We Need Hackers and We Need Them Yesterday


Until very recently, US policy has been to treat hackers much like terrorists. This is terribly unfortunate for the US at large, since the talents these hackers possess can be directed toward protecting US governmental and corporate interests. But our government insists on treating all hackers as dangerous. Why? Policy makers have a lack of working knowledge of computer science and security. And the unknown is always a scary thing. The result? We have stunted the growth of prospective computer science and security experts and developed a counter-culture of irresponsible hackers. As you may have noticed in recent headlines, we are increasingly tracing large-scale hacking attempts to foreign governments. We need thousands of our own hackers, and we need them yesterday.

It is hard to keep ahead of advances in technology, but computers have been ubiquitous for nearly thirty years. Today, even our phones are hand-held computers. We are more likely to stay in touch with our family and friends via computer than by phone or postal letters. There is no reason for current policy makers to view those talented at manipulating these devices as an automatic threat. And since computing and network connectivity have become so commonplace, security exploits have more far-reaching effects.

Colleges and universities have shown an unwillingness to teach students how to take advantage of programming security weaknesses. The closest correlate I could draw to this sort of fear is the US refusing to train any more special forces, for fear that they would get loose and run amok on our city streets. The sad result of this sort of shortfall is that hackers train themselves, and those hackers often have something to prove, instead of seeking the rewards we all seek in our own careers.

Another fault lies in the fact that computers have become incredibly easy to use. We now have “intuitive” interfaces (Windows, OSX, iOS, Android, etc.) with high levels of abstraction. At first, computers had very low levels of abstraction. We had to send information bit-by-bit to allow computers to execute commands. That required a high level of knowledge – everyone who used computers had to be a hacker. Later, programming languages moved into common use. This allowed a higher level of abstraction, and you had to learn a programming language to manipulate computers. Now, working with a computer requires almost no fundamental computing knowledge – the highest level of abstraction in computing so far. All we need to do is touch, or click, or type a request in our own language and we get the results we expect.

As a result of this simplification, we have fewer people in the US who are developing fundamental computing and security skills. Computer science programs in US colleges and universities are seeing fewer and fewer entrants to their programs and those who do enter often have no previous programming experience. High school programs designed to prepare students for a major in computer science often only include some HTML development (website development), but little to no instruction in programming languages. Some institutions have pegged a 70% decline in computer science course entry at the college level since the 1990s. There is little to no encouragement to pursue this sort of career path in the US, and hackers most often learn on their own as a hobby, rather than learning coding and computer security skills through a formal education. Representatives from the NSA have stated that almost all the people they recruit started their hacking career with no formal computer science training and were self-taught. And then we bring the hammer down on these people when they attempt to exhibit their skills in public.

The NSA, DHS (Department of Homeland Security) and CIA have recently hosted a national hacking competition, but there were only three hundred participants. Three hundred! That so few talented hackers attempted to solve the puzzles presented by our government in a competition is astounding. We literally need thousands more to protect US and corporate interests. There are informal annual hacking conventions (DEFCON/Black Hat, in Las Vegas, for one), but the participants are generally the kind of people who are not interested in working with governmental or corporate interests. In fact, many have had run-ins with government and tend to look at any organization outside of their own with contempt and apprehension.

Don’t get me wrong, the NSA hiring hackers from DEFCON to protect against internal threats has its merits. But national governments around the world are sponsoring hacking efforts against the US. We are years behind this kind of recruiting, organization and training. And we are that far behind because we have cultivated a hacker-phobic culture instead of encouraging those skills in a productive environment.

While we may currently be able to defend against or react to these kinds of government-sponsored attacks, defense cannot be the only strategy to keep our information and systems safe. Even when we can trace an attack directly to China or North Korea or Iran, we often do not have any means of proving guilt or petitioning an international regulatory body to exact penalties for the attack(s). I suggest that we need to be able to field our own hacking resources, an army if you will, to keep others occupied with our exploits against their systems. Perhaps one of the most effective ways to keep international hackers busy is to take the fight to them – to keep them occupied in protecting and defending themselves. We don’t do that yet, even if Hollywood might want you to think we do. Certainly not on the scale we need to.

So, the answer really comes down to two points – we need to stop marginalizing talented hackers in the US, and we have to start encouraging interest in computer science and security in our youth. Hacking is a valuable talent that we desperately need to protect our interests. Other countries have a years-long head-start on us, and if we want to continue to be able to protect our information and systems in the future, we have to get cracking. I’m doing my part – I have purchased a Raspberry Pi to introduce my son and daughter to programming. I hope they will have an interest in how a computer works, but at the very least they will be more informed users in the future and better able to protect themselves. Let’s hope we encourage additional talent before we lose our valuable information to other countries. Our stability may very well depend on it.

Decline in computer science majors in the US: http://ars.to/MZEpCS

From where are hackers attacking?: http://gtnr.it/10qIkjI

The NSA recruits hackers, but what about other federal agencies?: http://bit.ly/LIlKrv

Edit 5/25/2013, Additional hacking attempts at US utility companies: http://bit.ly/12THKtk


2 thoughts on “We Need Hackers and We Need Them Yesterday”

  1. Interesting – thanks! I would love to give you some numbers for graduates / hackers available / hackers needed in Europe, but I have always found it very difficult to tell the PR stories of IT industry lobbies from truth.
    Every once in a while some lobby claims and “proves” that there are way too many experts in sub-field X in IT, on the other hand many skilled IT professionals are unemployed. In some fields – probably not security / hacking – companies / agencies are actually looking for rather *cheap* “IT resources” who would enjoy being available 24/7.

    However, regarding hacking I mostly trust the lobbies 🙂 I have worked in IT security for more than 10 years and I can confirm the field is “hot”. I have also taught at a university for the last years, in a master’s degree program on security, and my feelings related to “self-taught” versus formal education are mixed: In my opinion (probably this is a European thing) the academic education has become extremely standardized and driven by formal criteria, benchmarks, your usual management consultant mantras (sorry, but a bit of sarcasm is intended – as I feel really sorry for my colleagues in academia who are bothered with an over-arching bureaucracy mixed with Dilbert cartoon style management ideology).
    All I wanted to say is: I am not sure if a true hacker at heart would enjoy this learning environment 🙂

    When I entered IT (as a physics PhD) more than 15 years ago people with diverse backgrounds were welcomed with open arms. I have adopted the hacker community’s way of learning and judging skills of others myself: Hackers are not at all impressed by grades and certifications but want you to demonstrate your skills in front of them.

    I hope my comment was not too random, I don’t have a solution for the “lack of hackers problem” either – thanks for posting again!

    1. You definitely were not random at all – you always add to the conversation. This is the post that I have spent the most time debating. I knew what my opinions were based on articles I had recently read, and a lifetime of paying attention to the computer science field. And not much else.

      But I did see the PR vs. reality in my research – many security professionals think that the idea of “Black Hats” taking over in some meaningful way is laughable. But there is evidence in the US, at least, to show a stunning drop in the numbers of people seeking a degree in the field. And in the UK, or the Raspberry Pi would never have been developed.

      And I certainly admit to a smoothing over of the type of personalities needed for “White Hat” hacking. No doubt, accomplishment is all that matters to all the Hats, but providing more opportunities and encouragement is likely (in my opinion) to produce more hackers interested in picking up a white hat. When you marginalize, you create enemies.

      And my apologies for stepping into your field – I know I don’t have the expertise to really ground this article in solid fact, but I had to get these observations out – this has been boiling in me since the death of Aaron Swartz. A poster child for the mishandling of the hacker situation, if there ever was one.

      I am glad you found a welcoming platform years ago – I did as well (although my IT work was in systems and desktop support) with only an undergrad in English.

      Although I didn’t get it into my post, your work had a lot to do with my background concern in this field. Especially the vulnerabilities exhibited in “Smart” grids. If we’re not careful, we’ll have a Hollywood movie hacker reality come up if that isn’t fixed.
