Lessons of the HBGary Hack

The following is a guest post from my friend Nick Selby:

“My father was in the secret service, Mr Manfredjin St. John, and I know that you don’t ‘keep the public informed’ when you are debriefing KGB defectors in a safe house.”

– Wendy, A Fish Called Wanda

I’ve been speaking quite a bit lately about how information security professionals can work with law enforcement – in fact, I’m speaking about it next week at BSidesSanFrancisco. The attacks by Anonymous against HBGary, and the accompanying defecation-hitting-the-ventilation raises some important rules of the road for this.

Private-public sector cooperation is at the heart of nearly all successful initiatives. The public sector relies on private-sector innovation and expertise – indeed, organizations like In-Q-Tel and the Chesapeake Innovation Center count on it to make crucial advances in security. There’s great satisfaction in working for the greater good – which can come in a warm, fuzzy feeling of accomplishment, or even in the warmth of some “non-recurring engineering funds” from some grinning, creepy guys in “Maryland”. Trying to get the specifics of your good deeds into the limelight, though, for personal or company public-relations gain is just bad business.

When speaking with journalists and analysts, executives at information security companies – especially venture-funded, non-profitable, non-cash-flow-positive ones – have long used implication, hints, wink-wink gestures and other sometimes adorable intimations that they ‘work with’ ‘three-letter agencies’* or law enforcement in darkly secret and very important ways. They do this because they are trying to build their brand credibility.

They often end up sounding like a tool.

Now, often-times, they actually are using their technologies and their skills to support the work of law enforcement, but they’re not supposed to talk about it. Nor should they want to, necessarily. If I sound snarky, let me be clear that public service is not to be mocked, it is absolutely to be lauded, and anyone helping a law enforcement agency fight crime, whether for money or service, is to be encouraged.

But don’t forget that, as you help out, it is just that: public service. You can’t publicize the specifics of your assistance without jeopardizing its very value. This is the line, apparently, that HBGary employees inadvertently crossed, and the results were terrible.

[Let me say that, while I am using this as a cautionary tale, everything I know about the HBGary folks is that they are good, innovative and really smart people who care, who are passionate about technology and security. They’re good people who made a tactical marketing blunder.]

In the Financial Times last Saturday, in an article entitled, “Cyberactivists warned of arrest,” Joseph Menn quoted HBGary researcher Aaron Barr as saying that, “he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.”

They could be arrested if? What hubris! Now, I don’t know much about law enforcement, but I do think that, if you’re planning, say, to serve a felony warrant, it’s a bad idea to phone ahead and let the guy know you’ll be by in 15 minutes. If?

A good rule of thumb is that you don’t tip your hand about the specifics of your work on any case for any reason. And drumming up business through publicizing your specific public service is as bad a reason as any.

Reasons for this fall into two categories. The first is that fighting crime is, you know, dangerous. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. This is not fair or just, but it is so.

Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of “standing between a criminal and his goal.” That’s a tip, kids. Write it down. To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid.

Second, law enforcement officers, agents and agencies fight crime for a living. It’s dangerous and often thankless; it’s a calling, and these folks work hard under difficult conditions that require dedication, passion and purpose. Implying that they’re somehow not up to the task by stating that you have the X-factor that can be the secret of their success alienates those you seek to help.

Security firms and security professionals who want to help law enforcement should recognize a few things:

1. Helping law enforcement is rarely a straightforward task. Sure, in movies, “we need your help” is followed by specific tasks that lead to the capture of the bad guys, the breaking up of the crime syndicate and windsurfing at Disneyland.

2. Relationships in law enforcement must be carefully cultivated. Sworn officers and agents need to learn that you are trustworthy. You must learn the extents of their capabilities and authority. This takes time.

3. Your help can’t be more trouble than it’s worth. In the movies, the brilliant but eccentric mathematician/hacker/systems expert can be un-bathed, wild-eyed and unpredictable. When you’re working with the fuzz, one press release costs you any and all good-will you’ve developed to date.

4. The time to talk about arrests is a year later. The people to talk about arrests are cops. You’re helping law enforcement as part of your civic duty. While the cops will often be happy to mention your help in a press release at some point down the road, your primary driver for helping is public service, not self-promotion. If you’re in it for the publicity, get a cooking show.

5. Criminals are dangerous. Criminals seek profit, and seek through illegal means to thwart those who would prevent these profits from being realized. Fighting criminals can absolutely be a cooperative exercise between public and private sector, but private sector people should keep the details of their cooperation as secret as the “sauce” they love to say makes their product work.

In short, companies wishing to help out might consider following the advice of Chris Rock, as he described some of the best ways Not to Get your Ass Kicked by the Police.

* Obey the law;

* Use common sense;

* Be polite; and

* Shut the #!@k up.

Nick Selby is CEO of a stealth-mode technology start-up. He is a sworn law enforcement officer in Texas, and will speak at BSIdes San Francisco on February 14th about ways in which information security professionals can work with law enforcement.