Hackers in the national cyber security Csaba Krasznay IT Security Consultant Hewlett-Packard Hungary Ltd. News headlines U.S. response • „The Department of Homeland Security is looking to recruit white-hat hackers to help defend the US's critical internet infrastructure” – DHS hunts for white-hat hackers, http://www.theregister.co.uk/2009/04/20/dhs_hacker_recruitment_drive/ The United States Congress this week delved further into the country's cybersecurity preparedness as members introduced two bills designed to protect federal networks and electric power grids from attacks. One bill, dubbed the US Information and Communications Enhancement Act of 2009, would mandate the formation of hacker teams that would actively try to penetrate government networks. – US Congress wants hack teams for self-penetration, http://www.theregister.co.uk/2009/05/01/cybersecurity_bills/ US President Barack Obama will create a new White House post that's responsible for protecting the country's critical computer networks, a step he said was crucial to confronting one of the biggest national security challenges. – Obama fights cyber threats with new White House post, http://www.theregister.co.uk/2009/05/29/obama_creates_cyber_post/ • • U.S. Cyberspace Policy Review • The Nation is at a crossroads. The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. The status quo is no longer acceptable. The United States must signal to the world that it is serious about addressing this challenge with strong leadership and vision. The national dialogue on cybersecurity must begin today. The government, working with industry, should explain this challenge and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action. The United States cannot succeed in securing cyberspace if it works in isolation. The Federal government should enhance its partnership with the private sector. • • • U.S. Cyberspace Policy Review • The Federal government cannot entirely delegate or abrogate its role in securing the Nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and wellbeing of citizens. Working with the private sector, performance and security objectives must be defined for the next-generation infrastructure. The United States should harness the full benefits of technology to address national economic needs and national security requirements. The White House must lead the way forward. The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously. Source: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf • • • What is about the rest of the world? • We’re in the same situation: • Our critical infrastructures are in the focus of foreign intelligence services, armies, terrorists, (h)acktivits... • The places of war are ground, sea, air, space and cyberspace • All of our critical infrastructures are working on IT systems • These infrastructures are operated by private companies – and protected by private companies • One successful attack against a critical infrastructure can start a chain reaction and can take effect on the nation’s economy • Do we really prepared for cyberspace war? What’s about the new member states? • Special problems: • Unprepared governments • Changing armed forces (Warsaw Pact -> NATO) • IT systems and networks don’t have long history in governmental and military usage • No money for this kind of unconventional warfare • Compelling power: • Estonian-Russian, Georgian-Russian conflict • NATO Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Tallinn • U.S steps Lessons to learn •USA has billions of dollars for hacking – and you? •Officials said China and Russia also have many hackers – and you? •If you (officially) don’t have cyber corps, use your youth movement! How can we build up our cyber defense? • All of the new member states have some kind of cyber defense (CERTs, CSIRTs, national security agencies, etc.) • Most of the critical infrastructures are protected mainly by private companies • But we have two problems: • Defense is not coordinated nation wide (never forget the holistic view!) • The nations have never suffered a coordinated cyber attack -> no experience Proposed steps • Establish a small cyber defense headquarter with military, government, market and university experts (like U.S. does) • Coordinate the information security of critical infrastructures (like U.S. does) -> encourage public-private partnership • Cooperate with different hacker groups in the country -> it’s better to test preparness with patriots Coordination with hackers • The big questions: • Can we trust in hackers? • Where can we find these experts? • How can we gain their trust? • How much money do we need for the cooperation? • How can we cooperate with them? • What can they really do? • How can we control them? Hacker conferences •Trust is beginning with personal meetings •In some new member countries hacker conferences are organized annually •Officials shall participate in these conferences! •Hacktivity conference has ~300 attendees in every year in Hungary Hacker attitudes • As far as I know, hacker’s opinion about the national (cyber)security was never asked • In practice these guys are the main workforce source of public and private organizations • I want to know whether they want to participate in national defense or no • Questionnaire was published on Hacktivity’s website and an e-mail was sent out to ~600 subscribers • Cca. 20% answered the questionnaire (187 respondants)! Questionnaire • 4 questions: • • • • • • • • Your homeland needs you, what do you do? With which motivation of IT security do you agree? What is your job? What do you think about the Hungarian Army? The level of patriotism The place of hackers in cyber warfare The current place in the market The honest opinion about military • To measure: The level of patriotism • 3 possible answers: • I must help to my homeland • I can help if they pay • Leave me alone! • Presumption: • Most of the respondents love the country and help for free The level of patriotism Attack or defense • Cyber defense is the role of official agencies not hackers • The place of hackers is attacking/simulating attacks or counter striking in case of foreign attacks • 3 possible answers: • I attack • I defend • I counter strike • Presumption: • Most of the respondants want to attack Attack or defense Current jobs • The country has some professional ethical hackers who can be the core of cyber corps • We have many students who can be professional ethical hackers in the future • And we have so many other pro’s who are working on other fields • 3 possible answers: • I’m a professional ethical hacker • I hack just for fun but work on other field • I’m a student • Presumption: • We have only a few ethical hackers but a strong university background Current jobs Opinion about the army • If the army (or other agency) wants to cooperate with hackers, the positive image is a must. • 3 possible answers: • Hungarian Army is an important and appreciated organization • Hungarian Army is not serious but I’m not against the military • I’m pacifist • Presumption: • Most of the respondants are not pacifist but have a negative image about the Hungarian Army Opinion about the army Conclusions • The so called „hackers” love their country and ready to protect it • Half of them are ready to attack or counter strike • Hungary has some professional ethical hackers and a huge background on universities • The Hungarian Army should begin to build a positive image in this area if it accepts my theory Interesting correlations • One half of the professional ethical hackers wants to help for money the other half for free • Most of the pro’s have negative image about the Hungarian Army • For fun hackers have the most positive image about the Army • The patriots are not pacifists • For fun hackers are ready to protect and counter strike • Students are patriots and not pacifists Closing ideas • If I was the responsible officer: • I’d actively participate on hacker conferences • I’d build the image of army • I’d get the support for a mimic warfare in cyberspace • I’d involve the patriot hackers to this event • I’d be horrified at the result of this event and begin to shout for laws and coordination Thank you!