It is not uncommon to hear revolutionary ideas at the Black Hat conference. It is, after all, where some of the greatest minds in information security converge. Dan Kaminsky, a security researcher and founder of White Ops, is one of these individuals. In his recent keynote speech at Black Hat, Kaminsky covered his proposed solution for InfoSec professionals to advance security. Kaminsky instructed software developers to “start releasing your code,” and urged security professionals to share ideas as a unified entity to prevent the Internet from being “regulated into destruction.”
The regulation Kaminsky is referring to is the clash that the InfoSec world has had with the NSA and other government forces. In Kaminsky’s view, it is vital that this unified force of cybersecurity emerges from a bureaucratic angle to combat this resistance. As Kaminsky said in his speech, “We need institutions and systems. We need something like NIH [National Institutes of Health] for cyber with good and stable funding.” In this model, a single government agency would be responsible for cybersecurity and receive the funding necessary to deal with emerging security threats, similar to what the NIH does with emerging health threats. Additionally, the proposed agency would, in Kaminsky’s view, allow for a greater sharing of ideas rather than competition among private companies.
There are some major holes in this line of thinking, however, and ironically Kaminsky mentions one such case. The National Institute of Standards and Technology is the de facto leader in cybersecurity policy for the U.S. government, and as Kaminsky noted, “NIST couldn’t keep NSA out” with regards to promoting encryption with backdoor capabilities. It is admirable that Kaminsky looks for a greater method of cybersecurity professionals working together rather than as competitors, but I fail to see how this hypothetical agency would be any less corruptible than the NIST.
Kaminsky is onto something, however, as the world of information security has trouble acting in greater unity. Sometimes we, as security professionals, like to keep our solutions and innovations secretive for the sake of glory or earning clients. In this present time, however, there are too many threats globally to simply engage in petty competition. There are far more significant issues that we as a community must solve, because in many ways we are playing catch-up with threat response.