April 28, 2009, 3:20 PM — I should never be surprised at things related to government security efforts, but I did think the concept of hiring hackers was pretty much dead in government circles. Then comes the recent headline, "U.S. Looks to Hackers to Protect Cyber Networks." Frankly, I think it set the security profession back at least three years.
The story, widely quoted throughout the U.S. and the world, makes people think that hackers are superior to the best security professionals. Now, admittedly, recent stories have made it appear that the government's security efforts are poor at best. We've had foreign intelligence agencies infiltrating the power grid, and The Wall Street Journal recently reported that the F-35 designs have been hacked for years. All of that is something to ponder. But hiring hackers to fix security breaches? Hackers are not security experts. A recent, and most telling, survey from Verizon basically found that hackers' skills reside in the ability to exploit very basic mistakes on the part of their victims.
Some people will contend that this is all a misunderstanding, because "hackers" are not computer criminals by definition. Criminals are "crackers," they will point out. Others will say that the story used the word "hackers" for sensationalist purposes and that the workers actually being sought were people to perform professional penetration tests. There's some truth to that argument, but there's no mistaking the article's implication that hackers are criminals. To quote from the introduction, "Federal authorities are looking for hackers -- not to prosecute them, but to pay them to secure the nation's networks."
It's one thing for moronic CEOs of small companies such as exqSoft Solutions to hire the Twitter hacker for the publicity, but the U.S. government and General Dynamics, its proxy in this case, should know better. And it could be that this ad was just a misstep. But it was a misstep with unfortunate consequences.
General Dynamics wouldn't return my calls, but Department of Homeland Security (DHS) personnel told me off the record that they were not pleased with the company's ad. General Dynamics seems to have gotten the message, since the advertisement for hackers can no longer be found. Instead, there are new vacancy announcements for "vulnerability assessors" and "cybersecurity subject-matter experts." Unfortunately, though, the damage has been done.
Let's establish some fundamentals. If I throw a glass against a wall and it breaks, does that mean I am qualified to make a glass or repair the broken one? If I drive a Ferrari into a wall and wreck the car, does that make me qualified to repair it? Clearly, the analogies are infinite, and the answer is always a definitive, "No!" Most people acknowledge that it is infinitely easier to break something than create it or even fix it. Why then do people think it is different with computers -- which most people believe are much more complicated than a glass?
Likewise, how would you feel if police departments went around hiring sex offenders to investigate rapes? Frankly, I believe that sex crimes are almost always more critical than computer crimes. Why wouldn't the logic of hiring people who think like criminals to go after the criminals hold true for sex crimes? Why don't police departments go out and hire rapists and murderers? The answer is clear: It would be insane.
Just because a person knows how to break into a computer, it doesn't mean he knows how to break into all computers. Many hackers are one-trick ponies who know how to use a few specific tools but are clueless after those fail.
Yes, having a group of people who are constantly looking for vulnerable systems on a network serves a purpose. But the best people to do this work are skilled systems administrators and hands-on security professionals who are familiar with systems' internals. Fundamentally, in this specific case, the "hackers" would need to obtain top-secret-plus security clearances, and a background of committing computer crimes eliminates a person from consideration.
I should add here that I often hear comments such as, "How come those security professionals aren't breaking into systems themselves?" and "Why are their systems vulnerable if they're so good?" In response to the first question, I would say that the average person would not normally perform criminal acts. And on those occasions when they have been given permission to hack, the more technically adept professionals have proved to be incredible. The Red Teams at the National Security Agency and the military information warfare commands have had successes that dwarf even the most noted hacker exploits, and what makes them even better is that you will never hear about them.
As for the vulnerability of systems, it should be noted that there are thousands of potential vulnerabilities on any given system, so a hacker only has to find one of them.
I know that the General Dynamics ad was a case of a bad decision being made to hype job openings, but it demonstrates the misperceptions of the media and general public. General Dynamics and the DHS clearly understand that anyone can break into a computer, but only skilled professionals can fix one.
However, the message went out that when it comes to computer security, the U.S. government believes that you need criminals to think like criminals. The general public didn't need their gross misperceptions supported by a hyped-up advertisement.