LAS VEGAS—Twenty years of Black Hat seemed to be the appropriate marker in time for Alex Stamos to remind security professionals of their unique position to affect change, not only in technology and business, but also in geopolitics and human rights.
Facebook’s chief security officer delivered the keynote address Wednesday, opening the annual hacker conference with a stern message to colleagues and friends that the days of snarky insular criticisms of users, software, and awe of overly complex hacks and the next zero day must end.
Instead, he urged hackers to have empathy not only for victims of cybercrime but also for those such as law enforcement who may take unpopular stances on encryption and information sharing. Stamos also reinforced the importance of reliance on a diversity of backgrounds and ideas to influence decisions.
“Unfortunately, the truth is our community is not yet living up to its potential,” Stamos said. “We’ve perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery.”
Stamos pointed out that while zero days garner the bulk of headlines and admiration among white-hats, the fact is that most of those attacks never see the mainstream, and most of us are not the targets of complex, advanced adversaries. In fact, he said, maladies such as password re-use, phishing and spam have much more of an impact on security and privacy, yet are dismissed as uninteresting problems.
“We focus on the complexity of a flaw rather than the potential human harm,” Stamos said, adding that instances of abuse related to technology such as doxing or sexual exploitation of children are not viewed as areas of responsibility for security pros. “This is real harm, and these are areas we don’t focus on at all,” Stamos said.
Given that attacks on physical security, democracy and critical infrastructure are permeating every day life and are regularly front-page fodder, prevailing attitudes in the community can no longer be the norm, Stamos said.
“The security community has the tendency to punish those who implement imperfect solutions in an imperfect world,” Stamos said. “We have no empathy. We don’t have the ability to put ourselves in the shoes of people we are trying to protect.”
Stamos said the “hot takes” against the government’s side in last year’s Apple-FBI encryption fight did little to advance discussion on the topic. Nor did criticism of security tradeoffs WhatsApp made in bringing end-to-end encryption to 1 billion users, or even early theoretical security research on cloud computing that may have scared away some organizations from moving to the cloud and virtualization.
“If you look at law enforcement, it turns that like infosec, they are a family, a community,” Stamos said, who said he frequently talks to authorities worldwide about privacy and safety issues. “We need to have more empathy for those whose job it is to put child molesters in jail. If we do that, we won’t look childish, we won’t look like people who don’t want to engage in a difficult topic.”
Stamos stressed the need to focus on defense, which he called the child of good offensive red-teams. Facebook is putting its money where its mouth is, re-upping its sponsorship of the Internet Bug Bounty, and increasing its commitment to the Internet Defense Prize to $1 million that will be handed out throughout the year. Stamos said that hand-in-hand he hopes the prizes will supplement new research in areas such as the continued struggles companies have in patching software, as well as new solutions for practical account lifecycle management, and new work on securing the mobile ecosystem as it’s currently deployed.
“When you have two billion users and you realize that hundreds of millions around the world are using smartphones that cost less than $200 and are shipping with two-year-old versions of Android out of the factory, they are vulnerable from Day 1,” Stamos said.
“We have to focus on defense,” Stamos said, “and broaden our scope of what we consider our responsibility.”