If you throw enough money at a problem there’s bound to be a solution, some think. That’s the logic of security expert Dan Geer, who this week told the Black Hat conference in Las Vegas that the U.S. government should throw a heck of a lot of greenbacks at people who discover vulnerabilities.
How much? Ten times more than anyone else, he said in a keynote address.
Geer, chief information and security officer at In-Q-Tel, a not-for-profit venture capital company that invests in early stage companies making products aimed at U.S. intelligence agencies, maintained the U.S. should corner the market on vulnerabilities.
“Then we make them public and reduce to zero the inventory of cyber weapons that others have,” Geer said. “I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference.” including eSecurity Planet and ThreatPost.com.
A number of companies have so-called bug bounty programs, including Microsoft and Google. Nor is Geer the first to say governments should open their wallets. In January, researchers at NSS Labs issued a report arguing that only drastic measures can bring cyber threats under control.
As a keynote speaker, Geer might have been merely trying to be provocative. On the other hand who could argue with his declaration that IT security weaknesses “are a riveting concern?” — especially this year with revelations spanning from the loss of data from Target, the Heartbleed-related theft from the Canada Revenue Agency to this week’s report of a Russian gang that has a stash of some 1.2 billion pairs of passwords and usernames.
Here are a few of his other suggestions:
–mandatory bug reporting. He didn’t say who would be the enforcer, governments or regulators, but the idea is that when an organization or vendor discovers a vulnerability it can’t be kept a secret;
–vendor liability for problems created by bugs. In a world of interoperability, where products have to work with software and hardware from others, this may be impossible, but Geer seems to believe that with no one to blame, vendors aren’t doing enough to prevent vulnerabilities;
–make abandoned software open source. When Microsoft ended support for Windows XP, vulnerabilities stopped being patched, yet millions of people are still running the OS. Support a product or give it to the public, Geer said.