LAS VEGAS—In a wide-ranging keynote speech at the Black Hat information security conference today, computer security icon Dan Geer gave attendees a sort of personal top 10 list of things that could be done to make the Internet more secure, more resilient, and less of a threat to personal privacy. Among his top policy picks: the US government should move to “corner the market” on security vulnerabilities by paying top dollar for them and then publish them to the world.

Geer is the chief information security officer for In-Q-Tel, the not-for-profit venture capital firm funded by the Central Intelligence Agency to incubate technologies that aid intelligence operations. However, he noted that he was speaking in a private capacity at the event and not as a public official.

“We could pay 10 times the market price” for zero-day vulnerabilities, Geer said. “If we make them public, we zero the inventory of cyber weapons where it stands.”

The effectiveness of the strategy, he admitted, was “contingent on vulnerabilities being sparse—or at least less numerous.” And he expressed concern that the growth of vulnerabilities created by machine-written code could outstrip the ability of human researchers to keep up—rendering bug-hunting a form of “security theater.”

Geer expressed a personal interest in reducing his own exposure to the “dependencies” of the Internet because of his concerns about the rapidly increasing risks to privacy and security. At the same time, he advocated for greater monitoring of Internet traffic for the purpose of forensic examination of security threats—“looking backward for evidence of something you don't know about before has value,” he observed.

A passel of policies

Geer’s suggestions also included a number of proposed policies aimed at forcing corporations, software vendors, and Internet service providers toward an environment that would be more friendly to both security and privacy. He suggested a mandatory reporting regimen built on the Centers for Disease Control model that would apply to all breaches above an agreed level of severity.

“The US CDC is respected the world around,” he noted.

Geer said the CDC is so effective because of its mandatory reporting scheme, its analytical data store, and its ability to send a response team to the source of an outbreak.

“We have well established rules of medical privacy, based on a need-to-know regime—most days, that is. But if you check in with bubonic plague, Ebola, or anthrax, you have zero privacy.”

For less severe breaches, Geer used another model for reporting: the voluntary, anonymized reporting approach similar to the Aviation Safety Reporting System (ASRS) used by the Federal Aviation Administration (FAA) for “near miss” incidents between aircraft. ASRS allows airlines to report accidental safety rule violations voluntarily without facing penalties, demonstrating what the FAA describes as a “positive safety attitude.”

The reason for this approach, he argued, was that currently over 75 percent of security breaches are reported by a third party and not by the target of the breach.

“The victim might not even know if the breach is never reported,” Geer underscored.

“Net neutrality is not a panacea”

Geer also recommended fixes for software liability that he believes would correct much of the underlying cause of security vulnerabilities—or at least give companies financial incentive to do more thorough testing.

“Clause one would be, if you deliver code with buildable source, your liability is restricted to a refund,” he proposed.

Developers would provide a “bill of materials—what came from who,” so that the licensee could recompile without the parts that they don’t trust.

“All your copyrights are still yours, leaving everything unchanged,” he noted. The alternative, he said, was “you are liable for any damage your software causes in normal usage.”

While he added that “normal usage” was something that courts would have to define, there were some obvious things software shouldn't do. “Plugging a USB into a computer should not make your computer part of a botnet. That's not something that an operating system should do as part of normal usage.”

Additionally, Geer said, “abandoned” software—such as older versions of operating systems no longer supported by their developers—should be treated the same way as other abandoned property—“either you support it, or you give it over to the public.”

The bearded guru also weighed in on network neutrality and its relationship to the health of the Internet.

“Net neutrality is not a panacea,” he said, adding that Internet providers’ ability to claim the protections of being a common telecommunications carrier while avoiding liability for what passes over them allowed them to duck any responsibility for security.

He declared that ISPs needed to be “restricted to a constrained set of choices. You can charge whatever you want, but you are responsible for what you carry; or you can be a common carrier and not monitor traffic. You get one or the other, but you don’t get both.”

Convergence “cold civil war”

Geer also expressed a range of concerns about privacy and government efforts to monitor and control the Internet. He addressed the convergence of the “meatspace” world of government and society with cyberspace.

He said that there is a “cold civil war” underway over how that convergence will happen as governments and institutions fight to exert control over what happens online, and as the Internet engulfs more of commerce and human interaction.

The natural tendency of that convergence, Geer postulated, pushes the physical world to move toward the rules of cyberspace. He pointed to what has happened with newspapers in the age of the Web as an example, and said that the democratizing power of the Internet threatened to reduce the relevance of nation-states.

“People have more power [through the network], and those who used to have power want to act in a countervailing way,” Geer said. “The power that is growing in the network will soon challenge governments’ ability to control.”

One possible result, Geer hypothesized, is that “cyberspace may become more like meatspace,” with government moving to break the Internet into more easily controlled “chunks.”

That sort of balkanization of the Internet has been a feared result of the backlash to US dominance of the Internet following Edward Snowden’s leaking of NSA documents about broad surveillance, but it is also already being seen in countries trying to exert more control over Internet speech—be it Russia’s recent laws requiring individuals’ data be stored in Russia and the regulation of bloggers, China’s “Great Firewall,” or Iran’s efforts to censor foreign Internet content.