During his State of the Union address last month, President Obama singled out hackers as one of America’s principal cyber enemies and called for stiffer criminal penalties against them. Fans of this tough rhetoric should beware: a war on hackers could actually chill legitimate security efforts.
From the National Security Agency to Google, US government agencies and businesses are turning to hackers to develop, test, and secure their critical systems and products. Hackers succeed by thinking outside of the box. They break the rules and oftentimes cheat. While many types of hacks – remotely disabling a car’s engine or cracking heavily encrypted data using only a microphone – sound criminal, they aren't. Rather, they are routinely conducted by leading academic or independent security researchers.
In fact, hacking plays a critical role in securing everything from ATM machines to smartphones. Defenders develop better security measures only after a new attack is invented. Both government and industry recruit skilled white hat (good) hackers to test their systems and defend against black hat (malicious) hackers.
Perhaps the best example of the Washington’s ambivalent attitude toward hackers is the FBI. It plays a critical role protecting Americans from cyberattacks and prosecuting cybercrimes (as recently depicted in the motion picture "Blackhat"). In 2014, Congress authorized the FBI to hire up to 2,000 new staff, including numerous “ethical hackers,” to tackle cyber criminals.
But according to FBI Director James Comey, the Bureau is struggling to fill its recruitment quota because its hiring policy typically disqualifies candidates who have smoked marijuana in the previous three years.
“I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Mr. Comey said at an industry event. The stereotype of the pot-smoking hacker may be exaggerated, but it highlights a critical culture gap that exists between law enforcement and many computer security experts.
While the bureau tries to loosen up its no-tolerance policy on marijuana, that culture gap can turn into a chasm when it comes to cybercrime.
What's more, vocal FBI support for White House efforts to strengthen and broaden the scope of the Computer Fraud and Abuse Act (CFAA), the main federal law used to punish white hat hackers, is causing anxiety among white hat hackers about the chilling effects of the legislation, which would make their jobs riskier.
Proposed amendments to the CFAA would give the FBI new tools to prosecute cyber criminals (such as racketeering offenses for certain types of hacking), but also risk criminalizing legitimate security research. The aggressive manner in which the US government investigates and prosecutes relatively minor, alleged hacking incidents reinforces the concerns of ethical hackers. This approach is dangerous not only because it deprives Washington of much-needed technical skills, but even more importantly, because it isolates hackers from critical cybersecurity policy debates.
The current public dialogue on cybersecurity is already highly fragmented with key actors – ranging from government to the private sector to civil society – interacting little and failing to work together. This contributes to a lack of new ideas about how to solve the complex technical and nontechnical suite of policy issues.
Further complicating matters is a severe shortage of people invited in to the discussion with the right combination of policy expertise and technical knowledge. Hackers bring unique technical skills and insights to the cybersecurity debate and must be more actively engaged and encouraged to participate.
The US government is taking some steps to embrace certain forms of hacking. In January, Obama and British Prime Minister David Cameron announced the MIT-Cambridge hackathon to hone the skills of future white hat hackers. Washington also funds an extensive, nationwide cybersecurity education program, in part to train future hackers.
And on Thursday night, Stanford University and the White House hosted a cybersecurity research and education panel that touched upon the crucial role of hackers, setting the stage for Friday's Summit on Cybersecurity and Consumer Protection on the Palo Alto, Calif., campus.
Now is a chance for the government to close the Washington culture gap by signaling a desire to learn from hackers instead of alienating them. Real cyber criminals must be punished, but in a manner that does not stifle legitimate security research. Failure to differentiate between good and bad hackers undermines US national security by sidelining many of the individuals best able to confront malicious nation-state actors.
Let’s hope that Obama uses the Cybersecurity Summit to extend an olive branch to hackers and give them a voice in the policy debate. After all, “hacker” shouldn’t be a dirty word.
Eli Sugarman manages the Cyber Initiative at the William and Flora Hewlett Foundation and is a Truman National Security Fellow. Follow him on Twitter @EliSugarman.