Here's how the Justice Department wants to befriend ethical hackers
LAS VEGAS - The Justice Department's relationship with the cybersecurity research community has historically been tempestuous, but Leonard Bailey is on a mission to improve it.
That's what brings him to the BSides cybersecurity conference. The head of the cybersecurity unit of DOJ's computer crimes division is extending an open invitation to ethical hackers to air some grievances and offer policy advice, in a talk called: "Let's Hear from the Hackers: What Should DOJ do Next?"
Bailey wants to ensure hackers are willing to work with government on improving cybersecurity - instead of staying away because they're suspicious of government.
"It's about figuring out how to make sure that their ability to help us improve [the nation's] cybersecurity is not taken off the playing field," Bailey tells me. "They have a valuable resource and they can be helping everyone."
This marks a drastic change - in terms of both outreach and attitude - from previous years. Tensions have soared as ethical hackers accused DOJ of being too quick to prosecute them for benign research aimed at improving cybersecurity - and of not being transparent enough about the rules for what constitutes a digital crime.
Bailey's office has worked for four years to ease some of these tension points, he said, including by helping develop Copyright Office rules, which make it tougher for companies to use copyright laws to scare off ethical hackers from searching for dangerous bugs in their software, and publishing guidance that clarifies when hackers are likely to fall afoul of the nation's major anti-hacking law, the 1986 Computer Fraud and Abuse Act.
"[Before], we were building a bridge" of trust, he told me. "Now, we've developed some strong relationships where we can have policy discussions."
Bailey's likely to run into some serious headwinds, though. While a majority of cybersecurity experts surveyed by The Cybersecurity 202 said this week that the relationship between hackers and government officials has gotten better in the last several years, they also pointed out some major points of conflict.
Most ethical hackers strongly oppose Attorney General William P. Barr's push to stop companies from offering encrypted communication systems that prevent police from accessing communications with a warrant. And they say the Computer Fraud and Abuse act is still used too broadly to punish hackers - with many pointing to the case of Marcus Hutchins, a British security researcher who helped stem the damage from the massive WannaCry ransomware attack in 2017 but was charged under the CFAA a few months later for developing and selling malicious software.
Bailey acknowledged the conflict. He joked in a 2016 address that when he first met with ethical hackers at the Black Hat cybersecurity conference in 2015 "only half [of the meeting] was being yelled at." In succeeding years, he says, those conversations have become far less hostile and more productive. Now, he says ethical hackers frequently call him to talk over policy disagreements.
One of the big things Bailey wants to talk with ethical hackers about today is ways they can work with government to help warn young people who are skilled with computers away from criminal hacking or digital vandalism that might land them in trouble with the law.
"Kids who are tech savvy are having earlier and earlier access to valuable tools for learning hard skills like coding, but they may not also be getting information about how to use that power responsibly," he said.
The Justice Department is examining offering grants for organizations to write ethical hacking curriculum for high schools or community organizations, he said. They're also looking for ways to reach out to places where they might find tech savvy teens, such as the video gaming community.
But he's hoping the hacking community will take up the issue, too, and launch its own education efforts.
"It's very difficult for the government to shape a message here, to say 'hey kids, don't hack.' That doesn't really have a lot of purchase," he told me. "So, we're trying to figure out whether there are ways of leveraging the community to help us with that messaging."