Dan Geer, the Chief Information Security Officer at In-Q-Tel (the US Intelligence Community's venture capital firm) and all-around cyber guru, recently gave a keynote speech to the Recorded Future RFUN 2015 conference entitled simply "Intelligence." Like so many of Geer's talks, it is flecked with wisdom, references to a broad mix of thinkers, insights into information security, a bit of philosophy, math and statistics, rhetorical questions, and brilliant nuggets like this...
“…What I want is to predict the future. I want it for reasons that are no doubt emotionally clear, but I also want it because of my own definition of security: The absence of unmitigatable surprise. As always in cybersecurity, we are now talking tradeoffs. One of those is in deciding how many failures is the right number of failures. It can't be unbounded; that's obvious. It can't be zero, either, as zero quite likely means that you are overspending and, in any case, learning from failure is especially crisp; as Francis Bacon said "Truth emerges more readily from error than from confusion."
Defining a state of security as the absence of unmitigatable surprise mirrors what I know to call "the availability calculus," namely that we can get 100% availability by driving the time between failures to infinity or by driving the time to repair to zero. I am searching for prediction because I want to drive to infinity the time between failures for which I have no mitigation and drive to zero the time to repair failures for which I do have mitigation(s)…”
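The "availability calculus" Geer invokes above is easy to make concrete. What follows is an added example, not from the original post or from Geer's talk. It assumes the standard steady-state model (a failure mode is available a fraction MTBF / (MTBF + MTTR) of the time, and independent failure modes in series multiply), and the three failure modes and their hours are constructed for illustration.

```python
"""Worked illustration of the availability calculus quoted above.

Added example; not code from the original post or from Geer. It assumes the
textbook steady-state model: one failure mode is up a fraction
MTBF / (MTBF + MTTR) of the time, and independent modes in series multiply.
"""
import math

HOURS_PER_YEAR = 365 * 24


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability of a single failure mode: MTBF / (MTBF + MTTR).

    mtbf=float('inf') models a failure we never experience (Geer's "drive the
    time between failures to infinity"); mttr=0 models instant repair ("drive
    the time to repair to zero"). Either limit yields availability 1.0.
    """
    if mtbf <= 0 or mttr < 0:
        raise ValueError("mtbf must be positive and mttr non-negative")
    if mttr == 0 or math.isinf(mtbf):
        return 1.0
    return mtbf / (mtbf + mttr)


def system_availability(modes) -> float:
    """Availability of a system that is down whenever any listed mode is active.

    modes: iterable of (name, mtbf_hours, mttr_hours). Modes are assumed
    independent, so their availabilities multiply.
    """
    a = 1.0
    for _name, mtbf, mttr in modes:
        a *= availability(mtbf, mttr)
    return a


def downtime_hours_per_year(modes) -> float:
    """Expected hours per year the system is down under the series model."""
    return (1.0 - system_availability(modes)) * HOURS_PER_YEAR


def dominant_mode(modes) -> str:
    """Name of the mode contributing the most downtime (largest MTTR/MTBF ratio)."""
    return max(modes, key=lambda m: m[2] / m[1])[0]


def with_mitigation(modes, name: str, mttr_hours: float):
    """Copy of `modes` in which `name` now has a mitigation that takes
    mttr_hours to apply, i.e. its time to repair is driven down."""
    return [(n, b, mttr_hours if n == name else r) for n, b, r in modes]


# Constructed failure modes (hours): two have a mitigation in place, one does
# not, so its "repair" is waiting weeks for a vendor fix. Numbers are made up.
MODES = [
    ("account takeover via phishing (mitigated: MFA reset playbook)", 720.0, 2.0),
    ("primary database outage (mitigated: automated failover)", 2000.0, 0.25),
    ("exploited bug in edge appliance (no mitigation: wait for vendor fix)", 8760.0, 336.0),
]

if __name__ == "__main__":
    print(f"baseline availability: {system_availability(MODES):.5f}")
    print(f"baseline downtime:     {downtime_hours_per_year(MODES):.1f} h/year")
    print(f"dominant mode:         {dominant_mode(MODES)}")
    fixed = with_mitigation(MODES, MODES[2][0], 4.0)
    print(f"after adding a 4 h mitigation for that mode: "
          f"{downtime_hours_per_year(fixed):.1f} h/year")
```

Running it shows Geer's point in numbers: the rarest failure mode (once a year) dominates downtime because it has no mitigation, and giving it a four-hour playbook cuts expected downtime by an order of magnitude, far more than shaving hours off the already-mitigated modes. That is the tradeoff he describes: spend on prediction for the failures you cannot mitigate, and on repair speed for the ones you can.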
The speech is very much worth a read and, like all of Geer's talks, ends with his perpetual conclusion: "There is never enough time. Thank you for yours."
Geer, like Bruce Schneier, is an information security professional's information security professional: highly in demand as a speaker and a leader in thinking about these issues. Unlike Schneier, Geer does not have a large canon of books that encapsulate and memorialize the many ideas he has shared with audiences. Given this relative paucity of Geer's published work (at least outside of more technically minded journals), it seems worthwhile to catalogue some of his more interesting work for a broader audience.
When Geer keynoted recently at the RSA conference, as well as when he did so the year before at Black Hat, there was wide media coverage and much publicity. However, those who follow Geer's writing and speaking know that both talks drew heavily on some of his earlier, and lesser-known, work. Indeed, Black Hat's Cybersecurity as Realpolitik was not the first time Geer unleashed his pithy gem for Internet users: "Freedom. Security. Convenience. Choose two."
Below is a small sample of Geer's somewhat lower-profile (at least when compared to RSA or Black Hat) writings and talks that are of exceptional value for anyone thinking about information or cyber security, or security more generally. Note also his consistent desire to attribute those ideas that are not his own to their originators, a breath of fresh air!
Books
- The 2010 book Economics and Strategies of Data Security, written while Geer was with Verdasys, is a phenomenal introduction to the economics of information security. While no longer in print, the book is widely available online for very little money. Geer's current broad, practical approach is presaged in this volume.
- The 2007 book chapter The Physics of Digital Law: Searching for Counterintuitive Analogies, from the volume Cybercrime: Digital Cops in a Networked Environment (edited by J. M. Balkin et al.), reminds us of something we forget too often, namely that "Network Boundaries Have Zero Alignment with Political Boundaries."
Articles and Texts
- The 2013 IEEE article On Abandonment raises key security questions, such as what should happen if there is "a certifying authority that goes bankrupt: Who gets the keys? Some things are too valuable to be allowed to be abandoned."
- The 2013 ACM QUEUE article Resolved: The Internet is No Place for Critical Infrastructure features numerous themes and examples that showed up in later high-profile Geer talks.
- The 2011 IEEE article A Time for Choosing is summed up by the subtitle: “As the Internet becomes more important, the claims on it increase. Those claims cannot all be met. Now is the time for choosing.”
- The 2010 essay Cybersecurity and National Policy in the Harvard National Security Journal is part analysis, part aggregation of hacker koans... “When I think about cybersecurity and national policy, I can only conclude that the problem is the problem statement.”
- The 2007 ACM QUEUE article The Evolution of Security, subtitled "What Can Nature Tell Us About How to Manage Our Risks," draws on Geer's training as a biostatistician to approach security and risk management.
- The 2003 paper CyberInsecurity: The Cost of Monopoly, with Pfleeger, Schneier, Quarterman, Metzger, Bace and Gutmann, was one of the more controversial pieces of information security analysis of the past twenty years, and drew widespread attention to the vulnerabilities of computer "monocultures."
- The 2003 Comments on the National Strategy to Secure Cyberspace, in the form of an email to senior government officials, is an unusually direct set of comments on a particular policy document, with predictable insight and pragmatism.
Talks
- The recent Q&A session with Geer and former NSA technical director Brian Snow, following their joint keynote talk at M3AAWG, was a fascinating discussion between two unique minds focused on these issues, in which they found much common ground.
- The talk We Are All Intelligence Officers Now (RSA 2014) is one of Geer's best and most intellectually fertile, offering real insight into the rate of change in cyber security, the implications for national security, and the implications for individual privacy.
- The talk Identity as Privacy (2013 B-Sides Boston) gives exceptional insights into observability, identifiability, and privacy.
- The moderated discussion with members of the aviation industry in 2013 (AIAA) has some of Geer’s most trenchant insights on engineering, how cyber security applies to various industries, and the development of the field over time.
- The talk Criticality, Rejectionists and Risk Tolerance (2012 Source Boston) is perhaps one of the best snapshots of how to define critical infrastructure, its relationship to the Internet, and why dependency is, or should be, one of the key concerns of modern technological society.
- The seemingly spotty attendance at Geer's talk A Quant Looks at the Future (2010 CERIAS) should not be read as a commentary on the quality of the analysis. This talk shows well Geer's mathematical bent, his focus on security metrics, and the complexities of measuring security. An article version is also available.
- The keynote talk on the future of security (2008 Source Boston) is a somewhat earlier version of his modern broad analytic talks.
- And of course, don't miss the vintage Geer description of Kerberos, which he worked on at MIT's Project Athena.