Reuters – LAS VEGAS — The U.S. government’s efforts to recruit talented hackers could suffer from the recent revelations about its vast domestic surveillance programs, as many private researchers express disillusionment with the National Security Agency.
Though hackers tend to be anti-establishment by nature, the NSA and other intelligence agencies had made major inroads in recent years in hiring some of the best and brightest, and paying for information on software flaws that help them gain access to target computers and phones.
Much of that goodwill has been erased after the NSA’s classified programs to monitor phone records and Internet activity were exposed by former NSA contractor Edward Snowden, according to prominent hackers and cyber experts.
A turn in the community’s sentiment was on show at two major security conventions in Las Vegas this week: Black Hat, which attracts more established cyber professionals, and Def Con, which gets a larger gathering of younger, more independent hackers.
“We’ve gone backwards about 10 years in the relations between the good guys and the U.S. government,” said Alex Stamos, a veteran security researcher who was to give a Def Con talk on Saturday on the need to revisit industry ethics.
Stamos has willingly briefed FBI and NSA officials on his work in the past, but said that he would now want their questions in writing and he would bring a lawyer to any meeting.
With top intelligence officials warning in March that cyber attacks and cyber espionage have supplanted terrorism as the top security threat facing the United States, the administration is trying to boost security in critical infrastructure and the military is vastly increasing its ranks of computer specialists.
The NSA, working with the Department of Homeland Security, has been lending more of its expertise to protect defense contractors, banks, utilities and other industries that are being spied upon or attacked by rival nations.
These efforts rely on recruiting talented hackers and working with professionals in the private sector.
Some security experts remain supportive of the government. NSA Director Keith Alexander’s talk at the Black Hat conference was well received on Wednesday, despite a few hecklers.
But at the larger and less expensive Def Con, where attendance is expected to top last year’s 15,000, conference founder and government advisor Jeff Moss asked federal agents to stay away.
Moss last year brought Alexander as a keynote speaker to woo the hacking community. But he said the relationship between hackers and the government has worsened since then.
“I haven’t seen this level or sort of animosity since the 90s,” Moss said in an interview. “If you aren’t going to say anything in these circumstances, then you never are.”
Villain or hero?
The NSA’s surveillance programs target foreigners outside the United States who pose potential threats to U.S. security or who can provide intelligence for foreign policies. But the secret projects also scooped up huge amounts of American data, according to documents leaked by Snowden, triggering sharp criticism from many lawmakers and civil liberties advocates.
“A lot of people feel betrayed by it,” said HD Moore, an executive at security firm Rapid 7, though he said he would continue to brief the NSA on software flaws that the agency uses for both offensive and defensive cyber activities. “What bothers me is the hypocritical bit – we demonize China when we’ve been doing these things and probably worse.”
Alexander took a conciliatory tone during his Black Hat speech, defending the NSA but saying he looked forward to a discussion about how it could do things better.
Black Hat attracts professionals whose companies pay thousands of dollars for them to attend. Def Con costs $180 and features many of the same speakers.
At Black Hat, a casual polling station at a vendor’s exhibition booth asking whether Snowden was a villain or a hero produced a dead heat: 138 to 138. European attendees were especially prone to vote for hero, the vendor said.
Def Con would have been much rougher on Alexander, judging by interviews there and the reception given speakers who touched on Snowden and other government topics.
Christopher Soghoian, an American Civil Liberties Union technologist, drew applause from hundreds of attendees when he said the ACLU had been the first to sue the NSA after one of the spy programs was revealed.
Peiter Zatko, a hacker hero who funded many small projects from a just-departed post at the Pentagon’s Defense Advanced Research Projects Agency, told another large audience that he was unhappy with the surveillance programs and that “challenging the government is your patriotic duty.”
The disenchanted give multiple reasons, citing previous misleading statements about domestic surveillance, the government’s efforts to force companies to decrypt user communications, and the harm to U.S. businesses overseas.
“I don’t think anyone should believe anything they tell us,” former NSA hacker Charlie Miller said of top intelligence officials. “I wouldn’t work there anymore.”
Stamos and Moss said the U.S. government is tilting too much toward offense in cyberspace, using secret vulnerabilities that their targets can then discover and wield against others.
Closest to home for many hackers are the government’s aggressive prosecutions under the Computer Fraud and Abuse Act, which has been used against Internet activist Aaron Swartz, who committed suicide in January, and U.S. soldier Bradley Manning, who leaked classified files to anti-secrecy website WikiLeaks.
A letter circulating at Def Con and signed by some of the most prominent academics in computer security said the law was chilling research in the public interest by allowing prosecutors and victim companies to argue that violations of electronic “terms of service” constitute unauthorized intrusions.
Researchers who have found important flaws in electronic voting machines and medical devices did so without authorization, the letter says.
If there is any silver lining, Moss said, it is that before Snowden’s leaks, it had been impossible to have an informed discussion about how to balance security and civil liberties without real knowledge of government practices.
“The debate is just starting,” he said. “Maybe we can be a template for other democracies.”