Of all the topics I speak about the one that provokes the most controversy is related to hackers. The idea that respectable companies would ever work with people who are good at breaking into systems is seen, at best, as a counter intuitive strategy, and at worst as a trivialisation of what may be the most significant problem facing the criminal justice system today. A comment I’m often surprised by is: “can’t we just lock them all up”?
This “lock them up and throw away the key” approach is shared by several governments around the world, including the United States. The FBI recently charged 22 year old Marcus Hutchins - the security researcher that accidentally stopped the spread of the Wannacry ransomware - with selling banking malware. There is a substantial amount of evidence to suggest that a number of years ago Hutchins may have been involved in this sort of activity (at the age of 17), and he now faces 40 years in a federal prison. The US government’s response to the challenging issue of cyber crime is to make examples of people they’re able to arrest or extradite - regardless of whether it takes almost a decade (in the case of Kim Dotcom, an eccentric billionaire charged with copyright infringement) - or if the sentence seems hugely disproportional to the crime. In the sentencing of Ross Ulbright, the creator of the drugs marketplace Silk Road, the judge explicitly referenced the danger that cyber crime poses to society as a whole, and handed down a more severe sentence than even the prosecution asked for: life without the possibility of parole. For the judge in Ulbright’s case, the issue was simply one of deterrence.
Much like the war on drugs, this deterrence led approach isn’t working. Last week Equifax announced they were subjected to a data breach affecting 143 million Americans (nearly half the US population), a systems compromise that is just one of many high profile hacks this year. Ironically too as the US attempts to lock up every hacker they can lay their hands on it’s estimated that Europe faces a cyber security skills gap of 350,000 workers by 2022.
The Catch Me If You Can approach
What do you do with the best bank forger of his generation? Let him rot forever in prison? At the end of the film Catch Me If You Can Frank Abignail is offered a deal: work with us to catch other forgers and secure bank systems and we’ll reduce your sentence. Unless you’re a hardline absolutist this makes a lot of sense - why waste a talent when you can use it to prevent more bad occurring?
Many companies and governments are going a step further than this traditional method of collaboration in their attempts to work with hackers. Tesla encourages and rewards hackers that compromise their systems, as long as they disclose the vulnerability. This year a group of Chinese hackers did just this - and Tesla were thrilled about it.
In a similar way GCHQ in the UK have begun to work out that treating hackers as run of the mill criminals may not be the most effective approach. They recently trialled a rehab camp where young hackers that had been caught would be given the opportunity to work with the security forces. One of the quotes from an attendee of the programme was that they didn’t even realise that working to prevent hacks was a real profession.
When a developer found several security holes in in HMRC’s website it was hugely challenging to even report the problems - not the best indication that the government is interested in any sort of collaboration with the security community - let alone young hackers in their bedroom.
Even the US government is starting to think about different approaches to their cyber security problems - though their justice system doesn’t appear to be getting the memo. The US Army ran a scheme called “Hack the Pentagon” which encouraged ethical hackers to hack into the pentagon with a reward if they disclosed their exploits. It took just 13 minutes for the first issue to be reported.
One of the most interesting things about the “Hack the Pentagon” event was that generals admitted that it was actually quite difficult for hackers to collaborate with the US government.
There will always be hackers uninterested in collaboration & who will always aim to make money via illegal methods - this is criminal activity - but when companies or organisations make no effort to engage young hackers is it any wonder that they get drawn into the darker places on the web? There is another way; and creating a strategy and framework to allow external hackers to collaborate with you, rather than compromise you, has got to be the first step.