LAS VEGAS – The founder of Black Hat and Facebook’s top security officer used their opening speeches here Wednesday to urge colleagues in the cyber research and security fields to focus more on cyber defense and the less “sexy” everyday threats confronting users of the internet.
Jeff Moss, who founded the Black Hat infosecurity conference 20 years ago, and Facebook chief information security officer Alex Stamos – who said he attended the companion DEF CON conference as a teenager – hit similar notes at a keynote session before 10,000 or more jammed into the arena at the Mandalay Bay casino and resort.
“Where we’re going as an industry is social,” Moss said. “Your success going forward will depend more on social skills than technical skills.”
He explained that playing offense in cyberspace – hacking and attacking – “is clean and technical. But defense is hideously social.” That includes factors such as how much to spend and on what, and how to measure success.
“For defense to ever be greater than offense, immediately you start jumping into all these social, political and economic problems,” he said, adding that the cyber community has a “responsibility.”
“If we can move to security-by-default, we have a responsibility to do that,” he exhorted the crowd.
Stamos built on those points in his keynote. “We’re still really focused on the sexy ‘difficulty’ questions – it’s like we’re trying to impress the East German judge” at the Olympics in the ’70s and ’80s, he quipped.
He said researchers spend most of their time working on the most sophisticated kind of attacks and “we don’t even talk a lot about targeted attacks that use common malware.”
Stamos also warned against thinking that “if only the user were smarter” the problems could be solved by technologists, and against what he called “security nihilism,” in which “any compromise designed to make security more accessible” is viewed as a fatal flaw.
“Every day we ask billions of people to walk a tightrope,” he said. “We need to put ourselves in the shoes of users.”
He noted that Facebook has set up award programs – featuring $1 million in prizes – for research focused on everyday issues like why patches aren’t applied, how to stop contagions from spreading when email addresses are compromised, and the security of “the real mobile ecosystem as actually deployed,” noting that billions of people use smartphones without the latest security elements.
Stamos called for “broadening the scope of what we consider the security industry and broadening our areas of responsibility.” He pointed to an effort Facebook has undertaken with Harvard’s Belfer Center to protect the election system as an example, noting this was “only partially cybersecurity.” – Charlie Mitchell (email@example.com)