Opinion: Waging war on hackers actually hurts US cybersecurity efforts
During his State of the Union address last month, President Obama hackers聽as one of America鈥檚 principal cyber enemies and called for stiffer criminal penalties against them. Fans of this tough rhetoric should beware: a war on hackers could actually chill legitimate security efforts.
From the 聽to Google, US government agencies and businesses are turning to hackers to develop, test, and secure their critical systems and products.聽Hackers succeed by thinking of the box. They break the rules and oftentimes cheat. While many types of hacks 鈥 remotely a car鈥檚 engine or cracking heavily data using only a microphone 鈥 sound criminal, they aren't. Rather, they are routinely conducted by leading academic or independent security researchers.
In fact, hacking plays a critical role in securing everything from ATM machines to smartphones. Defenders develop better security measures only after a new attack is . Both government and industry recruit skilled white hat (good) hackers to test their systems and defend against black hat (malicious) hackers.
Perhaps the best example of the Washington鈥檚 ambivalent attitude toward hackers is the FBI. It plays a critical role protecting Americans from cyberattacks and prosecuting cybercrimes (as recently depicted in the motion picture "Blackhat"). In 2014, Congress the FBI to hire up to 2,000 new staff, including numerous 鈥渆thical hackers,鈥 to tackle cyber criminals.
But according to FBI Director James Comey, the Bureau is 聽to fill its recruitment quota because its hiring policy typically disqualifies candidates who have smoked marijuana in the previous three years.
鈥淚 have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,鈥 Mr. Comey said at an industry event. The stereotype of the pot-smoking hacker may be exaggerated, but it highlights a critical culture gap that exists between law enforcement and many computer security experts.
While the bureau tries to loosen up its no-tolerance policy on marijuana, that culture gap can turn into a chasm when it comes to cybercrime.
What's more, vocal FBI support for White House to strengthen and broaden the scope of the Computer Fraud and Abuse Act (CFAA), the main federal law used to punish white hat聽hackers, is causing anxiety among white hat hackers about the of the legislation, which would make their jobs riskier.
Proposed amendments to the CFAA would give the FBI new tools to prosecute cyber criminals (such as racketeering offenses for certain types of hacking), but also risk criminalizing 聽security research. The manner in which the US government investigates and prosecutes relatively minor, alleged hacking incidents reinforces the concerns of ethical hackers.聽This approach is dangerous not only because it deprives Washington of much-needed technical skills, but even more importantly, because it isolates hackers from critical cybersecurity policy debates.
The current public dialogue on cybersecurity is already highly with key actors 鈥 ranging from government to the private sector to civil society 鈥 interacting little and failing to work together. This contributes to a of new ideas about how to solve the complex technical and nontechnical suite of policy issues.
Further complicating matters is a severe of people invited in to the discussion聽with the right combination of policy expertise and technical knowledge. Hackers bring unique technical skills and insights to the cybersecurity debate and must be more actively engaged and encouraged to participate. 聽
The US government is taking some steps to embrace certain forms of hacking. In January, Obama and British Prime Minister David Cameron announced the hackathon to hone the skills of future white hat hackers. Washington also funds an extensive, nationwide program, in part to train future hackers.
And on Thursday night,聽聽and the White House hosted a聽cybersecurity research and education panel that touched upon the crucial role of hackers,聽setting the stage for Friday's Summit on Cybersecurity and Consumer Protection on the Palo Alto, Calif., campus.
Now is a chance for the government to聽close the Washington culture gap by signaling a desire to聽聽from hackers instead of alienating them.聽Real cyber criminals must be punished, but in a manner that does not stifle legitimate security research. Failure to differentiate between good and bad hackers undermines US national security by sidelining many of the individuals best able to confront malicious nation-state actors.
Let鈥檚 hope that Obama uses the Cybersecurity Summit to extend an olive branch to hackers and give them a voice in the policy debate. After all, 鈥渉acker鈥 shouldn鈥檛 be a dirty word. 聽聽
Eli Sugarman manages the Cyber Initiative at the William and Flora Hewlett Foundation and is a Truman National Security Fellow. Follow him on Twitter聽.
