LAS VEGAS—Facebook Chief Security Officer Alex Stamos used an hour-long keynote at the Black Hat USA conference here to outline his views on how the security industry should improve, and also announced new investments to boost security.
Stamos is no stranger to Black Hat, which is celebrating its 20th anniversary this year. He said that in the early days there was a much more adversarial atmosphere at the event. He noted that in the early years, the true impact of internet security wasn’t well understood, but today that’s no longer the case with security breaches making headlines on a regular basis.
“We’re no longer the hacker kids fighting against corporate conformity,” Stamos said. “We don’t fight the man anymore, we are the man, but we haven’t changed how we view our responsibilities.”
In Stamos’ view, the security industry as represented at Black Hat has a responsibility to improve security in ways it still hasn’t achieved, so that people’s lives are actually made safer. He noted that security research is often focused on complexity rather than on the actual harm done by cyber-attacks.
He said that, as a community, there is an over-weighted focus on incredible security exploits and zero-days, even though those are not the bulk of actual security issues. The vast majority of things that end up harming internet users are items he labels as abuse, which includes things as simple as spam, password re-use or harassing someone online.
“As a community overall we are not yet living up to our potential,” Stamos said. “We have perfected the art of finding problems without fixing the root issues.”
Security nihilism is a condition that Stamos said is prevalent in the industry, with many people holding the view that most threats come from advanced hackers and nation-state adversaries. Stamos emphasized that while zero-day issues are important, there need to be more conversations about standard security issues. He also wanted the audience to remember that users aren’t the problem.
“The modern world of technology is built on tightropes and we haven’t put nets underneath,” Stamos said. “Every single day we ask people to walk the tightrope, and if they fall off, we say, ‘Sorry, can’t help you.’”
Facebook’s CSO didn’t take the stage just to deliver a sermon to his Black Hat audience on what they should do. He also used his time to explain what his company is doing to make the internet safer for everyone. Facebook recently renewed its support of the Internet Bug Bounty, which pays security researchers for finding vulnerabilities in open-source software.
Stamos also announced $1 million in new funding for the Internet Defense Fund to help encourage original research into practical defensive technologies. Topics that Stamos is interested in include research on how to improve security patching. Stamos added that Facebook is already working on making sure that its users can stay safe while working on unpatched operating systems.
“This room is full of $800 fully patched smartphones, but that’s not how it is in the rest of the world,” Stamos said. “There are lots of unpatched devices and we can’t say they aren’t worth protecting.”
Stamos also recognized the role that Facebook played in the recent U.S. election and in elections around the world. To that end, Facebook is now a founding sponsor of the Defending Digital Democracy Project, an initiative at Harvard University’s Belfer Center to help secure elections.
“We’re working with Harvard to help protect democracy,” Stamos said. “We are thinking about how to help election campaigns help themselves and set up good IT infrastructure.”
Stamos also advocated for more diversity in the security industry, both in terms of gender and background, to better reflect the broader internet community that the security industry is supposed to be protecting.
“It’s a critical moment for our industry. We have been asking people to pay attention to us and now they are,” Stamos said.
With that focus, he wants security professionals to have empathy for the people who use the technology that the security industry builds. He also wants to shift the focus from spectacular hacks to actually fixing real problems.
“I want as much thought as possible put into how we eliminate entire classes of vulnerabilities and not just how to do spectacular demos on stage,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.