The man in charge of cybersecurity security at Facebook has criticised the security industry and issued a call for it to become more responsible for Internet safety globally.
The comments of Alex Stamos came during the opening keynote of the 2017 Black Hat conference in Las Vegas.
In his speech, Stamos said that the security industry should have more empathy not only for the victims of cybercrime but also for law enforcement who often call for controversial changes to encryption and information sharing.
Stamos urged his speech to first scold the cyber security industry and said that security professionals criticism of end users, software, and its fascination with overly complex hacks and the next zero day should cease.
The security industry needs to worry less about technology and more about people, he said.
“Unfortunately, the truth is our community is not yet living up to its potential,” Stamos was quoted by Threatpost as saying.
“We’ve perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery.”
Stamos took issue with the way that zero day flaws make all the headlines, when in reality these attacks are rarely seen in mainstream life, such as the headlines made when it was revealed that insulin pumps could be hacked.
He pointed out that cyber security in real life tends to be dominated not by complex cyber attacks, but more mundane issues such as password re-use, phishing and spam.
“We focus on the complexity of a flaw rather than the potential human harm,” Stamos said, before highlighting the real danger posed by abuse related to technology (i.e sexual exploitation of children), which is not viewed as areas of responsibility for security pros.
“This is real harm, and these are areas we don’t focus on at all,” Stamos was quoted as saying.
He said that current attitudes in the cyber security industry needs to change in light of the threats that hacking poses to democracy, national security, and critical infrastructure.
“The security community has the tendency to punish those who implement imperfect solutions in an imperfect world,” Stamos said. “We have no empathy. We don’t have the ability to put ourselves in the shoes of people we are trying to protect.”
Stamos touched upon the industry’s siding with Apple over its refusal last year to help the FBI unlock the iPhone of a dead terrorist, saying their input did little to advance discussion on the topic.
“If you look at law enforcement, it turns that like infosec, they are a family, a community,” Stamos reportedly said. He revealed that he frequently talks to authorities worldwide about privacy and safety issues. “We need to have more empathy for those whose job it is to put child molesters in jail. If we do that, we won’t look childish, we won’t look like people who don’t want to engage in a difficult topic.”
This year’s Black Hat conference is the 20th time it has been held. The conference provides security consulting, training, and briefings to both hackers, corporations, and government agencies.