21 March 2015

Information Warfare: Good Guys Allowed To Hire Bad Boys

http://www.strategypage.com/htmw/htiw/articles/20150319.aspx

March 19, 2015: The U.S. Department of Defense was recently given permission to hire 3,000 Internet and software engineers without going through the standard screening process for such civilian specialists. While the top pay was not great ($143,000 a year) the big thing was people with real software and Internet skills could be hired. There was also apparently an understanding that some types of youthful indiscretions (black hat hacking) could be overlooked. All this leeway was allowed, which is rare, because the Department of Defense is the largest user of networks and computers on the planet. Since it was Department of Defense research (and money) that developed the Internet it has also the most vulnerable to attack. Unfortunately the attackers (spies, mercenary hackers or just very skilled and bored but talented hackers) have a lot more skills than the people the Department of Defense currently has playing defense. In effect there is a Cyber War and the Department of Defense finds itself outnumbered and outgunned. Desperate measures are required.

Cyber War has a problem with the fact that many of the most effective Cyber Warriors are criminals. That's because Cyber War operators are basically expert programmers who prefer to hack (find ways to break or misuse software). There is not a lot of demand for these skills on the job market. While most hackers are not criminals, many of the best ones find that there is easy (and safe) money to be made by exploiting hacking skills to steal via the Internet. Many, if not most, of the best hackers are honest folks who make a lot of money fighting the criminal hackers, often as a hobby. But the criminals go where the money is, so the "white hat" (honest) hackers find the highest paying jobs protecting financial institutions and other wealthy corporations. The military and government in general cannot compete (in terms of pay and benefits) for the best people and are further restricted by rules that eliminate a lot of the most talented Internet security people. The top people (working for civilian firms with more realistic hiring practices) can be hired temporarily as consultants but the government has to pay the going rate. Thus the new effort to try and attract some superior Cyber War talent by dispensing with some of the usually red tape.

It has long been realized that eventually, and preferably sooner rather than later, the military would have access to the expensive and capable talent they need. That's because this sort of thing has happened before. The Internet is but the latest new technology to arrive and upset the traditional way of doing things. This sort of thing got going in a big way during the 19th century, when telegraph, steam powered ships, and railroads quickly became key military technologies. The military was almost entirely dependent on civilian experts to use these technologies and it took decades before the military was able to establish its own supply of experts.

Going into the 20th century it was the same problem with the flood of new technologies (radio, flight, still more electronic devices, modern cryptography, and major advances in medical tech). In all these cases the military had to compete with better paying civilian organizations for the people who knew how to use and exploit these technologies.

The Internet is worse because the tech spread faster and farther than anything in the past and had bigger payoffs for criminals who could exploit the web. This led to more talented people coming in to take advantage of high pay offered to Internet security experts. As usual, the government and military were least able to recruit these experts. Some countries, like China, worked with Internet criminals, offering them sanctuary and high pay for obtaining data from other nations. This did not make Chinese Internet users immune from Internet scams, because there were so many Internet gangsters out there and the Chinese government only worked with some of them (who had to restrict their attacks in China to obtain sanctuary).

Most Western nations were slow to appreciate how effective Internet spying could be and how much more vulnerable the industrialized nations were. China, and to a lesser extent Russia, obtained hundreds of billions of dollars' worth of technology and commercial secrets with their Internet espionage (which is still going on). Tremendous quantities of military and government data were taken as well. It will take a decade or more for nations to restore the degree of security they had before the Internet came along.

No comments: