Former Bush NSA Director calls for "digital Blackwater" - cfaubell
http://www.rawstory.com/rawreplay/2011/07/former-bush-nsa-director-calls-for-digital-blackwater/

======
iuguy
There are already several digital Blackwaters, so to speak. HBGary Federal is
the obvious unsuccessful one, but you also have much more successful ones like
Endgame Security.

Personally my view is that the 'physical' Blackwaters of the world haven't
demonstrated an awful lot of adherence to the moral requirements associated
with such work, so why would the virtual ones do the same? If you sanction a
company with the ethics of Blackwater to do offensive work, do you really
think the only side they're ever going to fight on is yours? Do you think
that they'd represent your interests, or theirs, and do you think there'd be
any hope of the kind of transparency or limitations that you'd at least expect
to see in a state-run equivalent?

~~~
lawnchair_larry
What indication do you have that endgame is successful?

Also, General Dynamics AIS.

~~~
iuguy
I think a lot is down to how you define success. They had a successful Series
A round, but I wouldn't consider that success in itself.

I've seen a few things where I've been told it's from Endgame and I have to
say that there's no way that the information contained could've been acquired
in any way that could be construed as lawful under UK law (bear in mind that
our computer crime laws are garbage, but that's another discussion), although
I don't have any financial information.

~~~
lawnchair_larry
I see - I saw the pricing sheet from Endgame that was leaked, but it was not
clear to me if anyone is really buying their services, and I am in the
industry (not doing shady things). So I was just curious.

------
rdl
I agree a "digital blackwater" can be much more effective than the government
for this kind of thing.

However, unlike physical violence, there's not as much "inherent human moral
knowledge" about computer crime/war/terrorism. It's pretty obvious to anyone
(including Blackwater shooters) that shooting people is wrong, all things
being equal; it is necessary in certain situations, but is to be avoided if
possible. Some kinds of shooting are worse than others, and there are lines
which most people wouldn't cross (shooting obviously unarmed people, children,
etc.), even if ordered to do so.

With most computer crime, it's not so obvious who is being hurt and how much;
there's also no primate/reptilian brain response to most of the activities
themselves, only their consequences.

There's also much more potential to use "able to do digital violence" to
influence business and politics within a stable nation state than to use
physical violence. Organized crime only really can operate in marginal
communities, at least through violent extortion -- in more developed places,
it sticks to providing unmet (illegal) needs like drugs, gambling,
prostitution, etc., or operates at a sub-organized level.

There's really nothing in "inherent morals" of people, or in cultural values,
which will prevent using a "digital blackwater" for political or business
ends.

If someone goes down this road (and the Chinese appear to have already, and
possibly Russia), everyone else has to, but the world will become worse
overall. Better for hackers, perhaps, as a subset, but I'd be fine with having
a little less money and living in a less-Gibsonian world.

------
trotsky
I do agree that there comes a time when you have to look at the current
security environment and realize that you need to enable the private
sector to do more to defend themselves than appears possible currently.
Relating of course to industrial espionage and the so-called "APT", not this
#antisec nonsense. I don't look forward to a world where private firms are
employing offensive cyber-mercenaries, but let's be honest - that is what many
Chinese firms and some western firms are already doing. Something needs to
change to let western businesses respond to these threats, and it's clear that
the usual mantras of defense in depth and being increasingly vigilant just
aren't leading us down a winning path. We may never have an infosec world where
it's possible to adequately rely on defense only; perhaps it is time to move
past the missile defense shields and on to MAD - much like US defense has
gone.

~~~
JoachimSchipper
MAD doesn't really work if you have no idea who just hit you. It's not like
the Chinese couldn't gather a few proxies first...

~~~
trotsky
There is a considerable amount of intelligence that continues to be gathered
in the private sector about exploit authors, Chinese hacking groups, and the
actors involved in ongoing intrusions. Many of these groups conduct a fair
amount of discussion and training pretty out in the open, confident of their
status as out of the reach of western justice. Specific techniques and code
present in a pair of Adobe 0-days used this spring point very loudly back to
one collective and probably one or two specific actors that talk about these
techniques in public, in person. There are strong rumors that the Night Dragon
intrusions track back to a specific actor. I've seen private investigator
reports tailing specific intruders who verify that monitored intrusions happen
reliably just minutes after people they have full dossiers on show up at their
office. With many intrusions it's clear that the long-term hosts are complicit
in the behavior. The wall-of-proxies defense tends to, or at least can, fall down
against determined back-hacking of the client.

All of these circumstances may not be the norm, but they exist. More would
exist if there were more incentives to develop this kind of intelligence. The
basic problem now is OK - what do you do with that info? NSA offensive
security practices are not built for or available to the private sector.
However, it seems very possible that these individual actors could be
dissuaded, harassed, redirected or worse given the right program.

I'm not speaking of a state vs. state MAD. Perhaps I used the wrong term. But,
even though I'm not a gun fan, there must be something to the idea that your
neighbors may be less likely to break into your house if everyone knows you
own a gun and you live somewhere you can shoot an intruder.

------
sorbus
So like lulzsec, anonymous, or all of the other groups, but operating for
money instead of humor and ideology. Sounds like a brilliant idea (that's
sarcasm, by the by).

------
brohee
Surprised no one mentioned HBGary yet. They sure have the lack of ethics that
job calls for...

~~~
officemonkey
Why would he mention HBGary when the fine folks at the Chertoff Group would be
happy to help you with that.

([http://chertoffgroup.com/cgroup/2010/03/general-michael-v-
ha...](http://chertoffgroup.com/cgroup/2010/03/general-michael-v-hayden/))

