Let's Get It Started
August 1, 2016

The Conversations That Won’t Happen at Black Hat & DefCon


Many of the world’s best hackers and reverse engineers (REs) will be in Las Vegas next week for two leading cybersecurity conferences – Black Hat and DefCon. Hackers will trade innovative ideas and demonstrate new technology designed to make businesses and consumers safer. They will plant the seeds for potential billion-dollar deals that could turn an entrepreneur into a cybersecurity guru. Headlines will be made of protecting infrastructure, car hacks, and the newest mobile security vulnerabilities.

While hackers and REs are in Vegas, Washington grapples with four enormous cybersecurity stories:
1) We just witnessed a foreign country (allegedly) steal information from a major political party to potentially influence an election. I asked Daniel B. Garrie, the Editor-in-Chief of The Journal of Law & Cyber Warfare and Executive Managing Partner at Law & Forensics LLC, about the DNC hack. He answered with a provocative question: “What would happen if the Russians walked into the DNC with machine guns and stole that information? It would be considered an act of war.”

2) The Republicans inserted language into the GOP platform that encourages hacking victims of all kinds – corporations, individuals, and other non-government entities – to launch counterattacks against their attackers. Garrie believes retaliation is incredibly dangerous. He argues that this language allows a powerful company to hack back against a country perceived to be on the offense: “The next world war could be launched by a corporation.”

3) President Obama offered a policy directive to streamline America’s response to large-scale cyber-attacks. The administration hopes the directive will create clear swim lanes for the many federal law enforcement agencies now deployed to investigate hacking incidents.

4) After saying he is worried about a “terrorist diaspora” like that in Europe coming West, FBI Director James Comey re-ignited the debate over secured/cloaked electronic transmissions saying that encryption will “figure in a major event in this country.”

We will learn this week if the cybersecurity community is listening to Washington or if they care what lawmakers say. That’s not meant to sound trite. Black Hat and DefCon attendees also want to make the world safer, but many find themselves having to work around Washington, instead of with Washington.

We spoke to one gray hat hacker, who asked to be known as “lonegray.” He is a network security consultant for Fortune 500 companies. He said, “To catch crafty cyber criminals you have to know how they think. To truly understand a botnet’s inner workings you have to build one. Deploying or building a botnet is illegal on multiple levels. There are so many state and federal laws that are broken by doing this, they force me to go underground to do it. The reality is, in court I would win, but that can get very expensive and very time consuming. A prosecutor would say ‘he broke the letter of the law’ without even considering my intent. They will prosecute with extreme prejudice. I have had many friends that have been scared out of the business by these types of events. It’s a real trust issue. That bad trust relationship is a two-way street between the government and the crowd at the conferences in Las Vegas.”

Lonegray would like to see the government offer a program for security hackers like TSA PreCheck, the screening initiative at airports which allows travelers to move through security with greater ease. He would like to be put on a watch list so that if he had data he discovered “in the wild,” he could turn it in safely without likelihood of prosecution.

“Cybersecurity is like gun control or many other complicated issues – legislative foundations are outdated, but cyber challenges are growing faster,” said former Chicago Police Officer and FBI Joint Terrorism Task Force Officer Dimitri Roberts, who now runs the tech/defense consulting firm SevenStar. “We’re ten years behind in policy. Our framework has infrastructure issues and only legislative action can address them. A forum like Black Hat is a great place to educate policy makers on the problems – if we could somehow bring the experts and the policy makers together.”

Shane Tews, co-author of the American Enterprise Institute’s new report, An American Strategy for Cyberspace, added: “White hat hackers are coding, building, and trying to catch up with the bad guys. The cybersecurity pros don’t have time to wait for Washington to catch up. The internet is increasingly being weaponized to attack innocents. One side has declared war, but the other side – the good guys – doesn’t even have a definition for what cyberwar is.”

Defining these criteria is just one problem we need Congress to address. We need to clarify the mixed messages from the Capitol about just what should be done. Do we want to create an army of quasi-deputized cyber-cowboys? Can we assure the white/gray hats that they can pursue lawbreakers without creating liability for themselves?

Garrie supports the creation of Good Samaritan laws for those white/gray hats trying to catch the shadowy criminals launching online attacks. You might think that the RNC platform language would make protections for hackers automatic, but there are still laws that would make the protections from prosecution uncertain. He would like to ask Black Hat/DefCon attendees “what law do they see that allows for offensive cyber operations?” Provisions in both the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) make hackers like lonegray nervous about going on offense. The CFAA makes any hack of 10 or more computers – including a hack back – a crime.

Inviting this “cybervigilantism” without codifying what is an appropriate hack back will make it harder to discern whether an online posse is pursuing a legitimate bug bounty or carrying out personal vendettas.

Empowering cybersecurity professionals is a good thing. Encouraging them to take the law into their own hands, without clarifying the parameters of legal action, potentially creates more problems for gray hats than it solves.

“The government is missing a huge opportunity at Black Hat and DefCon. There is a significant amount of brain power all in one spot, financed on their own dime,” said lonegray. “This is a place where you can build relationships that lead to action. When I find stolen credit cards online, I hand them over to someone in law enforcement that I trust. When he retires, I don’t know who I will go to. The government is routinely making laws that cast a wide net; this allows them to pursue you. If they want you, they will get you, even if you were researching black hat tactics and not researching for personal gain or for theft. It is absolutely asinine and ridiculous.”

AEI’s Tews, who worked in the White House and on Capitol Hill, said: “We need the white hats to start speaking up. Our country’s infrastructure is vulnerable to nation-state and non-state actors. We are at a tipping point right now. It might seem like Washington won’t listen, but there will come a day when the politicians and regulators have to pay attention.”

Unfortunately, that may be too late.
