BlackHat 2018: More Industry Collaboration Vital in Cyber Crime Battle

Hunting down one cyber vulnerability only to find another new hole to patch, hard-pressed security practitioners might be excused for wondering whether they’ll ever shake free from playing an endless game of catch-up with attackers. But as the BlackHat USA 2018 security conference gets underway in Las Vegas this week, the executive who manages the information security team at Google said there’s new reason for optimism.

“We’ve made great strides in computer security in the last decade,” said Google’s Parisa Tabriz, who delivered the conference keynote presentation on Wednesday at the Mandalay Bay Events Center.

Tabriz, who also heads up Google’s Project Zero bug-hunting squad, also struck an optimistic chord about the general state of security that she said was improving. “I actually believe that security’s getting better,” she said.

In particular, Tabriz touted a 4-year effort involving a diverse coalition of people and organizations to nudge the computing world toward the HTTPS web protocol and have Chrome label non-HTTPS webpages as insecure. What’s more, Chrome’s connection indicators were confusing and there also was a need to raise awareness about the risk of unencrypted traffic.

Tabriz recounted the collaborative efforts necessary to pull this off.

“We knew it would take years to get there,” she said, adding that success ultimately depended upon forging a collective industry-wide effort.

The web wasn’t owned by a single entity and she said the development platform would have to be defined by standards groups consisting of individuals representing different organizations and interests from around the world. As part of the initiative, Tabriz said that Google had partnered with Mozilla to push for HTTPS adoption.

Since the effort began, desktop HTTPS adoption has nearly doubled to 87% from 45% in 2015. Over the same time period, HTTPS use on Android mobile devices has soared to 77% from 29%.

“That’s major, major progress,” said Tabriz. As a result, she said that the web is more secure today because of what she described as a “loose coalition of people working in a complicated ecosystem.”

Tabriz pointed to the participatory spadework that went into the effort behind HTTPS, suggesting that it can serve as a blueprint for the future as she called for more cooperation within the industry to promote stronger cyber security.

“There’s so much more security collaboration we can do,” she said, explaining how collaboration can better tackle long-standing security challenges which otherwise can’t be handled by any single company on their own. “While we don’t always agree on tactics, we generally agree on working toward similar goals. I would love to see more ambitious collaboration. The effort is so worth it.” 

That would also spell more relief for overburdened security teams scrambling to meet the escalating security demands that go along with the increasing digitization of their organizations.

“The world’s dependence on safe, reliable technologies is increasing and as things get more and more connected, we have to stop playing Whack-a-Mole,” said Tabriz.

She later urged the thousands of listeners in the audience who braved the city’s triple digit heat wave to adopt a more strategic approach to their work and focus on the root causes of insecurity. That involves setting goals and targets with buy-in from both management and staff.

“This room represents the world’s best experts in computer security and we know where the problems are,” she said. “We need to do more to solve them and it’s up to us.”

Speaking with reporters after the keynote, Tabriz allowed that “defense happens over the long arc,” making it more difficult to measure increments of progress.

“We don't have great objective ways to measure it and some metrics are bad. It takes a long time, positive signals are very rare, and I think that's why it's harder to celebrate and recognize and talk about defenders," she said. "But I think it's really important to do and I hope that we can take some attention because at the end of the day, that's what actually makes things better.”