Explore Black Hat '24 key insights: Moxie Marlinspike on software development, Jen Easterly on secure-by-design, and Harry Coker on cybersecurity workforce.
The 2024 Black Hat conference in Las Vegas brought together some of the most influential voices in cybersecurity, offering critical insights for security professionals navigating an increasingly complex digital landscape. From the philosophical underpinnings of software development to practical strategies for securing critical infrastructure, the keynote speakers provided a comprehensive view of the industry's challenges and opportunities.
The Magic of Software Development
Moxie Marlinspike, the founder of Signal, opened his Day Two Keynote with a thought-provoking analogy comparing software development to magic in the Harry Potter universe. He argued that software is one of the few domains where individuals can create powerful, transformative tools with minimal resources:
"To make amazing things with software, you don't need to motivate and assemble large groups of people. You don't need a permit or license. You don't need to allocate large sums of capital. The only thing that you need is a computer, and it doesn't even have to be a good one."
Marlinspike contends that this unique characteristic of software development makes it the "actual magic of the Harry Potter variety." However, he also expressed concern that this magical quality has been diminishing over time, partly due to the increasing complexity of software ecosystems and the reliance on abstraction layers.
The Intertwined Nature of Vision and Engineering
Marlinspike challenged the conventional view of software development as a straightforward engineering process, arguing instead for a more nuanced understanding:
"I think this relationship between vision and engineering is actually intertwined and bidirectional, rather than linear, and that the whole of software development is filled with discovery, even though it exists within a completely known universe."
He illustrated this point with historical examples, such as the development of color cycling techniques in early computer graphics, demonstrating how a deep understanding of systems can lead to unexpected and innovative results.
The Danger of Black Box Abstractions
One of Marlinspike's key concerns is the trend toward treating abstraction layers as black boxes rather than as shorthands for understood processes:
"The problem in computing with using abstractions as black boxes is that these interfaces are never perfectly computing. Understanding what they're doing can sometimes have negative results, and those negative results usually compound with the size, scale, or complexity of an application."
He argues that this approach not only limits the potential for innovation but also creates challenges in developing truly secure and efficient systems.
Implications for Organizational Structure
Marlinspike extended this critique to the structure of software development organizations, suggesting that the trend towards autonomous teams can sometimes mirror the problems of black box abstractions:
"Autonomous teams look a lot like black box extraction layers that they almost seem like a microservices architecture inside an organization. When you have teams of people that are treated as black boxes, I think it can be difficult for autonomous teams to have the insights that are necessary for excellent outcomes."
A Call to Action for the Security Community
In concluding his talk, Marlinspike issued a challenge to the security professionals in the audience:
"What I'm trying to say is that you all are the ones who have been sitting in the library, learning the spells and secrets, actually understanding how all of this works. All you have to do is look at the things you understand really deeply, look at the problems in the world around you that you're acutely aware of, and think about the ways the things you understand really deeply can be applied to the problems you're acutely aware of."
Shifting the Narrative: From Villains to Vendors
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), took the main stage to reframe the cybersecurity narrative, shifting focus from the traditional "villains and victims" story to the role of technology vendors in creating secure systems.
The Myth of Inevitable Vulnerabilities
Easterly challenged the industry's acceptance of software vulnerabilities as unavoidable:
"We have absolutely normalized vulnerabilities. We have bought into the myth of the software vulnerability as an inevitable act of nature. It's like a monsoon. We are powerless to prevent these unpredictable acts of God. All we can do is just respond as rapidly as possible."
She argued that this mindset has allowed technology vendors to continue producing insecure software without sufficient accountability.
The Need for Secure by Design Products
Easterly emphasized the importance of shifting responsibility to those most capable of effecting change:
"We don't have a cybersecurity problem. We have a software quality problem. We don't need more security products, we need more secure products."
To this end, CISA has launched the Secure by Design initiative, aiming to drive a fundamental shift in technology development and deployment.
The Secure by Design Pledge
Easterly highlighted the growing momentum behind the Secure by Design movement:
"We now have nearly 200 visionary vendors committed to a new, more secure technology ecosystem, working with those members to track progress to the technology ecosystem."
This pledge commits vendors to progress in seven key secure-by-design areas, including increasing multifactor authentication and reducing or eliminating default passwords.
Empowering Customers Through Secure by Demand
Recognizing that change requires action from both vendors and customers, Easterly introduced new resources for organizations:
"Earlier this week, we released secure by demand guide for software customers, and it has questions that organizations can ask the technology vendors to find out how they're prioritizing product security."
She urged all organizations to use their purchasing power to drive the adoption of secure-by-design practices across the industry.
Addressing the Cybersecurity Workforce Shortage
Harry Coker, Jr., the White House National Cyber Director, addressed one of the industry's most pressing challenges: the shortage of qualified cybersecurity professionals.
Multiple Pathways to Cybersecurity Careers
Coker emphasized the need for diverse approaches to building the cybersecurity workforce:
"In order for this nation to address the nearly 500,000 open cyber jobs, we put the strategy in place, and we are executing it again with our public partners. We provide multiple pathways to a career that's good paying and has a noble purpose."
These pathways include initiatives at community colleges, programs for military veterans and spouses, and efforts to introduce cybersecurity concepts earlier in education.
Hands-On Experience for Students
One key strategy Coker highlighted was the establishment of Security Operations Centers (SOCs) on college campuses:
"One of the best practices is SOCs having a spot on campus. The students get hands-on relevant experience while they're still undergrads. For students, that's number one. So when they do decide to leave school, they have relevant experience."
This approach benefits students and can also provide valuable support to local communities and small businesses that might otherwise lack access to cybersecurity resources.
Broadening the Definition of Cybersecurity Skills
Coker emphasized that cybersecurity roles are not limited to those with technical backgrounds:
"It used to be that folks thought cybersecurity was focused merely technical industries. That's just not the case. Cybersecurity, infrastructures, I dare say, every industry in this nation, we all have to have a level of cybersecurity."
This broader view allows individuals from diverse backgrounds to contribute to the field.
Looking to the Future: Continuity in Cybersecurity Policy
As the conference takes place in an election year, Coker addressed the importance of maintaining a consistent approach to cybersecurity regardless of political changes:
"We delighted that cybersecurity is a non-partisan issue. Our work has been non-partisan. The National Cyber Security Strategy has been backed by partners and all across the political space because it is there to have an affirmative vision of the digital foundation for this nation."
He emphasized the need for transparency, accountability, and continued collaboration between the public and private sectors to address ongoing cybersecurity challenges.
Conclusion: A Call for Collective Action
The keynotes at Black Hat 2024 painted a picture of a cybersecurity landscape at a critical juncture. Marlinspike's call for a deeper understanding of software systems, Easterly's push for secure-by-design practices, and Coker's strategies for building a robust cybersecurity workforce all point to the need for a collective, multi-faceted approach to securing our digital future.
As security professionals, our challenges are to combine deep technical knowledge with a broader understanding of the societal impacts of our work, demand more from technology vendors while fostering innovation, and actively participate in building a diverse and skilled cybersecurity workforce.
The speakers' messages underscored that cybersecurity is not just a technical challenge but a shared responsibility that requires collaboration across sectors, disciplines, and political divides. By embracing this holistic view and taking action on multiple fronts, the cybersecurity community can work towards a more secure and resilient digital ecosystem for all.
Comments