Dan Geer Helping CIA, Enjoying 'Gee-Whiz' Moments

Security luminary Dan Geer talks with CSO about all the fun he's having as the new CISO of In-Q-Tel, the investment arm of the U.S. intelligence community. He also revisits the Microsoft monoculture debate that led to his firing from @Stake five years ago.

It's been five years since security pioneer Dan Geer was fired from @Stake for co-writing a paper warning that a Microsoft monoculture threatened national security.

The firing actually helped cement Geer's status as a security luminary and has led to a wealth of opportunities, including a stint as president and chief scientist at Verdasys Inc. and his latest role as CISO for In-Q-Tel, the investment arm of the U.S. intelligence community - particularly the Central Intelligence Agency (CIA).

Geer - a member of the Athena Project at MIT during the creation of the widely used Kerberos authentication protocol - recently sat down with CSO to discuss the "gee-whiz" moments he now enjoys as he gets a peek at some of the latest intelligence technology.

He also explains the goal behind his recently released book, "The Economics and Strategies of Data Security," and revisits the monoculture debate, which he believes played a role in security improvements at Microsoft.

Dan Geer, CISO In-Q-Tel

CSO: Last time we spoke, you were at Verdasys. Why the move to In-Q-Tel?

Dan Geer: The role I have is new, partly the classic job of CISO, and they have information that needs to be handled properly. Information security and digital identity management are important for this company and I was hired to help with that. I'm obviously on the technical side. So far, the gee-whiz fascination value is pretty high. I'm finding that the elements that are not my specialties are the most fascinating part of the job.

Such as?

LEDs (light-emitting diodes, semiconductor diodes that emit light when an electrical current is applied in the forward direction of the device) that are paper-thin and can be cut with scissors; and the ability to extract power from the room you are in. Powering things without a power cord is of huge interest to commercial and intelligence entities.

A ground cover that changes color when its roots touch land mine residue, so you can plant it and find land mines without having to use your water buffalo; what looks like a sheet of paper which is actually lit up, three times the efficiency of

I've also found that the nanotechnology world is full of fascinating things, and I've also seen a hand-held spectrometer that lets you tell what material you're looking at—a tool that came out of carpet recycling, of all things. In the carpet recycling business it's evidently a bad idea to melt down your polypropylene with your nylon. As obvious as that sounds, I had no idea. The spectrometer was invented so the recycling people could sort the shreds into the proper piles.

What's the most difficult issue you've dealt with so far at In-Q-Tel?

The hardest question I've been asked is about how you conduct surveillance in a place like Second Life [the Internet-based virtual world video game developed by Linden Research Inc]. The question specifically is how you do collections in Second Life, where it's abundantly obvious that real money changes hands and people who talk to each other aren't necessarily who they appear to be. It's the hardest question I've heard to date. Marketing people who are exploring this for entirely different reasons are bound to stumble across things that are of interest to the intelligence community.

Let's talk about the book. If there's one point you want readers to take from it, what would it be?

Information is an asset and is quite likely something that must be valued in the way you would value other assets, like oil and the refinery that processes it. If you are at Exxon, it is clear you have a complex equation for how you value the current and predictable lifetime of your oil refinery. Why should it not be the same case for data? The goal is to assist managers in understanding the risks and costs associated with data loss; to encourage discussion around the economics of data security; to define intelligent data-centric strategies and to develop a forward-looking approach that will address data security needs now and in the future.

You're probably immensely tired of this topic, but let's revisit the Microsoft monoculture paper. It was, in hindsight, one of the best things for your career…

That rather dark cloud had a rather big silver lining.

Much has happened with Microsoft security since then. Does the basic warning of that paper still stand, or is your position more relaxed given their security efforts?

In my view they accepted the paper. The proof of that is how they addressed the location randomization that's in [Windows] Vista. That's a direct attempt to insert diversity in the name of creating as a side effect non-predictability. The argument in our paper was that there was a lack of diversity that produced a level of predictability [that could be easily figured out and exploited]. The change in Vista has made it so that a certain class of exploits has gone from easy to hard. Who can argue with that?

On the other hand, it's only a drop in the bucket. There are other monocultures out there. Dan Kaminsky's Domain Name System (DNS) flaw is an example of that, as is the fact that Cisco infrastructure is sitting atop the backbone of the Internet.
