As cyber worries grow, Uncle Sam asks hackers to help the homeland.
Alejandro Mayorkas, a high-ranking Department of Homeland Security official, opened a speech over the summer in Las Vegas before hundreds of hackers with a dare.
“I challenge you all to make my phone ring during my remarks,” he said, brandishing a flip phone the size of a soda bottle. “Take a shot,” he said, urging the crowd to hack his phone. Then he sweetened the deal: There would be a government job for anyone who succeeded.
The conference’s volunteer organizers, known as goons, soon interrupted Mayorkas for a longstanding tradition at the cybersecurity convention DEF CON: First-time speakers take a shot of whiskey on stage.
“That was my first of the day, by the way,” Mayorkas said after downing the Jack Daniels, “but it won’t be my last.”
Mayorkas was just one of a fleet of federal officials who attended Black Hat and DEF CON this year. The two gatherings have grown into annual pilgrimages for security researchers, hackers and hangers-on. Their mission? Enlist hackers to protect the homeland.
Black Hat attracts cybersecurity companies that are eager to mingle with government officials and secure government work. The DEF CON crowd skews toward the Hollywood hacker stereotypes of geeks in casual or slightly punk attire. But people at both events share a passion for tearing apart computer code to figure out how to make systems safer.
And they just might be the government’s best hope as cyberthreats, including financially motivated hacks and digital espionage, continue to increase.
That’s why Mayorkas was just one of many government officials to descend on Las Vegas over the summer. Elsewhere at the conferences, a Justice Department official tried to calm fears about a controversial computer crimes law that security researchers often say criminalizes their work. And Federal Trade Commission representatives were seeking hackers to help find technical threats to consumers.
They are all struggling with a cybersecurity recruitment gap: Federal agencies trying to beef up their cyber skills are battling everyone from tech giants such as Google and Microsoft to Nike for talent — and all too often losing.
Even when trying to recruit for its most elite roles, the federal government is striking out. In July, the Justice Department’s inspector general reported that the FBI’s flagship cybersecurity program had not filled 52 of the 134 computer scientist jobs authorized under the Justice Department’s Next Generation Cyber Initiative, a 2012 effort to predict and prevent cyberattacks.
The audit cited the agency’s relatively low salaries and extensive background checks as roadblocks. One agency official told auditors that “the FBI loses a significant number of people” to its drug policies, namely that applicants must not have used marijuana in the previous three years and other illegal drugs in the past 10.
In some hacking circles, that’s a dealbreaker.
“I got weird looks from some computer security friends in the Bay Area when I turned down pot because, among other reasons, I was considering jobs in the government,” said Jonathan Mayer, a Stanford computer scientist and lawyer who recently relocated to Washington.
The trick is to convince prospective candidates that government work is worth the effort, he said, including the “unique privilege in working on behalf of the American public.” There are training opportunities that can help sweeten the deal, especially for hacker types who “generally like to expand their skill sets,” said David Raymond, deputy director of Virginia Tech’s IT Security Lab and an Army veteran who taught at West Point.
The government has made some progress. Princeton computer science professor Ed Felten, who is widely respected in the cybersecurity community, joined the Obama administration as deputy chief technology officer earlier this year. The government also has set up new agencies, 18F and the U.S. Digital Service, that aim to improve how the government delivers services online.
Until last year, a U.S. soldier who wanted to pursue a cyber career had few options. “You would have these people at Annapolis and West Point study information security and they’d be sent to infantry — not allowed to essentially make use of anything they’ve studied and learned,” Zatko said.
The service recently created a new cyber branch — a “huge step forward,” Raymond said.
These gains are the result of years of government effort with many setbacks. Government recruiters have been attending cybersecurity conferences for decades — and at times being made fun of for doing so. At DEF CON, there is a “spot the fed” contest, which awards T-shirts for humorously outing law enforcement officials trying to keep a low profile. (Internally, the FBI took note of the competition, according to documents obtained by MuckRock, calling it “of interest to all personnel who may be working” at the conference.)
Still, top leaders seemed to realize the value of making friends with hackers: In 2012, then-National Security Agency chief Keith Alexander spoke at DEF CON. “In this room, this room right here, is the talent our nation needs to secure cyberspace,” he said. “You folks understand cybersecurity. You know that we can protect the networks and have civil liberties and privacy — and you can help us get there.”
But by 2013, in the wake of revelations by former NSA contractor Edward Snowden about government surveillance programs, conference organizers asked government officials not to attend. When Alexander gave a keynote speech at the Black Hat conference that year, hecklers interrupted him.
And an uphill battle still remains. Many former government employees among the crowds in Vegas cited the government’s failure to protect systems at the Office of Personnel Management from a major hack disclosed earlier this year as a betrayal — and a sign of incompetence.
“There’s a level of distrust of the federal government we have to overcome,” Mayorkas said.
And at almost every turn at the conference, he tried to overcome that hurdle — even as he downed that shot of whiskey.
“It’s very difficult to talk about a trust deficit, and how to bridge that trust deficit, and build trust when I’m a fraud,” he said to the crowd, deadpanning: “This is actually water.”
Then he asked for a real shot, but only a small one. He had a meeting with the Transportation Security Administration after the speech, he said.