Hackers & Federal Agencies: Broken Connections

Over the past 20 years, the annual so-called “hacker” conference (DEF CON), has served as a welcome and much needed opportunity for collaboration among computer hackers. Attendees have included government agents, commercial industry professionals, and private citizens seeking to learn more about the tradecraft of cyber security – including the latest technologies and methodologies used for legal (and perhaps less than legal) data access.

For its 1-4 August 2013 conference in Las Vegas, Nevada, the organization’s “call for papers” noted that a special focus would be on “new ways to approach security and privacy, as well as building a community that is open to new ideas. Everything from the most complex modern technology to hacking grandma’s toaster through Bluetooth is fair game,” the announcement continued. “Show us and the world what you have been up to and what attack exploits, defensive techniques, or unique research you have been working on.”

A Strained Relationship vs. “The Greatest Demand” 

Presenters from previous years included National Security Agency (NSA) chief General Keith Alexander, USA (Ret.), who delivered the 2012 DEF CON keynote speech and, in it, directly solicited the assistance of the hacker community to improve U.S. cyber security operations so that, “We can protect privacy and civil liberties as we improve security.” He also noted that the expertise of DEF CON attendees is now – and for the foreseeable future, he implied – “in the greatest demand for our nation.”

However, following the recent public revelations of Edward Snowden – the system administrator who leaked top-secret information to the press about U.S. and British surveillance programs, including the NSA’s own “PRISM” surveillance and information-gathering program – the “trust relationship” between the government and nongovernment sectors has become strained. So much so, in fact, that DEF CON founder Jeffrey Moss asked federal representatives not to attend the conference this year.

The impact of this “unvite” could have significant implications for the federal government’s ability: (a) to learn more about the latest trends in cyber security; (b) to attract the cyber industry’s “best and brightest” to government service; and (c) to continue to improve homeland security and, by doing so, further protect the nation’s political, military, and economic interests.

In 2012, the NSA manned its own recruitment table on the vendor floor at DEF CON. The agency’s unusual public presence was not a major surprise, though. With an annual attendance at DEF CON of 8,000-10,000 security experts, the NSA and the other so-called “three-letter” government agencies usually represented find themselves in a truly unique recruitment environment – one in which there are literally thousands of highly skilled hackers in the same place at the same time. At least some of them may find the idea of helping the federal government protect itself against local and international threats to be not only personally and politically appealing but also professionally rewarding.

A Perceived Betrayal & The Chinese Challenge 

On the international front, it is well known that other nations, notably China, are relentlessly working to hack into both U.S. government and commercial sites for both strategic and economic gain. Recognizing the proficiency of the Chinese hackers, DEF CON attendees might find it the ultimate challenge to help protect U.S. interests from the best hackers in China.

Unfortunately, there will be no formal government recruitment at DEF CON 2013 – at least partly because of the perceived betrayal among some members of the hacker community who believe that the Snowden revelations violated the unwritten trust agreement between the U.S. government and the nation’s hacker communities.

Of course, DEF CON is not the only hacker conference available for government attendance (formal or clandestine), but it has clearly become one of the most collegial. In previous years, in fact, DEF CON hosted an entertaining “spot the fed” competition – in recognition of the fact that not every government employee at the conference was participating under his or her true credentials. However, the “spotting” game has become increasingly irrelevant in recent years as national security agencies recognized that it was better, and more productive, to be open about their true professional status. Perhaps the most important result of this new openness is that government professionals have been welcomed, and sometimes even sought out, at the DEF CON meetings by their counterparts in the hacker community.

Today, the trust factor has become relevant again, and the impact of the new and somewhat cooler relationship could go well beyond recruitment, in which case the end result could be significant economic losses as well as additional jeopardy for U.S. national security interests.

Billions of Reasons to Work Together 

On 22 July 2013, the Center for Strategic and International Studies released a stunning report, underwritten by Intel/McAfee, that estimates the economic losses associated with cyber crime and cyber espionage to be many billions of dollars annually. The potential losses could be significant: (a) the direct loss of intellectual property and research to sensitive strategic business information; (b) stock market manipulation; and (c) the costs of networking infrastructure and human resources charged with improving cyber security.

Although the original (2009) Intel/McAfee estimate that was cited by President Barack Obama of up to a trillion dollars lost to cyber crime every year was later found to be exaggerated, the revised (2013) figures – “billions, and perhaps hundreds of billions” – are nonetheless impressive.

In addition, on 23 July 2013, the Cloud Security Alliance released the results of a survey designed to assess the potential impacts of the disclosure of the U.S. PRISM program on the international cloud services community. Gartner estimates the global cloud services market to be $131 billion in 2013, an increase of more than 18 percent during 2012. Of the 500 survey respondents, 56 percent of non-U.S. residents indicated that they were less likely to do business with U.S.-based cloud providers due to the Snowden revelations on PRISM. This could result in another significant impact to the nation’s economy, which has historically led the international cloud services market.

This leads back to the need for the federal government to take a leadership role in engaging, rather than alienating, the private-sector hacker community. Unfortunately, the revelations related to the NSA’s PRISM program may have squandered the good will established post-9/11. Today, the nation’s “best and the brightest” in cyber might find their work in other industries. The most obvious and most immediate result would be that economic losses would continue to mount. More important, though, would be the obvious fact that the lack of in-house expertise might further dilute the effectiveness of the government’s future cyber security operations.

NSA Chief Alexander is continuing his attempts to repair the damage caused by the Snowden disclosures – primarily through a media blitz aimed at both the Congress and the general public (and, presumably, the hacker community). He not only has emphatically defended PRISM, but also asserted during a session at the 2013 Aspen Institute Security Forum in Aspen, Colorado, that the U.S. government does not “have the technical capabilities” [to listen to everyone’s phone calls or read their emails]. At the same time, he added that the disclosure of the PRISM operations to potential enemies of the United States has already caused “significant and irreversible damage to our nation.” Assuming that those statements are accurate, recruiting the significant talents of current and future DEF CON attendees will be of critical importance in protecting the security of U.S. national interests – both human and economic – not only today, but also far into the future.

Rodrigo (Roddy) Moscoso

Rodrigo (Roddy) Moscoso is the executive director of the Capital Wireless Information Net (CapWIN) Program at the University of Maryland, which provides software and mission-critical data access services to first responders in and across dozens of jurisdictions, disciplines, and levels of government. Formerly with IBM Business Consulting Services, he has more than 20 years of experience supporting large-scale implementation projects for information technology, and extensive experience in several related fields such as change management, business process reengineering, human resources, and communications.

SHARE:

TAGS:

No tags to display

COMMENTS

Translate »