BreachExchange mailing list archives

Opinion: Waging war on hackers actually hurts US cybersecurity efforts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Feb 2015 13:31:59 -0700

http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0213/Opinion-Waging-war-on-hackers-actually-hurts-US-cybersecurity-efforts


During his State of the Union address last month, President Obama singled
out hackers as one of America’s principal cyber enemies and called for
stiffer criminal penalties against them. Fans of this tough rhetoric should
beware: a war on hackers could actually chill legitimate security efforts.

From the National Security Agency to Google, US government agencies and
businesses are turning to hackers to develop, test, and secure their
critical systems and products. Hackers succeed by thinking outside of the
box. They break the rules and oftentimes cheat. While many types of hacks –
remotely disabling a car’s engine or cracking heavily encrypted data using
only a microphone – sound criminal, they aren't. Rather, they are routinely
conducted by leading academic or independent security researchers.

In fact, hacking plays a critical role in securing everything from ATM
machines to smartphones. Defenders develop better security measures only
after a new attack is invented. Both government and industry recruit
skilled white hat (good) hackers to test their systems and defend against
black hat (malicious) hackers.

Perhaps the best example of Washington's ambivalent attitude toward
hackers is the FBI. It plays a critical role protecting Americans from
cyberattacks and prosecuting cybercrimes (as recently depicted in the
motion picture "Blackhat"). In 2014, Congress authorized the FBI to hire up
to 2,000 new staff, including numerous “ethical hackers,” to tackle cyber
criminals.

But according to FBI Director James Comey, the Bureau is struggling to fill
its recruitment quota because its hiring policy typically disqualifies
candidates who have smoked marijuana in the previous three years.

“I have to hire a great work force to compete with those cyber criminals
and some of those kids want to smoke weed on the way to the interview,” Mr.
Comey said at an industry event. The stereotype of the pot-smoking hacker
may be exaggerated, but it highlights a critical culture gap that exists
between law enforcement and many computer security experts.

While the bureau tries to loosen up its no-tolerance policy on marijuana,
that culture gap can turn into a chasm when it comes to cybercrime.

What's more, vocal FBI support for White House efforts to strengthen and
broaden the scope of the Computer Fraud and Abuse Act (CFAA), the main
federal law used to punish white hat hackers, is causing anxiety among
white hat hackers about the chilling effects of the legislation, which
would make their jobs riskier.

Proposed amendments to the CFAA would give the FBI new tools to prosecute
cyber criminals (such as racketeering offenses for certain types of
hacking), but also risk criminalizing legitimate security research.
The aggressive manner in which the US government investigates and prosecutes
relatively minor, alleged hacking incidents reinforces the concerns of
ethical hackers. This approach is dangerous not only because it deprives
Washington of much-needed technical skills, but even more importantly,
because it isolates hackers from critical cybersecurity policy debates.

The current public dialogue on cybersecurity is already highly fragmented
with key actors – ranging from government to the private sector to civil
society – interacting little and failing to work together. This contributes
to a lack of new ideas about how to solve the complex technical and
nontechnical suite of policy issues.

Further complicating matters is a severe shortage of people invited into
the discussion with the right combination of policy expertise and technical
knowledge. Hackers bring unique technical skills and insights to the
cybersecurity debate and must be more actively engaged and encouraged to
participate.

The US government is taking some steps to embrace certain forms of hacking.
In January, Obama and British Prime Minister David Cameron announced the
MIT-Cambridge hackathon to hone the skills of future white hat hackers.
Washington also funds an extensive, nationwide cybersecurity education
program, in part to train future hackers.

And on Thursday night, Stanford University and the White House hosted a
cybersecurity research and education panel that touched upon the crucial
role of hackers, setting the stage for Friday's Summit on Cybersecurity and
Consumer Protection on the Palo Alto, Calif., campus.

Now is a chance for the government to close the Washington culture gap by
signaling a desire to learn from hackers instead of alienating them. Real
cyber criminals must be punished, but in a manner that does not stifle
legitimate security research. Failure to differentiate between good and bad
hackers undermines US national security by sidelining many of the
individuals best able to confront malicious nation-state actors.

Let’s hope that Obama uses the Cybersecurity Summit to extend an olive
branch to hackers and give them a voice in the policy debate. After all,
“hacker” shouldn’t be a dirty word.