US Intelligence not recruiting blackhats
DHS Needs to Change Rules to Recruit Hackers into U.S. Security Agencies
Members of the hacker community are leery of working with the government and sharing their skills, if it means navigating through outdated regulations and being viewed as potential security risks.
Hackers and other computer experts willing to collaborate with the Department of Homeland Security to bolster the nation’s cyber-defense are unable to do so because of red tape, according to the former head of the department.
to others on both ends of the situation. No names or agencies
named.
they treat them both as felonies.
be guilty regardless. The prevailing theory is they must have got off on
a technicality, no consideration given to actual innocence.
Most of the Intelligence agencies in the US are connected to Law Enforcement.
And all the agencies will make assurances they have policies preventing
these kinds of reactions, but in the end they said that is how they are handled
on a practical basis.
And a low credit rating or collections will mark them as a security risk.
As a stockbroker I had to have a perfect credit report. I had a dentist
from whom I had withheld partial payment for substandard work, and I had to pay
him off before the regulating agency would accept my application.
And that is the paradigm Intelligence agencies are functioning under.
If you know a good hacker who is poor, that may be evidence he is honest.
At least an indication he isn't stealing from the WWW.
Many don't want to hire a Black hat because of the perceived risk.
If they turn out to be a bad actor, the person hiring them gets the
blowback, and may be risking their career.
Agencies that operate in CONUS are used to the civilian paradigm.
But the CIA is used to hiring / bribing bad guys, and has found ways
to handle the risk: lie detectors, surveillance, etc. to manage them.
The agencies that operate in the USA, however, sound like they just
reject those that pose any possible risk.
And I'm not implying that Black hats are bad guys, I'm just pointing
out that the CIA has methods of reducing the risk to manageable proportions
rather than not using them. It's possible to reduce the risk to where they
can be hired.
Black Hats Speak:
And from the Black hats' point of view I was told, dealing with Feds is like
making a honey sandwich, can be sweet, but very sticky.
TRUST:
The trust issue is big on their minds.
If I partner with the Feds, will they at
some point come after me for past activities?
Do they investigate my past forever?
Is this a set up, when they are done with me,
will they burn me?
"YOU DON'T EVEN HAVE TO DO ANYTHING WRONG
OR ILLEGAL TO HAVE FBI COME AFTER YOU"
"IF YOU UNJUSTLY GET ONE OF THESE BULLDOGS
ON YOU YOUR LIFE IS DONE"
"ARE THE REWARDS EQUAL TO THE RISKS"
"IF I TURN LEGAL, AND STAY LEGAL AM I STILL AT RISK?"
The background checks could be scary, many smoke mary jane,
or have in the past. Some hackers said they do some of
their best work buzzed, which is problematic.
And once they apply to the Feds they are 'ON the Radar'
for life. And past exploits in earning their wings may have
involved illegal activities, making a Federal association
uncomfortable.
ARE BLACK HATS NEEDED?
But do we need black hats?
We have White hats.
Besides the shortage problem,
my experience has been, in general
they are two different skill sets.
White hat defends, and black hats attack.
It's the difference between a mechanic and
a race car driver: both work with autos
but from entirely different perspectives.
The other consideration we face is the risk.
At no time in the past has the WWW been so
vulnerable or has security been so bad.
The security threats the world faces are monumental.
Cyber bank robberies, Stuxnet, Conficker, rampant ID theft,
worms, rootkits, viruses, malware, SQL, etc.
The list just goes on and on.
Stuxnet is a proof of concept that the infrastructure
is at risk, Conficker is a proof of concept that the WWW
and maybe even civilization is at risk.
Internet Anthropologist Think Tank: CYBERWARS's Pearl Harbour
Microsoft does patches every Tuesday, about 5 of them.
Every week for at least 5 years, that's 1,250 holes patched,
in the world's most used Operating System.
And there are what, 100's of security vendors
trying to secure it also, and FAILING.
Is MS OS ever going to be patched, secure?
Doesn't look like it.
China and Russia recognize the value of black hats
and support and reward them. And that puts them
ahead of the Game.
Even NSA admits their network isn't secure,
the best secured network in the world isn't safe.
Internet Anthropologist Think Tank: I'm on your PC,know your IP
And Stuxnet has proven you're not safe EVEN
if you're not connected to the WWW.
You can't even hide.
Internet Anthropologist Think Tank: Stuxnet 3.0 most powerful ...
In view of what the world is facing on the WWW
US agencies may want to consider changing the
employment paradigm, the current paradigm
is placing the USA at a significant disadvantage.
But I expect nothing will happen until there is a
cyber 911, then there will be investigations and
Congressional hearings, finger pointing, and then
changes made.
But it's quite possible the Cyber 911 will kill
many more than the last 911, and may not be
fixed so quickly, and may be untraceable.
The question becomes one of leadership,
the current paradigm is too concerned with
CYA, but the law of unintended consequences
looms large in the rear view mirror.
And may bite them hard.
Rome is burning and the Feds fiddle.
DHS seems to be on the right path
but so far it's just all talk, no action.
Gerald
War Anthropologist