12. Hackers and Feds – Unlikely Partners
However varied our journeys into security are, we tend to come from two very different but specific backgrounds. One segment consider themselves hackers. The other originates in “milfed”, that is, the military, signal intelligence and law enforcement.
We are two tribes, distinctive enough that we each even call our industry by different names. To Hackers it is infosec. To Feds it is cybersecurity.
Hackers
Hackers are those that messed about with computers at home or university, meeting up with others online or a hackerspace if one happened to be nearby. This is the world of phreakers and explorers, cypherpunks, IRC and phrack.org, which published seminal papers such as Smashing the Stack for Fun and Profit and The Hacker Manifesto. In this group you find high levels of support for Wikileaks and Snowden (at least initially), and Anonymous, Occupy, or BLM, if not active participation. Unsurprisingly, this tribe trends anti-authoritarian, even anarchist/libertarian.
This group dominates in Europe, and specifically, on the European continent. Germany especially, with its Chaos Computer Club, combines the hacker ethic with a social consciousness, focusing strongly on the effect of technology on society, and actively pursuing campaigns towards privacy protection of security of citizens. The L0pht notwithstanding, security seemed less of a topic in American hacker culture to me, as a European who moved to Silicon Valley. The Homebrew Computer Club, for instance, always struck me more as makers rather than breakers. Either way, this tribe has a natural playfulness.
Feds
Feds include those with a military, intelligence or law enforcement background. This group dominates in the US, other “Five Eyes” countries and Israel, coming from agencies such as NSA, GCHQ or Unit 8200, etc. but also the FBI or other police forces.
Culturally, with ranks and orders, this means a more hierarchical, authoritarian outlook, and its members are used to operate in far more structured environments. This is a much more serious tribe, coming up within a context of fighting crime or conflicts. This group believes in rules, policies and procedures, and expects them to be followed.
Natural Enemies
I remember the outrage in the hacker community when General Keith Alexander, at the time head of the NSA and US Cyber Command gave the keynote at Defcon 20. Known already for being attended by a variety of Feds leading to its nickname “Fedcon”, many (at least for a while) turned their back on the conference.
The Feds were the enemy. They went after Hackers that weren't cybercriminals – at least in the eyes of the Hackers. They were the ones that turned Sabu. They were the ones that started the Crypto Wars and pushed NIST to include a flawed algorithm in their encryption standard.
And Then We Had Bills to Pay...
As Hackers got older and Feds left the service, we got married and got mortgages. We found ourselves thrown together in the companies and organizations building up security teams and functions, or developing security tooling, protecting systems against ever more professional and sophisticated attackers. We became colleagues, partners, vendors and buyers, and had to work together, whether we liked to or not.
But it has largely worked out. More even than paying the bills, I am convinced that our shared deep concern for security and privacy allowed us to look beyond our differences and build relationships. Still unquestionably a Hacker, I work closely with and for Feds, with great shared mutual respect. They have been and are mentors just as dear as Aleph One.
In hindsight, now about 10 years later, General Alexander's keynote sounds like a brave – if sometimes awkward – invitation to a justifiably reluctant audience. It also sounds far less controversial and even prescient, stressing a “shared responsibility” and working together with industry and the hacker community that is now manifested through CISA and still echoes through the White House's National Cybersecurity Strategy published this week.
If Hackers and Feds Can Do It
What is so fascinating is how we manage to work together and trust each other without losing our respective identities. I am still a Hacker, I don't feel I have “sold out” or anything. My Fed colleagues and partners haven't suddenly become Hackers, either. The Venn diagram of Hackers and Feds remains pretty much two circles. With shared goals to protect society against cyber threats, these unlikely partners rise above our differences to drive meaningful security programs, though.
That gives me hope for society as a whole, and our ability to build bridges across different tribes, cultures, subcultures and other divisions. If Hackers and Feds can do it...
cloud security posts without corporate approval @jaythvv@infosec.exchange