'Hackers Wanted' Ad Fed Security Misconception
Ira Winkler writes on IT World:
I should never be surprised at things related to government security efforts, but I did think the concept of hiring hackers was pretty much dead in government circles. Then comes the recent headline, " U.S. Looks to Hackers to Protect Cyber Networks." Frankly, I think it set the security profession back at least three years.More here.
The story, widely quoted throughout the U.S. and the world, makes people think that hackers are superior to the best security professionals. Now, admittedly, recent stories have made it appear that the government's security efforts are poor at best. We've had foreign intelligence agencies infiltrating the power grid, and The Wall Street Journal recently reported that the F-35 designs have been hacked for years. All of that is something to ponder. But hiring hackers to fix security breaches? Hackers are not security experts. A recent, and most telling, survey from Verizon basically found that hackers' skills reside in the ability to exploit very basic mistakes on the part of their victims.
Some people will contend that this is all a misunderstanding, because "hackers" are not computer criminals by definition. Criminals are "crackers," they will point out. Others will say that the story used the word "hackers" for sensationalist purposes and that the workers actually being sought were people to perform professional penetration tests. There's some truth to that argument, but there's no mistaking the article's implication that hackers are criminals. To quote from the introduction, "Federal authorities are looking for hackers -- not to prosecute them, but to pay them to secure the nation's networks."
It's one thing for moronic CEOs of small companies such as exqSoft Solutions to hire the Twitter hacker for the publicity, but the U.S. government and General Dynamics, its proxy in this case, should know better. And it could be that this ad was just a misstep. But it was a misstep with unfortunate consequences.