Cybersecurity specialists must remember they are defenders of information, not athletes vying for gold, Facebook’s cyberchief told a Las Vegas audience on Wednesday.
Security teams focus too much on potential complex threats and not enough on simple, everyday “abuses” such as spam and harassment that harm people, said Alex Stamos, who is responsible for protecting 2 billion Facebook users as the social media company’s chief security officer. Such issues should be considered part of the cybersecurity realm.
“It is a little bit like we are still in the ’80s watching the Olympics. We are expecting the East German judge to have a score for the difficulty of the gymnastics routine. That is not how hacking is judged,” Stamos told cybersecurity experts gathered Wednesday at the Mandalay Bay Convention Center for the industry’s annual Black Hat conference and expo.
Security professionals are still too focused on the really “sexy” problems while the overwhelming majority of security breaches are not very technically advanced, such as compromised passwords. Cybervillains will choose the simplest path available to steal information, Stamos said.
Black Hat, which runs through Thursday and is closed to the public, attracts more than 15,000 industry professionals from about 100 countries. The conference hosts dozens of courses and briefings for cybersecurity specialists over six days.
Stamos said he would like cyberspecialists to come up with solutions that would stop contagion when an email address gets compromised and improve security of cheap smartphones that hundreds of millions of people buy each year for $100 or less with outdated chips.
Cloud Computing, WhatsApp
Stamos highlighted two other problems he sees impeding cybersecurity.
Some industry experts assume the worst possible threat scenario and tarnish any security solution that is not perfect, sowing doubt among consumers.
That hinders the rollout and adoption of new products that would nonetheless be a step forward in security protection, Stamos said.
The security chief cited as examples criticism of cloud computing as well as last year’s rollout of encryption for Facebook’s texting system WhatsApp.
Facebook had to make some “trade-offs” to make the encryption available to 1 billion users, Stamos said.
“We need to start pushing back on some of these ideas because it is making it difficult for us to affect change. It really does cause harm.”
The cybersecurity community needs to improve the way it engages with the world, especially government officials and investigators, Stamos said.
Security specialists tend to be too quick to criticize and unwilling to engage officials seeking access to private information in criminal cases.
“Put yourselves in the shoes of somebody whose job it is to put child molesters in jail or to stop the growth in terrorist networks,” Stamos told them.
“Think about what are the kinds of solutions we may be able to offer that don’t require back doors or violate some of the principles we hold dear.”
Stamos said Facebook will use its cybersecurity expertise to help find solutions to election hacking.
Facebook is joining a new project launched by Harvard University’s Belfer Center called Defending Digital Democracy. The project was launched this month amid accusations that Russian hackers attempted to influence the 2016 presidential elections.
The U.S. will host thousands of elections in November 2018, including 435 U.S. House races, 33 U.S. Senate races and about 36 gubernatorial races.
Each campaign for each election will be like a small startup built from scratch, Stamos said. The vast majority of campaigns run their own IT, some with volunteer staff. They may not have the resources to fight off sophisticated attacks, he said.
“It is very difficult to find people who have experience dealing with incredibly advanced threat adversaries,” Stamos said.
Defending Digital Democracy will try to find solutions to help these campaigns defend themselves.
Contact Todd Prince at email@example.com or 702-383-0386. Follow @toddprincetv on Twitter.