We operations people often are rather charmed by Netflix’ idea of Chaos Monkey. This is a tool that identifies a group of systems and randomly terminates one system in that group. If you’ve never heard of Chaos Monkey, you might ask why you would do such a thing. In production even.
Chaos Monkey runs during business hours, and the idea is that if anything is wrong with the high availability configuration in that group, you’ll discover it during business hours, when lots of people are available to solve the problem. But also, and this is the part we operations people like, it makes all people responsible for the application very aware that if they don’t do the right things to make their applications highly available, their applications will fail soon. So it raises awareness. Netflix now even has a tool called Chaos Kong, which disables whole AWS (Amazon Web Services) regions.
I’ve been thinking that it would be great if there were something like Chaos Monkey for security (yes, I know Netflix has Security Monkey, but that’s more like a change tracking system). What I mean is: something that makes everyone aware that if we don’t adequately secure our applications and infrastructure, hacking will happen and we all will know it did happen. But not by malicious entities, so we could still solve these problems before real malicious hacks take place.
At first I couldn’t think of anything that would have the same effect for security as Chaos Monkey, except maybe a government program to teach everyone hacking and invite everyone to test security everywhere. That probably will not happen.
But then I got a better idea (I think). Why not a department of hacking ... other departments? Take for example governmental organizations. It is well known and documented, and also my experience, that security at governmental organizations often lags behind that at, for example, larger companies. I’m not saying the security of those companies is great, but the lack of skill and sometimes downright disinterest in security at some governmental organizations is or has been in a league of its own.
Enter the Department of Hacking Other Departments. I see at least two tasks for the DoHOD:
- Hack other departments.
- Be first responder (if required) in case of a hack and help with, for example, forensics.
Task 1: Hack other departments
We give the DoHOD the task of finding leaks at other governmental organizations (in the same nation, of course; departments for hacking those in other nations already exist, and we call them intelligence agencies).
In this scheme, employees of the DoHOD are allowed to find ways into other organizations as long as they don’t disrupt continuity (disrupting continuity outside business hours is up for discussion). They have a so-called “Get out of jail free card” for hacking as long as they properly protect their findings and any data they come across.
If the DoHOD finds a way to hack a “target organization” or finds its security hygiene lacking, it needs to (securely) report that to the target organization and suggest improvements. And if that target organization doesn’t take measures soon enough, the DoHOD will notify the Department of Punishing Insecure Departments or, better I guess, someone at executive level (ministers, CEOs and such).
Task 2: Be first responder
The DoHOD, with their knowledge of what hackers are capable of, should be able to help organizations when they get hacked for real by malicious forces. They should help to collect, preserve and analyze all evidence in such a way that it can be used for criminal prosecution, if the hacked department requires it.
Working at the DoHOD
I can imagine working at the DoHOD would be really, really fun. So where governments usually have a hard time getting skilled technical people, I really think that would be less of an issue at the DoHOD. Hacking is fun and hacking for good is even better. The idea that it would really harden the security of the whole government would probably inspire lots of skilled people. Proper screening of new employees would be necessary, of course.
I can imagine this would really have a Chaos Monkey-like effect on awareness. You could do some checks automatically, but it often takes the ingenuity of a human hacker to really put security to the test.
The effectiveness of the DoHOD could reasonably be measured by the number of hacks they are able to perform and the number of detected hacks by outside forces. You should always be careful with incentives like “if you find fewer hacks next year, you’re getting rewarded”, but if malicious hackers are measurably having a harder time breaking in (as far as is known, of course), you’re probably doing something good.
I can think of one significant problem with the DoHOD: that they might get hacked themselves. You could imagine the problem with losing all information about ways to attack the rest of the government. It would be really bad. So security measures at the DoHOD should be in the best condition possible.
Another possible downside is that the DoHOD doesn’t get a sufficient mandate to hack other organizations, and that those organizations that fall outside the tests of the DoHOD get relentlessly hacked by outside forces.
And the DoHOD, as I’ve described it here, won’t do much against attacks from the inside out. Though this could be offered as an extra service, I guess: “Just give us access to your network and we’ll hack you there too”.
Nevertheless, if implemented correctly and safely, the DoHOD will boost security awareness tremendously. I can really see it working.