DeepSec 2020 Talk: No IT Security Without Free Software – Max Mehl
IT security is one of the most challenging global issues of recent years. But apart from the establishment of countless “cyber security” authorities, politics doesn’t seem to come up with anything substantial. However, Free Software can be the solution to many pressing security problems. In this session, we will look at pros and cons and use concrete examples to illustrate why security and openness are not contradictory.
For security professionals, the growing complexity of today’s digital world is no big surprise. But decision-makers are often overwhelmed by these new challenges and the uncertainties they entail. As a result, many fall for cheap selling arguments for black-boxed solutions and lose sight of a general strategy.
We don’t know the exact security threats in five or ten years, but it is obvious that nobody can face them alone. This is where Free and Open Source Software comes into play. However, transparency and openness may seem counter-intuitive when it comes to security.
Together, we will explore how this riddle can be solved sustainably. The talk will also cover potential disadvantages and cases that require careful consideration, as well as typical counterarguments.
We asked Max a few more questions about his talk.
Please tell us the top facts about your talk.
- This talk will not be in-depth IT security, but look over the rim of the teacup, combining security, development, politics, economics and management, trying to draw a realistic picture of how Free Software and IT security interrelate.
- Decision-makers in politics and corporate environments often misunderstand security as a product. Instead, security is a process (Bruce Schneier already said this in 2000), composed of various components, from the pure absence of vulnerabilities to dependency management to business strategy.
- Free Software is a necessary but not sufficient component of IT security. Free Software offers various benefits at different steps of the whole security process, too many to ignore. But of course, this does not make a product entirely secure.
- Security benefits of Free Software include: transparency, as everyone can look at the code, which establishes trust; synergies through community building and shared interests; accompanying open standards that reduce vendor lock-in; transparency of security and quality processes, e.g. review practices, tests etc.; the ability for everyone to fix security issues themselves.
- Free Software has undeniable advantages for IT security, but also challenges. That everyone can review code does not mean that somebody actually does. Good project governance is still needed, as well as dependency management and so on. Also, a common problem is the lack of resources, especially in community-driven projects.
- For better IT security, public bodies and companies have to take over more responsibility. They must make Free Software the standard for public, especially critical, infrastructure.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Security has always been part of my and the FSFE’s agenda. However, Heartbleed (OpenSSL) could be defined as the spark: a Free Software project, actually maintained by one person, was used in billions of devices and critical infrastructure all over the world. OpenSSL being Free Software didn’t make it insecure, probably the opposite, but the lack of responsibility and dependency thinking became strikingly apparent.
Why do you think this is an important topic?
I am convinced that Free Software is necessary if you want to maximise the probability of having secure infrastructure. Instead, many decision-makers still believe in security by obscurity, or are rather convinced by shiny product advertisement.
Is there something you want everybody to know – some good advice for our readers maybe?
Think about critical infrastructure around you that you use day in, day out. Do you trust it, does it feel safe to use it? If not, what would change your mind? If its being Free Software would be one part of that, you do not really need my good advice any more.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
More proprietary companies and platforms will try to redefine IT security, and offer tools so that developers and decision-makers are told not to worry about it any more. On the other hand, more and more people will understand that this actually means a loss of control over technology and digital sovereignty.
Max Mehl is programme manager at the Free Software Foundation Europe (FSFE) and coordinates initiatives in the areas of politics, public awareness and licensing. But he is also frequently to be found in the virtual server room of the FSFE. He sees Free Software as an important component in solving urgent technical and social problems. Every day he is fascinated by how many advantages software freedom brings for different aspects, from ethics to politics and economy to security technology.