‘Ware the L33t Hax0rz – Boo

It seems that the publication of the government’s new national security strategy is likely to spawn a wealth of depressingly stupid commentary on the subject of ‘cybercrime’ if early reactions are anything to go by.

Take the Telegraph, a newspaper with previous form for running planted stories on behalf of unnamed ‘sources’ in the security services, who’re going with the classic ‘Yellow Peril’ angle:

Last September it emerged that up to 10 Whitehall departments are being regularly targeted by computer hackers from countries such as China and Russia who want to find out state secrets.

Hackers from China’s People’s Liberation Army were said to have attacked the IT systems of the Foreign Office and other government departments.

Beijing is reported to be engaged in a battle to achieve “electronic dominance” over each of its global rivals by 2050, particularly the US, Britain, Russia and South Korea.

Meanwhile ‘Computing’ magazine, which ought to know better, are running with the ‘are we doing enough about it’ angle:

Although the report mentions investment in response to these new threats, it does not provide any details of where money is being invested, or how policy has changed, other than referring to a continued investment in modernising communications interception techniques.

The report goes on to highlight the importance of collaboration on these issues, without mentioning how it will facilitate this collaboration.

You don’t suppose that the reason why the government doesn’t publish details of where the money is being invested, etc might have something to do with not giving foreign governments useful information about the state and nature of the nation’s IT security infrastructure, do you?

D’oh!

Securing critical government (and business) systems is a multi-layered task, one that involves the security services, systems suppliers, software engineers, telecommunications companies, academics and a whole shed load of other people and interests…

…including hackers.

In netspeak, the words you’d be looking for would be ones like ‘white-hat’, ‘ethical hacker’ or ‘samurai’, hackers who take on or who hire out for legit jobs, who carry out penetration testing of IT security systems, find exploits and advise on their closure and, yes, take the occasional shot at worming their way into places they shouldn’t be going as well if the occasion demands.

For as long as I’ve been using computers there have been people who’ve been taking their hacking skills, often developed by breaking into systems illegally back in the early days, and crossing over to the other side to become security consultants. One of the very first top flight hackers I ever met did just that, they left university and set up in business straight away as a consultant specialising in securing IT systems in the financial services sector and made a damn good living out of it, as good as many of the city traders whose company’s asses they were covering…

…and, inevitably, there are some of these ‘samurai’ who find their way into working in less public arenas.

How true some of the stories are its impossible to say, but there have always been stories and rumours about the allegedly somewhat unorthodox recruitment methods used by security services here and in other countries, of how the best talent around – at least those who don’t develop too much of a public profile, would be offered the option of working for the state using their skills or working for sewing mailbags and making number plates – and even those are more the stuff of Le Carre than the real world, government do recruit by other more conventional means, much as they do for other branches of the security services.

We have our spooks and they have theirs and that’s the way the game’s played and always has been – and like anything else that comes with the label ‘national security’ attached to it, just don’t expect to be given the details.