Black Hat: Come Together, Over Security

At his Black Hat keynote on Thursday, Rod Beckstrom, director of the National Cyber Security Center in the U.S. Department of Homeland Security, took conference attendees on a ride in his wayback machine to look for guidance about the future of cybersecurity in America's past.

Four months into figuring out just what the NCSC is going to do, Beckstrom came with more questions than answers. He said that we as a country and as users of the global Internet still have to figure out how our networks should function in the context of democracy, justice, governance, and international relations.

"How do we figure out how much to invest in security?" Beckstrom asked.

And he asked because, as he put it, "all of us are smarter than any of us."

(Though this truism is much beloved by those besotted with Wikipedia, its limits can be seen in the mediocrity of committee-written Hollywood scripts.)

"Offense is so much easier than defense," Beckstrom said. "And that's the fundamental challenge that we face."

Beckstrom's detour through American history served as the framework for an analogy he made between American democratic traditions and the way today's open source community works. He talked about Lincoln, who he insisted would have been an e-mail junkie in today's world, based on his affinity for telegraphic intelligence during the Civil War.

Lincoln, Beckstrom explained, "led this open source community [that was the United States]. ... The community had been in a huge dispute over membership that had gone on since the community was founded. ... The community could not come together. He tried to sit down with those who wanted to fork the code, [the secessionist South]. ... And Lincoln said no. ... As a result, the community went into a massive battle, the bloodiest battle in our history."

(Beckstrom did not address whether Linus Torvalds is today's Lincoln.)

By way of his elaborate analogy, Beckstrom sought to clarify his job: to foster collaboration and information sharing in the interest of cyberdefense.

Other historical figures were conjured up in the service of Beckstrom's message: George Washington, who learned from fighting in the French and Indian War about the value of guerrilla tactics; George Mason, whose open source module, known as the Bill of Rights, became a community standard; and Alan Pinkerton, protector of the Union and of Lincoln.

And let's not forget Benedict Arnold. "Benedict Arnold was the insider threat," said Beckstrom. "We have the same threats today, just with different technology and in a different medium."

That left the question of how much to invest in security. Given that there's a point of diminishing returns for security spending, Beckstrom suggested the limit should be when a dollar spent for security saves a dollar of loss. But he suggested that the curve that describes the relationship between dollars lost to security incidents and dollars spent to prevent such incidents can be flattened by investing in protocol security.

"Why invest in protocols? It may the cheapest security dollars we can invest," Beckstrom said.

Given the worries about Dan Kaminsky's recently revealed DNS bug, there's obvious value in making the networking environment less vulnerable to abuse.

Beckstrom concluded with a call for the computer security community and Internet stakeholders to work together to define what we want the Internet to become. He evoked the Latin motto found on the Great Seal of the United States: E Pluribus Unum, which means Out of Many, One.

Perhaps along the way we can settle the Mac vs. Windows vs. Linux debate, too.