Hiring hackers (part 1)

British government puts a foot in it

The British government announced at the end of July that it was planning to recruit "clever young people" to fight the cyberwars against domestic and especially foreign cyberoperatives. Journalists immediately labeled these potential employees "hackers," which has become synonymous in the public mind with what some security specialists – myself included – continue to call "criminal hackers" to distinguish them from, well, from people like us! Alas, journalists have blurred the distinction and seem to refer to everyone who pushes the boundaries of computing, whether law-abiding or not, as hackers.

In the early days of computer technology, a hacker was someone who was willing to explore computer technology with or without formal training; see for example Steven Levy's book Hackers: Heroes of the Computer Revolution for a good account of the early days of computing. In contrast, those of us who use the distinction refer to people who break laws using and targeting computers and networks as "criminal hackers."

Some security experts reacted with fury to the U.K. announcement by Lord West, the Home Office security minister. Rob Cotton, writing in ComputerWeekly.com, was full of scorn: "You have to wonder whether this is actually some kind of huge joke."

He raised a legitimate question, though: "[W]e should be asking ourselves if we really want reformed criminals defending our national security. If you used to get your kicks from undermining national security, can you really be trusted to protect it?" and "I like my criminals inside a jail cell, not defending the country." Even more seriously, he wrote, "I am sure that some hackers are skilled in breaking through government defences but this doesn't automatically equate to the same level of skill the other way round. It might sound boring but a national cyber security outfit should be made up of professionals who spend their days researching and dealing with real threats and can respond appropriately to any potential dangers, not a bunch of amateurs who would probably cause World War III by playing fast and loose with international protocol." Cotton also demands to know why we would choose to focus on amateurs instead of on professionally trained security experts.

John Leyden, writing in The Register, also quotes a number of security professionals who heap criticism on the Minister for his suggestion. Leyden also casts doubt on the technical competence of Lord West, who apparently claimed that "proactive cyber-offensives played a role in the Falklands War of 1982" even though "the war in the south Atlantic happened a year before the first TCP/IP based wide area network became operational."

Next time, some suggestions on how to evaluate people with a hacking or a criminal-hacking background for employment in your firm.

On another note: join me online for three courses in October and November 2009 under the auspices of Security University. We will be meeting via conference call on Saturdays and Sundays for six hours each day and then for three hours in the evenings of Monday through Thursday. The courses are "Introduction to IA for Non-Technical Managers," "Management of IA," and "Cyberlaw for IA Professionals". Each course will have the lectures and discussions recorded and available for download – and there will be a dedicated discussion group online for participants to discuss points and questions. See you online!


Copyright © 2009 IDG Communications, Inc.