LAS VEGAS, NV - “Cyber Apocalypse, Cyber Pearl Harbor, it could happen” is the endless refrain from media news sources, magazines and advertising. With all of the predictions of doom and gloom, it’s enough to make someone hide all their money in a mattress in a cabin in the woods and live off grid. Still, there remains a light at the end of the tunnel. At DEFCON 2014, the biggest “hack” unveiled was against cynicism, helplessness and the mistaken belief that network security is futile.
It’s absolutely true that 2014 so far has reached new heights of massive data breaches due to foreign nation state activity and cyber-criminal takeovers. So, what happened? Why are the good “hackers” optimistic? Why are these normally brooding, black-hoodie-wearing and sometimes angry (but always generally surly) people suddenly optimistic?
It’s pretty simple to understand. The Cyber Apocalypse happened, but in a way no one suspected it would. It was Snowden, with his revelations about NSA spying and the 180 Billion dollars Gartner estimates will vaporize from American companies in the technology space if America can’t figure out how to protect the privacy of their customers. The people who are charged with protecting privacy are a big percentage of the folks attending DEFCON. These are no longer “the lone wolf hackers” of lore; these are corporate security officers, White House policy advisers, lawyers, doctors and many other professionals, all interested in information security and the security of the information they are charged to protect. They also have families now, and the world changes when you are a parent.
Another perspective is the situation in cyberspace could be a lot worse than it is. The internet’s own complexity could crash it - resulting in prolonged outages. More importantly, the cyber-predators, criminals and offensive forces could run out of targets to prey upon. As crazy as it sounds, what happens when illegal activity on the Internet exceeds legitimate financial activity? We always talk in terms of the “loss” inflicted by cybercrime, but very little is said about how much legitimate profit is made from the Internet. It would be a startling situation to suddenly discover that being on the Internet is more financially risky than not being on the Internet. This very real scenario became a catalyst for changing “we want to be better at cyber defence” into “we must be better at cyber defence”.
Our current way of life depends on it; we need to sustain cyber space.
Wired news broke a story on Google's Project Zero on 15 Aug 14. Being at DEFCON (and a member of Canada’s largest hacker space) provided access to a sit-down with these brilliant people at an exclusive round-table “anything goes” briefing. Bottom line: Google is tasking their most brilliant minds into a project to make the Internet a safer place. The cynical view is that Google recognizes the public relations beating over National Security Letters and a perceived sell-out of customer privacy, and they are doing everything they can to redeem themselves in the eyes of the millions of people that use their services. But why does it matter? Making the Internet a safer place for everyone is a noble pursuit; the political correctness of the answer to my question about whether the project team has Adobe and Oracle (Java) on speed dial was all too predictable. “We have a great relationship with Adobe, but we don’t interact with Oracle that much.” (Really!? <delete expletive> maybe you <delete expletive> should).
The US government’s complete disregard for the Bill of Rights and US Constitution in its relentless hunt for terrorists has provided a clear direction to the info sec community. All the talented young and old hackers have identified the weaknesses and vulnerabilities in our digital society. When you mention $180 Billion loss over the next three years, info sec practitioners are not going to simply give up their jobs without a fight. Economic loss on this scale means job loss in information security - the correlation is pretty easy to make. But still, there is more to it than just economics, protecting your livelihood and ability to put food on the table.
Five or six great ideas have now become a new hacker manifesto. This happened because, despite the unfriendly reputation many info sec practitioners have, they care, and they care a lot about their friends, their families and their collective futures. The mad rush to incorporate computer code, wireless and IP addresses into everyday devices has identified an opportunity to “Hack things that matter”. Cars should not be subject to software flaws which, when exploited, could kill people. Medical device manufacturers should not be subject to design or software flaws which, when exploited, could kill people. The people in question are the sons, mothers, daughters, spouses and relations of info sec professionals.
“Learn to speak cyber”. Many info sec professionals scoffed at the constant use of the word cyber in front of most nouns. Now that many of our senior leadership in IT security can get invited to Congress and advise the US Senate, as well as the White House, the language to use has to be the language the law makers understand. Info sec has to come down from the arrogance tree and learn to fight Fear, Uncertainty and Doubt (FUD) with facts.
The less enlightened and “let’s make a fast buck” crowd jumped on the idea of an NSA/FBI/CIA-proof privacy bandwagon. The use of this marketing language was completely detrimental to advancing the argument for, and the importance of, privacy. The mention of these “features” evoked universal disdain from the real information security professionals at DEFCON. In general it’s hard for anyone, especially a law maker, to back a product or service that defeats legitimate, court-ordered surveillance of criminals. Thus, the only alternative is to revert to the argument of “if encryption is outlawed, only outlaws will have encryption.” Mass state surveillance is undesirable, but so are criminals in our society. Hackers have been called to unite around a delicate balance of privacy and surveillance.
So, why did Intel allow four security engineers to come to DEFCON and reveal all the amazing ways Unified Extensible Firmware Interface (UEFI) and Secure Boot were broken? An excellent question! There is power in hubris, revealing weakness and insecurity. Intel (or rather a director/VP) decided that honesty, openness and uncensored information was the key to regaining the respect and support of the information security community. Being open about vulnerabilities engenders a communal reaction, comparable to the way weaker members of the herd are protected by the stronger animals. We know there are ways to exploit the basic system boot, but this was the first time a major technology company admitted defeat.
If any central theme can be identified in the 168 hours I spent in Las Vegas it is this: Information Security is not going to take it (cue Twisted Sister). Our senior leaders have reached the point where they get meetings with the people in power. It’s not bragging rights and it’s not trying to sell an agenda. The message is simple and pretty clear: “We love the Internet. It’s awesome and has ushered in an era of unprecedented growth and prosperity.” More importantly it’s our jobs. Our families have “Skin in the Game”. We can’t sit idly by and drink beer when our networks are being attacked and exploited. It’s the first time I have seen our community ask for help. We need the help (not technical, we are awesome at that). We need the help in navigating the halls of power to put in place the governance structure and mandate to do our jobs – make the Internet a safe place to live and work.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA, CPM, BA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.