The U.S. government is searching for a way to fight back against an onslaught of cyberattacks, yet faces one fatal flaw: It doesn’t know how to work with the hackers capable of solving the problem.
There are a few reasons for this. Skilled hackers are in high demand, and they get better offers from employers in the private sector. Hacker counterculture is also often far from what federal agencies, like the FBI, feel comfortable with in their agents.
“The level of thinking they have is 1940s. Until that changes, they’re not going to wrap their heads around this stuff,” said Walter O’Brien, co-producer of the hit CBS show “Scorpion” and the CEO of Scorpion Computer Services Inc.
In October, O’Brien, who is 40, was invited to a high-security military facility in San Diego, where he witnessed the problem firsthand.
“They tried to bring me on the base down in San Diego so I could help them with their command center in cyber,” he said, in a phone interview.
Yet, the visit almost ended before it began.
At the gate, they inspected O’Brien’s laptop for malware, and “when they scanned it, the thing lit up like a Christmas tree,” he said. O’Brien collects computer viruses so he can analyze them for work, and had to explain why his laptop was holding nearly every computer virus ever made.
To help in the discussion O’Brien had also brought along a hacker from the DefCon cybersecurity conference. The guards at the gate said they couldn’t let him on the base because he had a criminal record. “Of course he does,” O’Brien told them. “It’s because he’s a real hacker!”
While the meeting finally did happen, O’Brien said the encounter highlights one of the harsh realities in the world of cybersecurity: the Pentagon and U.S. government are looking for ways to defend against cyberattacks, but they don’t know how to work with the hackers who hold the solutions.
It’s also something O’Brien hopes to help them change.
Gathering of the Minds
O’Brien’s company, Scorpion Computer Services Inc., is filled with some of the brightest minds around, and while he has faced similar problems when it comes to hiring hackers, he worked out his own solutions.
One of the key problems O’Brien found with highly intelligent people, he said, is “the higher their IQ [intelligence quotient], the lower the EQ [emotional quotient].” In other words, his smart staff lacked people skills.
Yet, instead of firing them, and searching for the white whale hacker with a clean slate who gets along with everyone, O’Brien created a solution modeled after the human brain—where the left side is attributed to logic and analysis, while the right brain is associated with feeling and creativity.
To compensate for his smart employees who had trouble interacting with others, he hired people who are skilled at communicating, including former psychiatrists and teachers.
At the core of his solution is something that the government could take a lesson from when trying to hire from the same pool of individuals. Instead of forcing a highly demanded group of employees to adapt to his system, he adapted his company to make things work.
And adaptability is what the cultures in government and military still lacks. The problem appears in many areas relating to cybersecurity—and not just with their hiring practices.
Behind the Times
Things move fast when it comes to technology. Consider, for example, that Facebook has only been around since 2004, and that Twitter only started in 2006.
The government, on the other hand, does not move fast. “NSA has a six-year procurement cycle,” O’Brien said, noting that when this is applied to Internet security, “anything they buy, by definition, is hopelessly obsolete.”
He used the Office of Personnel Management (OPM), which was recently hacked by China, as another example. At the time of its breach, OPM was still running the 2003 version of Microsoft’s Internet Information Server.
Even for current systems, the government is slow to install critical updates. The Department of Homeland Security noted this problem in a 2014 report, stating in 2012, the Internal Revenue Service (IRS) had 7,329 “potential vulnerabilities” because it hadn’t installed software patches.
The report adds that at one point in 2011, “over a third of all computers at the IRS had software with critical vulnerabilities that were not patched.” While IRS officials expected critical patches to be installed within 72 hours, it adds, they found the department took an average of 55 days to patch their systems.
The result of the government’s slow pace in cybersecurity is that U.S. adversaries, unrestricted by bureaucracy and rigid protocol, are running circles around U.S. cyberdefenses.
As warfare moves into the cyberdomain, the importance of cybersecurity is only growing. Yet the government’s lack of hackers, and others skilled in cybersecurity, means that even fewer people with these skills are in positions where they can get things moving.
“As long as the government doesn’t take this seriously, it’s never going to be solved,” O’Brien said. “I think every single group admits it’s a huge problem.”
“We need to fast track stuff into the government,” he said, yet noted that doing so will require a change in thinking behind how things are done.