Firing (and Hiring) Hackers

[InfoSec News <isn () c4i org>]

http://www.techtv.com/cybercrime/digitaldisputes/story/0,23008,3338661,00.html

By Jack Karp
October 2, 2001 

In March of 1999, Chris Wiest was dishonorably discharged from the
United States Air Force Academy after being convicted by a military
court of "illegally accessing a computer system and causing damage."

Wiest's court-martial and discharge stemmed from the fact that Wiest
had been using his Air Force computer to access Internet Relay Chat
(IRC), an application that allows multiple users to chat interactively
with one another through a single server. But because of security
concerns, the Air Force Academy had prohibited the use of IRC among
its cadets.

Wiest admits he chose to do it anyway.

"I made a decision that, yes, I'll do this and I'll accept the risks
that go with it and, if I get caught, I am quite sure that I will be
out on the tour pad marching some tours and paying the consequences
for the choice of my actions," Wiest told "CyberCrime."

But Wiest didn't end up marching tours. He ended up out of the Air
Force, largely because the IRC program he was using had been set up
illegally on a North Carolina Internet company's hacked servers. Wiest
insists that he was not the one who set up the program and that
someone else had simply given him the passwords. Despite the fact that
the Air Force could find no evidence that Wiest had hacked the servers
and that the Air Force's own investigators agreed that Wiest probably
was not the hacker, Wiest was still dismissed from the service.

Representatives from the Air Force Academy won't say exactly why Wiest
was discharged, citing the pending legal case. But Drew Fahey, a
former officer with the Air Force's Office of Special Investigations
who investigated Wiest on the hacking charges, stands by the decision.

"To be an officer in the Air Force requires utmost integrity and then
honesty," Fahey said. "And he just did not portray that to me
whatsoever."

Hackers for hire?

But that's not the tack US military and government personnel have been
taking at recent hacking conventions such as Def Con, where "Meet the
Fed" events have become regular recruiting sessions.

"I think the objective of us coming and having a 'Meet the Fed' panel
is to give folks who haven't crossed the line yet a positive
alternative," Jim Christy, of the Office of the Assistant Secretary of
Defense for Command, Control, Communications, and Intelligence, said
at Def Con 9, held in Las Vegas this past July. "There's a whole lot
of talent, but the talent can be misused, and the government and
private sector can all use the talent."

In recent years, representatives of the Air Force, the Department of
Defense, and the Federal Computer Incident Response Team have all made
their way to Def Con and other hacker gatherings in an attempt to turn
hackers into recruits. At last year's Def Con 8, then-Assistant
Secretary of Defense Arthur Money told attendees, "If you are
extremely talented, and you are wondering what you'd like to do for
the rest of your life, join us and help us educate our people."

Money confessed to the assembled hackers that the Department of
Defense (DOD) had been victimized 22,124 times by hackers in 1999,
costing the department $25 billion. The large amount of damage was a
result, according to government representatives, of the government's
inability to recruit qualified technical staff.

Money talks

One of the biggest reasons the government has had difficulty hiring
qualified technical workers is financial, Money admitted while
speaking at Def Con 8. The financial rewards of working for the
government are not as high as of working for a high tech security
firm. But Dick Schaefer, director of infrastructure and information
assurance for the DOD, was quick to add that "we have got some of the
most sophisticated toys in the world. If you would like to get access
to those toys and become part of a very elite team, we would like to
talk to you."

The government is backing up its recruiting attempts with money. A
recent scholarship program sponsored by the National Science
Foundation will award $8.6 million to 200 students studying computers
at schools such as Carnegie Mellon, Purdue, Iowa State, and even the
Naval Postgraduate School in exchange for those students agreeing to
work as computer security professionals for the government after
graduation.

And, not satisfied with its recruiting efforts at home, the US
government is looking abroad for hacking help as well. In April, "The
Moscow Times" confirmed reports that US diplomats had tried to hire a
Moscow hacker to break into Russia's Federal Security Service's
network. The 20-year-old hacker, identified as "Vers," said he was
asked to copy, alter, and delete files in exchange for $10,000. Vers
instead went to the Russian government and told officials about the
diplomats' offer.

So why is the government suddenly being so aggressive in recruiting
hackers? To find out, read part two of our story.

Allies Out of Adversaries

It makes sense that the government is now looking to create allies out
of the hackers it has sometimes seen as adversaries. In the last few
years, government and military websites have become the target of an
embarrassingly high number of successful hacks.

In 1998, two teenage boys from Cloverdale, California, were caught
breaking into Pentagon and DOD computers. In 1999, a 19-year-old from
Green Bay, Wisconsin, was arrested and charged with hacking into the
Army's computer system, and another 19-year-old from Shoreline,
Washington, was sentenced to 15 months in prison after pleading guilty
to hacking the websites of NATO, the US Information Agency, and
then-Vice President Al Gore. A group calling itself Masterz of
Downloading took down both the FBI's and Senate's homepages that same
year. And, according to attrition.org, a website that once documented
and archived high-profile hacks, government sites successfully
attacked so far in 2001 include those of the Federal Highway
Administration, the Department of Health and Human Services, the
Federal Law Enforcement Training Center, and the US Navy Fleet &
Family Support Center.

But teen-age hackers are the least of the government's concerns. It's
international terrorists and foreign nations that really have
government computer personnel worried, according to Air Force
Lieutenant General Michael Hayden, who heads the National Security
Agency. Last year, while speaking at a computer security conference in
Baltimore, Hayden announced that cyberspace would become the next
major military battlefield.

And there have already been several "battles" illustrating his point.
In 1999, Army General Henry Shelton, chairman of the Joint Chiefs of
Staff, disclosed to reporters from the Reuters news service that the
United States had tried to mount electronic attacks on Serbian
computer networks during the NATO air campaign over the province of
Kosovo. In 2000, as tensions and violence were on the rise in the
Middle East, civilian hackers on both the Israeli and Palestinian
sides of the conflict began defacing government and commercial
websites, including websites belonging to US companies and nonprofit
organizations with ties to Israel. And after a US spy plane collided
with a Chinese fighter jet this past April, several US-based websites
were allegedly hacked by Chinese hackers.

"I would rather have my attention focused on what rogue states are
doing to us than being harassed seven times a day figuring out what
some guy is doing to us," Money said about trying to recruit hackers
to help the government ward off such threats.

Keeping recruits in check

But the government may have a harder time than it expects keeping the
hackers it recruits in check. Just this past May, an Air Force airman
was arrested in Korea for hacking into approximately 50 Korean
websites. The 24-year-old airman first class, who was stationed at
Osan Air Base, was caught by Korea's National Police Agency Cyber
Terror Response Center while hacking at his girlfriend's home in the
Gyeonggi Province of Korea.

And last year, the CIA admitted that it was investigating 160
employees who had allegedly created and participated in a secret chat
room they had hidden deep inside the bowels of the CIA's computers.
The chat room, which was built by the agency's own computer personnel,
existed for between five and 10 years before being discovered. Four
CIA employees and nine CIA contractors were disciplined for the
security breach and had their security clearances revoked, making them
unemployable by the CIA. Another 18 employees received letters of
reprimand, and many of them were suspended without pay for periods
ranging from five to 45 days.

Former Air Force Academy cadet Chris Wiest received a far more drastic
punishment than a 45-day suspension, however, when he was charged with
hacking into a company's servers to set up an unauthorized IRC chat
room. Wiest, who still denies the allegations, was convicted of the
lesser charge of "illegally accessing a computer system and causing
damage" and discharged from the Air Force. His conviction, if not
overturned on appeal, may bar him from ever becoming a lawyer, a goal
he has been pursuing since his discharge.

"I think an objective, reasonable person will conclude there's been an
injustice," said Frank Spinner, Wiest's defense attorney. "This is a
case about ineptitude on the part of the Air Force in trying to figure
out what computer hacking is."

Wiest is currently appealing his conviction. But whether he wins or
loses, the government will have to learn a lot more about hacking if
it intends to continue to recruit hackers into its ranks. For now,
Chris Wiest is a casualty of that learning process.

"I remember being terrified, absolutely terrified," Wiest said about
his trial and discharge. "And especially, you know, this is all I was
doing. I was chatting. The rest of this is ridiculous."

This article is based on original reporting by "CyberCrime" segment
producer Scott Pearson.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.