Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/10/2016
07:35 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Government, Hackers Learn To Make Nice

It's still an uneasy alliance, but the hacking community and government are finding their way toward more constructive dialog and cooperation

It's not every day you hear the chief technologist at the Federal Trade Commission brag about learning how to pick a lock. But that small side trip during the recent Black Hat USA conference in Las Vegas proved illuminating for the FTC's Lorrie Faith Cranor and underscored the changing relationship between government and the hacker community.

Cranor, along with Cris Thomas, aka "Space Rogue" and strategist for Tenable Network Security, were part of a panel discussion in Washington today that examined how this relationship has shifted from its adversarial nature to something more cooperative -- and even trusting. The discussion was part of a "cyber risk" discussion series sponsored by the Atlantic Council, a Washington think tank.

The AC panelists noted that legislators, agency personnel, and policymakers are more welcome now at events like Black Hat and DEF CON, where "Spot the Fed" contests have given way to "Meet the Fed" panels, a sign that the hacker community is growing up.

But there's still some mutual fear between the two communities, panelists agreed. "For many people in government, 'hacker' still means criminal," Thomas told the audience. "And there's still a lot of distrust of government from the hacker community."

The FTC's Cranor said her goal at Black Hat was to do outreach in the hacker community. "We are interested in hearing about research that can help us understand vulnerabilities in the Internet of Things and protect consumers from scams and fraud," she said. She met a forensics expert who studies the language of phone scammers to see how they operate.

"It's a vibrant community with lots of scary things going on," she said of her Black Hat experience.

The AC speakers pointed to shifting government attitudes and practices, with the advent of DoD's "Hack the Pentagon" (a name that would have been unthinkable five years ago) bug bounty program, and active recruitment of white hat hackers to work in government. "Despite all that baggage, we're still trying to reach across the aisle and help each other out," Thomas said.

The upside is that the two sides are working together more in key areas like protecting critical infrastructure, addressing the security skills talent gap and having more dialog around "cyber" legislation and policy.

"Hackers don't like that word but that's how they speak about security here in Washington," Thomas said in an interview with Dark Reading after the panel discussion.

Thomas acknowledged the hacker community has gotten more sophisticated with lobbying and making sure their voices get heard. Ten years ago when Congress passed the Digital Millennium Copyright Act, "there was a lot of complaining but not a lot of doing – there was no organized effort and no participation in the process" on the part of hackers and security researchers, Thomas said. "With the Cybersecurity Information Sharing Act, people want to know how to comment and are trying to influence the decision and are taking a more active role," he said.

To handle the shortfall in security hiring, the federal government is considering removing certain requirements for job candidates, a move Thomas thinks is a huge mistake. Many candidates are driven by personal values regarding public service, which is something government should emphasize in its recruiting, he said.

Want to work with the top researchers in cryptography? Encourage candidates to apply to the NSA. "There's a patriotic pride in working for the government that some people are really attracted to."

Related Content:

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 1:52:16 PM
Re: Desperate times?
If history is any guide, the color of the hat won't determine who wins the cyber security war. The constant, ongoing tit-for-tat, offensive/counter-offensive dynamic that's marked whitehat-blackhat interactions for years shows no signs of going away any time soon.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
8/11/2016 | 1:41:00 PM
Desperate times?
Though i applaud the effort and new discussion, it also makes me think that such an initiative from the government feels like desperate measures in a cyber reality where hackers are in control.  We surely can only hope the white hats will overpower the black ones.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
8/11/2016 | 11:16:44 AM
Re: Finally
Agreed, Whoopty... it's all mostly encouraging. The culture of the federal government, not to mention the military, change very slowly. But in the case of "cyber" security, they move slowly at their peril -- and ours. And it's pretty clear that most of the parties involved understand that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/11/2016 | 8:11:58 AM
Finally
It's about time more officials in positions of power learned about real digital security. The people who know this the most aren't the suited IT technicians in federal organisations, it's those in the trenches right now trying to break things. Those guys know more about cracking open systems than anyone so it's them who the authorities should be listening to.

I'm really pleased to see they're starting to do that. 
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35519
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel i...
CVE-2021-20204
PUBLISHED: 2021-05-06
A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbi...
CVE-2021-30473
PUBLISHED: 2021-05-06
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
CVE-2021-32030
PUBLISHED: 2021-05-06
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_chec...
CVE-2021-22209
PUBLISHED: 2021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.