Military Bid for Next Stuxnet Confronts Hacker ResistanceChris Strohm and Jordan Robertson
U.S. military and intelligence officials make a pilgrimage each year to Las Vegas, where the annual Black Hat conference showcases how hacking has gone mainstream, creating a virtual digital-arms supermarket.
This year, however, the pilgrims found few sellers as they shopped for computer bugs and exploits to develop a new generation of offensive and defensive cyberweapons.
“I don’t want to be part of a machine that tracks innocent Americans,” Shane MacDougall, who writes computer programs and finds network security vulnerabilities, said in an interview. “You can lose control of your baby and all of a sudden your technology is being used to track down who the government determines is the enemy of the state.”
There is a ghost at this year’s Black Hat gathering, billed as the world’s largest meeting of computer-security experts. It’s former U.S. contractor Edward Snowden, whose disclosures about classified spying programs has made some hackers who previously were eager to work for or sell products to the U.S. think twice, said Jonathan Pollet, founder of Red Tiger Security LLC in Houston. The company provides cybersecurity services to protect industrial-control systems.
At Black Hat, U.S. military officers and intelligence-agency officials mingled with more than 7,500 executives, security researchers and hackers who came to confer, party, test products and buy and sell their wares. Yet underscoring the change in attitude, some heckled Army General Keith Alexander, head of the National Security Agency, as he asked for their continued help in fighting cyberattacks during a keynote speech.
The work of researchers who find vulnerabilities in computer systems and let companies and the government know they exist has become crucial to U.S. cybersecurity efforts.
Military and intelligence agencies began sending delegations to hacker conferences like Black Hat about five years ago, seeking to hire talented researchers and buy software used to exploit computers, Pollet said in an interview.
“A number of people walking around here at Black Hat are professional bug sellers,” Alex Stamos, an independent security researcher, said in an interview. “They find these bugs, they write exploits and then they sell them to the government.”
The use of “exploits” to develop weapons like the Stuxnet computer worm, used against Iran’s nuclear facilities and discovered in 2010, was a wake-up call for hackers as to how their technology can be employed offensively, Stamos said.
“There’s a real ethical problem I think with selling bugs to the U.S. government,” he said. “You didn’t know before what they’re doing with it, and now you know.”
Among the 131 companies showcasing their products and services with booths above the bustling Caesars Palace casino were McAfee Inc., based in Santa Clara, California, Sourcefire Inc., the Columbia, Maryland-based company that recently agreed to be acquired by Cisco Systems Inc.; and Juniper Networks Inc., based in Sunnyvale, California.
Snowden’s leaks, however, renewed old grievances among some hackers that the government has treated them as free labor or used their products or services for objectionable purposes.
“Most of us in the community are going to be distrustful of anyone in the government at this point because it seems like their motivation is really for self-serving purposes,” Pollet said.
Snowden, who faces U.S. espionage charges, revealed in June that the government secretly collected telephone records of millions of U.S. customers of Verizon Communications Inc. under a classified court order. Another program known as Prism collects Internet data from Apple Inc., based in Cupertino, California, and Google Inc., based in Mountain View, California, and other companies.
Yesterday, Snowden received asylum in Russia, where he had holed up at a Moscow airport since June.
In Washington, President Barack Obama yesterday tried to head off the concerns being raised about the surveillance programs at a meeting with a bipartisan group of nine lawmakers.
Representative Bob Goodlatte, a Virginia Republican and chairman of the House Judiciary Committee, called the meeting a “frank discussion” and said he would hold future hearings about the NSA’s programs and possible legislation to add privacy protections for U.S. citizens.
“I stressed to the president that Congress must ensure that the laws we have enacted are executed in a manner that is consistent with congressional intent and that protects both our national security and our civil liberties,” Goodlatte said in a statement.
In Las Vegas, computer security professionals said they also were alienated by the surveillance because their phone logs and other personal information might have been swept up in government databases, said Brian Meixell, an engineer with Cimation LLC, a Houston-based maker of control systems for the oil and gas industries.
Some researchers may be less inclined to share with the government security vulnerabilities they find, Meixell said in an interview.
“It almost feels like your government is betraying you,” he said. “You’re the enemy and you didn’t do anything. It’s like your citizens have been treated as terrorists and government is out to get you.”
The NSA’s Alexander made a personal appeal for hackers to continue working with the government in his July 31 speech. It was his first public remarks to security researchers since Snowden’s disclosures.
Alexander asked his audience to examine “the facts” about the spy programs.
Hackers who resist cooperating with the government are short-sighted, said Howard Teicher, a vice president for the network-security company Radware Ltd., based in Tel Aviv and with offices in New Jersey.
“The tension I think is going to be short-lived,” Teicher said in an interview at his company’s Black Hat booth.
“All of the military services and all of the intelligence agencies have always used the technical skills of American engineers and scientists to devise solutions to protect our security,” he said. “Other people will fill the gap.”