
US Defense contractors recruiting offensive attackers by the hundreds - mikkohypponen
http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2/
======
mtgx
This has confirmed all my worries. Whenever the intelligence agencies and the
politicians lobby for "cyber-bills" and such, and it's almost never about
"protecting US against threats", but about "attacking others".

So on one hand they keep drumming up the fear mongering about other countries
attacking us through "cyberspace" and that they _need_ "these bills" to stop
that, when in fact the bills, and the bigger budgets, are all about US
attacking others, and basically committing acts of war against them (their
words, not mine).

If the US is really afraid of "cyber-threats", then they really need to ramp
up the _defense_ at home, _not_ offense, and keep as much of the critical
infrastructure off the Internet as possible.

Oh, and these are a couple of funny posts about the politicians' abuse of the
word "cyber":

[http://www.techdirt.com/articles/20120614/01590919314/cyberp...](http://www.techdirt.com/articles/20120614/01590919314/cyberpolitics-
cyberbellicosity-cyberpushing-cybersecurity-to-cyberprevent-cyberwar.shtml)

[http://www.techdirt.com/articles/20120615/03214619333/politi...](http://www.techdirt.com/articles/20120615/03214619333/politicians-
who-cried-cyber-pearl-harbor-wolf.shtml)

~~~
tptacek
Are we really shocked, shocked that the DoD employs offensive technology
people? We're talking about the military here.

~~~
JoachimSchipper
Piggybacking off your comment: I _am_ surprised, am I missing something? Given
the US' and the West's rather serious vulnerability in this arena, escalating
the use of cyber-"weapons" doesn't obviously seem the best idea.

(Stockpiling hacks and crypto nastiness is obviously a good idea, doing
something about China's cyber-espionage makes sense, and increasingly
sophisticated and well-funded hacking is probably unavoidable; but TTBOMK, the
US has been the first to directly attack targets of major military
significance, both in Iraq and in Iran.)

~~~
tptacek
What is the logic here? That if the US simply doesn't invest in offensive
security research, nobody else will? That the US is somehow escalating the
information security crisis?

That would be a ridiculous point, unworthy of debate.

Nation states around the world owe their first allegiance to their own
interests, and then to the interests of their long-term economic and
geopolitical prospects, and then maybe to their people. Any allegiance owed to
principled conduct in "cyberspace" is way, way down the list. Any rival of the
United States has an advantage that can be prosecuted using offensive security
research is assuredly already doing so.

I also take issue with your last sentence, with the idea that the US was the
first state to directly engage foreign targets. Obviously, the words "of major
military significance" gives your argument a lot of room to maneuver, but the
overall effect of the argument as it stands is that the US is the only state
pursuing any kind of meaningful offensive security effort. That's almost
definitely not the case.

I'm also unclear as to why I should be particularly disturbed by the
weaponization of IT. Let's stipulate for a moment that Stuxnet was a weapon
intended to sabotage a covert Iranian nuclear weapons program. OK. And? What
moral authority does Stuxnet lack that a laser-guided bomb dropped from a jet
owns? Did Stuxnet kill anyone? To the extent the US military can accomplish
objectives using technological countermeasures rather than explosive
munitions, I call that progress.

~~~
FreakLegion
_> I also take issue with your last sentence, with the idea that the US was
the first state to directly engage foreign targets. Obviously, the words "of
major military significance" gives your argument a lot of room to maneuver,
but the overall effect of the argument as it stands is that the US is the only
state pursuing any kind of meaningful offensive security effort. That's almost
definitely not the case._

Absolutely. The US was simply the first to cause actual physical damage to a
high-profile target. Other nation states have focused their efforts on
accessing sensitive information, a la Aurora. Occasionally these attacks make
it into the news but, more often than not, they go undisclosed by the target
and/or unreported by the media.

------
pilom
I work for one of the companies listed in this article as a "Cyber Security
Engineer." I have 2 issues with this article. First, the vast majority of
cyber security work is defence. I would guess the percentage of people working
defence is 100x more than the number of people working offence. (And yet the
people on offence always have the upper hand, but that is a different story.)
Second, most of the hiring for offensive talent is at the Speculation phase.
NSA doesn't really outsource much of its work on this kind of stuff. The
contractors know that the demand will eventually ramp up but it hasn't yet. So
most offensive guys at contractors spend their time doing Internal R&D to use
as demos for the government. Some day NSA will ask for help, but it isn't
today. When it does though the contractors are trying to be ready.

------
AJ007
Unlike a standing army, the US could conceivably have a majority of the
world's skilled hackers and crackers on their payroll (directly or
indirectly.)

It also makes for good record keeping by "interviewing" talent.

