At the most recent Black Hat conference, Lorrie Faith Cranor of the FTC took part in a panel that showed a frivolous effort to make nice with hackers. In this panel, Cranor stated “We” (i.e. the government) “are interested in hearing about research that can help us understand vulnerabilities… and protect consumers from scams and fraud.” This is just one of many recent attempts by the government to show that they are not the boogieman and that they need top-level hackers. From the Pentagon’s recent bug bounty program to aggressively pursuing white hats and grey hats to work for the NSA and US Cyber Command, it is clear that the U.S. is desperate for some good hackers.
There is a problem with this, however, as it will never come to pass that hackers and the government will trust each other. In the same panel, Cris Thomas (handle “Space Rogue”), a strategist for Tenable Network Security, admitted that “for many people in government, ‘hacker’ still means criminal, and there’s still a lot of distrust of government from the hacker community.” You could probably write an entire anthology of all the times that the government and hacking community have clashed. The government throughout the years has led witch hunts against all types of hackers, from your run-of-the-mill cybercriminal to the grey hat attempting to help companies find vulnerabilities “off the books.” The final example is especially ironic as the FBI had no problem working with grey hats when they were helping crack an iPhone that belonged to the San Bernardino shooter.
Further compounding the issue is the hacker ethos. The “no gods, no masters,” anti-corruption, and “live outside the system” mentality that many in the hacking world have simply clashes with federal infrastructure. What incentive is there, outside of money, to work for a government that has actively hunted down hackers who are not black hats, but simply trying to improve the world of security? This is a government that released propaganda claiming organizations like Wikileaks are cyberterrorists for exposing war crimes. This is a government that effectively declared a war on hackers via updated laws that can easily be abused to go after individuals that hack systems where the law is not as clearly defined.
If the government wishes to move beyond once-in-a-blue-moon panels at Black Hat, they will have to massively overhaul how they treat the hacking community. It is the only way forward.