Cybersecurity Solution for Anonymous: Hire Hackers vs. 20 Years Jail Time?

An underworld investigator says the cybersecurity solution is to hire hackers instead of jail them. However, in light of Anonymous, the Obama administration is pushing an opposing viewpoint; that the answer is to send hackers to prison for 20 years. Should hackers be hired or imprisoned like organized crime thugs?

I've always thought hackers could save the world if they chose to, so a post on MSDN blogs my eye. I stopped on Terry Zink's Cyber Security Blog and watched the TED video, Hire the hackers!

Misha Glenny is, among other things, a journalist and "underworld investigator." This TED talk, Hire the hackers! opens with a clip from Anonymous. His presentation is described as "Despite multibillion-dollar investments in cybersecurity, one of its root problems has been largely ignored: who are the people who write malicious code?"

After talking about Anonymous, Glenny said, "We are at the beginning of a mighty struggle for control of the Internet. The Web links everything, and very soon it will mediate most human activity. Because the Internet has fashioned a new and complicated environment for an old-age dilemma that pits the demands of security with the desire for freedom." He then profiles several convicted coders from around the world and concluded with:

Now I think we're missing a trick here, because I don't think people like Max Vision should be in jail. And let me be blunt about this. In China, in Russia and in loads of other countries that are developing cyber-offensive capabilities, this is exactly what they are doing. They are recruiting hackers both before and after they become involved in criminal and industrial espionage activities -- are mobilizing them on behalf of the state. We need to engage and find ways of offering guidance to these young people, because they are a remarkable breed. And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame.

Although the idea of hiring hackers is not a new one, I enjoyed Glenny's talk. So much so, that if you have a spare 18 minutes, I'd recommend watching it. He covers a great deal of territory in a relatively short time, including the moral compass of hackers and Asperger syndrome which is a common card played in defense after hackers are caught. If you don't watch, then maybe you can browse the interactive transcript and jump right to the parts that interest you?

A few of the comments on Glenny's talk caught my eye. Toby Dillon wrote, "Hackers are problem solvers and the only question is: do you want us working for you or against you? The moral thing to do is to hire them, work with them, and integrate them, not force them into a lifetime of serving criminal organizations."

Most security professionals are also hackers. Shaya Nerad pointed out that hacking is a skill set; it's what hackers choose do with those skills that sets them apart. "Anonymous is a pack of happy canines running under a full moon. There are a few really clever wolves and a bunch of dogs pretending they are wolves who are really on leashes in their parents basements, and a few coyotes who wish that they were wolves but don't have the class." As Nerad said, it will be the "script kiddies" who will be busted.

Meanwhile, as if sending a loud message to Anonymous hackers, or a threat to keep people from joining and participating in the hacking collective, the Obama administration is cracking down on cyber attacks. The White House is pushing for the Computer Fraud and Abuse Act (CFAA) to be updated so that hacking or other digital crimes can be investigated and prosecuted as organized crime. PressTV reported, "Under the proposed law, hackers who endanger national security would be put in prison for up to 20 years. The proposal would also double current prison times and increase fines in each category of computer crimes." Holy wowza! 20 years?

CDT, the ACLU, the EFF and a coalition of other groups asked Congress to be cautious with the language in CFAA. "Violations of terms of service or computer use policies are not computer crimes," said the group. "Our primary concern -- that this will lead to overbroad application of the law -- is far from hypothetical. Three federal circuit courts have agreed that an employee who exceeds an employer's network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service." Here is the letter [PDF] in its entirety.

Yet at the hearing about updating CFAA, James A. Baker, associate deputy attorney general, disagreed. According to InformationWeek, Baker said the Obama administration "will resist any attempts to restrict the CFAA's use of 'exceeds authorized access' as a benchmark for determining when a crime had been committed, especially when malicious insiders were involved."

Cybersecurity experts from the Secret Service, the FBI and DHS work together to combat cybercrime. This week, during Congressional testimony, witnesses from the three organizations warned of continuing attacks and evolving cyber-threats against the financial sector. The FBI reported that it is currently investigating 400 wire transfer cases. Assistant director of the Secret Service, A.T. Smith, said cybercrooks are taking advantage of the growing amount of personal information online as well as the ability to share attack tools and strategies over the Internet. "The Secret Service has observed a marked increase in the quality, quantity and complexity of cybercrimes targeting private industry and critical infrastructure."

While I believe hackers could save the world if they chose to, do you see a clear-cut right or wrong in these opposing viewpoints about hiring hackers or sending them to prison for 20 years? I'm not talking about crackers, cybercriminals stealing for financial gain, those who are taking advantage of innocent bystanders who have had their personal information dumped online, but instead asking about some of the hackers involved in Anonymous. Like Glenny suggested, how about hiring those with skills for cyber-warfare? Both the NSA and FBI were looking to hire cyberguns at DefCon. Homeland Security was headhunting cyber-warriors even before that. Although some hackers would never go over to what they consider "the dark side," surely working for the government would beat prison? I might know a couple brilliant but excessively curious dudes who dabbled in this or that, and then were swept up into G-man life faced with such options. It didn't kill them.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.