(image credit: American Free Press)
Until very recently, US policy has been to treat hackers much like terrorists. This is terribly unfortunate for the US at large, since the talents these hackers possess can be directed toward protecting US governmental and corporate interests. But our government insists on treating all hackers as dangerous. Why? Policy makers have a lack of working knowledge of computer science and security. And the unknown is always a scary thing. The result? We have stunted the growth of prospective computer science and security experts and developed a counter-culture of irresponsible hackers. As you may have noticed in recent headlines, we are increasingly tracing large-scale hacking attempts to foreign governments. We need thousands of our own hackers, and we need them yesterday.
It is hard to keep ahead of advances in technology, but computers have been ubiquitous for nearly thirty years. Today, even our phones are hand-held computers. We are more likely to stay in touch with our family and friends via computer than by phone or postal letters. There is no reason for current policy makers to view those talented at manipulating these devices as an automatic threat. And since computing and network connectivity have become so commonplace, security exploits have more far-reaching effects.
Colleges and universities have shown an unwillingness to teach students how to take advantage of programming security weaknesses. The closest correlate I could draw to this sort of fear is that the US would refuse to train any more special forces, for fear that they would get loose and run amok on our city streets. The sad result of this sort of shortfall is that hackers train themselves, and those hackers often have something to prove, instead of seeking the rewards we all seek in our own careers.
Another fault lies in the fact that computers have become incredibly easy to use. We now have “intuitive” interfaces (Windows, OSX, iOS, Android, etc.) with high levels of abstraction. At first, computers had very low levels of abstraction. We had to send information bit-by-bit to allow computers to execute commands. That required a high level of knowledge – everyone who used computers had to be a hacker. Later, programming languages moved into common use. This allowed a higher level of abstraction, and you had to learn a programming language to manipulate computers. Now, working with a computer requires almost no fundamental computing knowledge – the highest level of abstraction in computing so far. All we need to do is touch, or click, or type a request in our own language and we get the results we expect.
As a result of this simplification, we have fewer people in the US who are developing fundamental computing and security skills. Computer science programs in US colleges and universities are seeing fewer and fewer entrants to their programs, and those who do enter often have no previous programming experience. High school programs designed to prepare students for a major in computer science often only include some HTML development (website development), but little to no instruction in programming languages. Some institutions have pegged a 70% decline in computer science course entry at the college level since the 1990s. There is little to no encouragement to pursue this sort of career path in the US, and hackers most often learn on their own as a hobby, rather than learning coding and computer security skills through a formal education. Representatives from the NSA have stated that almost all the people they recruit started their hacking career with no formal computer science training and were self-taught. And then we bring the hammer down on these people when they attempt to exhibit their skills in public.
The NSA, DHS (Department of Homeland Security) and CIA have recently hosted a national hacking competition, but there were only three hundred participants. Three hundred! That so few talented hackers attempted to solve the puzzles presented by our government in a competition is astounding. We literally need thousands more to protect US and corporate interests. There are informal annual hacking conventions (DEFCON/Black Hat, in Las Vegas, for one), but the participants are generally the kind of people who are not interested in working with governmental or corporate interests. In fact, many have had run-ins with government and tend to look at any organization outside of their own with contempt and apprehension.
Don’t get me wrong, the NSA hiring hackers from DEFCON to protect against internal threats has its merits. But national governments around the world are sponsoring hacking efforts against the US. We are years behind this kind of recruiting, organization and training. And we are that far behind because we have cultivated a hacker-phobic culture instead of encouraging those skills in a productive environment.
While we may currently be able to defend against or react to these kinds of government-sponsored attacks, defense cannot be the only strategy to keep our information and systems safe. Even when we can trace an attack directly to China or North Korea or Iran, we often do not have any means of proving guilt or petitioning an international regulatory body to exact penalties for the attack(s). I suggest that we need to be able to field our own hacking resources, an army if you will, to keep others occupied with our exploits against their systems. Perhaps one of the most effective ways to keep international hackers busy is to take the fight to them – to keep them occupied in protecting and defending themselves. We don’t do that yet, even if Hollywood might want you to think we do. Certainly not on the scale we need to.
So, the answer really comes down to two points – we need to stop marginalizing talented hackers in the US, and we have to start encouraging interest in computer science and security in our youth. Hacking is a valuable talent that we desperately need to protect our interests. Other countries have a years-long head-start on us, and if we want to continue to be able to protect our information and systems in the future, we have to get cracking. I’m doing my part – I have purchased a Raspberry Pi to introduce my son and daughter to programming. I hope they will have an interest in how a computer works, but at the very least they will be more informed users in the future and better able to protect themselves. Let’s hope we encourage additional talent before we lose our valuable information to other countries. Our stability may very well depend on it.
Decline in computer science majors in the US: http://ars.to/MZEpCS
From where are hackers attacking?: http://gtnr.it/10qIkjI
The NSA recruits hackers, but what about other federal agencies?: http://bit.ly/LIlKrv
Edit 5/25/2013, Additional hacking attempts at US utility companies: http://bit.ly/12THKtk