The relationship between ethical hackers and the federal government is better now than it was in 2013, when then-National Security Agency chief Keith Alexander first spoke at the Black Hat cybersecurity conference — not long after Edward Snowden revealed the government's sweeping surveillance programs.
That’s the conclusion of 72 percent of experts who responded to an informal survey by The Cybersecurity 202 before the kickoff of this year’s conference in Las Vegas.
The experts are part of The Network, an ongoing survey of more than 100 cybersecurity experts from government, academia and the private sector. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
When Alexander spoke in 2013, many security researchers were enraged about the newly disclosed surveillance programs, which they said ran roughshod over Americans’ privacy rights and made their jobs harder. Alexander's defense of the programs fell especially flat, many survey respondents said, since at that time the U.S. government often failed to distinguish between ethical hackers, who tried to make the Internet safer by finding and patching computer bugs, and criminal hackers who tried to exploit those bugs to steal people’s money and information.
But over the past six years, the U.S. government has made a greater effort to work with ethical hackers and to shield them from legal jeopardy, most respondents said.
“Only the purely cynical could say that this relationship has not improved,” said Joe Hall, chief technologist at the Center for Democracy and Technology.
One of the biggest ways the federal government has helped ethical hackers in recent years is by shielding them from copyright lawsuits brought by companies after they point out hackable vulnerabilities in their computer code, said Harley Geiger, director of public policy at the cybersecurity firm Rapid 7.
The Library of Congress first approved those protections in 2016 — “with the full-throated support of the Department of Justice,” Geiger noted — and renewed them in 2018. Before the protections, companies frequently used copyright law to punish researchers who found bugs in their products and to scare off other researchers from looking for those flaws.
The government has also embraced bug bounties, contests pioneered in the private sector in which hackers get cash or other prizes for finding and disclosing bugs in federal agency websites and online tools, noted Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub. “The U.S. government not only sees the value of engaging ethical hackers, but increasingly borrows their tools,” Cooper said.
“Government agencies operating bug bounty programs has helped build trust between the government and the security community after it fell off a cliff from the Snowden revelations,” noted Chris Wysopal, chief technology officer at the cybersecurity company Veracode.
Those bug bounty contests not only give ethical hackers an incentive to work with government, but also help government officials gain more trust in the cybersecurity community, said Katie Moussouris, founder and CEO of Luta Security, who helped organize the first government bug bounty called “Hack the Pentagon” in 2016.
“It's been a journey with many ups and downs,” Moussouris said. “I'm happy to see more members of Congress, various government departments, as well as law enforcement take outreach with the hacker community seriously.”
Respondents also pointed to the positive message from government officials and lawmakers increasingly participating in the Black Hat conference itself — and in two related conferences this week in Las Vegas, Def Con and BSides, which are collectively referred to as “hacker summer camp.”
The agendas this year include officials from the Department of Homeland Security, the NSA, the Food and Drug Administration and other agencies, as well as Sen. Ron Wyden (D-Ore.) and Reps. Jim Langevin (D-R.I.), Ted Lieu (D-Calif.) and Eric Swalwell (D-Calif.).
Black Hat founder Jeff Moss, a hacker also known as the Dark Tangent, said that “2013 was the low-water mark” for relations between government and the ethical hacking community, and he praised several federal agencies for trying to work with hackers to improve the relationship since then.
The ethical hacking community is also playing nicer with government officials, noted Jay Kaplan, co-founder of the cybersecurity company Synack.
“Pre-2013, U.S. government officials attending Black Hat were required to attend special [operational security] training and not publish who they actually worked for. There were even contests at Def Con called ‘Spot the Fed,’ ” Kaplan said.
Today, on the other hand, “collaboration between private and public organizations is pervasive and it is largely assumed that a number of government officials attend,” he said.
About 28 percent of survey respondents, however, said the relationship between government and the ethical hacking community was no better now than in 2013 at the height of the Snowden drama.
One big reason they cited was the government's continued demands that tech companies allow law enforcement to access encrypted communication systems — which cybersecurity experts say would result in all digital communications being less secure.
That effort, which was reinvigorated in recent weeks by Attorney General William Barr and FBI Director Christopher Wray, “is eroding most of the good will” government created in the hacking community over recent years, said Ashkan Soltani, a former chief technologist for the Federal Trade Commission who now does independent privacy and security research.
Others criticized Congress and the Justice Department for failing to update the government’s main anti-hacking law, the 1986 Computer Fraud and Abuse Act — which most cybersecurity experts say is far too vague to govern what’s legal and illegal in the modern Internet.
“If the NSA wanted to improve relations, it would stand with the security community … with regard to much-needed changes to the Computer Fraud and Abuse Act, protecting encryption and election security,” said Cindy Cohn, executive director of the Electronic Frontier Foundation.
Tarah Wheeler, a cybersecurity policy fellow at the New America think tank, pointed specifically to the case of Marcus Hutchins, a British cybersecurity researcher who helped stem the damage from the massive WannaCry ransomware attack in 2017 but was arrested a few months later — on his way home from that year’s Black Hat conference — and charged under the CFAA for developing and selling malicious software.
Hutchins faced up to 10 years in prison but was released last week with no additional jail time.
“If anything can be done to help repair the fractured and fractious relationship between the information security community and USG, it would be to repeal the useless and damaging Computer Fraud and Abuse Act,” Wheeler said.
More responses to The Network survey on whether the government's relationship with ethical hackers is better today than it was in 2013:
- YES: “I was a civilian at Fort Meade when General Alexander was mocked for showing up at Black Hat in jeans and a T-shirt [in 2013]. It was an unprecedented show of transparency and public relations for an [NSA director]. It was also a turning point in relations [between] two of the most skilled communities of ethical hackers in the world.” — David Weinstein, vice president of threat research at Claroty, an industrial cybersecurity firm
- NO: “Ethical hackers view the continuing unethical hacking, surveillance, and anti-encryption stances of the U.S. government with rightful and growing suspicion; the U.S. government's failure to enact meaningful reforms, and complete intransigence toward transparency and accountability, are anathema to core values of the ethical hacking community.” — Sascha Meinrath, a Penn State professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy
- YES: “There is a contrast … between what plays out in public view and what happens behind the scenes where people are collaborating and working hard to keep our nation safe.” — Mark Weatherford, a former top DHS cybersecurity official who’s now a global information security strategist at Booking Holdings
- NO: “Barr's recent renewal of DOJ's drive to gain backdoor access to citizens' encryption only serves to further alienate members of the community from the government … The government's approach to these issues is reminiscent of a serial abuser promising his spouse he's sorry and won't do it again.” — Tor Ekeland, an attorney focused on defending hackers
- YES: “I think generally, the U.S. government is aware that the hacker community has good intentions … However, I would like to see more active participation of the U.S. government in the hacker community's efforts in securing elections and advocacy of privacy regulations.” — Whitney Merrill, a privacy and information security attorney and technologist who runs the DEF CON conference’s Crypto and Privacy Village
- NO: “It is simply not enough for officials to show up to events wearing hoodies when law and policy is hostile to security.” — A respondent who took the survey on condition of anonymity
- YES: “The increasing threat from foreign nations hacking American institutions, and the fading of public enthusiasm for WikiLeaks and Edward Snowden have aided a rapprochement between ethical hackers and the NSA.” — Stewart Baker, a Steptoe and Johnson attorney and former NSA general counsel
- NO: “It was getting better with the DoD bug bounties and other government engagement with the community. But Attorney General Barr stating tech companies ‘can and must’ put back doors in encryption has eroded much of the trust that was being established.” — Vikram Phatak, CEO of cybersecurity company NSS Labs
- YES: “Some of the ethical hacking community have a solid understanding of the global dynamics driven by nation-states and organized crime adversaries continuously impacting the [United States] and they wish to help the government. There are many other ethical hackers who are dead-set against any support for the U.S. government … We still have a long way to go to utilize the full abilities of the U.S. ethical hacking community.” — Tony Cole, chief technology officer at Attivo Networks
- NO: “Incidents like the Shadow Brokers exposures, [in which an unknown group stole a cache of NSA hacking tools] cast a negative light on [U.S. government] offensive and collection efforts.” — Laura Galante, founder of Galante Strategies and a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative
PINGED: Cybersecurity researchers generally praised the decision by Cloudflare, a company that protects websites from cybersecurity attacks, to boot 8chan after authorities revealed the El Paso shooter likely used the site to post his racist manifesto before murdering 22 people. But they also warned that industry or government will have to work on a bigger fix for determining what content is acceptable to post online.
United Nations special rapporteur on freedom of opinion and expression David Kaye welcomed the news:
i cry no tears for 8chan or more particularly the creators of its most vile content. two v quick reflections: https://t.co/G6CDN5kSLC — David Kaye (@davidakaye) August 5, 2019
But he also warned that a single cybersecurity company shouldn't be responsible for making the determination on 8chan or other potential hate speech:
2. 8chan is low-hanging fruit, given its failure to moderate even obvious incitement or control its most egregious cesspools of hatred. beware the pressure likely to be placed on companies like cloudflare to deny service for less clear-cut instances of 'problem content'. — David Kaye (@davidakaye) August 5, 2019
8chan “crossed [a] line,” Cloudflare CEO Matthew Prince wrote in a blog post explaining the company’s decision. But Prince added that the “law may need additional remedies” to prevent companies like his from having to make moderation decisions in the first place. “We continue to feel incredibly uncomfortable about playing the role of content arbiter and do not plan to exercise it often.”
Cloudflare still has business partnerships with dozens of organizations classified as hate groups, journalist Aaron Sankin noted.
Cloudflare may have kicked 8chan off its service, but I found that it still takes money for DDoS protection from 56 other hate groups https://t.co/IWgszKxH2Y — Aaron Sankin (@ASankin) August 5, 2019
After Cloudflare terminated its service, 8chan moved to BitMitigate. That company also took on the Daily Stormer after Cloudflare kicked off the neo-Nazi site in 2017. “But by Monday afternoon, both 8chan and the Daily Stormer plunged into darkness when Voxility, a tech firm that has leased servers to BitMitigate, announced that it would no longer provide those services,” Drew reported.
From Alex Stamos, a professor at the Stanford Internet Observatory and former chief security officer at Facebook:
BitMitigate turned out to be just a thin layer on top of systems actually hosted by @voxility. When Voxility shut them down for ToS violations, it took down all of their customers and Epik's public facing systems. https://t.co/tlQdnyWkFY — Alex Stamos (@alexstamos) August 6, 2019
Stamos, who has testified about 8chan before Congress, told NBC News that refusal of service by major hosts could force 8chan to use spam and malware-filled Russian hosts blocked by many U.S. providers.
PATCHED: A multimillion-dollar effort to shore up election security in Texas could be undermined because nearly 25 percent of counties in the state plan on sticking with paperless voting machines that experts say are far more vulnerable to hacking, Politico's Eric Geller reports. As intelligence experts ramp up warnings about the vulnerabilities posed by paperless machines, a lack of local and federal leadership as well as funding issues have plagued attempts by local Texas election officials to shore up security, Geller reports.
Several county officials said they wouldn't upgrade their systems until state legislation “mandated it,” while election officials in Hood County, Texas wanted to upgrade but were unable to do so without local government approval, Geller found. Susan Greenhalgh, the policy director at the National Election Defense Coalition, told Geller that without state guidance counties are “left to their own devices” and more easily manipulated by vendors.
The problem isn't isolated to Texas. Election officials in 14 states where paperless ballots are still used expressed frustrations with the processes required to upgrade, Politico found in a survey that dug down to the county level.
PWNED: The top Republican on the House Administration Committee is demanding the Election Assistance Commission provide more answers about how it’s preparing for potential threats to the 2020 election. Rep. Rodney Davis (R-Ill.) wants the EAC to provide more details about how it’s coordinating with DHS to prepare for potential threats against election infrastructure.
Davis also wants to know how the commission settled on specific recommendations in Voluntary Voting Systems Guidelines that it recently approved and what the agency has been doing to educate the public about election security for 2020, the Hill reports.
“I remain committed to ensuring that local election officials have every resource they need to provide for a secure election in 2020,” Davis wrote in the letter. “Effective and focused oversight over the EAC is critically important in this mission.” The EAC has until Sept. 2 to respond to the letter.