The short answer: maybe.
I just returned from the thought-provoking two-day Merit Member Conference. Topics ranged from VDI to text-files.com, software defined networking, and cyber defense. The presentation on cyber defense was interesting for several reasons, most notably (to me) for the announcement by Don Welch of a Cyber Defense Range in Michigan. To steal Don’s illustration, think of a cyber defense range in terms of a rifle range. It will be a “safe” battleground for interested parties to attack and defend without the legal ramifications associated with the real world. Cyber defense classes will also be available/required. The idea? Teach America’s cyber “militia” (Don’s term) to defend against foreign or domestic cyber attacks.
Personally, I am very excited about this and cannot wait until it is complete and pricing information starts coming around. Others may be turned off or tepid at best. After the presentation, one conference attendee raised the important question: Will this range train terrorists? The response was that the range would train pretty much anyone who wanted to pay and had an appropriate sponsor. I have no idea which side of the fence the questioner fell on, but the appropriate reaction seemed obvious to me. This is no different than training someone to fly a plane. And yes, there should be stigma attached to that statement.
Over the past decade, reporters have focused on the fact that the September 11th hijackers trained in US flight schools. No one thinks we should stop training pilots. Why should hacking be any different? Merit’s argument for remaining as open as possible with this venture is that doing so allows far greater input from people like students or non-citizens. If the goal is to teach and learn, the greater the base the better. This means it might be possible for a prospect terrorist to go through the training. What impact does that really have in the scheme of things? I suppose cyber terrorists could learn a little easier what they would learn on their own anyway. The advantage falls to the defenders.
Here is the bigger problem. Cyber terrorism is real. It won’t go away just because we avoid building these kinds of facilities. What we need is to train the militia so they can defend. Yes, as we try to train the militia, we will unavoidably train the other side. Is it not worth a handful of malicious hackers to produce hundreds, if not thousands of cyber defense specialists? This is a numbers game. If substantially greater defense results, it is a win.