I am sometimes befuddled at just how much press (negative and otherwise) hackers receive. Truth be told, perhaps my befuddlement contains just a twinge of jealousy (okay, maybe more than a twinge). Although hackers may not have attained the status of rock stars yet, I can imagine throngs of hacker groupies hanging around just outside the back door waiting to pounce on the clueless geeks as they emerge from an all-night hacking session.
Sure, I’ve done some white-hat hacking. I have had training through a university, SANS, and multiple visits to the Idaho National Laboratory. I’ve used many of the tools that are commonly available. What I have gathered in all this time is that hacking is easy. Let me explain. It’s easy in the sense that typically the hacker is not creating vulnerabilities (such can only be done by system designers and software developers), but taking advantage of vulnerabilities discovered. The adoration heaped on hackers strikes me as akin to admiring a clever thief because they found the back door unlocked. Granted, the thief may have scoured hundreds of neighborhoods with an advanced algorithm searching for this one unlocked door, but that is hardly a remarkable, let alone admirable, feat.
On the contrary, as any cyber defender will attest, they have to be way more than just lucky. The defender (and the systems they’ve employed in the defense) have to be on their game 24 hours a day, 365 days a year. This seems like a much more difficult posture to sustain and the constant stream of media reports on the latest breaches that get more spectacular every day would tend to support my position.
I just Googled “smart refrigerator hack” and I got 444,000 hits. I then Googled “cyber defense of ‘nuclear power plants’” and got 59,900 hits (I was pleased to note that a whitepaper I wrote was listed at the number two spot). Nonetheless, in my decidedly unscientific sample there was nearly an order of magnitude more Google entries on the topic of hacking a refrigerator. I would posit that providing effective cyber defense of an operating nuclear power plant is infinitely more important than getting your refrigerator to spew spam.
I will grant you, many hackers are well intended and their findings are sometimes acted upon by vendors and asset owners alike. In fact, with the various hacker reward programs promulgated by the likes of Google and Microsoft, skilled hackers may even find ways to legitimately fund their continued activities. I wish them well. But, from where I sit, hacker skills rarely translate well to defender skills.
Therefore, speaking as a defender to other defenders, the next time you ponder booking that flight to attend the next hacker conference, ask yourself just how whatever skills you may garner will help improve your defensive posture. Perhaps you can avert your gaze from the glitzy world of hackers (and the wannabes) to the mundane realm of staid process-based cyber security such as The Langner Group’s Robust Industrial Control Systems Planning and Evaluation (RIPE) program. Your smart refrigerator, which is worried more about a cyber-induced power blackout than getting hacked, will thank you for it.