Let me get this out of the way first, this blog always represents my own opinion, and not Trend Micro’s official view.
Yesterday I made a posting about the release of the UK government’s National and Cyber Security Strategy documents. I spent some time talking to the press and broadcast media and one of the recurring questions was; “What do you think of the government hiring hackers for national security?”
I have been trying to follow all the official government comments made yesterday and it has been an “enlightening” experience to say the least.
I appreciate that Lord West has a distinguished naval and military career behind him – having enlisted in the navy in 1965. Looking over his career history though, he doesn’t appear to have many of the qualities discussed in this excellent ITPro article from the 19th June mulling potential candidates for the job.
In my personal view, Lord West does not appear to have the background required to understand the real technical nature of the threat we face. In many quotes yesterday he came across sounding almost like the kind of person you meet in the pub who says “Oh no, I don’t trust those interwebs with my credit card, things were much easier when it was all pens and paper“.
In an article on the BBC News website I was very surprised to read this;
“Launching the strategy earlier Lord West, who has been appointed as the UK’s first cyber security minister, said the government had recruited a team of former hackers for its new Cyber Security Operations Centre, based at the government’s secret listening post GCHQ, in Cheltenham, to help it fight back.
They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys”, he added.
“You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said.”
Wait, stop, rewind, what!? The government has actually hired a team of people known to have committed criminal acts using computers and is rewarding them for that activity with civil service jobs. It is also giving these same criminals access to signals intelligence at extremely high levels of clearance and relying on them for national defence. It must also have putting these people through a minimum of SC level, but more likely DV clearance given the kinds of intelligence they must be handling, doesn’t that make a mockery of those clearances?
This is supposedly all OK though, because they didn’t hire the “ultra, ultra criminals“, the ones who really know how the cybercriminal economy functions, they have only taken the “slightly naughty boys” because they might “enjoy” stopping other part-timers and bottom-feeders. This sounds like the kind of people that have been disparagingly referred to as script-kiddies for many years now and I really can’t see their value to national security or law enforcement. Would it be fair to paraphrase this as “We have hired some hackers, but don’t worry, we didn’t hire the successful ones“?
Section 1.13 of the report itself states “A clear ethical foundation and appropriate safeguards on use are essential to ensure that the power of these tools is not abused.” You have to ask yourself how this statement can be reconciled with the active recruitment of known hackers and criminals.
In an article published in the Telegraph newspaper Lord West is quoted as saying “In the age of quill pens you had knock someone out to steal their documents, now it can all be done by computer.” Quill pens, what? (Besides, knocking someone out isn’t always necessary as you can see if you take a squint at the Wikipedia article about Lord West).
In a Radio 4 interview, when questioned about whether the UK had the capability for launching proactive cyber-offensives Lord West replied “We have an ability to do things and we have got very good and very talented people who have worked on this” and followed that with “I know for example, when we were fighting in the Falkland Islands, we used this capability to help save lives in the Falklands and to defeat the Argentinean attack on those islands.”
Did they? The Falklands war took place in 1982; the first TCP/IP based wide area network was only operational by 1983 and wasn’t opened to commercial interests until 1988. I’d love some detail on the cyber-capabilities deployed in the Falklands war.
Later in the same interview, Lord West was asked if he had concerns about his own security and privacy online, he replied “I work on the assumption that actually when I go onto it [my computer] someone is going to be able to see what I am writing. I’ve always said to people that work for me “less people will see what you write on a postcard that what you write on your computer”, and people are very naive about this and people, you know, you’ll get sent a message and that message people will open it up, look at it and my goodness me it suddenly lets all sorts of data be taken from them, and we need to educate people and make sure that doesn’t happen”
I’m definitely with you on the educational initiatives Lord West, in fact it’s one of my pet topics, but with statements like that, I really have to question whether Gordon Brown has picked the man most suited to the task. In fact, the interview only further reinforced my image of him as a person with very little real involvement with cybercrime or even information technology.
It would be really beneficial if instead of inviting criminals and hackers to assist you in your endeavours, you approached the application, network and content security communities who have, for many years, been combating malicious, criminal computer and network related activity Please concentrate your activity on the creation of meaningful and sustainable detective and enforcement alliances with international partners. Involve Internet Service Providers in initiatives aimed at cleaning up the huge population of home computers already being exploited by cybercriminals. Don’t waste your time telling schoolboy tales of hiring “naughty boys” for hi-tech derring-do.