Govt action needed against cyber threats

Las Vegas - Alarmed by mounting cyber threats around the world and across industries, a growing number of security experts see aggressive government action as the best hope for averting disaster.

Even though some experts are outraged by the extent of US internet spying exposed by former NSA contractor Edward Snowden, they are even more concerned about technologically sophisticated enemies using malware to sabotage utilities, wipe out data stored on computer drives, and steal defense and trade secrets.

Such fears and proposals on new laws and executive action to counter these threats were core topics this week in Las Vegas at Black Hat and Def Con, two of the world's largest gatherings for security professionals and hackers.

At Black Hat, the keynote speech by respected researcher Dan Geer went straight for national and global policy issues.

He said the US government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention.

Critical industries should be subjected to "stress tests" like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.

Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.

"Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves," said Geer, who works for In-Q-Tel, a venture capital firm serving US intelligence agencies. Geer said he was speaking on his own behalf.

"The current situation - users can't see whether they need to protect themselves and have no recourse to being unprotected - cannot go on," he said.

Several of Geer's proposals are highly ambitious given the domestic political stalemate and the opposition of major businesses and political donors to new regulation, Black Hat attendees said. In an interview, Geer said he had seen no encouraging signs from the White House or members of Congress.

But he said the alternative would be waiting until a "major event" that he hoped would not be catastrophic.

Chris Inglis, who retired this year as deputy director of the National Security Agency, said disaster could be creeping instead of sudden, as broad swaths of data become unreliable.

In an interview, he said some of Geer's ideas, including product liability, deserved broader discussion.

"Doing nothing at all is a worse answer," said Inglis, who now advises security firm Securonix.

Software flaws

Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1m in yearly protection might cost $25 000, experts say.

High-profile data breaches, such as at Target and eBay, have spurred demand for cyber insurance, but the insurers say they need more data to determine how common and how severe the intrusions are.

The ideas presented by Geer and other speakers would not give the government more control of the Internet itself. In that area, security professionals said they support technology companies' efforts to fight surveillance and protect users with better encryption.

Instead, the speakers addressed problems such as the pervasiveness of severe flaws in software, which allow hackers to break in, seemingly at will.

Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offence, he said.

Black Hat founder Jeff Moss said he was reminded of the importance of data security while advising a government agency that had no way to tell which of its millions of records were accurate and which had been tampered with.

In the security industry, Moss said, "we're so day-to-day that we forget we're a piece of a bigger system, and that system is on the edge of breaking down".

Dire projections have led some professionals to despair, but others say the fact that their concerns are finally being shared by political leaders gives them hope.

Alex Stamos, who joined Yahoo earlier this year as chief information security officer, said the Internet could become either a permanent tool of oppression or a democratising force, depending on policy changes and technology improvements.

"It's a great time to be in the security industry," Stamos said. "Now is the time."
