In a far-ranging speech, Geer outlined 10 policy proposals “on a suite of pressing current topics,” such as government surveillance, embedded systems security, net neutrality, the right to be forgotten, and the state of vulnerability research and disclosure, to name just a few. Geer warned the proposals were not fully formed, but what they lacked in detail, they made up for in the range they covered.
As the chief information security officer of In-Q-Tel, the venture capital arm for the Central Intelligence Agency, Geer commands a lot of respect from security executives and researchers alike. When he talks, the industry listens.
Geer called for mandatory reporting of vulnerabilities for all types, and not just those with Internet-wide implications such as Heartbleed, for all organizations, small and large. The mandatory reporting should follow the U.S. Centers for Disease Control model where disease outbreaks above a certain threshold must be reported to the public. CDC doesn't care about the individual patient or health information, but the second the patient poses a risk to the society at large, the hospital is legally required to report the illness. A similar approach for breaches and security incidents would benefit victims because they are made aware. Currently, when companies keep quiet, victims wind up never knowing.
“People are willing to do it [mandatory reporting] as long as everyone else has to do it, too,” Geer said during the press conference after the speech. They don't want to feel as if they are being singled out or being asked to bear the costs of increased reporting alone, he said.
Software vendors have to take responsibility for bugs in their code and be liable for what happens to customers using the products under normal conditions, or let users see the source code and chop out bits they choose not to run, Geer said. He cited the Code of Hammurabi: “If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death,” he said. He wasn't advocating the death penalty, but vendors should be subject to criminal and civil liabilities for not adequately securing their products, he said.
“Either software houses deliver quality and back it up with liability, or allow users to help themselves,” Geer said. “You’d better do it well, or be responsible if it goes poorly.”
Geer would like to see a similar approach applied to Internet service providers to settle the question of net neutrality. ISPs can charge what they want based on content, but then they have to accept responsibility for that content if it is hurtful, he said. Otherwise, ISPs would be allowed to abandon content inspection, support net neutrality, and still enjoy common carrier protections.
“Choose wisely,” Geer said. “ISPs should get one or the other, not both.”
Geer suggested the U.S. government corner the zero-day vulnerability market by buying up all vulnerabilities from researchers and then disclosing them publicly. This way, software makers are aware of the vulnerabilities and can fix them, and security companies can figure out ways to protect systems. Public disclosure would take away the ability of criminal hackers, nation-states, and spy agencies to weaponize these vulnerabilities and use them against their targets.
“Once vulnerability finding became a job and not a hobby, those finding vulnerabilities stopped sharing,” Geer said. When bug hunting was just for bragging rights, the finders shared the information immediately because they didn't want someone else to take credit for it. If the U.S. government became the buyer offering the biggest bucks, then hunting for flaws can become profitable without being destructive, he said.
As for the right to be forgotten, as defined recently by the European Union's legislation mandating that individuals have the right to have information about them removed from search engine results, Geer said it was “appropriate and advantageous.” “There is something important about being able to reinvent ourselves,” Geer said during the press conference following the keynote.
“When a strongly held belief is proven wrong, the humble person changes their mind. I expect that my proposals will result in considerable push-back, and changing my mind may well follow,” Geer said. But the proposals are a first step.
“Those who don't play the game don't make the rules,” Geer warned.