
Opinion: Waging war on hackers actually hurts US cybersecurity efforts

While Obama wants tougher penalties for criminal hackers, the administration can't afford to alienate good hackers working to improve security. Friday's Cybersecurity Summit at Stanford is a chance to extend an olive branch to the security researchers the US needs working on its side. 

David Becker/AP
At last year's Black Hat cybersecurity conference, Joe Abbey (left), Jodi Wadhwa (center), and Jonathan Carter of Arxan Technologies prepared for a hacking demonstration.

During his State of the Union address last month, President Obama singled out hackers as one of America’s principal cyber enemies and called for stiffer criminal penalties against them. Fans of this tough rhetoric should beware: a war on hackers could actually chill legitimate security efforts.

From the National Security Agency to Google, US government agencies and businesses are turning to hackers to develop, test, and secure their critical systems and products. Hackers succeed by thinking outside of the box. They break the rules and oftentimes cheat. While many types of hacks – remotely disabling a car’s engine or cracking heavily encrypted data using only a microphone – sound criminal, they aren't. Rather, they are routinely conducted by leading academic or independent security researchers.

In fact, hacking plays a critical role in securing everything from ATM machines to smartphones. Defenders develop better security measures only after a new attack is invented. Both government and industry recruit skilled white hat (good) hackers to test their systems and defend against black hat (malicious) hackers.

Perhaps the best example of Washington’s ambivalent attitude toward hackers is the FBI. It plays a critical role protecting Americans from cyberattacks and prosecuting cybercrimes (as recently depicted in the motion picture "Blackhat"). In 2014, Congress authorized the FBI to hire up to 2,000 new staff, including numerous “ethical hackers,” to tackle cyber criminals.

But according to FBI Director James Comey, the Bureau is struggling to fill its recruitment quota because its hiring policy typically disqualifies candidates who have smoked marijuana in the previous three years.

“I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Mr. Comey said at an industry event. The stereotype of the pot-smoking hacker may be exaggerated, but it highlights a critical culture gap that exists between law enforcement and many computer security experts.

While the bureau tries to loosen up its no-tolerance policy on marijuana, that culture gap can turn into a chasm when it comes to cybercrime.

What's more, vocal FBI support for White House efforts to strengthen and broaden the scope of the Computer Fraud and Abuse Act (CFAA), the main federal law used to punish white hat hackers, is causing anxiety among white hat hackers about the chilling effects of the legislation, which would make their jobs riskier.

Proposed amendments to the CFAA would give the FBI new tools to prosecute cyber criminals (such as racketeering offenses for certain types of hacking), but also risk criminalizing legitimate security research. The aggressive manner in which the US government investigates and prosecutes relatively minor, alleged hacking incidents reinforces the concerns of ethical hackers. This approach is dangerous not only because it deprives Washington of much-needed technical skills, but even more importantly, because it isolates hackers from critical cybersecurity policy debates.

The current public dialogue on cybersecurity is already highly fragmented with key actors – ranging from government to the private sector to civil society – interacting little and failing to work together. This contributes to a lack of new ideas about how to solve the complex technical and nontechnical suite of policy issues.

Further complicating matters is a severe shortage of people invited into the discussion with the right combination of policy expertise and technical knowledge. Hackers bring unique technical skills and insights to the cybersecurity debate and must be more actively engaged and encouraged to participate.

The US government is taking some steps to embrace certain forms of hacking. In January, Obama and British Prime Minister David Cameron announced the MIT-Cambridge hackathon to hone the skills of future white hat hackers. Washington also funds an extensive, nationwide cybersecurity education program, in part to train future hackers.

And on Thursday night, Stanford University and the White House hosted a cybersecurity research and education panel that touched upon the crucial role of hackers, setting the stage for Friday's Summit on Cybersecurity and Consumer Protection on the Palo Alto, Calif., campus.

Now is a chance for the government to close the Washington culture gap by signaling a desire to learn from hackers instead of alienating them. Real cyber criminals must be punished, but in a manner that does not stifle legitimate security research. Failure to differentiate between good and bad hackers undermines US national security by sidelining many of the individuals best able to confront malicious nation-state actors.

Let’s hope that Obama uses the Cybersecurity Summit to extend an olive branch to hackers and give them a voice in the policy debate. After all, “hacker” shouldn’t be a dirty word.   

Eli Sugarman manages the Cyber Initiative at the William and Flora Hewlett Foundation and is a Truman National Security Fellow. Follow him on Twitter @EliSugarman.
