If Bruce Schneier is correct in his assessment of hackers:

“In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can… Hackers’ traditional and common defense is that they’re breaking into systems to test their security. They say the only way to learn about computer and network security is to attack systems. Never mind that these hackers don’t own the systems they’re breaking into; that’s just the excuse.”

He points out that there is an ongoing controversial discussion about whether hackers are genuinely committing criminal acts while intruding into a network:

“‘I was only testing security’ is not a valid defense. For years, we in the computer security field have heard that excuse. Because the hacker didn’t intend harm, because he just broke into the system and merely looked around, it wasn’t a real crime. Here’s a thought for you: imagine you return home and find the following note attached to your refrigerator: ‘I was testing the security of back doors in the neighborhood and found yours unlocked. I just looked around. I didn’t take anything. You should fix your lock.’ Would you feel violated? Of course you would.”

To understand a hacker’s intention and motivation for “breaking and entering” into a system, we have to analyse more than just the psychology of a hacker; we also need to look at the social environment and background of the hacker culture. Before we can even begin to understand how to defend, we need to understand why there is a threat vector. The popular image of a typical computer criminal has shifted from the punk kid to a nation state of highly trained computer science majors. Both images are propagated by the media and are terribly misleading. Since defense tactics vary wildly between these two types of criminals, our efforts to implement an appropriate defense become unclear.

Ten years ago the image of a hacker was defined by two researchers. Marc Rogers, a behavioral sciences researcher at the University of Manitoba in Winnipeg, Canada, and Jerrold M. Post, a psychiatrist at George Washington University in Washington, D.C., identified some basic behavioral trends in hackers who commit crimes.

Rogers says one characteristic is that they tend to minimize or misconstrue the consequences of their activities, rationalizing that their behavior is really performing a service to society. (Some researchers call this the Robin Hood Syndrome.) They may also tend to dehumanize the problem and blame the ‘victim sites’ that they attack. Post says the same hackers share a sense of “ethical flexibility”, which means that since human contact is minimized over the computer, hacking becomes like a game where the serious consequences can be easily ignored.

But Rogers is careful to point out that not all hackers are criminals. He’s identified four categories as follows:

I. Old School Hackers:

These are your 1960s style computer programmers from Stanford or MIT for whom the term ‘hacking’ is a badge of honour. They’re interested in lines of code and analysing systems, but what they do is not related to criminal activity. They don’t have a malicious intent, though they may have a lack of concern for privacy and proprietary information because they believe the Internet was designed to be an open system.

II. Script Kiddies or Cyber-Punks: most commonly what the media call “hackers”.


These are the kids, like Mafia Boy, who most frequently get caught by authorities because they brag online about their exploits. As an age group, they can be between 12 and 30 years old; they’re predominantly white and male; and on average have a grade 12 education. Bored in school, very adept with computers and technology, they download scripts or hack into systems with intent to vandalize or disrupt.

There is also the “wannabee” hacker phenomenon: the would-be hackers. Historical note: The wannabee phenomenon has a slightly different flavor now (1993) than it did ten or fifteen years ago. When the people who are now hackerdom’s tribal elders were in larval stage, the process of becoming a hacker was largely unconscious and unaffected by models renowned in popular culture — communities formed spontaneously around people who, as individuals, felt irresistibly drawn to do hackerly things, and what wannabees experienced was a fairly pure, skill-focused desire to become similarly wizardly. Those days of innocence are gone forever; society’s adaptation to the advent of the microcomputer after 1980 included the elevation of the hacker into a new kind of folk hero, where the allure of hackish prestige drives people to consciously set out to be a hacker. Fortunately, to do this really well, one has to actually become a wizard. This exposes the newbie to the wrath of the old-time hackers, who tend to share a publicly articulated disgust for the self-promoted; it gives newbies some fear and builds a deterrent of lore.

III. Professional Criminals, or Crackers:


These guys make a living breaking into systems and selling the information. They might get hired for corporate or government espionage. They may also have ties to organised criminal groups.

IV. Coders and Virus Writers:


Not a lot of research has been done on these guys. They like to see themselves as an elite. They have a lot of programming background and write code but won’t use it themselves. They have their own networks to experiment with, which they call “Zoos.” They leave it to others to introduce their codes into “The Wild,” or the Internet.

Ten years ago the Nation State hacker was not even a consideration, or at least was not publicly acknowledged. So I’d like to add that as number five.

V. Nation State Hackers


According to an article from the Wall Street Journal:

Nation-state hackers have different goals, and pose different kinds of risks. U.S. companies may be more vulnerable to one kind of attack than another, but they should understand the entire spectrum of threat.

Even in light of the recent news about China hacking U.S. newspapers, it appears that hackers based in other countries may pose a more systemic threat to critical infrastructure such as utility grids. It’s likely the increased warnings about the risk of cyber attacks to electric grids and other critical systems are being fueled by concerns that Iran is gaining more sophisticated hacking capabilities, says James A. Lewis, director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies.

Mr. Lewis says he believes that Iran was the perpetrator of the August attack on Saudi Arabian Oil Company and the subsequent attacks on U.S. banks. “They were testing the American reaction and they were testing a new weapon,” he told CIO Journal.

“There are immense ongoing Chinese economic espionage efforts,” said Mr. Lewis, but those are primarily centered on gaining technological advantage through the theft of intellectual property.

White Hat, Black Hat, Gray Hat:

Generally, hackers are divided into two major categories, Black Hats and White Hats, with Gray Hats as a recent addition. What separates the Black Hats from the White Hats and Gray Hats is intent.

This is where things get interesting, because what is white to one person can simultaneously be gray to another. Research on hackers comes from self-reported surveys and other types of documents that depend on honesty. Hacking is a field based upon merit, where status comes from reputed skills and exploits; it is therefore to be expected that self-reported information, especially concerning individual class level and hat, has been inflated or is an outright lie. The difference between White Hat and Black Hat is a matter of perception, and many do not agree about what constitutes illegal behavior. Hats are a matter of self-definition, and with so many hackers having a loose grip on legalities, their take on whether they are legitimate or not seems suspect. Most citizens would consider something that is illegal to be wrong, thus making hacker perceptions of whether they are a White or Black Hat suspect at best.

Hacking activity and the intent behind it might never be completely understood; however, there are steps that can be taken to minimize risk. Social learning theory illustrates that individuals are influenced by the behavior of their peers. When there are no perceived penalties associated with illegal computer activity, hacking activity increases. Therefore, there is a need to highlight the consequences of engaging in hacking activities. While law enforcement is struggling with ways to effectively track and prosecute computer criminals, there needs to be an emphasis put on publicizing those who are caught and convicted of computer crime. Many petty offenders are caught, but the outcomes of their trials are not made that public. Meanwhile, major offenders either are not convicted or are convicted then released. Many hackers are eventually rewarded for their illegal activity through positive reinforcements, such as a high-paying job in the security industry. Some have gone on to form their own security company, while also playing the role of media darling for the press. Meanwhile, the research shows that computer crime increases when the perception of hackers is that there will be no retribution. This needs to change in order to effect change.