From the events of the past year, Americans have learned that hackers are dangerous. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos.
But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions? In other words: What if the problem we face is not too many bad hackers, but too few good ones?
The topic of ethical hacking was on everyone’s mind at Def Con. It’s the security community’s annual gathering, where thousands of hackers gathered to show their latest exploits, discuss new security research and swap cyberwar stories.
The problem is that the government doesn’t make it easy for well-meaning hackers to pitch in on defense. Laws like the “Computer Fraud and Abuse Act” make poking around inside many government systems, even for innocent research purposes, a criminal offense. More than 209,000 cybersecurity jobs in the United States currently sit unfilled, according to a 2015 analysis of labor data by Peninsula Press, and the former head of the National Security Agency said last year that the agency’s cybersecurity experts “are increasingly leaving in large numbers” for jobs in the private sector. Partly, that’s because private sector jobs tend to pay more. But it’s also because the government can be an inhospitable place for a hacker.
Talented hackers can be disqualified from government jobs by strict background checks, and dissuaded by hiring processes that favor candidates with more formal credentials. There are hackers who have interviewed for government security jobs only to be turned away because they’d smoked pot as a teenager, or violated copyright law by jailbreaking their video game console.
These rules may keep a few bad apples away from critical government systems, but they also prevent many talented hackers from contributing. Sean Kanuck, a former C.I.A. intelligence analyst, said that hackers could be enormously valuable, if they were properly enlisted in the fight against attacks: “These people may be all hackers, and they may occasionally break the law, but they all still want the banking system to work … There’s common ground. And the knowledge here is incredible.”
The benefits of hackers
The private sector has already discovered the benefits of hackers. Most major tech companies — including Facebook, Apple and Microsoft — offer “bug bounty” programs, in which they offer financial rewards to hackers who find holes in their security measures. These companies know that paying hackers up front for their expertise is significantly cheaper than cleaning up after a breach, and they understand that the risk of a hacker going rogue inside their systems is outweighed by the benefits of having well-trained experts catch bugs and vulnerabilities before the bad guys do.
Government agencies are beginning to experiment with a similar approach. The Defense Department offered the first-ever federal bug bounty program last year, called Hack the Pentagon. The agency allowed more than 1,400 hackers to take aim at its public-facing websites without fear of punishment, and the effort resulted in 138 legitimate vulnerabilities being reported. A similar program has been proposed in the Senate.
Hackers, it turns out, respond to incentives. But current laws don’t allow hackers to test critical government systems outside of official agency-sponsored programs. As a result, we’re missing out on important advice.
The necessity of ethical hackers
Many hackers are eager to help, and we should take advantage of their willingness to help secure our national infrastructure. Maybe federal workers should be subjected to a simulated hack before being allowed to access sensitive information. Or perhaps the government could create a whitelist of approved security researchers with a track record of ethical hacking, who would be given legal immunity for their work. Private sector companies have figured out how to bring in outside security expertise carefully, without creating a hacker free-for-all, and the government can, too.
It’s time to appreciate how necessary ethical hackers are to a modern democracy, especially one that is under siege from foreign online attackers. The only thing that stops a bad guy with a hack is a good guy with a hack.