Black Hat: We need agency focused on fixing internet’s problems

The agency needs the funding and bureaucratic bulk to fend off the NSA, says Dan Kaminsky

The country needs a federal agency akin to the National Institutes of Health in order to fix the problems with the internet, keynote speaker Dan Kaminsky yesterday told a record crowd of more than 6,400 at Black Hat 2016.

Private companies are dealing with the security problems they face without sharing the solutions or pushing for the underlying engineering changes needed to make the internet more secure, says Kaminsky, who in 2008 famously disclosed a serious cache-poisoning vulnerability in DNS, the naming system the rest of the internet depends on.

The solution is a central agency to address those engineering challenges. He says the money now spent piecemeal on battling security problems should be channeled to this agency so it has the resources and bureaucratic bulk to avoid being derailed by transient public officeholders whose policies can change dramatically and quickly.

“The policy people are coming for us,” he says. “We need institutions and systems. We need something like NIH for cyber with good and stable funding.”


He says the National Institute of Standards and Technology tries to play that role, but it has been subverted in the past, notably when the NSA steered it toward a random-number generation standard (the Dual_EC_DRBG generator in NIST SP 800-90A) that could be backdoored by whoever chose its constants. “NIST couldn’t keep NSA out. We need to be able to keep the NSA out,” he said after his keynote.

The problem is that private security vendors and corporate security teams must fight the threats of the moment and lack the time, resources and authority to plan structural changes. “I’m supporting Civil Service nerds being left alone to do what they do,” he says. They need to be free to focus on a project for 10 years without being interrupted and without being harassed, he says.

The internet is a key part of running our economy, and changes, particularly ones that strengthen security, are needed to keep that use viable, he says. The fundamental change he points to is making the cloud secure enough that people trust it with their data and applications. That requires, he says, a mechanism for returning a corrupted instance to a known good state, for example running virtual machines inside containers that can be discarded and rebuilt from a clean image when they are compromised.
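One way to make the reset-to-known-good idea concrete, as an added illustration that is not from the keynote or this article: a golden image is hashed once, a running instance is checked against that manifest, and any drift (a modified file, a missing file, or an extra file dropped alongside) triggers a rebuild from the golden copy. The directory layout, file contents and function names are assumptions made for the demo; a real deployment would do the same with a signed image manifest and an orchestrator that replaces the instance rather than repairing it in place.

```shell
#!/bin/sh
# Added example (not from Kaminsky's keynote or the article): check a running
# instance against a known good image and reimage it if it has drifted.
# All paths live under $WORK and are constructed for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"
GOLDEN="$WORK/golden"          # immutable, trusted image contents
MANIFEST="$WORK/golden.sha256" # hashes of every file in the golden image
INSTANCE="$WORK/instance"      # the mutable, possibly corrupted copy

# Build a constructed golden image (two files) and record its hash manifest.
make_golden() {
    rm -rf "$GOLDEN"
    mkdir -p "$GOLDEN/etc" "$GOLDEN/bin"
    printf 'listen=443\ntls=strict\n' > "$GOLDEN/etc/app.conf"
    printf 'placeholder for the real application binary\n' > "$GOLDEN/bin/app"
    # Paths are recorded relative to the image root so the manifest applies
    # equally to the golden copy and to any instance cloned from it.
    (cd "$GOLDEN" && find . -type f | sort | xargs sha256sum) > "$MANIFEST"
}

# Provision (or re-provision) the instance from the golden image.
reset_instance() {
    rm -rf "$INSTANCE"
    cp -R "$GOLDEN" "$INSTANCE"
}

# Return 0 if the instance matches the manifest exactly, 1 otherwise.
# sha256sum -c catches modified and missing files; the file count catches
# extra files (an implant dropped next to legitimate ones) that no manifest
# line would ever be compared against.
check_instance() {
    (cd "$INSTANCE" && sha256sum -c "$MANIFEST") >/dev/null 2>&1 || return 1
    expected=$(wc -l < "$MANIFEST" | tr -d ' ')
    actual=$(cd "$INSTANCE" && find . -type f | wc -l | tr -d ' ')
    [ "$expected" -eq "$actual" ]
}

# Self-heal: if drift is found, throw the instance away and rebuild it.
heal_instance() {
    if check_instance; then
        echo "instance matches golden image"
        return 0
    fi
    echo "drift detected, resetting instance from golden image"
    reset_instance
    check_instance
}

# Demo: provision, simulate tampering and an implant, then heal.
demo() {
    make_golden
    reset_instance
    check_instance || return 1                       # fresh clone must be clean
    printf 'tls=off\n' >> "$INSTANCE/etc/app.conf"   # simulated config tampering
    printf 'x\n' > "$INSTANCE/bin/.implant"          # simulated dropped file
    check_instance && return 1                       # drift must be detected
    heal_instance                                    # rebuild must restore clean state
}
```

The design choice worth noting is that `heal_instance` never tries to repair individual files: once integrity is lost, nothing on the instance is trusted, so the whole thing is replaced from the copy that was never exposed.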

On a smaller scale, enterprises need to share the security fixes they now work out for themselves. This would save time, money and effort, and it is a model financial institutions already follow: it matters more to them to share so they can respond quickly to threats they face as a group. “Banks don’t compete on security,” he says.

He says security fixes should be shared just as code is shared on GitHub. “It’s cheaper and cost effective to give it to the world,” he says.

Kaminsky calls for an end to the current battle over encryption and to the push by law enforcement for backdoors that would let them decrypt communications. Strong encryption without such backdoors, he says, is necessary for businesses and individuals to continue using the internet. Without encryption, he says, there would be no cloud because no one would trust it.

He cited a statistic from the National Telecommunications and Information Administration that about half of Americans are backing away from using the internet because of concerns about security and privacy. “The encryption debate is shutting down trust,” he says.

He says he set up a website that acts as a browser for PCs and found that people used it without worrying about security or whether the sites they visited were being logged.

Improving trust and actual security are important, he says, because the internet is helping drive commerce. “We need to help the thing that’s running our economy right now.”

By Tim Greene