Misha Glenny’s TED talk entitled “Hire the Hackers” was sent to me about a dozen times today.
I was reminded of the excerpt below taken from my 1995 thesis. Reviewing it after all these years, it is not perfect, but does raise some important points and the central theme still rings true.
Step Seven: Use Hackers as a National Resource
The digital underground should be viewed as an asset to the United States.
They use illegal means to satisfy their curiosity about the workings of computer
technology because the system has denied them other means of accessing the
digital realm they love. Harvard Law professor Laurence H. Tribe even suggests
that access to technology may be a required goal of democratic society. He
states:
It’s true that certain technologies may become socially indispensable –
so that equal or at least minimal access to basic computer power, for example,
might be as significant a constitutional goal as equal or minimal access to the
franchise, or to dispute resolution through the judicial system, or to
elementary and secondary education. But all this means (or should mean) is that
the Constitution’s constraints on government must at times take the form of
imposing “affirmative duties”: to assure access rather than merely
enforcing “negative prohibitions” against designated sorts of invasion
or intrusion.(133)
Some hackers are loyal to the ideals of their nation. For example, when
news of Stoll’s German hacker selling U.S. secrets to the KGB hit the
underground many hackers responded with hatred towards the guy who had
associated their movement with national espionage and threats to national
security. They were willing to use their abilities to combat this problem, and
were even willing to target Soviet computers for the Central Intelligence
Agency. One case of a hacker making a contribution to society is the story of
Michael Synergy and his quest for presidential credit information. Synergy
decided one day that it would be interesting to look at the credit history of
then President Ronald Reagan. He easily found the information he was looking
for and noticed that 63 other people had requested the same information that
day. In his explorations he also noticed that a group of about 700 Americans
all appeared to hold one credit card, even though they had no personal credit
history. Synergy soon realized that he had stumbled upon the names and
addresses of people in the U.S. government’s Witness Protection Program. A good
citizen, he informed the FBI of his discoveries and the breach of security in
the Witness Protection Program.(134)
One of the basic benefits to United States national security is the lack of
a coherent movement among the members of the digital underground. Hackers are
by nature individualistic. They lack a common bond that allows them to focus
their energies on one target. If there is a common target among hackers, it is
corporate America, especially the telephone companies. These corporations have
become targets because hackers rely on their service to access cyberspace, which
can be a very expensive proposition. The United States government has a vested
interest in not providing them with another target, especially if that target is
the government itself. The United States should utilize hackers, and give them
recognition in exchange for the service they provide by finding security holes
in computer systems.
The United States should not discontinue efforts to stop credit fraud and
other computer activities that are unquestionably criminal. But, the United
States should allow the hackers to conditionally roam the realm of cyberspace.
These conditions would include the following: (1) If computer access is gained,
the security hole should be immediately reported to the government or
centralized agency and should not be given to anyone else, and (2) information
files should not be examined, modified or stolen from the site. In return the
United States acknowledges the hackers’ accomplishments, thus feeding their
competitive egos.
Why should the United States government trust hackers? No trust is
necessary. The United States is not offering the hackers anything that they
don’t already have, except recognition for their ability to discover security
flaws. The hackers will remain on the networks regardless of what policy the
United States follows concerning their activity. It is simply giving them the
forum they need to meet people with similar interests on a legitimate basis,
rather than a secret one. Robert Steele argues, “If someone gets into a
system, that is not a violation of law, it is poor engineering. When we catch a
hacker, rather than learn from him, we kick him in the teeth. When the Israelis
catch a hacker, they give him a job working for the Mossad.”(135)
Many U.S. corporations already allow the hackers to identify security
weaknesses in their computer systems. The Legion of Doom, the most notorious
group of hackers in the U.S., briefly entered the computer security business
with the formation of their company called Comsec Security. Bruce Sterling
reports, “The Legion boys are now digital guns for hire. If you’re a
well-heeled company, and you can cough up enough per diem and air-fare, the most
notorious computer hackers in America will show up right on your doorstep and
put your digital house in order – guaranteed.”(136) Some argue that this
is simply extortion, but individuals are not saying “pay up or else we
will enter your system.” They are offering their skills to secure
vulnerable computer systems from possible electronic intrusion.
Hackers can be used to secure the United States’ digital interests. Every
effort should be made not to alienate them from the newly emerging digital
infrastructure. In the same Congressional hearing where his publication was
branded as manual for computer crime, Emmanuel Goldstein made the following
remarks about access to technology and computer crime:
This represents a fundamental change in our society’s outlook.
Technology as a way of life, not just another way to make money. After all, we
encourage people to read books even if they can’t pay for them because to our
society literacy is a very important goal. I believe technological literacy is
becoming increasingly important. But you cannot have literacy of any kind
without having access…. If we continue to make access to technology
difficult, bureaucratic, and illogical, then there will also be more computer
crime. The reason being that if you treat someone like a criminal they will
begin to act like one.(137)
It is ridiculous to assume that the entire hacker subculture is motivated by
criminal intentions. Hackers, like all other groups or subcultures, contain a
diverse array of individuals. Every group has a criminal element and the
hackers’ criminal element is no different than the criminal element that exists
within the law enforcement community. A General Accounting Office report on
threats to the nations National Crime Information Center, found that the
greatest threat to this centralized criminal database was not from outside
hackers but from corrupt insiders.(138)
Most hackers are still young and have not formulated complete ideologies
regarding right and wrong behavior. Bob Stratton, a former hacker who now works
as a highly trusted security expert, argues that “These people (hackers)
haven’t decided in some cases, to be good or evil yet and it is up to us to
decide which way we want to point them.”(139) Mr. Stratton argues that we
can mentor these individuals and thereby utilize their technological skills.
Mitch Kapor, founder of one of America’s most successful software companies
notes that “the image of hackers as malevolent is purchased at the price of
ignoring the underlying reality – the typical teenage hacker is simply tempted
by the prospect of exploring forbidden territory…A system in which an
exploratory hacker receives more time in jail than a defendant convicted of
assault violates our sense of justice.”(140)
There does seem to be a trend in the past year to utilize hacker
capabilities, both in the public and private sectors. This needs to increase,
and perhaps some evaluation of our own laws might be necessary if we wish to
continue knowing where the holes in the United States’ information
infrastructure are.