Dan Geer has never been one to walk away from a fight. In 2003, he was fired from security firm @Stake after authoring a report, released by the Computer and Communications Industry Association, arguing that Microsoft’s monopoly over the desktop was a national security threat. Given that Microsoft was a client of @Stake at the time, it’s not a shocker that he didn’t make employee of the month. Somewhat humorously, in an interview with Computerworld after the incident, Dan remarked, “It’s not as if there’s a procedure to check everything with marketing.” Somehow I think a guy with degrees from MIT and Harvard didn’t need to check in with marketing to gauge what his firm’s reaction to the paper would be.
Fortunately for the Black Hat audience (and those of us who watched the presentation online), Dan continued to live up to his reputation. He outlined a 10-point policy recommendation (well summarized here) for improving cyber security. In the preamble leading up to the policy recommendations, he made two key points that provide critical support for his policy argument:
- The pace of technology change is happening so quickly now that security generalists can no longer keep up. Highly specialized security experts and governments are now needed to protect our information assets.
- If you want to increase information security, you have to be pragmatic and willing to make compromises. As Dan succinctly put it: “In nothing else is it more apt to say that our choices are Freedom, Security, Convenience—Choose Two.”
These points are important to keep in mind when listening to his presentation, because they provide critical context for his potentially unpalatable policy recommendations.