Analytics
8/10/2016
07:35 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Government, Hackers Learn To Make Nice

It's still an uneasy alliance, but the hacking community and government are finding their way toward more constructive dialog and cooperation

It's not every day you hear the chief technologist at the Federal Trade Commission brag about learning how to pick a lock. But that small side trip during the recent Black Hat USA conference in Las Vegas proved illuminating for the FTC's Lorrie Faith Cranor and underscored the changing relationship between government and the hacker community.

Cranor, along with Cris Thomas, aka "Space Rogue" and strategist for Tenable Network Security, were part of a panel discussion in Washington today that examined how this relationship has shifted from its adversarial nature to something more cooperative -- and even trusting. The discussion was part of a "cyber risk" discussion series sponsored by the Atlantic Council, a Washington think tank.

The AC panelists noted that legislators, agency personnel, and policymakers are more welcome now at events like Black Hat and DEF CON, where "Spot the Fed" contests have given way to "Meet the Fed" panels, a sign that the hacker community is growing up.

But there's still some mutual fear between the two communities, panelists agreed. "For many people in government, 'hacker' still means criminal," Thomas told the audience. "And there's still a lot of distrust of government from the hacker community."

The FTC's Cranor said her goal at Black Hat was to do outreach in the hacker community. "We are interested in hearing about research that can help us understand vulnerabilities in the Internet of Things and protect consumers from scams and fraud," she said. She met a forensics expert who studies the language of phone scammers to see how they operate.

"It's a vibrant community with lots of scary things going on," she said of her Black Hat experience.

The AC speakers pointed to shifting government attitudes and practices, with the advent of DoD's "Hack the Pentagon" (a name that would have been unthinkable five years ago) bug bounty program, and active recruitment of white hat hackers to work in government. "Despite all that baggage, we're still trying to reach across the aisle and help each other out," Thomas said.

The upside is that the two sides are working together more in key areas like protecting critical infrastructure, addressing the security skills talent gap and having more dialog around "cyber" legislation and policy.

"Hackers don't like that word but that's how they speak about security here in Washington," Thomas said in an interview with Dark Reading after the panel discussion.

Thomas acknowledged the hacker community has gotten more sophisticated with lobbying and making sure their voices get heard. Ten years ago when Congress passed the Digital Millennium Copyright Act, "there was a lot of complaining but not a lot of doing – there was no organized effort and no participation in the process" on the part of hackers and security researchers, Thomas said. "With the Cybersecurity Information Sharing Act, people want to know how to comment and are trying to influence the decision and are taking a more active role," he said.

To handle the shortfall in security hiring, the federal government is considering removing certain requirements for job candidates, a move Thomas thinks is a huge mistake. Many candidates are driven by personal values regarding public service, which is something government should emphasize in its recruiting, he said.

Want to work with the top researchers in cryptography? Encourage candidates to apply to the NSA. "There's a patriotic pride in working for the government that some people are really attracted to."

Related Content:

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 1:52:16 PM
Re: Desperate times?
If history is any guide, the color of the hat won't determine who wins the cyber security war. The constant, ongoing tit-for-tat, offensive/counter-offensive dynamic that's marked whitehat-blackhat interactions for years shows no signs of going away any time soon.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Moderator
8/11/2016 | 1:41:00 PM
Desperate times?
Though i applaud the effort and new discussion, it also makes me think that such an initiative from the government feels like desperate measures in a cyber reality where hackers are in control.  We surely can only hope the white hats will overpower the black ones.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 11:16:44 AM
Re: Finally
Agreed, Whoopty... it's all mostly encouraging. The culture of the federal government, not to mention the military, change very slowly. But in the case of "cyber" security, they move slowly at their peril -- and ours. And it's pretty clear that most of the parties involved understand that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/11/2016 | 8:11:58 AM
Finally
It's about time more officials in positions of power learned about real digital security. The people who know this the most aren't the suited IT technicians in federal organisations, it's those in the trenches right now trying to break things. Those guys know more about cracking open systems than anyone so it's them who the authorities should be listening to.

I'm really pleased to see they're starting to do that. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.