Security specialists spend too much time on targeted attacks and not enough on their underlying causes. Imperfect solutions are unnecessarily punished. Responsibility for security must be broadened, and the industry suffers from a lack of diversity. And, oh yes, everyone needs to drop the assumption that hackers are perfect.
These are just a few of the blunt characterizations that Alex Stamos, chief security officer at Facebook, delivered during his keynote address last week at the Black Hat USA 2017 cybersecurity conference in Las Vegas, Nevada. As malware attacks, data breaches, and ransomware spread daily through computer systems around the globe, the security industry seems to resemble the proverbial deer in the headlights.
“The modern world of technology is filled with tightropes,” said Stamos. “But the problem is that we haven’t put any nets under those tightropes.”
The task of making the cyber world safer is not about to get any easier either. Last week’s gathering of security professionals from around the globe included research presentations that showed how to hack Tesla cars, windmills, home routers, drones, hoverboards, and – most chillingly – power grids.
Hacks escalate to the power grid
The power grid attacks are perhaps most relevant to Stamos’ concerns about the consequences if the security industry falls too far behind. Researchers from Dragos and ESET presented at the conference an analysis of a 2016 remote attack on the power grid in Ukraine that struck electricity distribution substations, assumed control of circuit breakers, and caused hours of blackouts.
More ominously, the malware exhibited functionality that could detect and resist efforts to overcome its handiwork. “Human adversaries learned grid operations and put them into an attack framework,” explained Robert Lee, CEO of Dragos. “I think we’re seeing an evolution in adversary tradecraft.”
The Ukraine attack did not go unnoticed. It received plenty of coverage in the international news media and was also referenced by agencies in the U.S. government. Stamos viewed this as a positive sign. “People now know how important it is to build secure systems,” said the Facebook executive. “Security topics are now on the front page of every newspaper every week.”
WhatsApp encryption trade-offs defended
However, Stamos also delivered remarks that appeared to be at odds with some of the more vocal critics of governmental intrusion in technology.
In his remarks, Stamos defended Facebook’s trade-offs in delivering encryption for WhatsApp and took issue with the “online snark and argument” generated by people who criticized the FBI over the fight to unlock an Apple phone during a terrorism investigation.
Stamos pressed the case for continuing to recognize the work of individuals who actually make the Internet safer. This includes giving out cash awards for finding software bugs. “I’m a big fan of bug bounties,” said Stamos.
He also said that Facebook will continue to support the Internet Defense Prize, which rewards meaningful research to make the Web more secure. According to Stamos, Facebook will give out $1 million in prizes next year.
Facebook continues to be sensitive to accusations that its popular news service facilitated the dissemination of fake news, which could have played a role in presidential candidate Hillary Clinton’s 2016 defeat. Stamos mentioned that his company would fund a nonprofit at Harvard University to defend against cyberattacks that affect political groups or elections.
The Facebook executive expressed particular concern about the lack of diversity in the security industry and challenged the community to reach out to people with different backgrounds and thinking. “We do not have the diversity that reflects the people we are trying to protect,” Stamos noted.
The blunt messages from Stamos underscored the urgency that the security industry is feeling as much of the world is waiting to see how new tools and technologies will make the Internet safer. “Things are not getting better, things are getting worse,” said Stamos. “It’s a critical moment and we have the world’s attention.”