Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy.
Alex Stamos’ keynote last week was preachy and melded a lot of hopes and concepts we’d all heard before, but never from that kind of pulpit, and certainly never from a Las Vegas arena with close to 10,000 people in-house rapt on every word.
The message was pretty simple when you cut right to it: It’s time to grow up. Hackers and researchers and pundits—all the good guys—are suddenly on the front page every day, above the fold. Cybersecurity is mainstream and at the core of geopolitics, national security, policy decisions, human rights and physical safety.
That’s why the Twitter echo chamber has to end. That’s why it can’t be cute to be snarky anymore when someone gets breached out of business, or when another Flash bug is abused by an APT.
There was a time not so long ago when security management begged for a seat at the table. CISOs wanted to report to the board. IT wanted to matter more than managing email and configuring new laptops. Well that time is here and this year’s hacker summer camp in the desert may be that benchmark we look back to when the adolescents among us found their big-people voices.
The board is listening. Law enforcement is listening. Political leaders are listening. And they’re looking for leaders among you. There are many of you who know how to lead. Most of the L0pht wear suits to work these days—or at least a clean t-shirt. The @stake folks are everywhere—Stamos included—running companies and moving things like encryption everywhere forward at a rapid pace. Many of you spoke out against Apple-FBI, the U.S. Wassenaar rules and a lot more, and made real progress with things that matter.
But as Stamos pointed out last week, it’s still not enough. There are still so many content to bloviate on Twitter and elsewhere about how impossible it is to secure anything, or take a pot-shot at victims; look no further than those organizations hit by EternalBlue for some recent victim-shaming.
Growing up means it’s time to care about things that matter. Finding a zero-day is an incredibly difficult and expensive endeavor, and vendors and users should be grateful to those who do ferret these issues out and privately disclose in order to get them patched. But there’s too much fanfare around 0days and spectacular hacks. There’s not enough energy devoted to simple hacks that affect businesses and everyday people. We—and by “we” I mean Microsoft—turned everyone into an admin during the last decade and that attitude still pervades today. We expect everyone to be patched everywhere, and everyone to be running the latest version of everything everywhere, when that just isn’t possible all of the time.
Adversaries will go the simplest route to their end gain, as Stamos pointed out. And for the security community to ignore, forget or believe that these problems are beneath it, is negligent.
“The unfortunate truth is that our community overall, we’re not yet living up to our potential,” Stamos said. “We have perfected the art of finding problems over and over without addressing the root issues. That doesn’t mean we should stop finding bugs, but we need to think carefully about what we do downstream after that initial moment of discovery.”
Parse every word there, and it’s a heavy message. It’s also heavy when, as Stamos pointed out during his talk, that there are too many topics that the community thinks are outside its purview. It’s not a universal attitude by any means, but there are still plenty who don’t do enough to counter doxing, harassment or sexual exploitation carried out over the internet. “It’s your fault you used same password for more than one service.” “It’s your fault you’re using IE 8.” “Flash? You still have Flash enabled?!?”
This is part of the security nihilism Stamos talked about. It is time to bring those into the fold who believe only top-tier hacks matter, that only complicated crypto matters, and that one should never compromise on security to bring it to the masses.
It’s about responsibility and practicality, and it’s about giving back for real and solving problems and bending once in a while.
“We bring an important way of looking at the world and a very important set of skills and tools, but that doesn’t mean we need to denigrate others when we point out their mistakes,” Stamos said. “The only way systems are going to get better in the long run is by eliminating entire classes of bugs, building systems that are resilient to failure, and by building relationships between the security side and builder side and move forward together.”