Cyber Security has long had its own subculture, and sometimes this leads to clashes (misunderstandings) with the mainstream tech and policy culture. The most common example of this is the ongoing (and on, and on) debate about encryption and law enforcement. Amazingly, we seem to be re-litigating these questions as if we’ve learned nothing and formed no new consensus over the last twenty years. This is frustrating.
Equally frustrating are renewed conflicts because some people cannot distinguish analysis, education, and defensive preparedness from black hat hacking. This fog is apparently what has led Google Play to remove (weeks after approving!) the free Cybrary cyber security training app from its app store. The Cybrary founder has posted the arc of the events here. His frustration is evident and understandable. It’s as if the cyber and broader tech communities are no better at discussing these topics than they were twenty years ago. To take you back…
In 1995, in partnership with Wietse Venema, security researcher Dan Farmer, a brilliant and audacious student of legendary expert Gene Spafford, invented the Security Administrator Tool for Analyzing Networks — SATAN. It enabled a security admin to efficiently find flaws in their networks so that they could address them. Its accuracy and ease of use marked a watershed moment in the security industry.
And what did Dan receive for his scientific and industrial innovation? Commendations? A promotion? $10m in venture capital to build a business around his open source tool? None of these. He received threats of legal action from the Department of Justice and a pink slip from his employer Silicon Graphics. Thank you very much.
All because SATAN could also be used by the bad guys. It was a tool to analyze networks and find their vulnerabilities. It was a tool the same way a VHS machine, or an encryption engine, or an internet connection, or a crowbar is a tool. Presumably those leading the backlash against Dan felt that if the good guys didn’t invent and distribute tools, the bad guys wouldn’t be smart enough to do so.
In 1995, when most of the bad guys were between 13 and 45 and lived in their parents’ basements, maybe, MAYBE this was true. In a world of cyber criminal syndicates and state-sponsored actors, it is insane to think that we are safer if we can restrict the flow of scientific and technological knowledge.
One of the few advantages we have in the cyber war is that most people are basically good. There are many, many, many more people who want to defend data, networks, e-commerce, e-government, free market capitalism, intellectual property, freedom, transparency and democracy than want to steal from them or destroy them. The vast majority of people would rather make $180,000 a year as a cyber security technician (and live openly within the law) than try to make millions and live in darkness and fear forever.
The broad distribution of knowledge primarily means the distribution of knowledge to the good people. Believe me, the bad people are already sufficiently motivated to find the information they need. Taking the Cybrary app off Google Play today makes us no safer than sanctioning Dan Farmer did in 1995.
Not to mention the commercial implications. SATAN paved the way for next-generation vulnerability assessment tools nmap and Nessus. Tenable Network Security (right here in the Cyber Corridor!) provides services on top of Nessus, and just raised a $250m venture capital round. The Vulnerability Assessment market is now a $1.5 billion market. The penetration testing market — which apparently got Cybrary banned from Google Play — is a $2.5 billion market.
Too much rides on getting this right. Billion-dollar markets, and the effective protection of our entire online economies. The security community has got to be able to effectively communicate to the broader tech and policy community that the creation and distribution of security knowledge and tools benefits us all much more than it harms us.
A good, small place to start would be to get the Cybrary app back up on the Google Play App Store.