Andrew “weev” Auernheimer will spend the next 41 months in federal prison. His crime? In 2010, he exposed a security flaw in AT&T’s iPad user database, gaining access to the information of over 100,000 people – including Michael Bloomberg and Diane Sawyer. He never released the information to the public himself; however, he also didn’t go directly to AT&T with the information. He went to a journalist, who wrote a story that exposed bits of the stolen data, and Andrew’s infamy spread across the internet at the speed of a Trojan worm – which is what he wanted: attention.

I don’t want to debate the merits of his sentencing, or his lewd characteristics, or whether AT&T’s unrelenting persecution of Andrew was an act of revenge for getting embarrassed, or whether a piece of legislation – commonly used in hacking sentencings, including this one – from 1986 on computer fraud and abuse is obsolete and needs rewriting (on that note, there is nothing to discuss – it needs rewriting). I want to ponder this question I asked myself after reading about Andrew: what role can public hackers play in government cybersecurity?

White-Hats: Public Sector Hackers

A recent FISMA bill on cybersecurity, finding its way through the House, included this nugget: among the requirements of the bill would be penetration testing in which so-called white-hat hackers break into government IT systems to identify vulnerabilities.

What that means is that a team, probably of US “cyberwarriors”, will purposely try to hack your networks, disrupt your services, and steal your data. The bill also clears up any confusion about responsibility: if the white-hats succeed, it falls on the shoulders of department secretaries and agency directors, who will also be tasked with hiring Chief Information Security Officers for each organization to manage their cybersecurity initiatives.

That’s a good thing, in my opinion. It would force agencies to get smarter about their cybersecurity instead of relying on a checklist of requirements, it would test their defenses in life-like situations, and the blame game would be over – we would know who’s in charge.

Which is nice, but aren’t they forgetting something important? As recently as a few months back, representatives from the DoD and Pentagon both said that they didn’t have the training to properly defend our nation’s networks, nor the professionals, nor even a defined cybersecurity workforce. There is a long list of reasons for this shortage of computer professionals in the government sector (here and here are good articles on that topic).

But the main issue is this: with the limited resources the government has at its disposal, how will it ensure that the cyberwarriors attacking your cyberdefenses are good enough?

The Best Hackers Aren’t Found in an Office, They’re Probably in Their Bedroom

Of the major hacks the government, banks, critical infrastructure, and corporations have faced, with the exception of foreign attacks, so far as the media has reported, none have come from individuals working for large corporations or government entities. Those responsible, like Andrew and Anonymous and Aaron Swartz and the multitudes of others, are misfits, genius (and bored) college kids (or dropouts), and social activists. The government has spent years, and billions, securing its networks, but it is still getting hacked, seemingly at a monthly pace, by these groups. It’s obvious the tests it is performing now do not meet the standard set by these hackers.

So the next question is: in the cyberworld, is a government cyber-task-force enough, or should we try to engage this untapped cybersecurity resource?

Public Cybersecurity Professionals Assemble

If we truly want to protect our networks and data from more nefarious enemies, we need to invite the outside community to break in. It’s bad when someone hacks into a state Department of Revenue and steals citizen social security and credit card numbers. It can be detrimental if an enemy hacks into an atomic energy database and steals secret information.

As Prince once said, “Let’s go crazy!” What we, as a community serving US citizens, need to do is establish a set of rules for government hacking.

To me, it’s like pulling off a Band-Aid: it’s better to find out all at once that there are 500 weaknesses in your database than to find out piece by piece, situation by situation, over a decade, with each instance involving a different person gaining access to your data.

What would happen if you sent out an invitation to the hacking community and asked them to do their worst? Tell them in black and white terms, “You have permission to attempt to bypass our security; however, you must immediately report any weaknesses. And if you access a single piece of data or don’t report a weakness you discover, you will be prosecuted” – under a revised Computer Fraud and Abuse Act, of course.

Yes, it’s dangerous, and possibly foolish; however, if recent events prove one thing, it’s that you will be hacked eventually. Agencies are already reporting hundreds of thousands (for some, millions) of cyberattacks a day. We cannot continue to wait for a successful breach to happen before we patch security holes, and we cannot just rely on government cyberwarriors and ignore the other experts at our disposal.

A final question I’m left to ponder is: wouldn’t inviting people to submit weaknesses also invite more nefarious hackers to try and penetrate agency defenses for evil purposes, under the legal guise of “helping”?

I’m sure it would. And I know this is a crazy idea, but it’s the germ of one that, if fully developed, could help the US catch up with its cybersecurity challenges quickly.

Unless we find a way to bridge the gap between government cyberwarriors and state-side black-hat (and white-hat) hackers, the cyberworld will remain a battleground. And we cannot continue learning from our mistakes the hard way, because one day that breach may be catastrophic.