“The internet is not a safe place right now, and, more importantly, the tools we’re using to interact with it are relatively broken,” warns Dan Kaminsky in a podcast with O’Reilly’s Courtney Nash. As evidence, a large percentage of Americans are starting to back away from the internet due to security and privacy fears. “We shouldn’t be surprised,” adds Kaminsky in this CyberScoop column. “At this point, who hasn’t gotten a disclosure notice, a replacement credit card, or dealt with something worse?”
More to the point, Kaminsky adds, “We could lose this internet.”
If you are wondering why you should even pay attention to Dan Kaminsky—cofounder and chief scientist of WhiteOps, a security consultancy—he has a track record of uncovering fundamental flaws with the internet and the technology behind it. For example, Kaminsky discovered a vulnerability in the Domain Name System (DNS) that allowed attackers to redirect unsuspecting internet users to alternative malicious web servers.
Use the National Institutes of Health as a model
However, there is good news. Kaminsky believes if we work together, it is possible to save the internet. As to how, Kaminsky writes, “I firmly believe we need something akin to a National Institutes of Health (NIH) for cybersecurity.”
As to why he suggests using the NIH as a model, Kaminsky believes the healthcare industry—in particular pharmaceutical companies—face similar problems and are able to solve them successfully. “This is not the first time a new technology has shown up with tremendous potential and a lot of problems,” begins Kaminsky. “Pharmaceutical designs need reliable manufacturing and test regimes. We need to know what process and technology inputs reliably lead to desired outputs—not theoretically, but experimentally, across actual populations.”
Cybersecurity, according to Kaminsky, also relies on the same type of methodology. He adds, “The reason I talk about the NIH is because they actually fund work on these sorts of problems, and things do get better.”
Kaminsky suggests the following are ways the healthcare industry is doing it better.
- When things go wrong, the blame game is not brought out.
- Due to the nature of the industry, if a problem occurs it is investigated thoroughly.
- More data is shared between companies.
With regards to data sharing, Kaminsky feels most cybersecurity work takes place in silos. “Individuals are doing extraordinary engineering work in cybersecurity, but there’s more than just one guy working to cure cancer,” explains Kaminsky in his CyberScoop column. “Too much cybersecurity work depends on the spare time of too few. We need institutions, with good and stable funding—and a bureaucratic firewall against those with other motivations.”
Kaminsky has a novel idea
“This will be expensive, long term, difficult, and sometimes boring work, which needs armies of nerds, and funding not threatened by next quarter’s earnings.” Dan Kaminsky
Besides altering how cybersecurity problems are solved, Kaminsky believes that empathy or the ability to understand the thought processes of others must come into play. “Empathy is how you make things that don’t suck,” Kaminsky told O’Reilly’s Nash. “It is the process of putting your mind in someone else’s life experience and thinking, ‘Okay, this is where you’re coming from. What do you need?'”
Remember what’s at stake
Kaminsky understands that his novel solution will not happen overnight, adding, “This will be expensive, long term, difficult, and sometimes boring work, which needs armies of nerds, and funding not threatened by next quarter’s earnings.”
Besides the amount of hard work, Kaminsky offers an additional warning: “The reality is that who ever figures out how to make reliably secure code at scale is going to host the next Silicon Valley. I’d prefer it to be our Silicon Valley, but we’re not the only nation with talented programmers.”