I’m writing this in response to a very well put together article written by my friend Dave Lewis on CSO Online: “Are you a legitimate military target?“.
In the article Dave talks about how security researchers, practitioners, and security vendors are suddenly “surprised” to find themselves potentially being under the scrutiny of foreign (and guess what – domestic) governments and militaries.
Dave quotes Mikko Hypponen, F-Secure’s Chief Research officer who keynoted the FIRST conference last week in Berlin, saying “I didnâ€™t sign up for this”.
Well, sorry to take the other side – but you did. We all did. Even those of us who have been in the industry for almost 20 years. We grew up on movies like “War Games“, on the stories such as Cliff Stoll’s “The Cuckoo’s Egg“, and those of us who were pushing the boundaries and practicing security research, also knew that we were playing fast and loose with the law a lot of times (successfully for those of us with a clear record).
Well ,guess what, just like a nuclear physicist becomes a target (legitimate or not) for a foreign nation because they are associated with another nation’s nuclear program, so are we.
Any new piece of information that may allow an advantage in the greater scheme of things is highly sought after by nation states, and if you are not aware of it, well, good luck to you.
I join Dave’s closing comment on the difference between espionage and warfare. We all need to understand though that there are governments and their intelligence services behind both of these. So yes, we all knew very well what we were walking into when we found our first 0-day, vulnerability, or realized that we can bypass controls, processes, hardware, software or whatever it is we hack our way through. This kind of knowledge and skill is a far cry from a new crocheting technique.
p.s. I’ve mentioned the law here, and if you know me you know that one of my advice to any fellow practitioner is usually “get a lawyer”. This isn’t just for fun – law is just as hackable as cheap knockoff Chinese firmware, or a shady Israeli device driver. I highly encourage everyone to at least study your local legislation in relation to computer “stuff”, as well as dabble a bit in the international aspects of it.