, experts say.

High-profile data breaches, such as at Target Corp and eBay Inc, have spurred demand for cyber insurance, but the insurers say they need more data to determine how common and how severe the intrusions are.

The ideas presented by Geer and other speakers would not give the government more control of the Internet itself. In that area, security professionals said they support technology companies' efforts to fight surveillance and protect users with better encryption.

Instead, the speakers addressed problems such as the pervasive number of severe flaws in software, which allow hackers to break in, seemingly at will.

Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offence, he said.

Black Hat founder Jeff Moss said he was reminded of the importance of data security while advising a government agency that had no way to tell which of its millions of records were accurate and which had been tampered with.

In the security industry, Moss said, "we're so day-to-day that we forget we're a piece of a bigger system, and that system is on the edge of breaking down."

Dire projections have led some professionals to despair, but others say the fact that their concerns are finally being shared by political leaders gives them hope.

Alex Stamos, who joined Yahoo Inc earlier this year as chief information security officer, said the Internet could become either a permanent tool of oppression or a democratizing force, depending on policy changes and technology improvements.

"It's a great time to be in the security industry," Stamos said. "Now is the time."

(Reporting by Joseph Menn; Editing by Tiffany Wu)
