For cybersecurity, US government seeks a few good hackers

The Washington Post
October 26, 2015 10:15 MYT
The US government is seeking hackers to protect the homeland.
Alejandro Mayorkas, a high-ranking Department of Homeland Security official, opened a speech over the summer in Las Vegas before hundreds of hackers with a dare.
"I challenge you all to make my phone ring during my remarks," he said, brandishing a flip phone the size of a soda bottle. "Take a shot," he said, urging the crowd to hack his phone. Then he sweetened the deal: There would be a government job for anyone who succeeded.
The conference's volunteer organizers, known as goons, soon interrupted Mayorkas for a long-standing tradition at the cybersecurity convention DEF CON: First-time speakers take a shot of whiskey on stage.
"That was my first of the day, by the way," Mayorkas said after downing the Jack Daniel's, "but it won't be my last."
Mayorkas was just one of a fleet of federal officials who attended Black Hat and DEF CON this year. The two gatherings have grown into annual pilgrimages for security researchers, hackers and hangers-on. Their mission? Enlist hackers to protect the homeland.
Black Hat attracts cybersecurity companies that are eager to mingle with government officials and secure government work. The DEF CON crowd skews toward the Hollywood hacker stereotypes of geeks in casual or slightly punk attire. But people at both events share a passion for tearing apart computer code to figure out how to make systems safer.
And they just might be the government's best hope as cyber threats, including financially motivated hacks and digital espionage, continue to increase.
That's why Mayorkas was just one of many government officials to descend on Las Vegas over the summer. Elsewhere at the conferences, a Justice Department official tried to calm fears about a controversial computer crimes law that security researchers often say criminalizes their work. And Federal Trade Commission representatives were seeking hackers to help find technical threats to consumers.
They are all struggling with a cybersecurity recruitment gap: Federal agencies trying to beef up their cyber skills are battling everyone from tech giants such as Google and Microsoft to Nike for talent - and all too often losing.
Even when trying to recruit for its most elite roles, the federal government is striking out. In July, the Justice Department's inspector general reported that the FBI's flagship cybersecurity program had not filled 52 of the 134 computer scientist jobs authorized under the Justice Department's Next Generation Cyber Initiative, a 2012 effort to predict and prevent cyberattacks.
The audit cited the agency's relatively low salaries and extensive background checks as roadblocks. One agency official told auditors that "the FBI loses a significant number of people" to its drug policies, namely that applicants must not have used marijuana in the previous three years and other illegal drugs in the past 10.
In some hacking circles, that's a deal breaker.
"I got weird looks from some computer security friends in the Bay Area when I turned down pot because, among other reasons, I was considering jobs in the government," said Jonathan Mayer, a Stanford computer scientist and lawyer who recently relocated to Washington.
FBI Director James Comey acknowledged the pot problem during a 2014 speaking engagement, according to the Wall Street Journal. "I have to hire a great workforce to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview," he said, adding that the agency was "grappling with the question" of its evolving talent pool.
The background check can be particularly drawn-out for those who self-identify as hackers, said Peiter Zatko - better known by his online handle Mudge - who worked at the Defense Advanced Research Projects Agency's cybersecurity research division for three years starting in 2010 and later at Google. "Because I came from an area that included the word 'hacker,' I had a huge target on my back," he said, citing his extensive background check.
It took more than five years to receive a security clearance, Zatko said.
And then there is the issue of pay. "Quite frankly, we're not going to be able to match some of the private-sector opportunities financially," Mayorkas said in an interview.
The trick is to convince prospective candidates that government work is worth the effort, he said, including the "unique privilege in working on behalf of the American public." There are training opportunities that can help sweeten the deal, especially for hacker types who "generally like to expand their skill sets," said David Raymond, deputy director of Virginia Tech's IT Security Lab and an Army veteran who taught at West Point.
But even when a government agency manages to hire a cyber expert, there can still be a culture clash that makes retention difficult. The sometimes bureaucratic nature of government work can be tough for hackers. And some say there is a lack of respect for their technical skills within the walls of government agencies.
Many pointed to an interview that White House cyber czar Michael Daniel gave to the trade publication Gov Info Security last year. A lack of technical experience actually may be an "asset" to his job, Daniel said, rankling some cyber experts.
Said Zatko: "That attitude, whether intentional or not, doesn't allow you to recruit significant talent. And if you don't have a career path for it, why would you go work there if you can go do that elsewhere and can actually make real money and have your efforts recognized?"
The government has made some progress. Princeton computer science professor Ed Felten, who is widely respected in the cybersecurity community, joined the Obama administration as deputy chief technology officer earlier this year. The government also has set up new agencies, 18F and the U.S. Digital Service, that aim to improve how the government delivers services online.
Until last year, a U.S. Army soldier who wanted to pursue a cyber career had few options. "You would have these people at Annapolis and West Point study information security and they'd be sent to infantry - not allowed to essentially make use of anything they've studied and learned," Zatko said.
The Army recently created a new cyber branch - a "huge step forward," Raymond said.
Zatko says such efforts are important because they bring in people with the technical know-how to serve as ambassadors to the hacking community.
These gains are the result of years of government effort with many setbacks. Government recruiters have been attending cybersecurity conferences for decades - and at times being made fun of for doing so. At DEF CON, there is a "spot the fed" contest, which awards T-shirts for humorously outing law enforcement officials trying to keep a low profile. (Internally, the FBI took note of the competition, according to documents obtained by MuckRock, calling it "of interest to all personnel who may be working" at the conference.)
Still, top leaders seemed to realize the value of making friends with hackers: In 2012, then-National Security Agency chief Keith Alexander spoke at DEF CON. "In this room, this room right here, is the talent our nation needs to secure cyberspace," he said. "You folks understand cybersecurity. You know that we can protect the networks and have civil liberties and privacy - and you can help us get there."
But by 2013, in the wake of revelations by former NSA contractor Edward Snowden about government surveillance programs, conference organizers asked government officials not to attend. When Alexander gave a keynote speech at the Black Hat conference that year, hecklers interrupted him.
And an uphill battle still remains. Many former government employees among the crowds in Vegas cited the government's failure to protect systems at the Office of Personnel Management from a major hack disclosed earlier this year as a betrayal - and a sign of incompetence.
"There's a level of distrust of the federal government we have to overcome," Mayorkas said.
And at almost every turn at the conference, he tried to overcome that hurdle - even as he downed that shot of whiskey.
"It's very difficult to talk about a trust deficit, and how to bridge that trust deficit, and build trust when I'm a fraud," he said to the crowd, deadpanning: "This is actually water."
Then he asked for a real shot, but only a small one. He had a meeting with the Transportation Security Administration after the speech, he said.