PINDROP BLOG

Kaminsky: We Need an NIH for Cybersecurity

LAS VEGAS–The security field needs an NIH-like organization for the deep study of defensive and offensive techniques and technology to help fix the systemic problems facing the industry, a prominent security researcher says.

Dan Kaminsky, a longtime researcher, said the Internet is plagued by a number of serious issues right now, problems that threaten the future of the network. The approaches that the security industry and the technology community as a whole have taken to solving these problems have largely failed, he said. He proposed a new method that involves the establishment of an independent organization that would use scientific methods to study and help solve the big technical and security issues.

“We need something like NIH for cyber and it needs to have good and stable funding,” Kaminsky said in his keynote at the Black Hat conference here Wednesday. “I want an organization dedicated to the extended study of our field.”

The National Institutes of Health is a part of the Department of Health and Human Services and does long-term research on biomedical topics. Kaminsky said that security problems aren’t simple and short-term thinking won’t address the long-term effects they’re having on technology and the ways in which people use it.

“We make promises in technology, and people are starting not to believe them,” he said. “People who say they absolutely know all the answers, really don’t know. Possible isn’t enough. We need easy.”

“We make promises in technology, and people are starting not to believe them.”

Two of the major problems Kaminsky mentioned specifically as needing serious attention are IoT security and encryption. Both have gotten a lot of attention in the last year or two, mainly the negative kind. And Kaminsky singled out the embedded devices that make up the emerging Internet of Things as a glaring example of what’s going wrong in security at the moment.

“The Internet of Things is the first technology that people are assuming to be insecure right out of the box,” he said. “And they’re right. But we don’t usually assume that right away. It usually takes a while to get there.”

The long-running public discussion about strong encryption and where and how it should be used also could use some serious study, he said. Encryption is at the heart of what security the Internet has, and Kaminsky said the anti-crypto sentiment is problematic.

“We’re allowed to use encryption. We’re allowed to fix encryption. The crypto debate is a signal to the world that this freedom thing that America has been defending for so long, yeah we’re kind of done with it too,” he said.

Kaminsky also lamented the failure of security professionals, researchers, and companies to learn from past mistakes and apply those lessons to current problems.

“We’re not taking all of the lessons from this stuff and learning from them,” he said. “We have work to do.”

The stakes, Kaminsky said, are as high as they can be.

“We have an Internet to hold on to. People think it’s a zero sum game, that if you’re going to get security, someone else has to suffer. Let’s make life easier for everybody.”