On a Slippery Road in the Name of National Security

Two very important things happened at the recently concluded Cocon 2013. Not surprisingly, the media missed these, in favor of more "mainstream" news focusing on the celebrities and visible initiatives.

1. The Deputy National Security Advisor, Sh. Nehchal Sandhu gave a largely statistics & routine talk with the notable exception of a superb pronouncement:
   

   "We will not go down that road" 

   He was referring to the recent events surrounding NSA's surveillance and its fallout in the US (civil rights outrage) and in the rest of the world (Brazil, anyone?), including India (such as new guidelines on email usage, etc.). This statement was made to convey that the Indian Government would not indulge in the kind of tactics that NSA and FBI are being accused of.
   
   Why is this important? It portrays a commitment from the Government to act with a level of wisdom and maturity that has been hard to find recently not just here, but in most parts of the world.
   
   
2. A few speakers talked about the Government's collaboration with the hacker community. One of the talks included an unapologetic response to the criticism of this year's takedown of a malware's C&C Server at this year's nullcon -- announcing a new era of Government - Community partnership.
   
   On the sidelines of this talk was a much more sinister discussion. That some parts of the Government might be willing to take hackers for hire -- for ostensibly National Security engagements.
   
   On the face of it, it should not cause any concern, right? Not until you understand the implications, subtle and otherwise. How will this relationship begin, what pitstops will it make and how far will it go?
   An example: LulzSec (ex-)leader cooperating with the FBI.
   Another: Desi hackers join Indian Cyber Army. In this, there is even a mention of a lawyer wanting to change the IT Act to provide protection for "patriotic stealth operations". Of course, they might be talking about "usual" hiring of infosec professionals in cyber-defense positions... but there is enough to indicate otherwise too.
   
   There are enough rumours and murmurs on whole truckloads of East European hackers being allowed to flourish in the fond hope that they will provide the necessary "air" cover (and perhaps, tactical support) to their governments when push comes to shove in cyberwars. Are we talking about going down that route?
   
   National Security as a justification to do things that you wouldn't otherwise do is a very slippery slope. Once you start the journey, you have no control on the speed, direction or the destination. This is a route that argues that the means justify the ends. No doubt there will be people who argue that when our adversaries do it, we must do it too.
   
   However, I hope that saner voices such as Sh. Sandhu's will prevail.

On a different note, I do hope that our above-board educational hacker groups (such as garage4hackers) make every effort not to tip and fall into the wrong category. A few beers, some boasting and a vulnerable target are all the ingredients that enthusiastic young blood needs to cross the line. There are always rationalizations that can be made after the fact. Including misplaced patriotism.