Analytics

8/10/2016
07:35 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Government, Hackers Learn To Make Nice

It's still an uneasy alliance, but the hacking community and government are finding their way toward more constructive dialog and cooperation

It's not every day you hear the chief technologist at the Federal Trade Commission brag about learning how to pick a lock. But that small side trip during the recent Black Hat USA conference in Las Vegas proved illuminating for the FTC's Lorrie Faith Cranor and underscored the changing relationship between government and the hacker community.

Cranor, along with Cris Thomas, aka "Space Rogue" and strategist for Tenable Network Security, were part of a panel discussion in Washington today that examined how this relationship has shifted from its adversarial nature to something more cooperative -- and even trusting. The discussion was part of a "cyber risk" discussion series sponsored by the Atlantic Council, a Washington think tank.

The AC panelists noted that legislators, agency personnel, and policymakers are more welcome now at events like Black Hat and DEF CON, where "Spot the Fed" contests have given way to "Meet the Fed" panels, a sign that the hacker community is growing up.

But there's still some mutual fear between the two communities, panelists agreed. "For many people in government, 'hacker' still means criminal," Thomas told the audience. "And there's still a lot of distrust of government from the hacker community."

The FTC's Cranor said her goal at Black Hat was to do outreach in the hacker community. "We are interested in hearing about research that can help us understand vulnerabilities in the Internet of Things and protect consumers from scams and fraud," she said. She met a forensics expert who studies the language of phone scammers to see how they operate.

"It's a vibrant community with lots of scary things going on," she said of her Black Hat experience.

The AC speakers pointed to shifting government attitudes and practices, with the advent of DoD's "Hack the Pentagon" (a name that would have been unthinkable five years ago) bug bounty program, and active recruitment of white hat hackers to work in government. "Despite all that baggage, we're still trying to reach across the aisle and help each other out," Thomas said.

The upside is that the two sides are working together more in key areas like protecting critical infrastructure, addressing the security skills talent gap and having more dialog around "cyber" legislation and policy.

"Hackers don't like that word but that's how they speak about security here in Washington," Thomas said in an interview with Dark Reading after the panel discussion.

Thomas acknowledged the hacker community has gotten more sophisticated with lobbying and making sure their voices get heard. Ten years ago when Congress passed the Digital Millennium Copyright Act, "there was a lot of complaining but not a lot of doing – there was no organized effort and no participation in the process" on the part of hackers and security researchers, Thomas said. "With the Cybersecurity Information Sharing Act, people want to know how to comment and are trying to influence the decision and are taking a more active role," he said.

To handle the shortfall in security hiring, the federal government is considering removing certain requirements for job candidates, a move Thomas thinks is a huge mistake. Many candidates are driven by personal values regarding public service, which is something government should emphasize in its recruiting, he said.

Want to work with the top researchers in cryptography? Encourage candidates to apply to the NSA. "There's a patriotic pride in working for the government that some people are really attracted to."

Related Content:

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 1:52:16 PM
Re: Desperate times?
If history is any guide, the color of the hat won't determine who wins the cyber security war. The constant, ongoing tit-for-tat, offensive/counter-offensive dynamic that's marked whitehat-blackhat interactions for years shows no signs of going away any time soon.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
8/11/2016 | 1:41:00 PM
Desperate times?
Though i applaud the effort and new discussion, it also makes me think that such an initiative from the government feels like desperate measures in a cyber reality where hackers are in control.  We surely can only hope the white hats will overpower the black ones.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 11:16:44 AM
Re: Finally
Agreed, Whoopty... it's all mostly encouraging. The culture of the federal government, not to mention the military, change very slowly. But in the case of "cyber" security, they move slowly at their peril -- and ours. And it's pretty clear that most of the parties involved understand that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/11/2016 | 8:11:58 AM
Finally
It's about time more officials in positions of power learned about real digital security. The people who know this the most aren't the suited IT technicians in federal organisations, it's those in the trenches right now trying to break things. Those guys know more about cracking open systems than anyone so it's them who the authorities should be listening to.

I'm really pleased to see they're starting to do that. 
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Ohio Man Sentenced To 15 Months For BEC Scam
Dark Reading Staff 8/20/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15667
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can...
CVE-2018-15668
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. The "send" command in the airmail:// URL scheme allows an external application to send arbitrary emails from an active account. URL parameters for the "send" command with the "attachment_" prefix designate atta...
CVE-2018-15669
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are...
CVE-2018-15670
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that OpenURL is the default URL handler. A navigation request is processed by the default URL handler only if t...
CVE-2018-15671
PUBLISHED: 2018-08-21
An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stack consumption has been detected in the function H5P__get_cb() in H5Pint.c during an attempted parse of a crafted HDF file. This results in denial of service.