GovDefenders Wednesdays | The Hacker's Place in Government Cybersecurity
Andrew "weev" Auernheimer will spend the next 41 months in federal prison. His crime? In 2010, he exposed a security flaw in AT&T's iPad user database, gaining access to the information of over 100,000 people - including Michael Bloomberg and Diane Sawyer. He never released the information to the public himself; however, he also didn't go directly to AT&T with it. He went to a journalist, who wrote a story about it that exposed bits of the stolen data, and Andrew's infamy spread across the internet at the speed of a Trojan worm - which is what Andrew wanted: attention.
I don't want to debate the merits of his sentencing, or his lewd characteristics, or whether AT&T's unrelenting persecution of Andrew was an act of revenge for getting embarrassed, or whether a piece of legislation - commonly used in hacking sentencings, including this one - from 1986 on computer fraud and abuse is obsolete and needs rewriting (on that note, there is nothing to discuss: it needs rewriting). I want to ponder this question: What role can hackers play in government cybersecurity?
White-Hats: Public Sector Hackers
A recent FISMA bill, now finding its way around the House, on cybersecurity included this nugget: Among the requirements of the bill would be penetration testing in which so-called white-hat hackers break into government IT systems to identify vulnerabilities.
What it means is that a team, probably of US "cyberwarriors", will purposely try to hack your networks, disrupt your services, and steal your data. The bill also clears any responsibility confusion. If the white-hats succeed, blame falls on the shoulders of department secretaries and agency directors.
That's a good thing. It would force agencies to get smarter about their cybersecurity. Instead of relying on a checklist of requirements, it will test their defenses in life-like situations, and the blame game is over - we now know who's in charge.
But aren't they forgetting something important? A few months back, representatives from the DoD and Pentagon both said that they didn't have the training to properly defend our nation's networks, nor the professionals, nor even a defined cybersecurity workforce. There is a long list of reasons for this shortage of computer professionals in the government sector (here and here are good places to start).
But that's the main issue: With the lack of resources the government has at its disposal, how will they ensure those government cyberwarriors attacking your cyberdefenses are good enough?
The Best Hackers Aren't Found in an Office, They're Probably in Their Bedroom
Of the major hacks the government, banks, critical infrastructure providers, and corporations have faced, with the exception of foreign attacks, none have been from individuals working for large corporations or government entities. Those, like Andrew and Anonymous and Aaron Swartz and the multitudes of others, are misfits, genius (and bored) college kids (or dropouts), and "social activists." The government has spent years, and billions, securing their networks, but they are still getting hacked, seemingly at a monthly pace, by these people. It's obvious the tests they are performing now do not meet the standards set by these hackers.
So the next question is: In the cyberworld, is a government cyber-task-force enough, or should we try to engage an untapped cybersecurity resource?
If we truly want to protect our networks and data from more nefarious enemies, we need to invite the outside community to break in. It's bad when someone hacks into a state Department of Revenue and steals citizens' Social Security and credit card numbers. It can be detrimental if an enemy hacks into an atomic energy database and steals secret information.
As Prince once said, "Let's go crazy!" What we, as a community serving US citizens, need to do is establish a set of rules for government hacking.
It's like pulling off a Band-Aid: it's better to find out all at once that there are 500 weaknesses in your database than to find out piece by piece, situation by situation, over a decade, with each instance involving a different person gaining access to your data.
What would happen if you sent out an invitation to the hacking community and asked them to do their worst? Tell them in black and white terms, "You have permission to attempt to bypass our security; however, you must immediately report any weaknesses. And if you access a single piece of data or don't report a weakness you discover, you will be prosecuted" - under a revised Computer Fraud and Abuse Act, of course.
Yes, it's dangerous, and possibly foolish. However, if recent events prove one thing, it's that you will be hacked eventually. Agencies are already reporting hundreds of thousands, for some millions, of cyberattacks a day. We cannot continue to wait for successful breaches to happen before we patch security holes. And we cannot just rely on government cyberwarriors and ignore the other experts at our disposal.
A final question I'm left to ponder is: Wouldn't inviting people to submit weaknesses also invite more nefarious hackers to try and penetrate agency defenses for ill purposes, under the legal guise of helping?
I'm sure. And I know this is a crazy idea, but it's the germ of one that, if fully developed, could help the US catch up with its cybersecurity challenges quickly.
Unless we find a way to bridge the gap between government cyberwarriors and stateside black-hat (and white-hat) hackers, the cyberworld will remain a battleground. And we cannot continue learning from our mistakes the hard way, because the next breach may be catastrophic.