Tuesday, August 9, 2011

Cyber-Defense Quandary

I work in the computer security industry (more or less). I recently had the occasion to attend the Black Hat and DEFCON conferences, both of which focus on computer security (more or less, with different perspectives). When I got back, I came across this article, which references one of the conferences and points out an ongoing problem in the US: there are not enough skilled computer security experts going to work for (and/or continuing to work for) the US government, specifically in the area of cyber-defense. This is a rather large problem, but presents a rather interesting quandary for the US government.

One of the side-themes of a few of the talks at DEFCON was that if you really wanted to hack things, you needed to be based outside the US, for a number of reasons. First, and probably the most obvious, is that the US has some of the harshest penalties for computer crimes in the world, and just the accusation of such can ruin your life. You don't have to look hard to find numerous "aggressive" actions against hackers by "law enforcement" (really, just government thugs), and/or civil lawsuits. Heck, you can barely write any code at all in the US without conceptually violating someone's patent on something, with how absolutely asinine our patent system is. It's a virtual minefield of legal problems, which can have very real and disastrous consequences for you if you get noticed (everyone's always guilty with the way the laws are, it's only a matter of if you do something significant enough to get one someone's radar).

Second, the US is the most technologically advanced country, so they have the most electronic surveillance. The CIA/NSA/others monitor all internet and phone traffic, the FBI can (and does) track people with GPS, warrants and court supervision are antiquated concepts, video surveillance is becoming ubiquitous, etc. If you find yourself on someone's radar, you will be hunted, tracked, monitored, and when someone feels the time is appropriate, scooped up and detained somewhere, where you may or may not be granted any rights, at the discretion of your particular captors. This is not science fiction, this happens right now: this is the country in which we live. The advice to would-be hackers (or anyone else not playing inside the guidelines the government has established) is to do everything you can to stay anonymous and off the radar; if you fail at either of these, your life is essentially over.

The problem, then, is that when the US needs the computer security expertise to defend itself from foreign attack, it finds that it has, to some extent, become a victim of its own success. Very few hackers want to operate in the US, at least openly. The ones that do, even when explicitly helping the government, can also find themselves ruined. The aggressive prosecution of hackers in the US has bifurcated the talent pool: some go into "white hat" security research, where they can make a good living applying their talents to solving problems in the corporate world, and some go "dark", inside or outside the country, working on their own projects and usually at least away from, if not against, the US government. This leaves very few skilled people to fill the gaps in national cyber-defense, leading to the current state.

I don't envy the challenge of the US government, and it is a serious one. However, I also don't harbor much, if any, sympathy for them. Like many other recent crises, they have manufactured this one themselves, and now find themselves somewhat uncomfortable with the inevitable results of their own plans and actions. As someone who nominally could do that job, I have a somewhat unique perspective; this doesn't help the situation much, though, other than to be more acutely aware of the many failures which have brought us to the current state. I would wish the US luck in their recruitment efforts, but it would be a false gesture: as I would not help the government trample on the rights of its people more than it already does, nor would I want anyone else to, especially people with actual skills. It's interesting to see the US at least acknowledging the problem, though, even if they are miles away from acknowledging the root issues, or finding any sort of solution.

No comments:

Post a Comment