A Solution to Hackers? More Hackers

The topic of ethical hacking was on everyone’s mind at Def Con, the hacker convention this week in Las Vegas. It’s the security community’s annual gathering, where thousands of hackers gathered to show their latest exploits, discuss new security research and swap cyberwar stories. In the most talked-about session at Def Con, hackers were let loose on a series of computerized voting machines.

Check out this fascinating report from published in the NewYork Times by Kevin Roose.

If there’s a single lesson Americans have learned from the events of the past year, it might be this: Hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos.

But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions?

In other words: What if the problem we face is not too many bad hackers, but too few good ones?

Many of the hackers I spoke to at Def Con were gravely concerned about Russia’s wide-ranging interference in last year’s election. They wanted to know: How can we stop attacks like these in the future?

The problem, they told me, is that the government doesn’t make it easy for well-meaning hackers to pitch in on defense. Laws like the Computer Fraud and Abuse Act make poking around inside many government systems, even for innocent research purposes, a criminal offense. More than 209,000 cybersecurity jobs in the United States currently sit unfilled, according to a 2015 analysis of labor data by Peninsula Press, and the former head of the National Security Agency said last year that the agency’s cybersecurity experts “are increasingly leaving in large numbers” for jobs in the private sector.

Partly, that’s because private sector jobs tend to pay more. But it’s also because the government can be an inhospitable place for a hacker. Talented hackers can be disqualified for government jobs by strict background checks, and dissuaded by hiring processes that favor candidates with more formal credentials. At Def Con, I heard stories about hackers who had interviewed for government security jobs only to be turned away because they’d smoked pot as a teenager, or violated copyright law by jail-breaking their video game console.

An exemption to the Digital Millennium Copyright Act gave researchers a temporary pass to experiment on voting machines. Without that, the hackers at Def Con would not have been able to test the machines’ security

These rules may keep a few bad apples away from critical government systems, but they also prevent many talented hackers from contributing. At Def Con, I spoke with Sean Kanuck, a former C.I.A. intelligence analyst who served as the federal government’s national intelligence officer for cyberissues from 2011 to 2016. He said that hackers could be enormously valuable, if they were properly enlisted in the fight against attacks.

“These people may be all hackers, and they may occasionally break the law, but they all still want the banking system to work,” Mr. Kanuck said. “All of them, if they end up in a hospital room, they want the infusion pump working. There’s common ground. And the knowledge here is incredible.”

The private sector has already discovered the benefits of hackers. Most major tech companies — including Facebook, Apple and Microsoft — offer “bug bounty” programs, in which they offer financial rewards to hackers who find holes in their security measures. These companies know that paying hackers up front for their expertise is significantly cheaper than cleaning up after a breach, and they understand that the risk of a hacker going rogue inside their systems is outweighed by the benefits of having well-trained experts catch bugs and vulnerabilities before the bad guys do.

Government agencies are beginning to experiment with a similar approach. The Defense Department offered the first-ever federal bug bounty program last year, called Hack the Pentagon. The agency allowed more than 1,400 hackers to take aim at its public-facing websites without fear of punishment, and the effort resulted in 138 legitimate vulnerabilities being reported. A similar program involving the Department of Homeland Security has been proposed in the Senate.

The most talked-about session at this year’s Def Con was when hackers were let loose on a series of computerized voting machines. These machines had been used in recent American elections, and most ran on comically outdated software. Hackers eventually broke into every machine and were able to manipulate the software to register fake ballots and change vote totals. (One enterprising hacker even rigged a voting machine to play the music video for Rick Astley’s “Never Gonna Give You Up.”)

There is, of course, the problem of outdated software. But some of the world’s best security researchers have also been prohibited from poking and prodding at these machines by a thicket of copyright and anti-tampering laws. (The reason Def Con was able to test them at all is a 2015 exemption to the Digital Millennium Copyright Act that gave researchers a temporary pass to experiment on voting machines.) Now that white-hat hackers have found flaws in these machines, they can pass that knowledge on to the manufacturers and election officials, who can secure the machines ahead of the next election cycle.

Hackers, it turns out, respond to incentives. But current laws don’t allow hackers to test critical government systems outside of official agency-sponsored programs. As a result, we’re missing out on important advice.

Take it from me. Several years ago, as part of an article on ethical hacking, I invited a pair of world-class hackers to hack me, using all of the tools at their disposal. The results were shocking. Within days, the hackers had gained access to nearly every piece of my digital life: my cellphone, my bank account, all of my email inboxes and social media profiles. The hackers showed me how, with a few more clicks, they could have stolen all of my data and used it to ruin my life. Then, they helped me protect myself against a future attack by strengthening my passwords, fortifying my devices and teaching me what suspicious activities to look out for.

Not all hackers are so helpful. But many are, and we should take advantage of their willingness to help secure our national infrastructure. Maybe federal workers should be subjected to a simulated hack before being allowed to access sensitive information. Or perhaps the government could create a white list of approved security researchers with a track record of ethical hacking, who would be given legal immunity for their work. Private sector companies have figured out how to bring in outside security expertise carefully, without creating a hacker free-for-all, and the government can, too.

Spending a weekend at Def Con is a good way to learn how many dangers lurk in the digital world. (It wasn’t just voting machines, hackers also demonstrated hacks on cars, kitchen appliances and all manner of other connected devices.) It’s also a way to appreciate how necessary ethical hackers are to a modern democracy, especially one that is under siege from foreign online attackers.

To paraphrase an organization with close ties to the government: The only thing that stops a bad guy with a hack is a good guy with a hack.