Saturday, September 14, 2013

Can you trust them?

Let’s turn a common theme in InfoSec upside down:

Can you trust, and should you hire, former hackers government employees?

In the still-unfolding Snowden saga, we now have allegations that the US government, specifically the NSA, has attacked cryptography at scale, including the software, protocols, and algorithms we rely on for secure and private communications.  On one hand, I have to say “duh, that’s their job”, but it certainly appears to me that they have significantly overstepped their authority and damaged our ability to secure our data.  While I hold some senior NSA officials, notably General Alexander, partially responsible for part of this abuse, I believe that the real blame lies with the past couple of presidents and the Congress for their utter abandonment of responsibility to the Constitution, and to us, the citizens it is designed to protect.  The NSA (as is true for much of the US federal government) is full of great people, working very hard to properly execute their assigned tasks.  But, if your assigned task is something like fighting terrorism, or combatting drugs, or child pornography, it is only natural that you will lose perspective in the face of the horrors you are trying to combat.  (Don’t get me wrong, I know that a lot of folks are in the “war on [whatever]” as profiteers, but I believe most people are trying to do what they believe to be right).  That’s where the elusive property of “oversight” comes in.  Or, in the case of things like the abuses of the NSA, where oversight should come in, but presidents, congress critters, and others have abdicated their sworn duties.

Back to the question at hand…

Having “NSA” on your resume has traditionally been seen as an asset.  We now have credible claims that government agents have subverted the security of the systems we rely on, in some cases by covert infiltration of private enterprise.

Imbecile executives in the InfoSec industry like to make pronouncements like “We don’t hire hackers”, showing their ignorance of what “hacker” means to many people, and limiting their pool of talented recruits.  Computer criminals have a hard time concealing their past convictions, but covert agents have the power of the intelligence community behind them to create squeaky-clean résumés.  Is that former NSA researcher, the one who is now working on your software, really “former”?

Thus, we have to ask: Is it time for NSA to become scarlet letters on a résumé?

For the record, I don’t think so, but I do believe it is past time to reflect on “who can you trust” before hiring people and putting them in positions of responsibility, regardless of their past.

And that’s a belief I am confident the NSA shares with me…

(Image Attribution: Laura Poitras / Praxis Films)

[Note: I have not provided links to anything in this post. There are so many sources, with so many revelations, counterclaims, and outright lies that I’ll leave you to use the sources you trust, and reach your own conclusions on the reality and implications of this mess.]