Analytics

8/10/2016
07:35 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Government, Hackers Learn To Make Nice

It's still an uneasy alliance, but the hacking community and government are finding their way toward more constructive dialog and cooperation

It's not every day you hear the chief technologist at the Federal Trade Commission brag about learning how to pick a lock. But that small side trip during the recent Black Hat USA conference in Las Vegas proved illuminating for the FTC's Lorrie Faith Cranor and underscored the changing relationship between government and the hacker community.

Cranor, along with Cris Thomas, aka "Space Rogue" and strategist for Tenable Network Security, were part of a panel discussion in Washington today that examined how this relationship has shifted from its adversarial nature to something more cooperative -- and even trusting. The discussion was part of a "cyber risk" discussion series sponsored by the Atlantic Council, a Washington think tank.

The AC panelists noted that legislators, agency personnel, and policymakers are more welcome now at events like Black Hat and DEF CON, where "Spot the Fed" contests have given way to "Meet the Fed" panels, a sign that the hacker community is growing up.

But there's still some mutual fear between the two communities, panelists agreed. "For many people in government, 'hacker' still means criminal," Thomas told the audience. "And there's still a lot of distrust of government from the hacker community."

The FTC's Cranor said her goal at Black Hat was to do outreach in the hacker community. "We are interested in hearing about research that can help us understand vulnerabilities in the Internet of Things and protect consumers from scams and fraud," she said. She met a forensics expert who studies the language of phone scammers to see how they operate.

"It's a vibrant community with lots of scary things going on," she said of her Black Hat experience.

The AC speakers pointed to shifting government attitudes and practices, with the advent of DoD's "Hack the Pentagon" (a name that would have been unthinkable five years ago) bug bounty program, and active recruitment of white hat hackers to work in government. "Despite all that baggage, we're still trying to reach across the aisle and help each other out," Thomas said.

The upside is that the two sides are working together more in key areas like protecting critical infrastructure, addressing the security skills talent gap and having more dialog around "cyber" legislation and policy.

"Hackers don't like that word but that's how they speak about security here in Washington," Thomas said in an interview with Dark Reading after the panel discussion.

Thomas acknowledged the hacker community has gotten more sophisticated with lobbying and making sure their voices get heard. Ten years ago when Congress passed the Digital Millennium Copyright Act, "there was a lot of complaining but not a lot of doing – there was no organized effort and no participation in the process" on the part of hackers and security researchers, Thomas said. "With the Cybersecurity Information Sharing Act, people want to know how to comment and are trying to influence the decision and are taking a more active role," he said.

To handle the shortfall in security hiring, the federal government is considering removing certain requirements for job candidates, a move Thomas thinks is a huge mistake. Many candidates are driven by personal values regarding public service, which is something government should emphasize in its recruiting, he said.

Want to work with the top researchers in cryptography? Encourage candidates to apply to the NSA. "There's a patriotic pride in working for the government that some people are really attracted to."

Related Content:

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 1:52:16 PM
Re: Desperate times?
If history is any guide, the color of the hat won't determine who wins the cyber security war. The constant, ongoing tit-for-tat, offensive/counter-offensive dynamic that's marked whitehat-blackhat interactions for years shows no signs of going away any time soon.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
8/11/2016 | 1:41:00 PM
Desperate times?
Though i applaud the effort and new discussion, it also makes me think that such an initiative from the government feels like desperate measures in a cyber reality where hackers are in control.  We surely can only hope the white hats will overpower the black ones.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 11:16:44 AM
Re: Finally
Agreed, Whoopty... it's all mostly encouraging. The culture of the federal government, not to mention the military, change very slowly. But in the case of "cyber" security, they move slowly at their peril -- and ours. And it's pretty clear that most of the parties involved understand that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/11/2016 | 8:11:58 AM
Finally
It's about time more officials in positions of power learned about real digital security. The people who know this the most aren't the suited IT technicians in federal organisations, it's those in the trenches right now trying to break things. Those guys know more about cracking open systems than anyone so it's them who the authorities should be listening to.

I'm really pleased to see they're starting to do that. 
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
CVE-2019-3858
PUBLISHED: 2019-03-21
An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.