Recently I've been reading the excellent work by Jamais Cascio and thinking about the concept of "openness." Much of Jamais' work is focused on geoengineering, but the concept of openness has profound implications for many fields, including computer security.

For those of you who have been following the unfolding story of HBGary Federal and the Anonymous group, this is what Hollywood movies are made of. In fact, I don't think a script writer could have penned this any better than the real-life version. If you haven't been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.

A condensed version of the events is as follows: A week before RSA 2011, the CEO of HBGary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high-level operatives of the well-known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference. Anonymous responded in force and compromised the entire infrastructure of HBGary and HBGary Federal (HGF). They obtained confidential data, erased files, and defaced both companies' websites. Anonymous subsequently released 4TB worth of confidential company emails. In the emails that have been disclosed to date, Barr was seen engaging in discussions with a major US bank (believed to be Bank of America) to use HGF's offensive attack tactics to launch a cyber attack against WikiLeaks. The rumor mill at RSA had it that the said US bank was going to pay HBGary $600,000 a month to carry out this attack campaign. Whoa, what seemed like a classic white hat-vs-black hat story just turned interesting. What's more interesting is that prior to this whole incident, WikiLeaks had been making noise that they were about to publish data from a major US financial institution. (What? Interesting, you say?)
What apparently was also discussed in those emails was that Barr would use, among other techniques, exclusive zero-days for the attack against WikiLeaks. This would make the attack extremely dangerous.

No one came out of this looking pretty. Not only was HBGary, a company that claims malware analysis is its business, unable to properly secure its infrastructure, it turns out the "victim" was plotting a cyber war itself. HBGary is now claiming that the leaked data has been tampered with, implying that the discussion between BofA and Barr isn't authentic, while Anonymous (and other security researchers) are saying that Barr's initial research (which you can read here in PDF) was flawed in that some of the individuals he claimed to be part of the Anonymous group had nothing to do with it. Anonymous argued that if Barr's research were allowed to continue, it could put innocent individuals in jail (as Barr was supposedly working with the FBI).

At RSA last week, HBGary was noticeably absent from the conference; their booth instead displayed a sign that read: "A group of aggressive hackers known as 'Anonymous' illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. … In addition to the data theft, HBGary individuals have received numerous threats of violence including threats at our tradeshow booth…"

This event ignited an Internet debate storm: is it ethical for security companies to engage in offensive tactics? Traditionally, security's role is to defend, not offend. But as modern warfare migrates from physical battlefields to the digital frontier, more and more nation-states and companies engage in offensive campaigns. Persons with deep security expertise are hot commodities in this game—it can be an extremely lucrative undertaking.
But as you go down this road, is there really a difference between black hats and white hats anymore?

This is where the link to openness (or the lack of it) comes in. As we all know, and as the execs at BofA and HGF reinforce, zero-days can be powerful weapons. Exclusive knowledge of zero-days gives the possessor incredible power, and in cases such as these it almost always leads to corruption and misuse. It can be argued that we are better off as an industry if openness is employed as a means of elevating collective knowledge and also as a way to enforce checks and balances, so that no one company or individual is significantly more powerful in its knowledge and expertise than others. In such an industry, cyber offense is only a distant possibility, because you will be on a level playing field with your adversaries.

Creating such an open culture for the security community requires a shift in thinking, because this is an industry that thrives on secrecy and obscurity. It requires that we recognize that secrecy, obscurity, and the act of restricting information can ultimately do more harm than good. It requires that we promote open research and build an ecosystem that rewards openness.

How to achieve this open culture is the question on the table. Let's discuss one specific example of how some form of openness is achieved — a bug bounty program. I was a skeptic in the beginning of the merits of such bounty programs, but I have come around. Indeed, I've come to realize that economic incentives may be one way we can achieve openness. In a bug bounty program, the researcher is encouraged, through economic incentives, to share his/her findings with the software vendor and ultimately with the entire community.

Economic incentives alone don't always work, as that is one card the dark side can play as well. Other means, such as increasing collaboration, technological transparency, etc., must be explored.
But the steps we take today to promote an open culture will shape the course of the industry and help to determine whether we head toward a scenario of digital apocalypse (as Eddie Schwartz of NetWitness called it on a recent RSA panel) or a more responsible, democratic, and open model for computer security.

Other sources of note:

Jamais Cascio's Open the Future website
Threat Post's Paul Roberts wrote several excellent articles on the HBGary story.

Chenxi Wang, Ph.D. is a vice president and principal analyst at Forrester Research, where she serves Security & Risk Professionals.