Defendable internet

Keynote Blackhat 2017: Why We are Not Building a Defendable Internet

In IT security, offensive problems are technical - but most defensive problems are political and organisational. Attackers have the luxury of focusing only on the technical aspects of their work, while defenders have to navigate complex political and regulatory environments. In a previous talk, Rearchitecting a defendable internet, keynote speaker Thomas Dullien (aka Halvar Flake) discussed which technical measures would yield defendable devices - and intentionally omitted the political and economic side. This talk explored the economics and incentive structures in IT security: who is incentivised by whom to do what - and how these incentives fail to produce the security level we desire.

The talk discusses the different players in IT security - CISOs, security product vendors, computer manufacturers, cyber insurers - and examines their economic incentive structures, their interplay, and the reasons they fail. It also sketches an alternate reality where things work smoothly and examines how it differs from the reality of the time (2017).


Keynote BlackHat 2022: Our Kryptonite: A Defendable Internet

This talk by Daniel Cuthbert follows up on that. Five years in Internet years is a long time, so what has changed for the better or worse? Does good security mean a lock-in approach or are we actually capable of building an open, transparent, and yet secure internet for all to enjoy? Can we stop the cycle of building tools to fix the tools that aren’t secure enough?


Thank you both for mentioning the unmentionables. I wish to argue that it is a systematic problem, not a conglomeration or loose confederation of separate disciplines and individual choices. If that is true, merely improving the parts of a system will not improve the whole. Every problem is part of “The Mess”, and the “Big Security Mess” includes all the messes that besiege globalising complex capital, and the incentives it instills.