US Justice Department works to woo hackers
LAS VEGAS: The Department of Justice’s (DOJ’s) relationship with the cybersecurity research community has historically been tempestuous, but Leonard Bailey is on a mission to improve it.
That’s what brings him here, to the BSides cybersecurity conference. The head of the cybersecurity unit of the DOJ’s computer crimes division is extending an open invitation today to ethical hackers to air some grievances and offer policy advice, in a talk called “Let’s Hear from the Hackers: What Should DOJ do Next?”
Bailey wants to ensure hackers are willing to work with government on improving cybersecurity – instead of staying away because they’re suspicious of government.
“It’s about figuring out how to make sure their ability to help us improve [the nation’s] cybersecurity isn’t taken off the playing field,” Bailey tells me. “They have a valuable resource and they can be helping everyone.”
This marks a drastic change – in both outreach and attitude – from previous years. Tensions have soared as ethical hackers accused DOJ of being too quick to prosecute them for benign research aimed at improving cybersecurity – and of not being transparent enough about the rules for what constitutes a digital crime.
Bailey’s office has worked for four years to ease some of these tension points, he said, including by helping develop Copyright Office rules, which make it tougher for companies to use copyright laws to scare off ethical hackers from searching for dangerous bugs in their software, and publishing guidance that clarifies when hackers are likely to fall foul of the nation’s major anti-hacking law, the 1986 Computer Fraud and Abuse Act.
“Before, we were building a bridge” of trust, he told me. “Now, we’ve developed some strong relationships where we can have policy discussions.”
Bailey’s likely to run into some serious headwinds, though. While most cybersecurity experts surveyed by The Cybersecurity 202 said this week that the relationship between hackers and government officials had got better in the last several years, they also pointed out some major points of conflict.
Most ethical hackers strongly oppose Attorney General William P Barr’s push to stop companies from offering encrypted communication systems that prevent police from accessing communications with a warrant. And they say the Computer Fraud and Abuse Act is still used too broadly to punish hackers – with many pointing to the case of Marcus Hutchins, a British security researcher who helped stem the damage from the massive WannaCry ransomware attack in 2017 but was charged under the CFAA a few months later for developing and selling malicious software.
Bailey acknowledged the conflict. He joked in a 2016 address that when he first met with ethical hackers at the Black Hat cybersecurity conference in 2015 “only half [of the meeting] was being yelled at”. In succeeding years, he says, those conversations have become far less hostile and more productive. Now, he says, ethical hackers frequently call him to talk over policy disagreements.
One of the big things Bailey wants to talk with ethical hackers about today is ways they can work with government to help warn young people who are skilled with computers away from criminal hacking or digital vandalism that might land them in trouble with the law.
“Kids who are tech savvy are having earlier and earlier access to valuable tools for learning hard skills like coding, but they may not also be getting information about how to use that power responsibly,” he said.
The DOJ is considering offering grants to organisations to write ethical hacking curricula for high schools or community organisations, he said. They’re also looking for ways to reach out to places where they might find tech-savvy teens.