Are we actively encouraging destructive hacking?
Facebook's latest Hacker Cup celebrates creative computer talent instead of rewarding the destroyers, which is rare
By Ira Winkler | Computerworld US | Published: 15:36, 11 January 2012
Whenever I see another "cyberchallenge" getting play in the press, I think our priorities are screwed up.
People seem to think that organising teams of people to hack into systems is a way to bring together the best computer talent to square off against each other. I look at it as a waste of that talent. Maybe the press wouldn't be as interested, but I believe we all would be better served by competitions over who can better secure a nonprofit organisation, who can develop a better fundraising database or who can teach underprivileged children math or programming better. Cyberchallenges are about who can destroy things most effectively. Doesn't it make sense to challenge young hackers to create something that can provide true value?
That's why I was excited to read about Facebook's latest Hacker Cup. This contest has become one of the few tests of creative computer talent. To quote the IDG News Service's report on the Hacker Cup: "The contest consists of successive sets of increasingly difficult algorithmic problems. Scoring will be based on how accurately and quickly the programmers complete the puzzles. Last year's contest featured challenges such as determining the optimum number of shield generators and warriors one should acquire for the Facebook game Starcraft II and calculating the best race car driving strategy given a variable number of opponents, race track curves and likelihood of crashing."
In other words, it's all about being creative, not destructive. Unfortunately, we often seem to highlight the people who destroy more than those who create.
For example, the National Security Agency is awarding scholarships based on cyberchallenges. This is muddied thinking. The NSA would get far more benefit if it awarded scholarships based on good, creative programming. By rewarding the forces of destruction, the NSA is sending a message. Is it one we want to send to the nation's young hackers?
Hacking attacks more interesting than prevention
Meanwhile, the media effectively lionise groups like Anonymous by breathlessly reporting on their latest hacks. But these hacks are really little more than random attacks that take advantage of vulnerabilities. The better story is admittedly much harder to cover, involving the IT staffs at hundreds of companies who create secure architectures and who, though subjected to hundreds, if not thousands, of attacks a day, repel them successfully.
For example, we don't hear about the talent it took to create our telecommunications infrastructure. We take for granted how seamless our communications have become. At this point, the Star Trek communicator seems outdated. Not only can we talk to people by saying their name, but we can also use our phones to text, download videos, run applications and buy a frappuccino from Starbuck's.
Then there's our financial infrastructure. We can walk around without any money, buy things with our cellphones, conduct commerce around the world with people we've never met and do many other things we never envisioned a decade ago. Now, try to name just one person who helped enable such an increase to the quality of our lives.
In both cases, we are talking about many thousands of creators who have done great things in relative anonymity. That's why I'm pleased with what Facebook is doing with its Hacker Cup. It's rewarding people who show they can use their knowledge creatively. And incidentally, it's restoring the original meaning of "hacker" in the process. It's about time that an organization stopped the nonsense of recognising people focused on destruction and started to reward people for demonstrating an ability to solve problems in creative ways.
There is an irony in my saying this. (And I don't mean that I have been highly critical of Facebook in the past, though my editor did say it would be unusual to hear me saying something nice about the company. My criticism stands ; a company enriched by its customers needs to have decent customer service in place.) I'm talking about the fact that I am mostly known for penetration testing and finding problems quickly. My work is in a way a criticism of the systems I test. But while I do believe that such testing and probing is necessary, I really do feel that the people who create the physical and technical infrastructures that I assess do the greater labor. There is a need for people to do penetration testing, but that need has been exaggerated compared to the need for talented professionals to give the penetration testers something to test.
We should train students to integrate security
My experience has shown me that penetration testing can involve a great deal of creativity. And admittedly, some hacks are extremely complicated and advanced. But again, the level of creativity is generally exaggerated when you compare it to the overall advances in computer-related innovation as a whole.
Even at the US National Security Agency, which possibly employs more professional hackers than any other organisation in the world, hackers are only a small percentage of the total IT staff, with the majority of those staffers responsible for running some of the largest data centres in the world, maintaining one of the most complicated satellite communications systems, designing new cryptographic algorithms, developing new applications, maintaining a network of tens of thousands of computers around the world tied to thousands of mainframes and servers, programming and maintaining supercomputers, and much more. And as in any other organisation, the skills of the world-class hackers employed by the NSA would be a moot issue if it weren't for the skills of the people who have developed the infrastructure that allows those hackers to exercise their skills.
What we really should be doing is not to reward a handful of students to find problems, but to train all students, and inevitably the profession, to integrate security into their efforts from the start. But that is the subject of another article.
It is also worth pointing out that in the long run, people are rewarded for creating, not destroying. Media exposure may give ego boosts to criminals, but the rewards for hacking are very short term, unless you go into a life of crime. Meanwhile, the people who create technologies can get residual income for years.
So, as Facebook is doing with the Hacker Cup, let's celebrate those who create things, not the destroyers. Let's stop pandering to what sounds cool from a science-fiction perspective and start focusing on the fact that talented creators have turned science fiction into a reality.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.