Feds reach out to hacker community

Feds reach out to hacker community

At Las Vegas conference, two officials concede infrastructure is vulnerable

By William Jackson

GCN Staff

NSC's Jeffrey Hunker lists security plan components

  • Identify and fix vulnerabilities.
  • Detect attacks and intrusions.
  • Develop robust law enforcement and intelligence capabilities.
  • Develop a mechanism to share attack warnings and information between government agencies and corporations.
  • Create a response and recovery system.
  • Improve information security R&D.
  • Train and employ more security specialists.
  • Form partnerships with the private sector and with state and local governments.
  • Adopt legislation and appropriate the funds.
  • While pursuing all these goals, ensure full protection of civil liberties and privacy rights.

LAS VEGAS'Under Presidential Decision Directive 63, the government is supposed to serve as a national model by safeguarding its critical infrastructure.

'I can assure you the federal government is a model'for the most part, a model for what you don't want to do,' said Jeffrey A. Hunker, the National Security Council's senior director for infrastructure protection. He spoke at the opening session of this month's Black Hat Briefings conference.

A few federal officials showed up, hats in hand, at the annual gathering for hackers, systems administrators and security experts. They were looking for help from those who exploit system vulnerabilities for fun and profit.

'We find out about holes and vulnerabilities from hackers,' said Phillip J. Loranger, chief of the Command and Control Protection Division at the Army's Office of Information Assurance.

Loranger and several private-sector experts said the Defense Department finally is getting serious about security, but they agreed that it has a long way to go.

DOD is applying Band-Aid solutions, Loranger said.

Because the economic incentives to produce and upgrade software are more powerful than the incentives to secure existing software, 'we'll be playing catch-up' for a long time, he said.

His hypothetical answer for securing DOD systems: 'Separate .mil [domains] and make it an intranet, every last bit of it. I have trouble keeping people out because I have too many gateways and back doors.'

The place to be

In its third year, the Black Hat Briefings conference has become an annual precursor to the DefCon hackers convention, also in Las Vegas.

Unlike past years, when federal visitors hovered at the edges of meetings or were downright covert, Hunker and Loranger took part in high-profile presentations and panel discussions at both events.

They said they want to build bridges to the hacker community. The National Security Agency's National Computer Security Center was even one of the Black Hat sponsors this year.

Overall, hackers at the conference said there has been little improvement in computer security in the last year.

'It is really kind of frustrating,' said Dr. Mudge, the nom de hack of the chief scientist at Boston's hacker think tank, L0pht Heavy Industries. 'But I'm starting to see some encouraging changes in small pockets.'

One change is the government's increasingly self-protective stance, he said. Recent exploits that have shut down government Web sites show there is a long way to go, however.

'We know of foreign governments creating offensive attack capabilities against U.S. networks,' Hunker said. Russia and China have publicly announced such programs, and other countries are pursuing them secretly, he said.

PDD 63 sets a 2003 deadline for establishing a viable self-defense capability. 'I'm optimistic we will have it in place,' Hunker said, 'but we won't be able to stop there. This is an issue we will be working on the rest of our lives.'

Bipartisan support

Hunker said the initial version of the protection plan will have 10 parts.

The effort has bipartisan congressional support, and the government's overall computer security budget will increase 40 percent in fiscal 2000 to $1.5 billion, Hunker said. Another $508 million will go to information technology R&D that will contribute to better security, he said.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected