A security professional’s view on criminal hacking has shifted away from the traditional stereotype of the hacker, towards a much more diverse cross-section of wider society.
During the early 90s, the US government decided to crack down on computer crime in a series of raids dubbed Operation Sundevil. The raids were carried out by the US Secret Service working alongside local police and telecoms engineers, and targeted “bulletin boards” (now more often called forums) that were engaged in blatant and open credit card fraud and telephone code abuse.
The people involved in such illicit activity mostly fitted a very narrow subset of society: teenagers and young adults from middle-class suburban homes. They had the disposable income to acquire what was at the time cutting-edge general purpose computing technology and had access to modems (extremely slow in the age of today’s broadband, but life-changing technology at the time).
The modems allowed them to connect to the internet and the fledgling World Wide Web and form cliques on those bulletin boards to engage in a range of activities – not all of them legal.
Although Sundevil was far from the only anti-hacking law enforcement activity of the time, it is interesting because it went on to create much of the image of the hacker in popular culture. The 1995 film Hackers features a teenage character targeted in an investigation by doughnut-munching federal agents. His suburban bedroom, where one of his floppy disks was hidden, was raided.
That film also captured many other aspects of hacker culture, such as the hacking of old analogue telephone networks, known as “phreaking”, to gain free calls, and the habit of hackers to study, and share, treasure troves of technical information from large companies, such as the so-called “Crayola Books” shown off by the characters.
Now, many of the hackers of yesteryear are today’s information security (or cyber security) professionals, who work to protect information. The dated cultural view of the elite criminal hacker has fallen into stereotype and myth over the decades and been overtaken by leaps of technological progress, where general purpose computing is in every home, and smartphones bring connectivity to people of every background, culture, and age.
In this new landscape, newer generations of hackers are often cutting their teeth against hardened computer systems, now armed with antivirus, firewalls, and more sophisticated protections, rather than the hapless, insecure networks of the 80s.
At the same time, the hacker community (the majority of whom have no criminal intentions) has developed its capabilities, with techniques and tools previously the domain of skilled hackers now open-sourced to those with merely an inclination, not necessarily a desire to master and exploit technologies in the way hackers do.
The UK’s focus on a “code economy” has resulted in an army of citizens with coding skills of various levels, capable of taking these tools and repurposing them for novel uses.
This has manifested in the emergence of hacktivists, who rely on volume and PR over technical excellence. They are not hardened criminals, but are motivated by political ideologies. As protestors, they tend not to worry greatly about concealing their actions. Those who associate with the Anonymous group of hacktivists are of this type, and some of them have ended up with criminal records as a result of the damage their actions have caused, in the same way as protestors involved in vandalising real-world institutions.
On the other end of the spectrum, the wider prevalence of coding skills has also resulted in “project-managed crime” – criminal enterprises that shadow conventional IT business practices, but develop software for criminal use by others. Ransomware, which holds a user’s sensitive data on that computer to ransom by withholding an encryption code, is often designed by teams of professional criminals, including developers, testers, and project management staff.
The now infamous ransomware WannaCry, which hit the NHS in May 2017, is an example of this sort of software, with variants often sold alongside commercial licenses. WannaCry was developed not from the tools of the hacking community, but from the tools of an intelligence agency, the US National Security Agency, which were intended to protect national security but were repurposed for other uses.
The drivers for computer criminality now come less from a hacker mindset and more from the personal motivations of all people with access to technology (that is, almost everybody in our digital society). In higher education in the UK, we have observed that the primary motivator is not necessarily a drive for technical excellence, but the more typical motivators of crime, such as revenge.
Two typical cases illustrate this: in one, a student committed an attack against an institution because he did not like the way they responded to his reports of a mugging on campus, while in another, a member of staff attacked their institution based on their previous dismissal. IT crime is now an outlet for criminal intent of all stripes; no longer the preserve of a technical elite.
There has been a transition from the black hat hackers, technical wizards, and studious technophiles of older decades to anyone who simply has the inclination to abuse the digital ecosystem. A security professional’s view on criminal hacking has shifted away from the traditional stereotype of the hacker, towards a much more diverse cross-section of wider society.
As with all forecasting, outdated or prejudiced thinking will ultimately lead to poor outcomes. Understanding criminal activities (the business of threat intelligence) is a mandatory practice in effective information security services.
By pooling the combined knowledge of our members (universities, colleges and research centres), we can develop intelligence that is both unique to academia’s problems and comprehensive in scope, evolving and adapting to the ever-changing landscape of criminal activities to not only better understand how it has changed, but also to proactively meet future threats as efficiently and effectively as possible.
One of the many challenges we have at Jisc, a not-for-profit that provides UK universities and colleges with shared digital infrastructure and services, is developing intelligence from our data to understand the motivations of those who bring harm upon the UK’s educational institutions.
With every new attempted attack, we gain a better understanding of tools used, can observe trends in malicious behaviour, and can better identify areas in the community where we work that are most vulnerable. This, in turn, helps us develop and enhance cutting-edge security services that better serve our members.