Dave Aitel: Hackers May Help Choose The Next President of the United States

Posted on 29 January 2012 by


Dave Aitel is the founder and Chief [Security|technology|executive][1] Officer of Immunity, Inc, and runs the Daily Dave mailing list, where this article was originally published. It is re-published here with his kind permission.

At age 18, Aitel started spending his summers working at the National Security Agency (NSA) while attending Rensselaer Polytechnic Institute; three years later he began a three-year job as a full-time NSA computer scientist, before leaving for a gig with penetration testing firm @stake, which was acquired by Symantec in 2004. Aitel is coauthor of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes and The Hacker’s Handbook: The Strategy Behind Breaking into and Defending Networks, as well as penetration and assessment tools Spike, Spike Proxy and Sharefuzz. His work stands as among the finest in explaining foundational concepts such as How Hacking Really Works and Why Attackers Win. Aitel also founded the offensive computing conference Infiltrate, which just completed its second year.

If you want to lose your weekend and be glued to your computer, visit the Immunity, Inc presentations page for a couple dozen thought-provoking and detailed presentations, papers and articles by Aitel and his colleagues, all available free for download.

It is, of course, very possible that hackers will get to help choose America’s next president. Possibly not in the most direct way (aka, attacking the electoral system directly, the candidates, or the super PACs that support their campaigns), although this did happen to some extent last time around.

But also, of course, indirectly in that cyber security is a beach ball used by the candidates and addressed by the candidates during their campaigns. So at some level it is interesting to compare and contrast the campaigns on the issue.

Cyber security is a part of the overall Internet and high-tech policy of each of the campaigns, touching upon copyright, patents, regulation, free speech, foreign policy, and other issues. But as it is rising in importance in the world at large, it is also becoming an increasingly visible part of each campaign’s strategy and message.

Below I split each of the campaigns out and share my opinions (as someone who has worked in cyber security for over a decade both as part of the Government and in the private sector) on their strengths and weaknesses.

Newt Gingrich
Wired has an article on Newt Gingrich on this issue out recently – and it is suitably hawkish on cyber security (or Cyber War, cyber security’s bigger, scarier cousin). Newt Gingrich has the significant advantage of being a science geek and thus can speak to the cyber security population in their own language. For example, he can quote Dune or other science fiction, and thus is less likely to trip over his words or have a “series of tubes” moment. Although he is by trade not technical, he is able to at least sound like he gets it. For example, his language in the Republican debates regarding SOPA was exactly what the technical community wanted to hear – and more eloquent on the subject than the other candidates on the issue.

Only Ron Paul met with similar approval in the technical community (by saying he was against it from the beginning) and Rick Santorum was clearly on the opposite side of the issue from the technical community. In one of the early debates, the moderator asked the candidates what they saw as some of the biggest threats against America that were going unaddressed, and both Herman Cain and Newt Gingrich listed cyber attack. That said, his positions have some nuance in the area and it’s not clear who is advising him on cyber security, if anyone. However, he never comes across as sounding uninformed on the subject in his public interviews (the meat of the coffeeandmarkets piece is 16 minutes in or so and worth a listen).

Rick Santorum
While in the Senate Rick Santorum served as co-chair of the critical infrastructure protection committee, and he has been involved in cyber-security issues. It’s hard to say that he’s made much use of this experience on the campaign trail, however. He may find it difficult to connect with the technical community because of his stance on social issues. (More on that later).

Mitt Romney
One way to find out how a candidate is going to move is to look at who advises them. Two of Mitt Romney’s senior advisers have given keynote speeches at BlackHat, the largest information security conference in the world – Cofer Black and Michael Hayden. Both are well known in the community, and although neither is particularly technical, they both have well formed and forceful opinions based on long experience – a sort of hacker osmosis, if you will. To be specific, they both see a clear and present danger from foreign cyber espionage against the economic and security interests of the United States. Mitt Romney appears to use the phrase “cheating” when referring to these issues (although in an early debate he was more specific), lumping them a bit with larger copyright and trademark issues and almost entirely in relation to China.

Ron Paul
There’s a large libertarian streak among hackers and cyber security professionals, and it’s evident in how many of them support Ron Paul (sometimes in funny ways). That said, he does not always agree with the tech community’s latest drives. For example, he is not pro-net-neutrality (see 52 minutes in). Hacking is, in many ways, the discipline of studied iconoclasty, and no candidate is more iconoclastic than Ron Paul. Hackers also tend to have a lot of spare money, and no doubt some of that money is flowing to the Ron Paul campaign. In the first debate in Florida, you’ll notice Gingrich was careful to avoid seeming inimical to Ron Paul’s ideas on stage.

Barack Obama
The White House’s position on SOPA, which threaded the needle between Hollywood and the tech community, was an example of some of the different cards the current administration may play in the upcoming campaign. While supporting Google as much as probably possible against the Chinese cyber espionage attempts, the White House has also taken positions on many other cyber security issues, some of which have been widely criticized in the cyber security community.

And the industry has not exactly shrunk under Obama – experiencing a robust boom even in times of otherwise tight belts in the defense community. Administration efforts such as the Cyber Fast Track have also received positive acclaim. When you have a member of the l0pht running part of DARPA and Jeff Moss has a place advising DHS, you’ve built inroads to the community. It remains to be seen whether these inroads are highlighted by the campaign.

If any Republican is to attack the current administration’s policies on cyber, it will probably have to be on “Effectiveness”. I.e., it’s all well and good that the DHS has a new marketing campaign to increase cyber security awareness, but how does that stop hackers from actually hacking into our water plants with seeming ease? Unfortunately, this would essentially be a call for further regulation, which seems like a hard argument for a Republican candidate to make at the moment. You get this sense during some of the debates, where Republican candidates call for more covert action against Iran, and then have to circle back to “You know…things like Stuxnet”.

Social Issues
Taken as a whole, cyber security professionals are, like any other large population, quite diverse. However, there are some strong general trends. For example, the overall population has a tendency to be quite atheistic, libertarian, pro-gay-rights, and international. This may swing hackers as voters (and donors) more towards Obama than the eventual Republican nominee. You may remember Obama being bashed for including “non-believers” in his 2008 inaugural address, for example.

So there are two future questions that bear thinking about as the campaigns develop:

  1. What, if any, influence will cyber security have on the presidential campaign? and
  2. What will change in cyber security if one of the Republicans wins?

I would opine that Mitt Romney’s choice of advisers presents the clearest indication not just that he will use cyber in his campaign, but as to what his positions as a President would be. That is, strongly hawkish against the ongoing economic cyber espionage conducted by the Chinese and other countries against US firms. Cyber security has been in the news a lot this year, and I’d say there’s a strong chance that either he, or Newt Gingrich who is immersed in high tech culture more than any other nominee, uses cyber security as a differentiation during an upcoming debate.

It has the advantage of being both suitably hawkish, and having an impact on the most magic of words this year: “Jobs”.

[1] Depending on the bio.