Burn the Red Team!
As cybersecurity grows in importance in the modern era, Michael examines how seriously (or not) the subject should be taken for college students.
By MICHAEL KIELSTRA
When I started learning how to hack computers, I was very quickly taught one thing: as Uncle Ben never stops saying, great power and great responsibility go hand in hand. I read books by hackers skilled enough to hold a small country to ransom, but who emphasized over and over the importance of getting proper authorization. If you were hired to hack into a company, as a test for their fancy new intrusion detection system, say, and you came across a computer that wasn’t on the list of approved targets, you left it alone. It was that simple. You may imagine my surprise and horror, then, at the behavior of Red Team during this year’s NECCDC.
NECCDC, the Northeast Collegiate Cyber Defense Competition, centers around maintaining a small computer network for a fictional company. Red Team, made up of cybersecurity professionals, hack into this network. Competitors, organized into Blue Teams, try and mostly fail to keep Red Team out, and are scored on how well they keep relevant systems running.
Red Team, meanwhile, just has fun. This year, one of their members was there to write prank scripts. These were viruses that would make dancing bananas appear on Blue Teams’ screens or play loud music from their speakers; writing them was this man’s only job. The other Red Teamers referred to him as their CFO, for Chief Fun Officer. More seriously, Red Team members faked credentials to impersonate members of other teams, for example, which – although I concede is something actual cybercriminals do – had been explicitly forbidden to anyone at all at any point in the competition. When they gave a debrief at the end, I was expecting a discussion of common vulnerabilities and ways to mitigate them. What I got was a video montage, set to rock music, of “hilarious” things Blue Teams had said and done in the face of the Red Team’s onslaught. Put simply, Red Team were drunk on their own power, and they made sure everyone knew it.
I guess I should congratulate the Red Team and their decades if not centuries of combined cybersecurity experience on their victory over a bunch of nineteen- and twenty-year-olds. However, I must ask whether there is a place for this sort of ethos in cybersecurity today. Computer hacking, once a discipline confined to a few university dorm rooms and with stakes no higher than a midterm grade stored in an insecure database, is now global, professional, and lethal. A single cyberattack, launched in a couple of hours from anywhere in the world, can destroy hospitals and power plants, computer networks and crucial business data. For this reason, if I hire a hacker to test my security, I want to be very, very sure that he or she will not go beyond the boundaries I set. Hackers are simply too dangerous not to take themselves more seriously.
The NECCDC Red Team will surely respond that, when actually in the field, they are more calm and easier to work with. Not only do I doubt that this is true, it is also an abysmal excuse. NECCDC advertises itself very much on the strength of its Red Team, and Blue Teams are told to view it as similar to playing chess with Garry Kasparov. They will be beaten, but, in doing so, they get a chance to see how the experts do it. The Red Team were setting an example, and they made it very clear that computer hacking was all about hilarious pranks, broken laws, and general fun at the expense of your targets. Being good at what they do cannot save them when they are bad at teaching it.
The problem is far more widespread than NECCDC. The name “Red Team” alone, commonly used by hackers across the world, implies a sort of elite unit, glorying in its badassery. “Tiger Team”, also in widespread use, is even worse. The hackers I prefer to read almost never use these words, preferring the more scientific and careful “penetration tester” or, for those who don’t like being giggled at by ninth graders on career day, “pentester”. They are in, as I have come to realize, a minority. The Burp Intruder hacking toolkit, used by thousands of hackers and costing thousands of dollars per year for a business license, uses “Peter Weiner” as the username when trying to overload a login form by sending thousands of requests per second. Users can change this, but most hackers don’t.
If this is the prevalent attitude, it might seem hopeless to try to change it. Some computer security people, however, are more reasonable, and there are steps we can all take to encourage these few. If you are hiring hackers, hire the boring ones. They will probably give your system a more careful and thorough going-over anyway. If you are learning to hack mainly because you love the thrill of compromising someone else’s computer, stop. You’ll only cause yourself and others pain in the long run. If you are already a hacker, don’t play childish pranks or embed dumb jokes in your code. Computer hacking started out as the cybernetic equivalent of a bunch of kids running around with BB guns. It is now the equivalent of a bunch of kids running around with nuclear warheads. Moving from there to a culture of responsible adults armed with warheads will be difficult, but, with effort, I am sure it can be done.
Michael Kielstra ’22 (pmkielstra@college.harvard.edu) thinks, but isn’t sure, that he wrote this piece on a secure computer.