Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/10/2016
07:35 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Government, Hackers Learn To Make Nice

It's still an uneasy alliance, but the hacking community and government are finding their way toward more constructive dialog and cooperation

It's not every day you hear the chief technologist at the Federal Trade Commission brag about learning how to pick a lock. But that small side trip during the recent Black Hat USA conference in Las Vegas proved illuminating for the FTC's Lorrie Faith Cranor and underscored the changing relationship between government and the hacker community.

Cranor, along with Cris Thomas, aka "Space Rogue" and strategist for Tenable Network Security, were part of a panel discussion in Washington today that examined how this relationship has shifted from its adversarial nature to something more cooperative -- and even trusting. The discussion was part of a "cyber risk" discussion series sponsored by the Atlantic Council, a Washington think tank.

The AC panelists noted that legislators, agency personnel, and policymakers are more welcome now at events like Black Hat and DEF CON, where "Spot the Fed" contests have given way to "Meet the Fed" panels, a sign that the hacker community is growing up.

But there's still some mutual fear between the two communities, panelists agreed. "For many people in government, 'hacker' still means criminal," Thomas told the audience. "And there's still a lot of distrust of government from the hacker community."

The FTC's Cranor said her goal at Black Hat was to do outreach in the hacker community. "We are interested in hearing about research that can help us understand vulnerabilities in the Internet of Things and protect consumers from scams and fraud," she said. She met a forensics expert who studies the language of phone scammers to see how they operate.

"It's a vibrant community with lots of scary things going on," she said of her Black Hat experience.

The AC speakers pointed to shifting government attitudes and practices, with the advent of DoD's "Hack the Pentagon" (a name that would have been unthinkable five years ago) bug bounty program, and active recruitment of white hat hackers to work in government. "Despite all that baggage, we're still trying to reach across the aisle and help each other out," Thomas said.

The upside is that the two sides are working together more in key areas like protecting critical infrastructure, addressing the security skills talent gap and having more dialog around "cyber" legislation and policy.

"Hackers don't like that word but that's how they speak about security here in Washington," Thomas said in an interview with Dark Reading after the panel discussion.

Thomas acknowledged the hacker community has gotten more sophisticated with lobbying and making sure their voices get heard. Ten years ago when Congress passed the Digital Millennium Copyright Act, "there was a lot of complaining but not a lot of doing – there was no organized effort and no participation in the process" on the part of hackers and security researchers, Thomas said. "With the Cybersecurity Information Sharing Act, people want to know how to comment and are trying to influence the decision and are taking a more active role," he said.

To handle the shortfall in security hiring, the federal government is considering removing certain requirements for job candidates, a move Thomas thinks is a huge mistake. Many candidates are driven by personal values regarding public service, which is something government should emphasize in its recruiting, he said.

Want to work with the top researchers in cryptography? Encourage candidates to apply to the NSA. "There's a patriotic pride in working for the government that some people are really attracted to."

Related Content:

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 1:52:16 PM
Re: Desperate times?
If history is any guide, the color of the hat won't determine who wins the cyber security war. The constant, ongoing tit-for-tat, offensive/counter-offensive dynamic that's marked whitehat-blackhat interactions for years shows no signs of going away any time soon.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
8/11/2016 | 1:41:00 PM
Desperate times?
Though i applaud the effort and new discussion, it also makes me think that such an initiative from the government feels like desperate measures in a cyber reality where hackers are in control.  We surely can only hope the white hats will overpower the black ones.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 11:16:44 AM
Re: Finally
Agreed, Whoopty... it's all mostly encouraging. The culture of the federal government, not to mention the military, change very slowly. But in the case of "cyber" security, they move slowly at their peril -- and ours. And it's pretty clear that most of the parties involved understand that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/11/2016 | 8:11:58 AM
Finally
It's about time more officials in positions of power learned about real digital security. The people who know this the most aren't the suited IT technicians in federal organisations, it's those in the trenches right now trying to break things. Those guys know more about cracking open systems than anyone so it's them who the authorities should be listening to.

I'm really pleased to see they're starting to do that. 
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...