Reporting Hacks Should be Like Disease Control, Say Experts

Dan Geer, famed cyber security expert, has called on mandates to be put in place on all companies that force them to disclose hacks and breaches, much like disease control.


Photo: Black Hat

During his keynote speech at this year’s Black Hat conference, Geer made the suggestion that companies should face mandatory requirements, which need to be stronger than those seen in the White House Cybersecurity Framework.

“Wouldn’t it make sense to have a regime of mandatory reporting for cyber-security failures?” he remarked. “Should you face criminal charges if you fail to make such a report?”

Geer suggested that attacks and breaches “above some threshold” simply must be reported to authorities, making reference to the paper Surviving on a Diet of Poisoned Fruit, penned by ex-Navy man Richard Danzig, who makes the case for hack reports to be treated as seriously aviation issues.

Geer’s remarks have been likened to disease control to prevent an outbreak and given the speed that computer viruses can spread, it appeared as an apt comparison amongst those at Black Hat.

The keynote speech all tied into Geer’s calls for greater accountability in software. He also suggested stress tests, similar to that in the banking sector.

“The only two products not covered by product liability today are religion and software, and software should not escape for much longer.”

“The current situation – users can’t see whether they need to protect themselves and have no recourse to being unprotected – cannot go on,” said Geer.

He was also firm on the practices of handling metadata, saying that users should have absolute assurance that this information is deleted and not held.

“If you can’t give me assured deletion, why should I not assume that it’s being stored permanently?”