LAS VEGAS -- Black Hat 2017 marks the 20th anniversary of the conference, and during the show's opening keynote, Facebook CSO Alex Stamos urged the community to take advantage of the voice it has, to focus on bigger problems than the ones that make good presentations, and to expand that focus beyond traditional defensive security efforts.
In his keynote, Stamos described the early days of the Black Hat conference -- the legal conflicts leading to speakers being arrested or speakers quitting their jobs in order to be able to speak about security issues openly.
"Our community has always been very thoughtful about anticipating the practical, economic and societal impact of our work and in the early years those concerns were pretty easily dismissed," Stamos said. "Over the last 20, 10, five and I would say especially over the past year, we've been completely vindicated. People now know how important it is to build secure systems to underline our civilization. A topic that was once considered fringe, a topic that we had to fight for respect for, is now on the front page of every newspaper pretty much once a week."
Stamos noted that the culture of being the "upstart hacker kids" no longer applies to those at Black Hat 2017 and the infosec community needs to use the voice it has responsibly and effectively. Part of that culture change may include highlighting problems beyond the technical issues of defensive security.
Substance over zero days
While he appreciated the work done by Black Hat attendees, Stamos said the overall conversation was too often "dominated by zero-day problems" and attention-grabbing flaws, while losing sight of much larger issues.
"We have perfected the art of finding problems over and over again while ignoring the root issues," Stamos said. "We have a tendency to focus on the complexity of a flaw instead of focusing on the real human harm. The truth is that adversaries will do the simplest thing to affect [the] cause that they want. And in security academia and security research, we're still really focused on the really sexy difficult problems."
Stamos said this limited view has left the vast majority of real-world human harm and abuse outside the traditional scope of defensive security research.
During a Q&A session after the keynote, Stamos described a few potential reasons for this limited view of defensive security, including the intellectual curiosity that drives hackers to the infosec space, the incentive structure surrounding finding bugs, and the marketing and media impact of showing off a previously undiscovered flaw.
Defensive security compromises
Related to this focus on "sexy" vulnerabilities and perfect solutions to those issues, Stamos said the infosec community "punishes imperfect solutions in an imperfect world" and has an "inability to put ourselves in the shoes of the people we're trying to protect."
Stamos said IT professionals have become affected by security nihilism, which he defined as "an overlapping set of beliefs that includes the assumption that all attackers are perfect, that everybody faces the worst possible threat scenario, or that any compromise to make a security feature more widespread should be considered a bug."
Examples Stamos cited included the early claims that the public cloud would never be secure enough for the enterprise, as well as the media coverage of the "trade-offs" WhatsApp needed to make in order to scale its end-to-end encryption to hundreds of millions of users.
"We have not been very effective in engaging the world and that's true both on a micro level in our individual engagements, as well as on a geopolitical level. This is a truth that it took me a while to figure out: We are no smarter than the people whose systems we break," Stamos said. "It's really seductive to think of us this way, but the truth is that security people aren't brilliant; we're not that much smarter than everybody else. We bring a very important way of looking at the world and an important set of skills and tools, but that doesn't mean that we need to denigrate others when we point out their mistakes. We aren't going to bug-squash our way out of this current situation."
Diversity in defensive security
Stamos said the infosec community "celebrates breaking much more than defense" and needs to work harder to eliminate entire classes of bugs, build architectures that are resilient to failure and build relationships between the security side and developers.
Part of the answer, according to Stamos, is to broaden what infosec considers to be its responsibility and to focus more on root causes of widespread issues.
"Our focus on technical complexity means we are not applying the intellectual framework that we've built about the adversarial use of technology against the problems that actually affect millions of people every single day," Stamos said. "I think if we change the balance a little bit, it would actually impact a lot of people."
Stamos suggested a major way that infosec can change the way it approaches defensive security issues is to ensure a diversity of people, backgrounds and thought. This means not just gender and ethnic diversity but ensuring viewpoints outside of technical backgrounds, including those specialized in international relations, foreign languages and more.
"Building a diverse team and diverse backgrounds is really key because you never know what kind of problems you're going to get and so it's much better to have a toolbox with all different kinds of tools than to only have the best screwdrivers in the world," Stamos said.
Stamos urged the attendees at Black Hat 2017 to keep in mind issues of inclusion and exclusion because he said behavior here will impact who feels welcome in the infosec community going forward.
"This isn't just about doing the right thing. It's not just about diversifying our community. It's about building the ability for us to address these problems over the next decades. Things are not getting better. Things are getting worse. We don't have enough people and we don't have the right people, and a lot of that starts here," Stamos said. "It's a critical moment. We've been asking people to pay attention to us for over 20 years and they are. We have the world's attention, what are we going to do with it?"