Hackers, feds say govt. net security stinks

LAS VEGAS—Hackers and feds faced off at the Black Hat Briefings last month but
also found they had something in common: a lack of respect for the government’s
network security tactics.

“In general, we don’t have a clue what the threat is and what ought to be
done about it,” said a Defense Department employee who identified himself only as

“Everybody basically does whatever he likes,” said Marcus Ranum, a former
hacker who characterized himself as a white hat.

“That’s one of the reasons government security is so lame,” Ranum said.
“I’ll believe the government is serious about security when somebody at the
Pentagon gets fired.”

The briefings brought hackers face to face with public- and private-sector systems
administrators for two days of talks. Most panelists were identified by handles or first
names only. The federal session barred photographers.

The hacker panel, despite its casual attire, represented corporate officials
and consultants. Ranum, for instance, is president and chief executive officer of Network
Flight Recorder Inc. of Woodbine, Md., a network monitoring tools maker.

One hacker, identified only as Artimage, said, “Right now I’m a college
student, so I’m doing it for the grade. But next year, I’m in it for the money.
I’m a whore; I admit it.”

For the most part, the panelists presented themselves as ethical hackers who
distinguished between breaking into systems and breaking code to identify weaknesses.

“The only people who really break into machines are malicious kids,” said a
hacker who called himself Peter.

The federal participants had even more complaints about government security practices
than they did about hackers.

“A lot of managers have no idea where to start looking” for vulnerabilities,
said a government auditor who identified herself as Ceil.

“I have become very cynical about the people who manage government systems and the
vendors who are selling them things to secure those systems. You wouldn’t sell a
Porsche to a 3-year-old who wanted a Matchbox car, but that’s what they’re
doing—selling Porsches to dumb little 3-year-olds,” Ceil said.

She said parochial attitudes and stovepipe mentalities within agencies make it
difficult to assess problems, let alone find solutions.

One federal employee, who performs vulnerability assessments for the Defense
Information Systems Agency, defended government security efforts.

“We’ve got old management with old ways of thinking who need to be
educated,” he said, but “the government is not sitting idly by.”

Flaws are getting identified and closed, he said. “It’s a problem that is
never-ending. Congress is throwing a lot of money at it.”

Making a system Internet-accessible is asking for trouble, said a hacker identified as

“There should be liability for not doing due diligence on your system when
you’ve invited people in to take a look,” he said.

About the Author

William Jackson is a Maryland-based freelance writer.
