Hackers: If You Can't Beat 'Em, Hire 'Em

June 16, 2012 -- So what's it worth to you to prevent world-wide economic collapse, or even a major interruption of essential services, like power or water?

These are not hypothetical questions. Nor will they be caused by the Eurozone disaster, a double-dip recession, the disintegration of institutions deemed "too big to fail," or government spending run amok.

I am talking about cybergeddon—or the endgame of cyber warfare. A concept well-worn in national security organization conference rooms and the situation rooms of nations around the globe. It is somewhat newer to the front page of The New York Times, which has recently featured several investigative reports regarding Stuxnet and Flame, two potent worms created for international espionage that got loose and went viral.

We all know the hackers are out there. That's not going to change. The question is this, can we change the dynamic? Or more to the point, can we hire them—a whole lot of them? Simply put, how much should nations pay to build a cyber army (both civilian and military) of "white hat" hackers and talented computer security experts with the skills to out-hack or "out-code" the legions of nation state-sponsored or politically-motivated cyber terrorists sworn to destroy our way of life?

Everywhere we turn, there are reports of public and private sector breaches and compromised data. The SEC requires publicly traded companies disclose data breaches, and especially when intellectual property is stolen. Even when the forces of good arguably get it right, unintended consequences and leaks jeopardize the results.

Stuxnet is just one example. Written by American and Israeli spy agencies to sabotage Iran's nuclear enrichment facilities, it at least partially succeeded in its mission, The New York Times revealed early this month. Unfortunately, its creators did not account for the possibility that it might escape. It did. In fact, both Stuxnet and Flame escaped. The result is scary: the bad guys have these worms and can use them.

The Stuxnet story became public in 2010 because a programming error enabled it to leap out of its confines and circumnavigate the globe via the Internet.

Two days after the recent Times article, came the report about Flame, another international spy-grade superbug. This one had compromised the Fort Knox of software companies: "Microsoft told customers that the authors of Flame—a highly sophisticated surveillance computer virus discovered on networks in the Middle East and Iran—had figured out how to use Microsoft's own security system to forge digital security certificates, which then allowed the malicious code to spread undetected by anti-virus programs."

There are lessons we can draw from these stories. None of them are particularly comforting.

1. Hacking and the creation of spying tools that are distributed online are now standard operating procedure for nations large and small. Stuxnet, Flame and the Chinese government's widely reported collusion with practitioners of corporate espionage, prove that arsenals of powerful cyber weapons exist. This is an arms race where we cannot afford to fall behind. It is being waged in the sanctity of our homes and businesses and bank accounts. The Barbarians are not only at the gate—they are in our computers.