The annual "Hire a Hacker!" cry from someone affiliated w/ the Pentagon took a new turn this year with the additional suggestion that such hirings would have ended the War on Terror long ago...
With the added innuendo about turning hackers into Patriots.
I'm not here to say don't hire the (alleged) criminal element - that's an area, whether consultants or informants, that the Government has a lot of experience in.
However, there are some things I want people to ponder...
- Let's say you're looking for "Master Hackers", as they've denoted them... what's to say the criminal element you catch is that? And if they are, what's to say that doesn't end badly on the "inside"? Where does this leave prior victims or collateral damage?
- The issue of playing in the exploit market, and the problems that brings, is now further exacerbated on two fronts: potentially sending the wrong message to the potential criminal element, and (again) driving up costs for the private sector - making the vicious Government dependence loop grow.
- This is a subtle way of furthering the idea that even Security Research is property of The State. This is the same road Academics ended up being pushed down after 9/11: the "should you be doing that?" allegations of criminality.
My main concerns here are the second and third bullets - this is another way Government is interfering with Private development of these important assets and with Security as a whole.
And it leaves the already ambiguous issue of what constitutes Cyber Crime in the hands of people who might have even more incentive to leverage potential allegations into State gain.
A cynical view - yeah, perhaps...
Now, while I've said many times I think Cyberwarfare is different and negatively self-fulfilling - I still think the reality is offensive Cyber assets are going to be developed. And some argue - rightfully so - that they should be.
So, in the new direction of my rants, how do you win in this?
Government or Private industry can encourage legitimate bake-offs and talent development by setting up real matching Production instances, w/ dummy data, for "open range" time - not controlled pen-tests...
In the era of Clouds and VMs, this is entirely doable and could even be integrated into your business structure moving forward. Keep the process reasonably transparent, market based, and with associated rules of engagement. If you want to harness the dynamic of the culture you can add team play and a charitable donation structure.
Why not controlled pen-tests? The question is what advantage do they really provide anymore? In an era where OSINT creeps in and out of every crevice soon enough - Production secrets are basically obfuscation failures. The presentation and attack layers are out there anyway.
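The "matching Production instance, w/ dummy data" part above is the piece that actually takes engineering: the range copy has to keep the shape and the cross-table relationships of production so attacks against it are meaningful, while none of the real identities or live credentials (the "Production secrets" of the previous paragraph) make the trip. The following is an added example of that scrubbing step, written for this page and not code from the original post or from any program mentioned in it. The table layout, field names, the `PROD_*` rows and the `RANGE_KEY` are all constructed for illustration; the technique is keyed deterministic pseudonymisation (HMAC) for identities and keys, plus outright replacement for secrets, with a leak check before the export ships.

```python
"""Build a dummy-data replica of a production export for an open range.

Constructed example. Identities and primary/foreign keys are replaced by
HMAC-derived pseudonyms so the same production value maps to the same
dummy value everywhere (referential integrity survives); secrets are
replaced outright and never tokenised. The key is per exercise, so
tokens cannot be correlated between ranges or back to production.
"""
import hmac
import hashlib
import json

# Constructed sample "production" rows (not real data).
PROD_USERS = [
    {"id": 1017, "email": "alice@example.com", "name": "Alice Ng",
     "api_key": "sk_live_9f8e7d6c5b4a", "plan": "pro"},
    {"id": 1018, "email": "bob@example.com", "name": "Bob Ruiz",
     "api_key": "sk_live_1a2b3c4d5e6f", "plan": "free"},
]
PROD_ORDERS = [
    {"order_id": 5001, "user_id": 1017, "amount_cents": 4900},
    {"order_id": 5002, "user_id": 1018, "amount_cents": 0},
    {"order_id": 5003, "user_id": 1017, "amount_cents": 12900},
]

# Hypothetical per-exercise key: generate a fresh random one per range.
RANGE_KEY = b"replace-with-per-exercise-random-key"

SECRET_FIELDS = {"api_key"}           # replaced with dummy credentials
IDENTITY_FIELDS = {"email", "name"}   # pseudonymised, format preserved


def token(value, key=RANGE_KEY, n=12):
    """Deterministic pseudonym: same input and key -> same token."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:n]


def pseudo_id(value, key=RANGE_KEY):
    """Numeric pseudonym for keys; used for both sides of a relation."""
    return int(token(value, key, n=8), 16)


def mask_user(row, key=RANGE_KEY):
    out = dict(row)
    out["id"] = pseudo_id(row["id"], key)
    out["email"] = f"user-{token(row['email'], key)}@range.invalid"
    out["name"] = f"User {token(row['name'], key, n=6)}"
    for field in SECRET_FIELDS:
        # Dummy credential with a distinct prefix so it can never be
        # mistaken for (or replayed as) a live key.
        out[field] = "sk_test_" + token(row[field], key)
    return out


def mask_order(row, key=RANGE_KEY):
    out = dict(row)
    out["order_id"] = pseudo_id(row["order_id"], key)
    out["user_id"] = pseudo_id(row["user_id"], key)  # follows users.id mapping
    return out


def build_range_export(users, orders, key=RANGE_KEY):
    """Scrubbed copy of both tables, ready to load into the range instance."""
    return {"users": [mask_user(u, key) for u in users],
            "orders": [mask_order(o, key) for o in orders]}


def leaked_values(prod_users, export):
    """Production identity/secret values that still appear anywhere in the export."""
    dump = json.dumps(export)
    sensitive = [str(u[f]) for u in prod_users for f in IDENTITY_FIELDS | SECRET_FIELDS]
    return [v for v in sensitive if v in dump]


def referential_integrity_ok(export):
    """Every masked order still points at a masked user."""
    ids = {u["id"] for u in export["users"]}
    return all(o["user_id"] in ids for o in export["orders"])


if __name__ == "__main__":
    export = build_range_export(PROD_USERS, PROD_ORDERS)
    assert not leaked_values(PROD_USERS, export), "refusing to ship a leaky export"
    assert referential_integrity_ok(export)
    print(json.dumps(export, indent=2))
```

The leak check is the part worth keeping even if the rest is swapped for a real masking tool: it runs over the serialised export rather than field by field, so a production value hiding in a free-text column or a log blob is caught too. Anything that fails it does not get loaded into the range.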
The whole idea of PWN2OWN could become a veritable franchise. And - not to put too fine a point on it - you've got @Dragosr's cultural proof that it can work. There are some transparency issues and disputes, but that's mild in comparison to the potential upside - and besides, I think Government could fix that problem too.
And - Free Weev...
For some related background thought you might want to read:
- Who fights for the users?
- Who fights for the users? Part II - FBI's AntiSec
- The Next War on Terror Will Be (Lost) Online
Cross-posted from Packetknife's Space