As cy­ber wor­ries grow, Un­cle Sam asks hack­ers to help the home­land.

The Washington Post Sunday - - BUSINESS - BY AN­DREA PETER­SON an­drea.peter­son@wash­

Ale­jan­dro May­orkas, a high­rank­ing Depart­ment of Home­land Se­cu­rity of­fi­cial, opened a speech over the sum­mer in Las Ve­gas be­fore hun­dreds of hack­ers with a dare.

“I chal­lenge you all to make my phone ring dur­ing my re­marks,” he said, bran­dish­ing a flip phone the size of a soda bot­tle. “Take a shot,” he said, urg­ing the crowd to hack his phone. Then he sweet­ened the deal: There would be a gov­ern­ment job for any­one who suc­ceeded.

The con­fer­ence’s vol­un­teer or­ga­niz­ers, known as goons, soon in­ter­rupted May­orkas for a long­stand­ing tra­di­tion at the cy­ber­se­cu­rity con­ven­tion DEF CON: First-time speak­ers take a shot of whiskey on stage.

“That was my first of the day, by the way,” May­orkas said af­ter down­ing the Jack Daniels, “but it won’t be my last.”

May­orkas was just one of a fleet of fed­eral of­fi­cials who at­tended Black Hat and DEF CON this year. The two gath­er­ings have grown into an­nual pil­grim­ages for se­cu­rity re­searchers, hack­ers and hang­ers-on. Their mis­sion? En­list hack­ers to pro­tect the home­land.

Black Hat at­tracts cy­ber­se­cu­rity com­pa­nies that are ea­ger to min­gle with gov­ern­ment of­fi­cials and se­cure gov­ern­ment work. The DEF CON crowd skews to­ward the Hol­ly­wood hacker stereo­types of geeks in ca­sual or slightly punk at­tire. But peo­ple at both events share a pas­sion for tear­ing apart com­puter code to fig­ure out how to make sys­tems safer.

And they jut might be the gov­ern­ment’s best hope as cy­berthreats, in­clud­ing fi­nan­cially mo­ti­vated hacks and dig­i­tal es­pi­onage, con­tinue to in­crease.

That’s why May­orkas was just one of many gov­ern­ment of­fi­cials to de­scend on Las Ve­gas over the sum­mer. Else­where at the con­fer­ences, a Jus­tice Depart­ment of­fi­cial tried to calm fears about a con­tro­ver­sial com­puter crimes law that se­cu­rity re­searchers of­ten say crim­i­nal­izes their work. And Fed­eral Trade Com­mis­sion rep­re­sen­ta­tives were seek­ing hack­ers to help find tech­ni­cal threats to con­sumers.

They are all strug­gling with a cy­ber­se­cu­rity re­cruit­ment gap: Fed­eral agen­cies try­ing to beef up their cy­ber skills are bat­tling ev­ery­one from tech gi­ants such as Google and Mi­crosoft to Nike for tal­ent — and all too of­ten los­ing.

High hur­dles

Even when try­ing to re­cruit for its most elite roles, the fed­eral gov­ern­ment is strik­ing out. In July, the Jus­tice Depart­ment’s in­spec­tor gen­eral re­ported that the FBI’s flag­ship cy­ber­se­cu­rity pro­gram had not filled 52 of the 134 com­puter sci­en­tist jobs au­tho­rized un­der the Jus­tice Depart­ment’s Next Gen­er­a­tion Cy­ber Ini­tia­tive, a 2012 ef­fort to pre­dict and pre­vent cy­ber­at­tacks.

The au­dit cited the agency’s rel­a­tively low salaries and ex­ten­sive back­ground checks as road­blocks. One agency of­fi­cial told au­di­tors that “the FBI loses a sig­nif­i­cant num­ber of peo­ple” to its drug poli­cies, namely that ap­pli­cants must not have used mar­i­juana in the pre­vi­ous three years and other il­le­gal drugs in the past 10.

In some hack­ing cir­cles, that’s a deal­breaker.

“I got weird looks from some com­puter se­cu­rity friends in the Bay Area when I turned down pot be­cause, among other rea­sons, I was con­sid­er­ing jobs in the gov­ern­ment,” said Jonathan Mayer, a Stan­ford com­puter sci­en­tist and lawyer who re­cently re­lo­cated to Wash­ing­ton.

The trick is to con­vince prospec­tive can­di­dates that gov­ern­ment work is worth the ef­fort, he said, in­clud­ing the “unique priv­i­lege in work­ing on be­half of the Amer­i­can pub­lic.” There are train­ing op­por­tu­ni­ties that can help sweeten the deal, es­pe­cially for hacker types who“gen­er­ally like to ex­pand their skill sets,” said David Ray­mond, deputy di­rec­tor of Vir­ginia Tech’s IT Se­cu­rity Lab and an Army vet­eran who taught at West Point.

Mak­ing progress?

The gov­ern­ment has made some progress. Prince­ton com­puter sci­ence pro­fes­sor Ed Felt en, who is widely re­spected in the cy­ber­se­cu­rity com­mu­nity, joined the Obama ad­min­is­tra­tion as deputy chief tech­nol­ogy of­fi­cer ear­lier this year. The gov­ern­ment also has set up new agen­cies, 18F and the U.S. Dig­i­tal Ser­vice, that aim to im­prove how the gov­ern­ment de­liv­ers ser­vices on­line.

Un­til last year, a U.S. soldier who wanted to pur­sue a cy­ber ca­reer had few op­tions. “You would have th­ese peo­ple at An­napo­lis and West Point study in­for­ma­tion se­cu­rity and they’d be sent to in­fantry — not al­lowed to es­sen­tially make use of any­thing they’ve stud­ied and learned,” Zatko said.

The ser­vice re­cently cre­ated a new cy­ber branch — a “huge step for­ward,” Ray­mond said.

Th­ese gains are the re­sult of years of gov­ern­ment ef­fort with many set­backs. Gov­ern­ment re­cruiters have been at­tend­ing cy­ber­se­cu­rity con­fer­ences for decades — and at times be­ing made fun of for do­ing so. At DEF CON, there is a “spot the fed” con­test, which awards T-shirts for hu­mor­ously out­ing law en­force­ment of­fi­cials try­ing to keep a low pro­file. (In­ter­nally, the FBI took note of the com­pe­ti­tion, ac­cord­ing to doc­u­ments ob­tained by Muck Rock, call­ing it “of in­ter­est to all per­son­nel who may be work­ing” at the con­fer­ence.)

Still, top lead­ers seemed to re­al­ize the value of mak­ing friends with hack­ers: In 2012, then-Na­tional Se­cu­rity Agency chief Keith Alexan­der spoke at DEF CON. “In this room, this room right here, is the tal­ent our na­tion needs to se­cure cy­berspace,” he said. “You folks un­der­stand cy­ber­se­cu­rity. You know that we can pro­tect the net­works and have civil lib­er­ties and pri­vacy — and you can help us get there.”

But by 2013, in the wake of rev­e­la­tions by former NSA con­trac­tor Ed­ward Snow­den about gov­ern­ment sur­veil­lance pro­grams, con­fer­ence or­ga­niz­ers asked gov­ern­ment of­fi­cials not to at­tend. When Alexan­der gave a key­note speech at the Black Hat con­fer­ence that year, heck­lers in­ter­rupted him.

And an up­hill bat­tle still re­mains. Many former gov­ern­ment em­ploy­ees among the crowds in Ve­gas cited the gov­ern­ment’s fail­ure to pro­tect sys­tems at the Of­fice of Per­son­nel Man­age­ment from a ma­jor hack dis­closed ear­lier this year as a be­trayal — and a sign of in­com­pe­tence.

“There’s a level of dis­trust of the fed­eral gov­ern­ment we have to over­come,” May­orkas said.

And at al­most ev­ery turn at the con­fer­ence, he tried to over­come that hur­dle — even as he downed that shot of whiskey.

“It’s very dif­fi­cult to talk about a trust deficit, and how to bridge that trust deficit, and build trust when I’m a fraud,” he said to the crowd, dead­pan­ning: “This is ac­tu­ally wa­ter.”

Then he asked for a real shot, but only a small one. He had a meet­ing with the Trans­porta­tion Se­cu­rity Ad­min­is­tra­tion af­ter the speech, he said.


Home­land Se­cu­rity of­fi­cial Ale­jan­dro May­orkas says the gov­ern­ment faces an up­hill bat­tle in re­cruit­ing hack­ers: “There’s a level of dis­trust of the fed­eral gov­ern­ment we have to over­come.”


Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.