US Cybersecurity Chief Defends Use Of Hacking Talent

The director of the US National Cybersecurity Center (NCSC) has admitted that the US government must “walk a line” when it comes to hiring individuals who could be perceived as “hackers”.

Speaking to eWeek Europe UK at the RSA Conference Europe security event in London this week, Philip Reitinger, who also serves as deputy undersecretary of the Homeland Security Department’s National Protection and Programs Directorate (NPPD), said that his organisation was struggling to find enough talented security professionals to meet its recently announced hiring targets. “We need to grown that pool of cyberprofessionals so we are not all fighting over a too small a pool of experts,” he said.

While that means in the long term improving basic levels of security understanding and ability in general IT courses at universities, Reitinger also admitted that the US government needs individuals who are able to wear a “black hat” when necessary.

“We have to know that they are going to have the people’s interest at heart. That said the good guys need to be able to put on their black hat perspective,” Reitinger explained.

Homeland Security was recently granted permission to hire up to a 1000 new IT security experts over the next 3 years to help in its mission to defend US private and public sector IT systems. “We can now be much more aggressive in bringing people in from the public sector rapidly,” said Reitinger.

While he refused to comment on the case of so-called NASA hacker Gary McKinnon (pictured below) directly, Reitinger admitted that it was important to have access to staff who could embrace the dark side of IT security which inevitably raised a certain “tension” with a stance of actively tracking down and prosecuting individuals for hacking offences.

“You need to be able in software development to do things like threat monitoring so you can figure out, ‘How would I exploit this kind of system?’. You need to understand where the weaknesses are to do a good job of securing the system. Is there a tension there? Absolutely, but it is a line that we try to walk in the right way.”

McKinnon was indicted in late 2002 for hacking into military computers between February 2001 and March 2002. The US alleged his hacking caused it to shut down critical systems and networks in the aftermath of the 9/11 attacks, and caused damages of approximately £435,000.

In August, the US military reportedly admitted to attending two major hacker shows in the United States in order to find recruits while at the same time threatening McKinnon with a lengthy jail term for breaking into government systems.

US news site NetworkWorld reported that the US Department of Defense’s director of futures exploration Jim Christy claimed that he attended the Defcon hacking show as far back as 1999 and “several thousand federal employees” attended the event this year. The show describes itself as “one of the oldest continuous running hacker conventions around, and also one of the largest”.

US Air Force Colonel Michael Convertino also claimed to have attended Defcon in 2009 and 2008 when he reportedly found “about 60 good candidates for both enlisted and civilian positions”, according to NetworkWorld.

Both Black Hat and Defcon were set up by US hacker Jefff Moss who despite going by the moniker Dark Tangent – sits on the US Homeland Security Panel.

Earlier this week it emerged that the UK government has agreed to give McKinnon more time before he is required to seek help from European courts in his quest to avoid extradition to the US to face charges for breaking into government systems.

According to BBC reports released this week, while the Home Office considers new evidence from McKinnon’s lawyers, it has agreed not to commence a 14-day count down mandated for any application to the European courts.

It has also emerged that NASA has not yet fully implemented key parts of its information security program despite the publicity around McKinnon.

According to a report from the US Government Accountability Office released on 15 Oct., “NASA [does] not consistently implement effective controls to prevent, limit and detect unauthorised access to its networks and systems.”