"Why A Hacker Conference’s Fed Ban Is Bad News For U.S. Cybersecurity"
“For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.”
But the announcement is not just a disappointment for the government cybersecurity rank and file who will be left out of the party, it signals a setback in the government’s attempt to bolster cybersecurity ranks by using the hacker community as a resource to recruit new talent.
Earlier this year, the Pentagon announced plans to increase its cybersecurity forces fivefold within the next several years, but across the board the government is struggling to find the right people to build that capacity — sometimes resulting in the outsourcing of those responsibilities to contractors with less than stellar records of defending themselves.
The government tried to make in-roads in the hacker community to help close that cybersecurity talent gap, including hiring noted hacker and security researcher Peiter “Mudge” Zatko to manage a DARPA initiative to provide resources (and funding) to security research done by hackers from 2010 through April 2013. DEF CON was also part of this strategy: In 2001, federal authorities arrested security researcher Dmitry Sklyarov for exposing an e-book vulnerability at the conference, but by 2012 NSA Director Gen. Keith B. Alexander gave the keynote speech.
During his keynote, Alexander made an impassioned plea for more hackers to join forces with the government, noting that they “shared” goals, principles, and responsibility for U.S. cybersecurity — but also denied that the the government was collecting “dossiers” on American citizens. Some at the time, including William Binney, a former technical director at the NSA, called his claims “word game” that deflected from the reality of NSA datamining practices.
Based on the reaction of DEF CON organizers, it appears that after the revelations about government snooping in the the NSA leaks they concur with that assessment. While it’s unclear if and how that ban will be enforced, it shows just how much the NSA leaks have reduced the credibility of the government within the hacker community. And that’s a problem, because as Alexander stated in his 2012 keynote, “this community better than anyone understands” the real cyber-threats facing the U.S., and what measures are needed to mitigate them.
Beyond the potential security implications, there is a tinge of irony to DEF CON’s banishment of government workers: In the early days of hacker conferences government employees were urged to stay away because of the questionable legality of hacker tactics, now the hackers are asking the feds to stay away because they don’t approve of government tactics.