Open source lessons for the cyber security industry
The only way to win the war against cyber "bad guys" is if cyber security follows the example set by the open source movement and democratises, making it everyone's responsibility.
That's the view of Marten Mickos, CEO of HackerOne, the bug bounty and vulnerability coordination platform. Speaking at the recent Linux Foundation's Open Source Leadership Summit in California, he told delegates that the security industry could benefit from the way in which open source had built the functionality and conflict-resolution governance that enabled people, including those who disagreed, to work together to achieve a common goal.
According to Mickos, while organisations like HackerOne could identify security vulnerabilities - and had in fact identified over 65 000 in its customers' software to date - it was ultimately up to users to fix them. Unfortunately, this was not happening as it should, despite the fact that cyber security had grown into a $100-billion industry.
In fact, Mickos reckoned that half of the money spent on walls, security products and technology was wasted because, he said, true security required working together and sharing information.
"You can't be secure if some people are secure and others not; you can't have secure software if just some of your software engineers are in charge of security; and you can't delegate or relegate security to a security team," he added.
He dismissed the excuse that cyber security was virtually impossible to manage because cyber threats were "asymmetrical" in the sense that it took only one malicious attacker to do so much harm that many more were required to defend against it.
The solution, he said, was a "pooled defence".
"The number of defenders is far larger than the number of bad guys. If companies can get together and pool the defence - share the information, share the defence, share best practices and share the act of responding to threats - then you overcome the asymmetry and turn it around, and suddenly you have 10 times the power of the attackers," he explained.
He offered these five key suggestions for dealing effectively with the cyber security pandemic:
- Learn from open source about sharing information, working together and being transparent.
- Embed security in everything and democratise it - make it everyone's responsibility.
- Fix all software - and if it can't be fixed, get rid of it. This applies particularly to software that is not designed for today's connected world - software that was designed before the Internet, or that assumed that not everybody would be connected.
- Deal with all cyber security issues quickly and efficiently: the winner in cyber security is not the one with the strongest tools, but the one who acts the fastest. One of the biggest problems with software today is that the update cycle is too slow.
- Discipline and diligence are key. The devil in cyber security is in the detail and in doing it every single time. It does not matter how many times you do it right - it's about ensuring you never fail to do it.