Most Infosec professionals in the USA who have been in offensive roles are probably used to a familiar gamut of remarks from friends, coworkers, family members, and colleagues about why they are learning offensive hacking techniques: “Why would you want to learn that?”, “Are you a criminal?”, “There is no valid reason to learn how to deface a website unless you want to be a criminal!” These are common questions Infosec professionals face day to day when explaining their work to laypersons, often resulting in the IT professional hiding their work from colleagues and friends. The accepted train of thought on why an Infosec professional learns Kali Linux, buffer overflows, and offensive attacks is to understand how an attack works and to put controls and monitoring in place to prevent or remediate any offensive attack. Being able to understand how an attack occurs and knowing how to avoid an attack is how a defender can secure computer systems and an organization.
Is the significant increase in, and prominence of, offensive hacking tutorials and free, open-source hacking tools over the last twenty years helping to increase the number of cybercriminals in the USA?
This is a good question. Most entry-level hackers and even most Infosec red team professionals could not perform an in-depth pentest without Burp Suite and Metasploit. Most Infosec professionals are not developers, and being able to code and understand security at the same time is sadly a rarity in the industry.
With the number of YouTube tutorials available on the internet, any teenager with access to the internet could learn basic attacks that they can use on a local business. Are we, as a society, training the next generation of cybercriminals by providing free or low-cost training and tools around the country?
Honestly, probably, but there are a few caveats to this argument.
1. Most cyber professionals are already under heavy surveillance from the federal government.
2. The biggest threat is international state actors and international organized crime and not domestic hackers.
3. Entry-level domestic hackers do not pose a threat.
Most cyber professionals are already under heavy surveillance from the federal government.
If you have ever attended a local Defcon group, you have probably met an undercover FBI agent at least once. It is well known that law enforcement is often undercover at cyber and Infosec meetups. The FBI keeps a large database of different individuals and skill sets, keeps current with new trends, and maybe even recruits. In rare cases, they may arrange an arrest if they see obvious criminal activity, but I haven’t encountered this because the worst criminal act I have seen at local hacker events is jaywalking. It is well known at most hacking conferences and courses that cybersecurity has the same ethical code as law enforcement.
The biggest threat is international state actors and international organized crime, not domestic hackers.
The biggest threat to American business is not from American citizens but from foreign state-sponsored NSA equivalents. Foreign governments used to focus mainly on attacking other state actors, but that is no longer true. Forget AI; worry about the Russian and North Korean governments. Think about the Belarusian and Chinese governments. The fight has become military vs. civilian.
In Murray Rothbard’s book “For a New Liberty: The Libertarian Manifesto,” Murray outlines a world with private police/security guards defending businesses in a free enterprise environment from security threats. Private police and a private military are used as a replacement for publicly funded police in an anarcho-capitalist idealistic society. Regardless of your politics and your fondness for Murray Rothbard, this prediction has become partially a reality. Police and federal law enforcement have been unable to defend even the smallest business from cyber threats for decades.
Penetration testing software helps private citizens and organizations make more secure software and systems. Understanding how attacks occur is the first step to understanding how to block an attack. Most experienced cyber professionals are getting ready to retire and often obtained their experience by practicing in legal grey areas before the Computer Fraud and Abuse Act was signed into law. By promoting the pen-testing software and training, America would reduce the skills gap for experienced cyber professionals who can practice the trade.
Entry-level domestic hackers do not pose a threat
Most of the low-level threats from domestic lone wolves using scripts over the internet should be easy to mitigate and detect if the organization has even a base level of security. Someone just learning how to hack probably doesn’t know how to cover his or her tracks, leading to an easy prosecution and/or lawsuit over an attempted attack.
New hackers often lack the skills and awareness to be good enough at offensive hacking and not get caught. Experienced professionals who are eager to learn are already under surveillance. New hackers often lack the skills to perform attacks that are advanced enough to breach a business. Businesses that are compromised by teenagers will probably be breached by state actors at some point in the future.
As Americans, citizens can already own a gun for home defense, assuming they can pass a federal background check. There is a political debate about gun ownership in the USA. Still, the conversation would be drastically different if the Russian military were trying to break into your workplace daily.
We should hold Infosec professionals to high ethical standards, the same standard as law enforcement. Still, we should also provide the training grounds for the new ethical hackers to start. We need to help train and make the day-to-day operations of the professionals fighting the next iteration of the Cold War for your organization.